CyberArk, the market leader in privileged access management (PAM), has entered the identity-as-a-service (IDaaS) segment with the $70m acquisition of Idaptive. Omdia sees CyberArk applying its clout in IDaaS, with the two markets converging as digital transformation leads PAM to bleed into IDaaS.
The PAM market evolved to address the need for more stringent control of access rights for privileged users such as system administrators and C-level execs than vanilla identity and access management (IAM) platforms could deliver, adding functionality such as password vaults, privilege management, and session recording. Founded in 1999, CyberArk was a pioneer in the segment and remains the clear market leader despite the best attempts of IAM heavyweights, such as IBM, CA (now part of Broadcom), and Oracle, to add PAM functionality to their portfolios.
The IDaaS segment, meanwhile, is the natural evolution of vanilla IAM, which is the management of identities for business-to-employee and business-to-business environments, but not for users with privileged access. The cloud was a natural place for IAM to migrate, enabling the technology to move from product to service, and from capex to opex. It also broadened the market, beyond the large enterprises that could afford on-premises IAM, to the midsize and even SMB segments. The large corporates could use it to address the challenges of M&A, integrating companies they had acquired more easily and quickly than when they had to add all the new employees to the on-premises IAM directory.
Here too, the main players are dedicated startups, with Okta the clear market leader, followed by the likes of Ping Identity and OneLogin. Members of the IAM old guard, such as IBM and Oracle, also developed IDaaS offerings and see it as a major part of their business.
With the Idaptive acquisition, CyberArk not only adds another revenue stream, but also envisages an overall identity market that is evolving, with privileges proliferating in multiple spheres, thanks to trends such as digital transformation, cloud, and automation. Privileged access is moving beyond traditional privileged users to new groups of humans such as developers, and to systems, as virtual machines and containers increasingly communicate directly between themselves, a phenomenon referred to as the growth of east-west traffic.
The old either/or scenario, in which one set of use cases was for IAM/IDaaS and another for PAM, gives way to a continuum, or a sliding scale on which there are degrees of privilege assigned, frequently on an ad hoc basis. This creates an opportunity for a single platform that can deliver not only traditional IAM/IDaaS and traditional PAM but also various stages between the two.
This vision is intriguing, and it will be interesting to see how CyberArk’s PAM competitors such as Thycotic, BeyondTrust, and Centrify, as well as the IDaaS vendors, respond to its move.
There is also an irony in this acquisition because Idaptive came into existence in 2018 when it was spun out of Centrify, with both of the resulting vendors arguing that the amicable divorce enabled each of them to focus on their core markets without the distraction of trying to address the needs of both the privileged and the non-privileged segments.
Rik Turner, Principal Analyst, Infrastructure Solutions