The acquisition at the end of April of cloud security posture management (CSPM) developer DivvyCloud by vulnerability management and next-gen SIEM vendor Rapid7 was the latest in a series of purchases of CSPM players, mostly by companies with broader portfolios. So has the landgrab ended, or are there more acquisitions ahead?
Over the last couple of years, a whole host of CSPM vendors have now been acquired by larger entities in the security market with a view to incorporating their capabilities into broader product offerings. Palo Alto Networks (PAN) and VMware each bought two (Evident.io and RedLock in the case of PAN; CloudCoreo and CloudHealth for VMware), while Check Point bought Dome9, Sophos bought Avid, FireEye bought Cloudvisory, Trend Micro acquired Cloud Conformity, and Aqua Security, itself something of a specialist that focuses primarily on securing containers, acquired CloudSploit.
As if that round of M&A frenzy were not enough, in April this year Zscaler entered the fray, acquiring Cloudneeti, and now Rapid7 has planted its flag on the cloud security planet by buying DivvyCloud. The latter was one of the best-known independent CSPM vendors still around, and you could be forgiven for wondering whether there are any more left to acquire.
Well yes, there are. The likes of Fugue and Secberus come to mind, and while they may not be household names, rest assured that they are on the radar of the corporate M&A teams of cyber-industry heavyweights that have yet to make their play in this segment. As such, it will be no surprise if there are further acquisitions.
For Rapid7, the move extends the vendor’s offerings in cloud security. It has expanded from vulnerability management (its insightVM product) into next-gen SIEM (insightDR) and app security testing (InsightAppSec), the last of which can clearly be complemented with CSPM, enabling Rapid7 to talk both pipeline and runtime security for cloud apps.
But what makes CSPM so attractive to different types of security vendors? Firstly, cloud security is clearly a hot topic, as the adoption of the infrastructure-as-a-service and platform-as-a-service (IaaS and PaaS) forms of cloud computing gains a head of steam and threatens to catch up with the runaway leader, software-as-a-service (SaaS), in the next few years. This trend was already underway, and the experience of widespread working from home as a result of COVID-19 only strengthens it even further. As such, Omdia expects demand for CSPM and other forms of cloud security to enjoy healthy growth. So, if you want to be relevant in cloud security, it’s a good time to buy into it.
Secondly, while CSPM came into existence to check, alert on, and then correct the security posture and compliance of virtual machines (VMs) in the cloud, it is just as relevant for the next iterations of workload formats – containers and serverless (as Aqua’s move last year indicates). In other words, buying a CSPM vendor will keep you relevant as workload formats evolve.
Finally, for the CSPM vendors themselves, acquisition is a logical way to expand their product reach, for important as it is, CSPM is only part of a broader requirement for workload security. It can happily sit alongside a portfolio that includes a cloud workload protection platform (CWPP), as at PAN, for instance. However, it is equally relevant to vendors of cloud access security broker (CASB) technology, which has so far been limited to SaaS security but is now spreading its wings to encompass IaaS and PaaS. CASB went through its own landgrab a few years ago, but all the remaining standalone vendors (Bitglass, CipherCloud, and Netskope) boast a CSPM capability within their platforms.
Cloud security – IaaS and PaaS, INT005-000063 (December 2019)
“Analyst Commentary: Another CSPM vendor snapped up as Zscaler buys Cloudneeti,” INT005-000110 (April 2020)
“FireEye buys Cloudvisory, makes late push into cloud security posture management,” INT005-000086 (January 2020)
“Aqua expands into cloud posture management with CloudSploit acquisition,” INT005-000057 (November 2019)
“Trend Micro adds cloud security and compliance checking with Cloud Conformity buy,” INT005-000043 (October 2019)
Rik Turner, Principal Analyst, Cybersecurity