adrian_ilie825 - Fotolia

Cloud security challenges spark startup acquisitions

Cloud security startups are popular acquisition targets, as cloud providers and third parties seek to address corporate IT concerns across multiple platforms.

Security on public cloud platforms is a chronic user concern, but as enterprise adoption rises, cloud security startups are a hot commodity.

Amazon Web Services, Oracle and VMware have all snapped up startups this year to address cloud security challenges. This market consolidation has happened as large-scale IT vendors strengthen their own platforms or make their technologies an integral part of a multi-cloud architecture.

AWS in January acquired Sqrrl, which it will likely fold into its security tool set to address threat detection. That deal came nearly two years after AWS bought Harvest.ai and its machine learning-backed (ML) Macie tool, which later became an AWS product to identify anomalous behavior.

Some purchased assets will be used to secure more than just public cloud infrastructure. Oracle said last month it will acquire Zenedge for its line of cloud cybersecurity tools. Google added Bitium in September 2017 for its single sign-on capabilities, and Microsoft acquired Hexadite in June 2017 for its ML-backed threat detection.

"These guys understand that security is an adoption barrier for their services and they'll do whatever they can to reduce that," said Fernando Montenegro, an analyst at 451 Research.

This trend isn't just limited to cloud but aligns with broader IT shifts. By Montenegro's count, there have already been at least 20 IT security vendor acquisitions in the first two months of 2018.

Cloud security startups acquired to address multi-cloud

The third-party market for cloud security is a highly fractured mix of traditional vendors and cloud-native startups that seek to complement services offered by the hyperscale providers. No single vendor has a clear edge in technology or market share. Many of these cloud security vendors tackle singular problems, so it leaves the door open for even more acquisitions as larger vendors flesh out their security portfolios.

Fernando Montenegro, analyst, 451 ResearchFernando Montenegro

That is what drove traditional enterprise security vendor McAfee to buy Skyhigh Networks in January for its cloud access security broker capabilities. And later that month log analytics vendor, Sumo Logic, bought FactorChain for its rapid search and identification of security issues across multiple cloud assets.

No single player is likely to dominate cloud security because of all the multi-cloud deployments, added to the fact that most major cloud platforms specialize in some ways. For example, Microsoft Azure is tailored to the enterprise market, while Google Cloud Platform gears itself toward complex engineering tasks. Those cases call for different security approaches, so it's hard for any one company to offer a unified product that handles both equally well.

Companies on the outside looking in at the public cloud platforms see an opening to either manage or secure these workloads. This is a logical step because a customer may run applications on AWS, Azure and GCP, but those vendors don't care much about how that customer secures applications that don't run on their individual platforms.

It's mind-blowing ... the kind of instrumentation and monitoring and automation that you can get from a cloud environment.
Fernando Montenegroanalyst, 451 Research

The need to secure a multi-cloud environment has even enticed non-cloud security companies, such as VMware, to move deeper into this space. VMware released a tool last year called AppDefense, and this February it acquired CloudCoreo, which assesses configurations and vulnerabilities across multiple environments. Cisco also boosted its cloud security portfolio when it acquired Observable Networks last July.

Cloud security challenges persist. It has become a baseline expectation, however, that cloud providers will offer enough features and continue to evolve, said Cassandra Mooshian, an analyst at Technology Business Research Inc. in Hampton, N.H. Enterprises have different security implications and expectations for hybrid deployments as they share data between a private data center and the cloud.

"As vendors push the hybrid environment -- and as they also push into AI and analytics capabilities -- they have to do this," she said. "Security is top of mind for customers and they don't want their data compromised."

Notable cloud security vendor deals since mid-2017

It's uncertain how long MSPs' window of opportunity will remain open. Third parties will continue to add value because it's hard to manage multiple clouds, and because there will be new innovations to address threats. But cloud vendors themselves will solve many of these problems, said 451 Research's Montenegro. It's left to customers to determine when it's best to choose a native tool and when to choose a tool from a third-party vendor.

"It's mind-blowing when you think about the kind of instrumentation and monitoring and automation that you can get from a cloud environment," Montenegro said. "What I hope to see moving forward is people paying attention to what is offered by third parties, but also paying attention to whatever they can get from their provider."

Next Steps

Risk & Repeat: Security startups and trends from RSAC 2021

Dig Deeper on Cloud deployment and architecture