Sergey Galushko - Fotolia

IT pros brace for wave of M&A in microservices security

Microservices and DevOps have made IT security a shared responsibility among enterprise stakeholders, and experts expect this shift to prompt mass consolidation among vendors.

Predictions about IT security market consolidation have been greatly exaggerated so far, but as microservices security trends grow stronger, experts expect those prophecies to come to fruition in 2019.

A crop of container security startups rolled out products in 2017, and in 2018 analysts predicted that established IT security vendors would acquire them to flesh out container support. However, vendors such as Alert Logic instead developed the features themselves, and M&A activity in the IT security market remained relatively quiet.

But now, as enterprises such as Alaska Airlines pave the way for DevOps security with tools from newcomers such as ShieldX, a wide swath of IT security software vendors well beyond containers is about to converge, industry watchers said.

"The role of IT security is changing," said Fernando Montenegro, an analyst at 451 Research. "People are now distributing responsibilities for security a lot more across their organizations, and building security capabilities into DevOps pipelines."

Microservices security and cloud computing, which are based on ephemeral components that move between locations, break traditional approaches that shored-up data center perimeters. Now, security protection must apply to individual applications, and travel with them as they move between multiple environments. Where IT security once relied on trusted infrastructure in static data center environments, zero-trust security concepts will take over.

Moreover, as traditionally siloed roles for IT pros disappear under DevOps, multiple enterprise stakeholders, including nontechnical business managers, must share microservices security tools and collaborate on corporate security policies.

Fernando Montenegro, analyst, 451 ResearchFernando Montenegro

Thus, what used to be a compartmentalized market where vendors sold software to separate buyers in different corporate departments must realign itself, and appeal to broader enterprise security organizations that demand much more flexible IT security tools. Industry watchers said this shift has already begun, with last month's acquisition of Twistlock by Palo Alto Networks.

"The Palo Alto and Twistlock deal was very interesting," Montenegro said. "Zero-trust infrastructure is the marketing buzzword du jour."

That deal, along with Palo Alto's simultaneous acquisition of PureSec, as well as F5's acquisition of Nginx whose service mesh software includes security policy management features, show a convergence between network, security and application management tools that will only continue, he said.

Microsegmentation and containers and clouds, oh my

Until the expected M&A tsunami breaks over the market, IT security will remain a highly fragmented space where enterprises manage a plethora of tools. In addition to convergence between container security and network infrastructure vendors, enterprise IT buyers also expect new blends between traditionally VM-focused network microsegmentation vendors such as ShieldX, vArmour and Illumio and cloud infrastructure providers. They hope this will eventually lead to centralized security policy management tools that can help them make sense of it all.

The role of IT security is changing. People are now distributing responsibilities for security a lot more across their organizations, and building security capabilities into DevOps pipelines.
Fernando MontenegroAnalyst, 451 Research

"We use a lot of different suppliers, and try not to impose strict requirements on developer teams," said an executive at a large global telecommunications service provider who requested anonymity. At his company, DevOps teams choose their own container and application security tools, so the company already uses software from Aqua Security, Twistlock and CloudPassage, among others. "Now, we're figuring out how to maintain visibility into the business logic across several environments with unique capabilities," he said.

Here, vArmour, which the telecom has used in its VMware environment since 2015, has pivoted away from marketing its own Layer 7 microsegmentation features. Instead, it now focuses on security policy distribution through segmented networks provided by cloud vendors and VMware NSX at lower layers of the network stack.

This strategic move by vArmour especially intrigues the telecom executive.

"What we're looking forward to with vArmour is trying to solve some higher-ordered problems that the market hasn't really completely addressed, in my opinion, around how you define appropriate policies for a microsegmented network," the executive said. "We're looking for something that lets us operate an apparatus of multiple security tools that maintains some simplicity."

Tim Eades, CEO and co-founder at vArmour in Mountain View, Calif., also expects IT security M&A to flourish this year, especially because he expects the Federal Reserve will continue to lower interest rates, which greases the skids for capital investments.

"You're going to see unusual buyers -- Amazon, Microsoft and VMware will buy in the security space," he said. "Zscaler and Okta are also [potential] buyers."

Eades wouldn't say definitively whether vArmour will be a buyer or an acquisition target, but after IT security consolidation over the next two years, he expects further convergence and consolidation that encompasses IT security policy integration with change management databases.

"A CMDB [configuration management database] can be completely dynamic if it's done right," Eades said. "A CMDB, with policy computation on top of it, can calculate what is happening, what should be happening and what can happen in the environment. That's what IT operations will turn into."

Dig Deeper on Containers and virtualization