Enterprises gear up for surge in cloud security M&A

Users look forward to benefits and brace for potential risks as experts say Red Hat's acquisition of StackRox portends major consolidation in cloud security this year.

IT pros should expect more deals this year similar to Red Hat's recent acquisition of StackRox, industry watchers say, which has early adopters of such cloud security tools anticipating the pros and cons.

The COVID-19 pandemic pushed companies toward cloud computing and with it, cloud security tools, including container security and Kubernetes security products such as those produced by StackRox and its competitors. With money still flowing into tech amid a broader economic downturn in 2020, the latter half of the year also saw an overall M&A surge in the industry that topped $485 billion in transactions, according to a report released this month by S&P Global Market Intelligence.

Cybersecurity startups have also seen an influx of venture capital (VC) investment -- more than $8 billion in 2019 and greater than $7 billion in 2020, according to analysis by Momentum Cybersecurity Group and Crunchbase. Thus, it's natural to expect that the many VC-backed cloud security companies that have begun to emerge from that trend will make ripe acquisition targets, analysts said.

S&P Global M&A tech deals
The number of monthly tech deals valued at more than $1 billion rose sharply toward the end of 2020, according to a Jan. 12 report by S&P Global Market Intelligence.

"The very nature of cloud-native technology – particularly the ability to easily leverage APIs to describe or manipulate the cloud environment – makes it easy both for new startups to create products but also for established vendors to do their own development," said Fernando Montenegro, an analyst at S&P Global. "This means cloud-native security M&A may be a bit less flashy, a bit smaller than cybersecurity deals from years past, but we still see them happening."

IT analysts have previously predicted cybersecurity consolidation, particularly in cloud and container security, without major results. But two years ago, those predictions centered around legacy security firms buying up bleeding-edge container security startups; the difference now is in the acquiring companies, according to S&P Global.

"There's been a big jump in non-security companies buying security companies," said Garrett Bekker, an IT security analyst at the firm, based in New York. "It used to be all in the family, with Symantec and McAfee buying other security companies, but one of the biggest security deals last year was Nasdaq buying a fraud detection company called Verafin."

Red Hat, which has experience in IT security products such as SELinux, but isn't a cybersecurity specialist per se, is another example of this trend, as is F5 Networks' $500 million acquisition of edge computing provider Volterra, which includes cloud security in its platform, earlier this month. Others include VMware acquiring cloud security software maker Octarine last year, Cisco's acquisition of container security specialist PortShift, and Arista Networks' purchase of Awake Security, an AI-driven network threat detection and response firm.

Analysts now expect cloud security acquisitions to be made by networking firms, along with purveyors of Kubernetes platforms and cloud computing.

"Overall, digital transformation is based on cloud, but also things like mobility, IoT and all those things are network-centric compute models," said Zeus Kerravala, principal analyst at ZK Research. "Almost by definition, you have to shift the way you do security [away] from being workload-centric, which is why you see network and security stacks coming together."

IT pros hope for security tools reduction, R&D boost

Enterprise StackRox customers said they hope the Red Hat acquisition will spur faster product development, given the IBM subsidiary's deeper pockets. For example, StackRox planned to launch a SaaS version of its product in early 2021, which is a big undertaking for a relatively small company.

"We want StackRox to host the 'brain' of its software so we don't have to manage it ourselves," said Pathik Patel, head of security at Informatica. "[StackRox] have a lot of roadmap and growth ahead of them, and with a bigger company taking them over, they'll be able to use the resources of Red Hat."

Red Hat officials stopped short of confirming plans to back that product but said in an email that the SaaS idea "aligns well with Red Hat's portfolio."

Overall, Patel said he wants his DevSecOps team to get away from managing multiple security tools and focus more on the company's overall cloud security, a sentiment echoed by other practitioners who say tool consolidation will help IT teams achieve that goal.

"More and more organizations are moving towards a product-oriented delivery and providing business value, and that value shouldn't be dependent on a certain technology, application or skill set," said Rishi Kulkarni, enterprise architect director at cloud and tech consulting firm Capgemini, who works with the company's DevSecOps clients in North America. "This cross-functional need can [only] be fulfilled when there is more consolidation … so that they will be able to not just deploy applications, but actually roll out products much faster."

Some users brace for cloud security consolidation cons

StackRox was a smart buy on Red Hat's part, some customers say. However, they also wonder how the acquisition might affect the security vendor's support for some Kubernetes distributions that Red Hat might see as directly competitive with its OpenShift platform.

Red Hat's acquisition FAQ states that StackRox will continue to support Amazon Elastic Kubernetes Service, Microsoft Azure Kubernetes Service and Google Kubernetes Engine. It did not name independent Kubernetes distribution vendors such as SUSE's Rancher Labs, VMware Tanzu Kubernetes Grid (TKG) and D2iQ Konvoy.

"The fact that they didn't mention the [independent] options is concerning," said Nicolas Chaillan, chief software officer at the U.S. Air Force, which is a Red Hat OpenShift customer but also uses other Kubernetes vendors. "They support Rancher and Konvoy and TKG today -- I hope this won't go away, because we use [StackRox with all three]."

More will be revealed about Kubernetes distro support after the acquisition closes this quarter, Red Hat officials said in a statement.

Some IT pros simply prefer working with smaller vendors, which may offer better pricing than large software companies as they establish themselves, along with direct access to product developers.

"We like smaller companies, because they're more laid-back and you tend to get more help, especially as early adopters," said Jonathan Meyers, principal infrastructure engineer at cybersecurity training provider Cybrary Inc., a StackRox user that also runs a web application firewall from Signal Sciences, which was acquired by content delivery network vendor Fastly in August. "We're just afraid that when they get gobbled up by big companies, that kind of goes away."
