Date: 31 March 2021
Who should read this? Anybody and everybody interested in managing privileged users, anyone looking to buy a PAM solution or anyone looking to renew their existing Privileged Access Management solution.
In this blog, we cover:
1. Why is this blog an important read?
2. What do Mergers & Acquisitions have to do with PAM & Cyber-attacks?
3. $1.4 Billion for Thycotic, a leading PAM-as-a-Service Provider
4. What does this merger mean for the PAM buyer?
Unless you’ve been without internet access since October, you know about the SolarWinds supply chain attack (known as the Solorigate attack) and the fact that it’s continuing to wreak havoc around the world.
It’s not over yet! Microsoft’s President Brad Smith says “No one should believe that this attack has yet been fully understood or is yet fully contained”[1]
So, why is this blog an important read?
First, let’s see what Microsoft’s President Brad Smith said about this attack to the US Senate Select Committee on Intelligence on 23 February, 2021:
“..unlike some attacks that take advantage of vulnerabilities in software, this attack was based on finding and stealing the privileges, certificates, tokens or other keys within on-premises networks.”
Put simply: one of the most sophisticated cyber-attacks was based on finding and stealing privileged credentials.
For years, we have advised our clients that privileged identity and access management controls are foundational for protecting enterprises from ever-evolving threats. Our clients and partners continue to rank PAM (Privileged Access Management) controls as one of the top three security priorities, continually looking to expand PAM protections across the enterprise and modernise implementations with newer, cloud-based vendors.
If you want a remote chance of defending yourselves from SolarWinds-type advanced cyber-attacks you must focus your energy and a significant portion of your budget on implementing and optimising privileged access management (or PAM) in your organisation. We can categorically say that organisations that have mature privileged access management are able to stop (yes, stop) between 80% - 90% of cyber-attacks at some point in the attack lifecycle. Put simply: If controls are in place that continually discover, manage, and safeguard privileged credentials, what an attacker can do once they have breached the perimeter is limited.
What do Mergers & Acquisitions have to do with PAM and Cyber-attacks?
Now this is where it gets interesting. Amidst the ongoing and rather annoying cyber-chaos, the Identity and Access management landscape continues to experience its own large-scale disruptions, via M&A activity and private equity capital investment. As CIOs and CISOs you need to understand these recent changes and ensure you invest in the right technologies as part of your effort to increase your cyber maturity.
Again, why do you need to read this article? Put simply, there is considerable consolidation going on in this space and you, regardless of whether you are a CIO, CISO or a techie, should know about the opportunities and threats posed by these mergers and acquisitions.
$1.4 Billion for Thycotic, a leading PAM-as-a-Service Provider
Around the first week of March, TPG Capital announced a $1.4 billion acquisition of Thycotic and announced its intent to merge the company with enterprise identity vendor, Centrify, which TPG acquired in January. It should not be a surprise that deals of such magnitude occurred just weeks after the SolarWinds revelation.
Oh, not to be outdone, you should also know that Okta recently acquired Auth0 for $4.5 Billion USD. Okta has shown an impressive ability to expand its market reach and product capabilities in recent years, as evidenced by their ~$27B market cap.
We reviewed Thycotic and recognised them as leaders in the PAM-as-a-Service space two years ago. Back then, we were impressed by their laser-like focus on delivering PAM-as-a-Service, their focus on end-user experience and usability, as well as their unique ability to quickly respond to changing market requirements and trends. They were the first-to-market with several unique technologies, including Account Lifecycle Manager, which brought IGA to the PAM space.
Thycotic’s surge to market leadership position has also been noted by both Gartner and Forrester as well as other industry analysts. This, in our opinion, is thanks to their consistent product innovation and geographic expansion. No doubt, its strategic relationship with IBM Security has helped move the compass firmly in the leadership zone.
So, what does this merger mean for the PAM buyer?
From our vantage point, unlike competition-destroying mergers, we believe that this merger is more of a marriage of two identity security leaders - Thycotic, a PAM and cloud-PAM specialist merging with Centrify, as an established SaaS player with its market-leading Active Directory bridging technology. While it’s early days, we see Thycotic leveraging this union and continuing its focus on innovation to extend its PAM leadership position and, quite possibly, emerge as the dominant player in the years to come.
[1] Strengthening the Nation’s Cybersecurity: Lessons and Steps Forward Following the Attack on SolarWinds Written Testimony of Brad Smith President, Microsoft Corporation Senate Select Committee on Intelligence Open Hearing on the SolarWinds Hack
