Zscaler Buys Cloud Security Startup Cloudneeti
Zscaler will acquire Cloudneeti for an undisclosed amount in a deal that adds cloud security posture management (CSPM) to its platform.
CSPM companies provide security processes and tools to prevent and fix cloud misconfigurations. This is important because these misconfigurations are the leading cause of data breaches and compliance violations in cloud applications — the Capital One data breach is one recent example. In fact, the most recent Cloud Security Alliance’s threat reports ranks data breaches and cloud misconfigurations as the No. 1 and No. 2 cloud security threats, respectively.
Gartner recommends all cloud security vendors invest in CSPM, and forecasts “through 2024, organizations implementing a CSPM offering and extending this into development will reduce cloud-related security incidents due to misconfiguration by 80%.”
CSPM “is only becoming more important,” said Gartner analyst Neil MacDonald. “It allows organization to identify where they have known or unacceptable risk in their cloud configurations, and there’s been multiple acquisitions in this space.”
Hot M&A Market
Last year Aqua Security purchased CloudSploit, Trend Micro bought Cloud Conformity, and Sophos acquired Avid Secure to add CSPM to their portfolios. And in 2018, CheckPoint acquired Dome9 and Palo Alto Networks bought a couple of CSPM vendors: Evident.io and RedLock. Also that year VMware bought CloudCoreo and CloudHealth to round out its CSPM.
“It does raise the question of what some of the other competitors will do here, like Cisco or Fortinet, as they evolve their offerings,” MacDonald said. “I think this CSPM market will continue to change shape. There will be more acquisitions and more vendors adding this to their portfolio. This won’t be the last change we see in this space.”
Cloudneeti’s technology collects actual configurations from cloud service providers, compares them against cloud security best practices, and then analyzes risks and fixes misconfigurations. It works across software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS) providers including Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and Microsoft’s Office 365.
The company, which is one of the earlier CSPM vendors, differentiated itself by being “one of the first to focus on Azure because everyone else was focusing on AWS,” MacDonald said. “The other thing they did that was smart: the extended their CSPM capabilities to Office 365. They realized that this problem of misconfiguration and mismanagement is not just a problem in infrastructure-as-a-service, it’s at the SaaS layer as well and there are very few CSPMs that have gone up to the SaaS layer.”
In fact, Cloudneeti’s Microsoft expertise made it an attractive acquisition target, said Punit Minocha, Zscaler SVP of business and corporate development. While many CSPM companies start with AWS before branching out to other public cloud providers, “these guys took a different stance as it relates to cloud of choice. They started with Azure, and we as a company do a fair amount of partnering with Microsoft.”
Boost to CASB, Zero Trust
Zscaler last year added out-of-band cloud access security broker (CASB) capabilities to its platform to provide visibility and enable data protection for SaaS applications. And after adding CASB, “the second piece that started to come up in discussions with customers was ‘we have a fair number of workloads running in public clouds — AWS, Azure, GCP, you name it,’” Minocha said.
Customers expressed concerns about public cloud misconfiguration leading to noncompliance and data breaches. “So to address this need, we went down this path of adding CSPM,” he said. “Think of it as yet another add-on to make sure we are bolstering our data protection services.”
Cloudneeti’s capabilities strengthen Zscaler’s existing data protection capabilities across its internet access and CASB services, Minocha explained. It also expands application protection capabilities in Zscaler Private Access by allowing developers to find and automatically correct misconfigured applications and compliance violations in cloud service provider environments.
Additionally, the Cloudneeti company culture meshed well with Zscaler, Minocha said. “We have been public for two years and going down this path of inorganic growth, and we want to make sure that we acquire companies that are a good cultural fit.”
Zscaler’s Security Strategy
This is Zscaler’s third acquisition. It acquired artificial intelligence (AI) and machine learning (ML) startup TrustPath in August 2018, and browser isolation startup Appsulate in May 2019.
The company’s Cloud Security Platform processes “well over 100 billion transactions daily,” Minocha said. “And the word ‘platform’ I know is used bastardly by almost everyone out there. Ours is a true, in-line, active inspection element. Nothing good leaves the organization and nothing bad comes in. And when you are processing as much traffic as we are, we have to be mindful of in-line inspection abilities we can build in, and then capabilities that we can add inorganically that might be less performance sensitive.”
These inorganic additions to the platform include secure browser isolation via the Appsulate acquisition, he added. Also, processing 100 billion transaction requires “a fair amount of AI and ML,” and the TrustPath purchase plays into that.
The Cloudneeti acquisition advances Zscaler’s security capabilities and “it’s a logical progression,” MacDonald said. “They started with secure web gateway, they they added branch office firewall-as-a-service and Zscaler Private Access — what we call zero-trust network access.”
The vendor also acquired Appsulate and built its own CASB, he added. “This is the latest in a series of capabilities they are building out on top of their global security fabric.”