It has been a few days now since word got out that Microsoft signed a letter of intent to acquire Adallom. Since we apparently do not yet have a definitive agreement in place, we have not heard from either party on the synergies and points of leverage this acquisition provides, some of which are obvious, others more nuanced. In any case, this news highlights some fundamental dynamics for how this emerging and highly relevant security product category will develop. But, first, some context setting is in order.
Whilst vendors such as CloudPassage, Evident.io, ThreatStack, and Trend Micro focus on securing cloud-resident workloads and services (let’s call that “in the cloud” for now), Adallom, CipherCloud, CloudLock, Elastica, Netskope, Skyhigh Networks, and others are about securing the use of SaaS apps delivered from the cloud. Most importantly, “from the cloud” security solutions provide visibility and control for data being created, accessed from, and stored in the cloud a la Data Loss Prevention (DLP) for SaaS apps or “Cloud DLP.” Yeah, we need work on some definitions, stay tuned. And from a go-to-market perspective, it is also important to note the former typically sells to a DevOps influenced buyer, the latter more traditional IT.
The need for “from the cloud” security is, of course, born of the shadow IT revolution. That horse is out of the barn and well down the road such that corporate IT needs to embrace that reality by playing the role of enabler, not preventer while at the same time gaining corporate governance over unauthorized SaaS applications. Ah, those rogue business units and pesky users running amuck with Dropbox, Jive, Facebook, Google Apps, and so many more! Oh, yeah, and Office 365 as well, which brings us back to the topic at hand: With the Adalllom buy, Microsoft will now be able to tout Office 365 and likely Azure Active Directory (AD) and OneDrive as more secure than Google Apps, Box, et al. But Adallom does more than secure the use of Office 365, and therein lies some key questions centered around the notion of scope.
- Breadth v. Depth: A fundamental question customers will need to answer is whether they want a security product that goes super deep for a few SaaS apps or one that provides visibility into all SaaS apps being used in their environment. In the same way that not all data is created equal relative to its intrinsic value to the business, apps have relative importance with respect to the sensitivity of their associated data. Case in point: Many companies today run essentially their entire business on salesforece.com as the single source of truth for all things related to a customer during their lifecycle from suspect to prospect to customer. Yet IT knows all too well there are a ton of SaaS apps in use and that they cannot protect and secure what they don’t know they have. As such, companies evaluating products in this category to get ahead of the shadow IT curve should seek both breadth in coverage and depth for their most strategic SaaS apps.
- Feature, Product, or Platform: Let’s channel Dan Akroyd and Gilda Radner and their Saturday Night Live Shimmer skit and debate floor wax or desert topping in the context of where SaaS app usage governance belongs—in the app itself or in a third-party product or platform. SaaS apps should absolutely include more native security controls such as integration with Identity and Access Management (IAM), which is especially important since security should be applied at the user, not device level, given today’s mobile workforce. Google Apps, for example, does provide Two-Factor Authentication (2FA). But IT still needs to know whether 2FA is enabled and will rightfully want integration with their corporate directory service. Governance, however, requires a single view of access and usage (visibility) and centralized policy management (control) across all apps. As such, base-level security controls in SaaS apps are a must while standalone products are too as they provide horizontal coverage. Products that provide a rich set of integrations, native APIs, the use of cloud-delivered threat intelligence as well as breadth of coverage represent strategic platforms that truly help IT enable business at the speed of the cloud.
- Integrations: Defense in depth and a layered approach to security should mean integrating disparate technologies together to cover up seems and lower the cost of ownership associated with product, agent, and console fatigue. Companies looking to address the shadow IT genie that’s out of the bottle should strongly consider offerings that integrate with their network security controls including firewalls and proxies as well as their SIEM, DLP, IAM, and Enterprise Mobility Management (MDM) investments. Social media threat intelligence feeds such as the one offered by ZeroFox would also be an interesting integration point for these cloud security platforms.
It’s unlikely customers will buy security for Box, Google Apps, etc. from Microsoft when Microsoft offers competitive apps. And, given the distributed nature of SaaS app buying centers, it’s at least equally unlikely that Microsoft will be able to cross-pollinate Office 365 and OneDrive sales on the back-end of an Adallom sale. Given this, this acqustion would seem to fall on the depth end of the spectrum while also providing Microsoft threat research and intelligence DNA as well as some measure of security street cred given the strength of the Adallom team. All of this is assuming, of course, that this deal goes down.
The shadow IT reality and cloud first imperative for strategic IT projects is such that the Microsoft-Adallom news should increase the volume of the discussion around these and other cloud security considerations.
“From the cloud” security focused on access and usage for visibility, control, and governance is one of the cloud security segments on which ESG will be conducting in depth end-user research and industry analysis, so stay tuned. In the meantime, I’d love to hear your thoughts on this news and more!