
CyberArk Goes All In on Machine Identity With Venafi Deal

CyberArk's $1.54 billion agreement to buy Venafi is a sign of how human and machine identities will converge with certificate life cycle management.


Identity-based attacks aren't just limited to breached credentials of people with rights to sensitive information or privileged access to critical systems. Machine identities are increasingly being targeted in attacks, so organizations need to expand their defenses to include both user and machine identity.

Identity security and access management company CyberArk's announcement that it is spending $1.54 billion to acquire Venafi from private equity firm Thoma Bravo reflects the shift to protect machine identities. CyberArk over the past few years has added machine identity management capabilities via Secrets Manager and Secrets Hub to its privileged access management (PAM) platform and identity and access management (IAM) tools. Venafi specializes in machine identity management and will allow CyberArk to expand its capabilities once the deal closes in the second half of 2024.  

Analysts say CyberArk has pursued machine identity security more aggressively than the other established providers of IAM and PAM platforms.

"Machine identities haven't been an area of focus for [most IAM] vendors," says TechVision Research CEO Gary Rowe.

Machine Identity Management Heats Up

Several security companies have already made this shift. Ping Identity merged with ForgeRock last fall. Providers of certificate life cycle management platforms have also added machine identity security capabilities, including AppViewX, Keyfactor, and HashiCorp, which IBM recently agreed to acquire for $6.4 billion. 

Numerous smaller players and startups have also surfaced with machine identity offerings. For example, startup Token Security launched a machine-centric IAM platform earlier this month on the heels of receiving $7 million in seed funding from TLV Partners, SNR, and angel investors. And in February Entro extended its machine secrets and identity protection with a machine identity life cycle management offering. 

Forrester principal analyst Geoff Cairns says other startups with machine identity management offerings include Aembit, Astrix and Natoma.

"We've been seeing a growing number of machine identity management startups recently, while established PAM vendors have mainly been approaching machine identity management from a DevOps-secrets management standpoint," Cairns says. 

Secrets Hub With Certificate Life Cycle Management

Indeed, that was the case for CyberArk, whose secrets management offerings protect, discover, secure, and manage the secrets machines use to access data, infrastructure and systems. Yet that only covers some of the potential machine identities that organizations manage. 

"We're focused there, but that's only a sliver of the extensive and very long-tailed set of nonhuman identities," Clarence Hinton, CyberArk's chief strategy officer, tells Dark Reading. Adding Venafi will let CyberArk expand its ability to manage and protect other machine identity types with Venafi's certificate life cycle management platform, he explains. 

"They have a massive, powerful certificate discovery engine that defines certificates throughout your estate," he says. 

Specifically, Venafi's platform encrypts and locks down the discovered certificates and ensures that any outdated, obsolete, or unused ones are retired. It also keeps the remaining certificates current, including automatically renewing them before they expire, Hinton says.

"If you don't renew an inactive and needed certificate, obviously you will have downtime that can be tremendously expensive," he emphasizes. 
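The renew-before-expiry and prune-what-is-stale logic described above, as an added example that is not Venafi's or CyberArk's code: a small Go inventory pass that parses a PEM bundle, buckets each certificate as expired, inside the renewal window, or healthy, and skips non-certificate PEM blocks rather than choking on them. The hostnames under `example.internal` and the self-signed test certificates are constructed for the example; in a real estate the bundle would come from discovery across files, key stores and TLS endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Lifecycle buckets for an inventoried certificate.
const (
	StatusExpired  = "EXPIRED"   // past NotAfter: may already be causing an outage
	StatusRenewNow = "RENEW_NOW" // inside the renewal window: renew before it lapses
	StatusOK       = "OK"
)

// Finding is one row of the inventory report.
type Finding struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int
	Status   string
}

// ClassifyPEM parses every CERTIFICATE block in pemData and buckets it against
// now using renewWithin as the renewal window. Other PEM block types (keys,
// CSRs) are skipped; a certificate that fails to parse is reported as an error
// rather than silently dropped from the inventory.
func ClassifyPEM(pemData []byte, now time.Time, renewWithin time.Duration) ([]Finding, error) {
	var out []Finding
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		remaining := cert.NotAfter.Sub(now)
		status := StatusOK
		switch {
		case remaining <= 0:
			status = StatusExpired
		case remaining <= renewWithin:
			status = StatusRenewNow
		}
		out = append(out, Finding{cert.Subject.CommonName, cert.NotAfter, int(remaining.Hours() / 24), status})
	}
	return out, nil
}

// selfSigned builds a constructed test certificate (hypothetical CN) so the
// example runs offline without touching a real CA or key store.
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleInventory returns a constructed bundle with one expired certificate,
// one inside a 30-day renewal window, and one healthy certificate.
func SampleInventory(now time.Time) ([]byte, error) {
	var bundle []byte
	for _, c := range []struct {
		cn       string
		notAfter time.Time
	}{
		{"legacy-api.example.internal", now.Add(-48 * time.Hour)},
		{"payments.example.internal", now.Add(10 * 24 * time.Hour)},
		{"intranet.example.internal", now.Add(300 * 24 * time.Hour)},
	} {
		p, err := selfSigned(c.cn, now.Add(-365*24*time.Hour), c.notAfter)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Now()
	bundle, err := SampleInventory(now)
	if err != nil {
		panic(err)
	}
	findings, err := ClassifyPEM(bundle, now, 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-9s %5dd  %s  (expires %s)\n", f.Status, f.DaysLeft, f.Subject, f.NotAfter.Format(time.RFC3339))
	}
}
```

Two design points worth noting. The renewal window is a parameter rather than a constant because the right value depends on how long the issuing pipeline takes end to end; a 30-day window with a CA that needs a week to approve is a 23-day margin, not 30. And the pass covers only the expiry dimension of lifecycle management: deciding that a certificate is "unused" requires correlating the inventory with where it is actually presented or pinned, which a bundle scan alone cannot tell you.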

After the deal closes, CyberArk plans to integrate its secrets management offerings with Venafi's control plane. In addition to certificate life cycle management, the Venafi control plane offers cloud-based PKI, identity management for IoT nodes, and cryptographic code signing. It secures these machine identity types by orchestrating the cryptographic keys and digital certificates used for machine-to-machine communication.

"We will deliver an end-to-end machine identity security platform at enterprise scale," said CyberArk CEO Matt Cohen, during the investor call announcing the deal. "We are confident this acquisition will help us set a new standard for machine identity security."

More Machine Identities Than Human

Cohen emphasized the growth of machine identities in the past two to three years, noting that large organizations can have 40 machine identities for every human identity.

"The threat landscape has increased at such a quick vector, where machine identities are actually a target in the attack landscape — actually a significant target and a cause of several of the most recent, most prominent breaches."

The growth in machine identities is expected to accelerate as companies expand their digital transformation efforts to replace legacy software with microservices, and as they deploy Internet of Things-based applications. CyberArk forecasts a 2.4x rise in machine identities over the next 12 months, based on a survey of 2,400 security leaders polled for the company's "2024 Identity Security Threat Landscape Report."

According to the report, released this week, 68% of respondents said that up to half of all their machine identities have access to sensitive data, compared with 64% who said the same of their human identities.

CyberArk's acquisition of Venafi underscores the growth of machine identities and the challenges that will be put on large organizations, which require resilient operations and agile environments for developers, according to Forrester's Cairns.

"Longer term, it should enable organizations to take a more cohesive approach to identity security — across a diverse set of both human and machine use cases — with a single platform," he says.

About the Author(s)

Jeffrey Schwartz, Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.
