Early last week, CA purchased Arcot Systems in a $200 million deal that its executives say will build on its identity and access management play within the cloud. Just a day later, VMware took the wraps off its own cloud identity purchase, this one of TriCipher. Though VMware did not disclose the valuation of the deal, industry scuttlebutt estimates the figure at more than $115 million.
Forrester analyst Andras Cser says the deals are proof-positive that authentication-as-a-service is critical for today's identity and access management strategies and that virtualization isn't viable without identity and access management.
"CA's acquisition of Arcot signals that partnering with an adaptive authentication vendor is no longer enough to offer a comprehensive access management strategy: You'd also have to have an adaptive authentication product to allow your customers to retire costly physical tokens," wrote Cser in a recent analysis of both deals. "But this is not the primary reason CA picked up Arcot. It is Arcot's thriving hosted authentication and fraud management services that were the most lucrative assets to CA."
According to Dave Hansen, general manager for the security business at CA, the company chose Arcot to solidify the company's ability to woo large enterprises and cloud providers and to help allay the security fears that have stymied adoption during the past year.
"When we built our strategy and decided how we wanted to take the company forward, clearly we saw that the cloud is really the next evolution of a computing platform that exists, and that across our product portfolio advanced authentication was going to be a key requirement for people adopting the cloud," he says.
Meanwhile, Forrester's Cser says the VMware purchase of TriCipher is a slightly different story. "Controlling access to resources on a virtual machine or a hypervisor is crucial. Data can be stolen from an unsecured virtual container much easier than from a physical box," he wrote. "Second-factor authentication will arguably make this much more difficult."
The VMware deal is especially interesting to many industry watchers who believe it is an especially big signal that the major platform vendors are on the hunt for authentication and identity management products to embed in their architectures, says Eric Olden, CEO of Symplified, another vendor that has made headway in the space, recently brokering a deal with Amazon to help its cloud customers improve their identity management.
"I think that a platform company like VMware adding identity into the virtualization stack is pretty interesting because then it raises the question of what the other platform players are going to do," he says. "That applies to Oracle, Cisco, Microsoft, and IBM. The tier-one IT providers are going to have to do something because if they don't control identity, they're going to be at the whim of their competitors who do control that fabric."
He believes the VMware deal also acts as pretty telling evidence that these platform providers will not be able to solve the cloud's authentication and identity management problems using old-school IAM technology.
"I have seen this movie before in the '90s when I built a company, Securant Technologies, and we were part of the first wave of consolidation in identity when it was bought by RSA," Olden says. "VMware is a subsidiary of EMC, and EMC owns RSA. RSA has my old company and all of the identity capabilities it had. The fact that one of the subsidiaries went out and made an acquisition when the other subsidiary already owned similar technology reflects the fact that you can't just take an enterprise identity software product and then cloud-wash it."
While nothing is a sure bet in the security M&A field, most experts believe these deals are only the start of future activity in cloud identity acquisitions.
"There's a lot of activity in the market right now, that's for sure," CA's Hansen says. "I think people are starting to shore up their identity portfolios."
While Hansen was unable to comment on any future buys, word on the street is that CA could be on the hunt for a federated identity vendor for its portfolio, possibly former partner Ping Identity. And Cser speculates that VMware could do well to augment its latest buy with a purchase of Courion, a not far-fetched proposition given Courion's ties with VMware sister subsidiary RSA.
And that's just two of many potential acquirers, which, according to Olden, outnumber the target companies in this niche.
"The giants are realizing that in the game of musical chairs, the music is about to come to the end and if they don't act quickly, they may be in a tough spot," says Olden, who says his company has already been courted with several offers but is choosing to grow in lieu of taking an early exit. "I don't have any intentions of being acquired. I'd like us to achieve a certain velocity and be the acquirer."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.