More consolidation is afoot in the world of cybersecurity, specifically around services to help organizations manage identity and access. Today, One Identity -- which provides tools for managing "zero trust" access to systems, as well as running log management and other governance services for enterprises -- announced that it has acquired OneLogin, a rival to companies like Okta, Ping and others in the area of secure sign-on services for end users.
Terms of the acquisition -- which officially closed last week, on October 1 -- are not being disclosed, but we are trying to find out.
For some background, One Identity today is part of Quest Software, which is privately held by PE firm Francisco Partners. Before that it was a part of Dell. Francisco originally partnered with Elliott to acquire Quest and related assets from Dell back in 2016 as part of the latter's streamlining efforts, in a deal that at the time was reportedly worth about $2 billion. The company has some 7,500 enterprise customers and says that it manages some 250 million identities.
OneLogin, meanwhile, last disclosed funding in 2019 -- a $100 million Series D that valued it at $330 million, according to PitchBook data. (Note: You will notice that PitchBook lists another fundraise after this, but it doesn't specify a date, or an amount.) OneLogin has some 5,500 customers, including the likes of Airbus, Stitch Fix, the AAA and Pandora. Together, the companies will handle some 290 million identities under management, Quest CEO Patrick Nichols told TechCrunch in an interview. This figure includes not just "people" but M2M-style nodes on systems, he added.
The M&A comes amid a bigger shift in the security industry. In the years since Dell sold off its assets and OneLogin raised money, cybersecurity threats have only grown, fueled by the ongoing shift to more cloud services and by people and organizations doing more business digitally. (OneLogin, citing data from IBM, estimates that the average cost of a breach now stands at $3.86 million, although that does not include the significant cost to an organization's reputation and trust with its users.)
Within that bigger trend, identity management -- and often more likely mismanagement -- has been an especially vulnerable area, with malicious hackers using a variety of techniques relying both on sophisticated technology and human error to crack into systems.
When considering the different threat vectors in the market today, "70% of them are a direct result of poor identity management," Nichols said, citing research from Verizon.
And the threat is particularly acute in part because the number of endpoints is growing rapidly, not because of more people coming on to networks, but because of more connected devices. Half of the endpoints on a system are typically devices rather than specific individuals, Nichols said, "and once they get breached, it is just like stealing a password."
And at the same time, after years of using point-solutions for different aspects of their cybersecurity strategies, enterprises are increasingly looking for platforms and bigger toolsets that can handle multiple functions to have a more unified picture of system activity, and to ensure that there is less risk of different cybersecurity tools inadvertently conflicting.
All of this points to more consolidation. In the specific case of One Identity, the company sees an opportunity in providing a fuller set of services to customers beyond those to help them manage networks internally, by adding more end-user facing tools. Similarly, the thinking goes that customers of OneLogin might also be interested in bringing more of their cyber strategy on to a single platform.
"Right now, organizations see a twofold gain from consolidating around a platform player in cybersecurity," Nichols said. The first is, "to increase efficiency," but the other, he pointed out, is legislation. With more regulatory oversight in how companies are handling their cybersecurity challenges, the pressure is on them to make their systems more resilient, and having too many components becomes a challenge to manage for that reason, too.
“Joining One Identity provides us with the ability to further accelerate our growth and provide additional value for both of our customers,” added Brad Brooks, CEO of OneLogin, in a statement. “With OneLogin’s robust unified platform for both workforce and CIAM, combining forces with One Identity’s suite of products including their PAM solution, will allow new and existing customers, on a global scale, to tap into the market’s only unified identity security platform.”
It will be interesting to see whether and how M&A moves continue in the space. Okta has been a very acquisitive player to date, and there are a number of companies on the market covering different aspects of the identity challenge that are still independent. (Jumio being one example.)
The combined company will cover a number of services, including Privileged Access Management (PAM); Identity Governance and Administration (IGA); Active Directory Management and Security; and now Identity & Access Management (IAM).
“With the proliferation of human and machine identities, the race to the cloud and the rise of remote working, identity is quickly becoming the new edge – and protecting identity in an end-to-end manner has never been more important,” said Bhagwat Swaroop, president and general manager of One Identity, in a statement. “By adding OneLogin to our portfolio, and incorporating it into our cloud-first Unified Identity Security Platform, we can help customers holistically correlate all identities, verify everything before granting access to critical assets and provide real-time visibility into suspicious login activity. With identity at the core, customers can now implement an adaptive zero trust strategy and dramatically improve their overall cybersecurity posture.”