Identity & Access Management , Privileged Access Management , Security Operations

CyberArk to Secure Machine Identities with $1.54B Venafi Buy

Deal Expands CyberArk's Reach and Capabilities Around Machine Identity Management
CyberArk to Secure Machine Identities with $1.54B Venafi Buy

CyberArk plans to purchase machine identity management stalwart Venafi for $1.54 billion to address the increased number of machine identities used in sophisticated cyberattacks.

See Also: Insights into Enhanced Cybersecurity Insurance Requirements: Meeting the demands of cyber risk insurers

The Boston-area privileged access management titan said combining Salt Lake City, Utah-based Venafi's capabilities with CyberArk's secrets management technology will create a comprehensive end-to-end machine identity security platform. The acquisition of Venafi is expected to close in the second half of 2024 and will expand CyberArk's total addressable market by 20% to approximately $60 billion (see: CyberArk CEO Touts New Browser That Secures Privileged Users).

"Our combined solutions and expertise will uniquely address the growing identity security needs of global enterprises to secure the explosive growth of machine identities," CyberArk CEO Matt Cohen told investors Monday. "These identities are increasingly leveraged in sophisticated cyberattacks."

CyberArk will acquire Venafi from private equity goliath Thoma Bravo, which bought the then -venture-backed company in December 2020 at a $1.15 billion valuation. Purchasing Venafi will add roughly $150 million in annual recurring revenue to CyberArk's topline and will immediately strengthen the vendor's margins.

The Challenges in Securing Machine Identities

Venafi was founded in 2004, employs roughly 440 people and has more than 550 customers across verticals including financial services, retail and aviation, according to IT-Harvest. The company was led for 14 years by Jeff Hudson, who in January 2024 was replaced as chief executive by former ExtraHop CEO and longtime EMC executive Patrick Dennis. Dennis wasn't mentioned in CyberArk's announcement (see: An 'Epochal Change' in Cybersecurity).

"The number of machine-to-machine communications is in the billions and easily outnumbers human communications by many orders of magnitude," Cohen said. "To mitigate security risks, all machine identity needs to be first discovered, then secured and then managed to really automate their life cycle. This is the only way to keep their connections and communication safe."

Both human and machine identities must be secured with appropriate privilege controls to address the security needs of global enterprises, according to Cohen. There's been a significant increase in machine identities due to advancements around cloud computing and artificial intelligence, which Cohen said has heightened the need to secure and manage these identities at an enterprise scale.

"Cloud computing has expanded the attack surface, increasing the connectivity between humans and machines in a perimeter-less world," Cohen said. "Every workload, API application, consumer and IoT device is now connected, and each connection point creates a potential vulnerability."

CyberArk already excels at spotting, securing and managing secrets used to access data, infrastructure and systems, and Cohen said buying Venafi will extend those capabilities across the machine landscape. Cloud computing, increased connectivity and regulatory pressures have complicated the process of securing machine identities, and Cohen said companies need modern tools to manage certificates.

"Legacy approaches like manual spreadsheets, disparate open-source tools and native platform tools leave organizations with insufficient visibility, context, automation and scale for the modern enterprise," Cohen said. "Outages caused by mismanaged or untracked identities often lead to expensive downtime, ongoing customer dissatisfaction and increased cyber risk."

What Venafi Brings to the Table

The exponential growth in machine identities such as workloads, applications, API, containers, bots and internet of things devices has led to them vastly outnumbering human communications, according to Cohen. He said securing machine identities was a recurring theme among both customers and channel partners at this month's RSA Conference, indicating significant demand for more tools and expertise.

Cohen praised Venafi for its rapidly growing SaaS operation as well as for transacting all business on a recurring basis. He expects significant revenue synergies from cross-selling and upselling Venafi's technology through CyberArk's extensive global sales and channel partner network. Cohen said Venafi's business is growing faster than CyberArk today, meaning the deal should accelerate top-line growth.

"There needs to be a paradigm shift," Cohen said. "When you combine this market inflection with CyberArk's reach and scale, the opportunity to drive accelerated penetration in enterprise accounts is enormous."

CyberArk has made acquisitions sparingly in recent years. The company most recently bought multi-cloud security and compliance provider C3M in July 2022 for $28.3 million to add cloud privilege security offerings. Four months earlier, CyberArk bought for $17.7 million to bolster its identity life cycle management capabilities and broaden its identity automation and orchestration capabilities.

In May 2020, CyberArk bought Idaptive from Thoma Bravo for $68.6 million to extend its ability to manage and protect identities with various levels of privileges across hybrid and multi-cloud settings. And in March 2018, the company bought certain assets of Vaultive to boost proactive cloud security controls and streamline the user experience for privileged accounts and cloud administrators.

About the Author

Michael Novinson

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.