CyberArk strengthens their Identity Governance offerings with the acquisition of Zilla Security

CyberArk press release

As Identity Security domains continue to converge, the #1 Privileged Access Management (PAM) vendor on the market has just added a modern Identity Governance & Administration (IGA) solution to its already comprehensive Identity and Access Management (IAM) security portfolio, making it a serious contender in the IAM-as-a-Platform space, rubbing shoulders with the likes of Microsoft, Okta and One Identity.

With the addition of Zilla, CyberArk now touts Identity Governance, Lifecycle Management and Access Review capabilities alongside its already robust Just-In-Time Privileged Access with Multi-Factor Authentication (MFA) and Passwordless Authentication for human and workload identities.

The convergence isn’t new: vendors dominant in IGA and PAM, like SailPoint, Saviynt, Delinea, Netwrix and ObserveID, have either acquired or natively introduced this converged capability on their platforms. Moreover, CyberArk already possessed governance capabilities, so why add Zilla, and why now?

To understand the importance of this merger, we need to first understand the evolving compliance landscape. Regulatory controls like Sarbanes-Oxley (SOX), the Payment Card Industry standards (PCI) and the Health Insurance Portability and Accountability Act (HIPAA), which were largely focused on publicly traded companies, retail and healthcare respectively, have expanded to also include –

  • NYDFS for private financial & wealth management institutions
  • SOC2 certification for anyone transmitting and storing customer data
  • GDPR for companies working with entities in the European Union (EU)

all with the common underlying security themes –

  • Enforce ‘Least Privilege’ access
  • Apply Multi-Factor and Risk-based authentication
  • Periodically review & certify access

While the number of organizations having to perform Access Reviews & Certifications increased significantly, so too did the number of failed audits. Routine periodic access review campaigns, aimed at ensuring the right people had access to the right resources at the right time for the right reasons, were riddled with inaccurate data, missing fine-grained permissions, data validation issues, rampant rubber-stamping and incomplete provisioning/de-provisioning activities. The result was end-user campaign fatigue and, eventually, a failed audit. Also missing from these campaigns were reviews of privileged & service accounts – specifically, who had access to them and who owned them. Not to mention, integrations with vaults and PAM solutions were often complex and required heavy customization.
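The failure modes listed above are mechanical enough to be checked with a script before a campaign is closed out. The following is an added illustration, not code from Zilla, CyberArk or the author: the HR roster, accounts, entitlements and reviewer decisions are constructed sample data, and the thresholds used to flag a likely rubber-stamping reviewer (every item approved, median of a few seconds per item) are assumptions.

```python
"""Access review reconciliation checks (added illustration; constructed data, assumed thresholds)."""
from collections import defaultdict
from statistics import median

# Constructed sample data for a hypothetical organisation.
ACTIVE_ROSTER = {"alice", "bob", "carol"}  # HR system says these people are still employed

ACCOUNTS = [
    {"id": "alice", "type": "human", "owner": "alice", "entitlements": ["crm:read"]},
    {"id": "dave", "type": "human", "owner": "dave", "entitlements": ["crm:read", "crm:admin"]},  # left the company
    {"id": "svc-backup", "type": "service", "owner": None, "entitlements": ["vault:read"]},       # nobody owns it
    {"id": "svc-etl", "type": "service", "owner": "carol", "entitlements": ["db:admin"]},
    {"id": "bob", "type": "human", "owner": "bob", "entitlements": ["vault:admin"]},
]

# Entitlements this organisation classifies as privileged (assumed classification).
PRIVILEGED = {"crm:admin", "vault:read", "vault:admin", "db:admin"}

# Decisions the campaign actually recorded; "seconds" is time the reviewer spent on the item.
DECISIONS = [
    {"account": "alice", "entitlement": "crm:read", "reviewer": "mgr1", "decision": "approve", "seconds": 45},
    {"account": "dave", "entitlement": "crm:read", "reviewer": "mgr2", "decision": "approve", "seconds": 2},
    {"account": "dave", "entitlement": "crm:admin", "reviewer": "mgr2", "decision": "approve", "seconds": 1},
    {"account": "bob", "entitlement": "vault:admin", "reviewer": "mgr2", "decision": "approve", "seconds": 2},
    {"account": "svc-etl", "entitlement": "db:admin", "reviewer": "mgr1", "decision": "revoke", "seconds": 60},
]


def orphaned_human_accounts(accounts, roster):
    """Human accounts whose subject is no longer on the active roster: incomplete de-provisioning."""
    return sorted(a["id"] for a in accounts if a["type"] == "human" and a["id"] not in roster)


def unowned_service_accounts(accounts):
    """Service accounts with no recorded owner: nobody accountable can certify them."""
    return sorted(a["id"] for a in accounts if a["type"] == "service" and not a["owner"])


def unreviewed_privileged_entitlements(accounts, decisions, privileged):
    """Privileged entitlements the campaign never produced a decision for (missing fine-grained permissions)."""
    decided = {(d["account"], d["entitlement"]) for d in decisions}
    missing = []
    for account in accounts:
        for entitlement in account["entitlements"]:
            if entitlement in privileged and (account["id"], entitlement) not in decided:
                missing.append((account["id"], entitlement))
    return sorted(missing)


def rubber_stamp_reviewers(decisions, min_items=3, max_median_seconds=5):
    """Reviewers who approved every item with only a few seconds spent on each: likely rubber-stamping.

    min_items and max_median_seconds are assumed thresholds; tune them to the campaign.
    """
    by_reviewer = defaultdict(list)
    for d in decisions:
        by_reviewer[d["reviewer"]].append(d)
    flagged = []
    for reviewer, items in by_reviewer.items():
        if len(items) < min_items:
            continue  # too few decisions to judge a pattern
        all_approved = all(d["decision"] == "approve" for d in items)
        fast = median(d["seconds"] for d in items) <= max_median_seconds
        if all_approved and fast:
            flagged.append(reviewer)
    return sorted(flagged)


def campaign_findings(accounts=ACCOUNTS, roster=ACTIVE_ROSTER, decisions=DECISIONS, privileged=PRIVILEGED):
    """Run every check and return the findings a campaign owner should clear before sign-off."""
    return {
        "orphaned": orphaned_human_accounts(accounts, roster),
        "unowned_service": unowned_service_accounts(accounts),
        "unreviewed_privileged": unreviewed_privileged_entitlements(accounts, decisions, privileged),
        "rubber_stampers": rubber_stamp_reviewers(decisions),
    }


if __name__ == "__main__":
    for name, finding in campaign_findings().items():
        print(f"{name}: {finding}")
```

On the constructed data, the checks surface each failure mode from the paragraph at once: "dave" is still provisioned (and was even approved for crm:admin) after leaving, "svc-backup" has no owner to certify it, its vault:read entitlement never reached a reviewer, and "mgr2" approved everything in about two seconds per item. In a real campaign the roster and entitlement feeds would come from the HR system and the connected applications, and the reviewer timing from the IGA platform's audit log.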

Other ancillary challenges included –

  • Proprietary & complex integrations with applications
  • Complex roles-based access control models
  • Missing risk and ownership metadata for workflows

And more….

Better compliance, it seemed, did not equate to better security.

Legacy IGA solutions continued advancing compliance themes while adding features like AI-derived risk intelligence (to eliminate rubber-stamping), integrations with IT Service Management (ITSM) platforms (for a more seamless access request experience), and expanded coverage to govern 3rd-party, Cloud and Non-Human identities. Information Security teams looking to improve their cybersecurity defense posture and reduce their cyber-insurance premiums were leading with an Identity-first Zero-Trust security strategy built on NIST CSF, ISO 27001, CIS, CMMC and other security control frameworks.

The Compliance-led Security strategy was quickly being replaced by a ‘Security first, then Compliance later’ approach.

With this shift, a new breed of IGA vendors quickly emerged, targeting the security owner – Zilla Security, ConductorOne and Lumos, to name a few. We’re also seeing Identity-as-a-Service (IDaaS) vendors dabble in IGA and PAM, but more on them in a later blog.

Under Deepak Taneja’s leadership and Nitin Sonawane’s vision, Zilla Security had solved for the three biggest challenges plaguing IGA deployments –

  • Fast Application Onboarding
  • Frictionless End-User Experience
  • Minimal services footprint for deployment

To mitigate risk, an organization must empower the business and transfer ownership of access from IT to the business.

Zilla’s approach to application onboarding employs built-in Robotic Process Automation (RPA)-like functionality called Zilla Universal Sync, or ZUS. Application owners themselves are empowered to rapidly onboard their application, with zero coding skills required.

Drawing on lessons learned from his prior venture as founder of Aveksa, the very first IGA product company, Deepak focused on the end-user experience, making it truly business-friendly with an intuitive UI built around security risk signals, intelligence and access profiles aimed at preventing rubber-stamping and at developing roles.

In the shift to cloud, many applications conformed to open standards for API-based integrations. For those pesky on-premises applications, Zilla PO Box provided customers with a quick, easy-to-deploy and easy-to-maintain appliance, complete with API- and CSV-based integrations.

With CyberArk already leading many of the security conversations, albeit around privileged access, you can now see why layering Zilla’s governance modules onto its existing user base is an easy add-on: one place to secure, manage and govern all identities, human and non-human.

The road ahead however does pose some challenges, and flawless execution will be key for this merger to be successful. 

Technology Challenge

  1. CyberArk is still tackling the migration to Privilege Cloud (PCloud) for its on-premises customers. Most organizations are hesitant to lift and shift their credential vault to the cloud, and I tend to agree. If you have a hybrid environment, authentication and credential vaults should stay local, so a hybrid deployment strategy is needed.
  2. Non-human identities have become the focus for security practitioners. Who has access to API keys, tokens, secrets, scripts, etc. has taken center stage. CyberArk needs to go beyond machine and workload identities to include these non-human identities.
  3. 3rd-party identity governance is missing in Zilla Security.

As with all mergers, the focus on innovation tends to slow down during platform integration. I’ve seen this happen to great companies. Hopefully CyberArk will continue to let Zilla drive innovation around Identity Governance and retain the subject matter expertise that made it successful.

———
How can Abira Security help:
If you are a CyberArk customer or are looking to modernize your legacy IGA platform, or just want a review of your security led compliance strategy, drop us a note and let Abira Security assist in all your CyberSecurity needs.

Note about the Author
Nabeel has over 28 years of experience in the Identity & Access Management domain, having previously worked for Novell (OpenText), Saviynt and MajorKey Technologies. He now consults and advises organizations on future-proofing their IAM strategy.