Starting late last year, I kept on hearing a growing drumbeat from customers that they were highly interested in consolidating the breadth of security vendors and products that they use internally to secure their enterprise. In past years, the talk by customers regarding “vendor consolidation” typically had been more in terms of the purchasing process and not having to deal with getting contracts and negotiating with yet another vendor. This time it was different — it has become clear to customers that having disjointed point solutions leave significant air gaps with regard to securing their enterprise, and that customers are now looking more for platform solutions that can deliver a set of integrated best-of-breed capabilities versus a set of one-trick ponies.
I wanted to withhold judgement that this was really a trend until after I spent time with customers at the RSA conference. But even going into RSA, I started seeing other data points echoing this marked shift — meaning I was not alone in hearing about the desire for vendor consolidation. In mid-January of 2017 equity research analyst John DiFucci of Jefferies and his team published both a “Cybersecurity Survey” of 76 IT execs as well as a comprehensive “Cybersecurity Primer.” One of the top findings they documented was: “we observe a high demand for consolidation.” More specifically:
“Corporate IT Security Users are overwhelmed with the plethora of seemingly endless technologies required to protect their enterprise and now accept that consolidation of the solution is a legitimate and welcome alternative. Those vendors that can accomplish this as a contiguous platform play or those that can consolidate others’ solutions should benefit.”
Drilling down in more detail they saw the following:
“About 70% of respondents said “Yes” to potential consolidation, although 68% of that group would only consolidate if offered 100% or near of the functionality and security of the disparate vendors. The remaining 32% of this group wish to consolidate even if for mildly less functionality.”
The key point here is that customers want a platform to address multiple security functions and that features have to be near the capabilities of a point solution, but not necessarily completely match. The net conclusion by Jefferies: expect “potential headwinds” for point solution vendors, “especially those that do not offer best of breed solutions.”
So after a bunch of customer meetings at RSA in mid-February, I am now convinced this is the current trajectory that customers are heading towards as they have been burned in the past. Namely almost every enterprise customer is now actively looking to reduce the number of security vendors, and are also expressing a strong willingness to shut off and replace existing point solutions.
Interestingly, I am now reading reports coming out of RSA that further confirm this desire. For example, according to a report published by BTIG Equity Research on February 20, 2017, one of the key takeaways from RSA was:
“Vendor consolidation accelerating. Buyers’ first question is what can you replace? Vendor consolidation is accelerating as CIOs continue to reduce their vendor exposure and simplify their cyber security strategy and infrastructure. Larger enterprises are looking for vendors that can integrate with their existing infrastructure and across their heterogeneous environments, from endpoint to the cloud. Consistent with broader trends in software and technology, vendors continue to realign their portfolios to match customers’ increasing appetite for cloud‐based software. We have found that over 70% of enterprise security buyers are consolidating vendors.”
Specific to Identity and Access Management (IAM) solutions, I heard from customers at RSA that they clearly believe that functionality such as multi-factor authentication (MFA) should be an integrated part of a single sign-on (SSO) and privileged access security solution instead of a standalone solution. Furthermore, most enterprise mobility management (EMM) deployments were mostly being used for basic mobile device management (MDM), and that was good enough; so, if an IAM solution can deliver solid EMM capabilities, then the sooner they can shut off a classic MDM solution, the better.
Moreover, password vaulting in a privileged account security solution was of interest to address shared account password management (SAPM), but should be combined with a superuser privileged management (SUPM) solution to address the granular security of both non-human and human privileged accounts. There was no need or interest to have a standalone user auditing solution or password vault. MFA should also be extended everywhere as it relates to privilege — not only to check out passwords, but to check server logins as required for privileged command execution as well. Finally, identity consolidation is a big issue not only for admin users but also end users — customers want to have all types of users use one single login instead of having multiple accounts and/or sharing accounts.
Finally, customers want threat analytics that can take a holistic view of all types of users, versus just looking at end or privileged users in isolation. This is important because an attack typically starts with a hacked account of one or more end user and then from there, privileged accounts eventually are compromised.
I think this move to vendor consolidation puts Centrify in a great situation given we offer the following capabilities built on a single integrated platform:
- Single Sign-On
- Multi-Factor Authentication
- Enterprise Mobility Management
- Mac Management
- Enterprise Password Vaulting / Shared Account Password Management
- Secure Remote Access
- User-level Auditing
- Active Directory Bridging
- Privileged Elevation Management
- User Behavior Analytics
When we think of consolidation, we typically think we are sacrificing feature completeness and “best of breed” functionality for single vendor solution. But, this is not true, and Centrify absolutely does not do that. And, the cool thing is that each of these capabilities from Centrify are in fact recognized by press and analysts as a best-of-breed offering, so you are not sacrificing functionality to move forward with a comprehensive identity platform. Centrify is the only vendor recognized by Gartner and Forrester as a leader in Identity-as-a-Service and Privileged Identity Management respectively. We have even won “shoot-outs” for SSO and Mac Management, so even at the point solution level we are frequently the top rated solution. So why buy a point SaaS SSO, EMM or MFA solution? Or a point password vault or user-level auditing solution? Or a separate IDaaS solution that does not work with a Privileged Identity Management solution? This point solution approach will just leave air gaps (or significant product overlap) that will force you to find a plethora of unintegrated point solutions that will be the equivalent of stuffing square pegs into round holes. And of course you will have to deal with multiple vendors for support, contracts, etc. vs. dealing with “one throat to choke.”
At the end of the day Centrify addresses the issues of too many passwords and too much privilege. We do this through an integrated platform for identity, and increasingly we see enterprises seeing the value in this approach which fits into a larger trend of being more secure by moving to security platform offerings.
Read this eBook, “Rethink Security: A Massive Paradigm Shift in the Age of Access,” to understand how an identity platform will protect your organization from a security breach.