CyberArk to acquire Venafi from Thoma Bravo for $1.5B

CyberArk is expanding its identity and access management offerings by acquiring Thoma Bravo-backed Venafi for $1.5 billion.

The vendor announced that it entered into an agreement to purchase Venafi, a machine identity management tool that's been majority owned by private equity firm Thoma Bravo since 2020. Venafi's offerings assist enterprises with securing public key infrastructure (PKI), cryptographic keys and digital certificates and can be used in on-premises or cloud environments.

CyberArk cited ongoing cloud migration and the importance of implementing and maintaining privilege controls as two drivers behind the acquisition. Part of the problem is the rapid growth of machine identities, which help secure sensitive data and grant restricted access.

In the announcement, CyberArk said there are currently "40 machine identities for every human identity." Attackers can leverage visibility and management challenges to gain initial access to a victim organization. Identity and access management (IAM) is an ongoing struggle for some enterprises as attackers have increasingly leveraged stolen credentials, often acquired through effective social engineering techniques.

Attacks have even affected IAM vendors themselves. For example, Okta suffered a breach last year where attackers used stolen credentials to access the vendor's support case management system and view sensitive customer files. One year prior, password management vendor LastPass disclosed that it suffered a breach after attackers compromised a developer's account.

Microsoft was another major vendor to suffer a breach due to inadequate IAM security. In January, Microsoft disclosed that a Russian nation-state threat actor, tracked as Midnight Blizzard, compromised a legacy test tenant account that did not have MFA enabled. Midnight Blizzard then used malicious OAuth applications to gain access to corporate emails.

CyberArk said the acquisition will set a "new standard for end-to-end machine identity security." The acquisition is expected to close at the end of this year.

A Venafi spokesperson told TechTarget Editorial that the announcement signifies how enterprises continue to struggle with machine identity management and an influx of newly connected devices. The spokesperson added that the acquisition will help to expand its business geographically.

The machine identity management vendor is currently developing integration plans for customers.

"This acquisition is indicative of the inflection point we are currently facing when it comes to identity security. There are increasing mandates and controls which compel customers to secure identity, including machines and certificates. Alongside that, nearly every cyberattack involves the compromise of identity in some way. The problem is exacerbated by the rapid adoption of AI, which produces exponential growth in machine identities, many of which require sensitive access to perform their role," the Venafi spokesperson said.

Todd Thiemann, a senior analyst at TechTarget's Enterprise Strategy Group, said the Venafi acquisition will expand CyberArk's reach into certificate management and PKI.

"It will enable CyberArk to provide more functionality and help solve the challenge of certificate lifecycle management. Enterprises prefer fewer tools to do more work, and this is a further step in that direction," he said.

Thiemann also said securing machine identities has become a bigger focus for many security vendors. "The IAM space has seen an initiative from established players and startups to improve management of nonhuman identities in addition to the existing focus on human identities. Those nonhuman identities are a significant part of the enterprise attack surface," he said. "You are seeing a lot of activity and innovation in this space, from startups and established players coming at the nonhuman identity challenge, along with established IAM players like CyberArk expanding their reach through acquisitions like Venafi."

The Venafi sale marks the second deal for Thoma Bravo this month. Last week, the company announced that its LogRhythm subsidiary would merge with SIEM rival Exabeam. Thoma Bravo said the merger is expected to close in the third quarter.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.