Today, Microsoft confirmed its acquisition of security startup Adallom for $250 million. The acquisition is great validation of the Cloud Access Security Broker (CASB) market. Adallom is Microsoft’s largest security acquisition since Satya Nadella took over as CEO and reflects the growing importance of securing data as it migrates to the cloud. Enterprises today are looking for ways to enforce security and compliance policies as they embrace the business benefits of cloud services. As one of the world’s largest application software providers, Microsoft has no doubt recognized this need in the market and views security as a key element in their “mobile-first, cloud-first” vision.
The CASB market is officially in hypergrowth mode
Analyst firm Gartner defines the category Skyhigh and Adallom serve as the Cloud Access Security Broker (CASB) market. According to Gartner, it’s the fastest growing security software category ever. The reason is simple: we’re in the midst of a secular move to the cloud as applications, infrastructure, and data migrate to cloud services. The challenge is that the traditional network edge doesn’t exist in the cloud. The security stack that companies have invested in to protect their on-premise applications doesn’t work either. Growth is accelerating so quickly that Forrester recently upwardly revised its 2020 projection of the cloud market from $159B to $191B.
Gartner estimates the SaaS market will top $22 billion in 2015 and that spending on CASB solutions will occupy 2-5% of overall cloud budgets. That makes CASB a $440 million to $1.1 billion market today! And that only accounts for revenue from SaaS services. If you count IaaS and PaaS spending, the market today easily ranges from $1-2 billion. But that number is small compared to where the market is headed. The unprecedented growth in cloud services is driving parallel growth in the CASB market that exceeds that of the respective markets for firewalls, web proxies, NGFW, DLP, MDM, IDS/IPS, SIEM, etc. at their peak. According to Gartner, by 2016, 25% of enterprises will secure access to cloud-based services using a CASB platform, up from less than 1% in 2012. While significant, that leaves significant growth potential in the CASB market beyond 2016.
Why Microsoft paid a high multiple relative to Adallom’s revenue
Based on publicly disclosed Adallom customers, it’s clear to industry observers that the company’s investors and shareholders received a high multiple relative to Adallom’s trailing 12 months of revenue (our estimate is a 50-60x multiple). One reason acquiring companies pay a high multiple during an acquisition is based on projected future growth. The CASB market has that in spades.
Another reason is strategic importance. Surveys of IT and IT security professionals show that the number one objection holding back cloud adoption from growing even faster is concerns about the security of data in the cloud. Recognizing the changing IT landscape, Microsoft is no doubt seeking to remove one of the key sales hurdles holding back its aspirations to dominate the cloud application market.
What this means for the CASB market
If history is any guide, Microsoft will use the technology acquired from Adallom to bolster its core businesses. This is a familiar story to those who followed Microsoft’s entrance to the data loss prevention (DLP) market in 2008. Instead of offering a multi-platform DLP solution with support for third party applications such as Lotus Notes, Microsoft focused exclusively on DLP for its own applications. During the same time period, the revenue for other DLP solutions including Symantec Vontu continued increasing at a rapid rate. Many enterprises selected independent DLP solutions because they offered the ability to enforce DLP policies across Microsoft and other platforms with one set of policies and workflow.
I believe we will see something similar play out in the CASB market. That’s because there are two types of CASB customers: SMBs who have relatively homogeneous cloud application environments and large enterprises with complex, heterogeneous environments. Many smaller organizations have standardized on cloud offerings from Microsoft or Google and their ideal solution includes built-in security controls for that platform. Enterprises, on the other hand, have deployed a wide array of solutions from Salesforce, Workday, Box, ServiceNow, AWS, IBM SoftLayer, etc. The average enterprise today uses 1,083 distinct cloud services, and they are looking for a vendor-neutral solution that enables them to enforce consistent policies across all cloud services from a single pane of glass.
Rather than continue to support third party applications from competitors like Salesforce, Box, and Google, I expect Microsoft will focus its newly acquired technology on its own suite of Office 365 applications along with Azure and Dynamics CRM. This offering will satisfy many requirements for SMB customers, who may not need a third-party CASB if they standardize on Microsoft. Microsoft’s acquisition is strong validation of the CASB market, its drivers, and its growth. At Skyhigh, we are excited to continue serving our global customers with a multi-cloud-service CASB platform that provides visibility and policy enforcement across over 14,000 cloud services.