Palo Alto Networks, the cybersecurity company known primarily for its next-generation firewall technology, made another move last month toward the new “zero trust” approach to security with the announcement that it’s buying Aporeto, a microsegmentation company that uses machine identities to restrict network traffic.
“We believe the addition of Aporeto’s unique machine identity technology will further enhance our leading Prisma Cloud capabilities and strengthen our commitment to helping customers secure their journey to the cloud,” Nikesh Arora, Palo Alto’s chairman and CEO, said in a statement.
Palo Alto declined to provide any additional information about the acquisition, but in its most recent earnings call, Arora said that firewall revenues “did not deliver to our expectation... Firewall as a platform grew only 11 percent year over year.”
Security market experts DCK spoke with explained that there is a broader industry shift away from perimeter-focused, firewall-based security toward a new model, where security is everywhere and is based on identity, such as the identities of users, applications, and machines that are sharing or requesting information.
The softening of Palo Alto’s firewall revenues and its acquisition of Aporeto – and others – are more evidence of this shift.
“This buy acknowledges that data centers are moving to the cloud, and new solutions are needed,” Ken Levine, CEO at ShieldX Networks, a zero-trust cybersecurity vendor, said. “Traditional perimeter-based firewalls are becoming useless. Palo Alto Networks needs something to make up for a cloudy future.”
The Aporeto acquisition isn’t Palo Alto’s first step toward the cloud. It’s made several strategic buys recently, said Ofer Schreiber, partner at YL Ventures and an expert in investing in cybersecurity companies. The other acquisitions include Evident.io, Redlock, Twistlock, and Puresec, he said.
“Each one of these companies added another layer in [Palo Alto’s] unified cloud-native security platform, which consists of multiple security capabilities and addresses different security use cases,” Schreiber said.
Zero trust, typically implemented through microsegmentation, is a better fit for today's cloud and hybrid data center environments, experts said. In addition, identity-based policies, such as Aporeto's machine identities, are easier to manage and scale than firewall-based security policies.
According to Gartner, the zero-trust approach is the direction in which all organizations should be moving to secure their cloud infrastructure.
Kowsik Guruswamy, CTO at Menlo Security, called this a “seismic shift in enterprise security.”
“Data centers will be more secure,” he said. “Networks are transforming, and security is transforming to help enterprises adapt to the age of cloud and SaaS.”
Aporeto’s technology is an enhancement to Palo Alto’s existing product portfolio, he said. But it remains to be seen whether Palo Alto can successfully integrate it into its current technology.
Overall, the acquisition should be a net benefit for data center security managers, said Aleksandr Yampolskiy, co-founder and CEO at SecurityScorecard. Today they have to deal with too many vendors and technologies.
“Most CISOs I spoke with welcome the consolidation, because they will get to deal with one company like Palo Alto Networks, which can offer all these different solutions out of a single suite,” he said.
There are too many fragmented tools today, he said.
“My gut sense would be that Palo Alto is a company with a great product suite and a deep security DNA,” he said. “So I envision this being a great outcome for the Aporeto suite of products.”
One potential roadblock is that the two approaches to security are so different that making them work together seamlessly might turn out to be impossible.
“It’s one thing to put a veneer of management on top of a bunch of different solutions,” said Peter Smith, co-founder and CEO at Edgewise Networks, a microsegmentation company that competes against Palo Alto. “But it’s a different thing entirely to unify them, to make the distinction between them irrelevant.”
Traditional firewalls and identity-based segmentation require different management paradigms, he said, and have very different approaches to security policy management.
Firewalls derive their value from specific, granular security policies, and there is a limit to how general those policies can be made while still working well for containers, microservices, and other new approaches to application deployment.
Identity-based security allows for a very different approach, with a smaller number of policies that can work across a very diverse set of environments, for systems that might only exist for a few seconds at a time.
“You can’t effectively mix them,” he said.
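To make the contrast concrete, here is an added illustration that is not part of the article or of any vendor's product: a small Python model that evaluates the same traffic under an address-based firewall policy and under an identity-based segmentation policy as a short-lived workload restarts. All workload names, identities and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Workload:
    name: str      # instance name (constructed)
    identity: str  # stable service identity such as "frontend" (constructed)
    ip: str        # address assigned at launch; changes on every restart

# Address rule: (src_cidr, dst_cidr, port). Identity rule: (src_identity, dst_identity, port).

def address_rules_for(srcs, dsts, port):
    """Address-based policy needs one /32 rule per (source, destination) pair."""
    return [(f"{s.ip}/32", f"{d.ip}/32", port) for s in srcs for d in dsts]

def allowed_by_address(rules, src, dst, port):
    """Firewall semantics: match on the packet's addresses, nothing else."""
    return any(ip_address(src.ip) in ip_network(sc) and ip_address(dst.ip) in ip_network(dc)
               and p == port for sc, dc, p in rules)

def allowed_by_identity(rules, src, dst, port):
    """Segmentation semantics: match on who the workloads are, whatever their addresses."""
    return any(si == src.identity and di == dst.identity and p == port for si, di, p in rules)

def simulate():
    """Two frontends talk to one backend. Then fe-1 restarts with a new address and an
    unrelated batch job is launched on the address fe-1 vacated (all constructed data)."""
    fe1 = Workload("fe-1", "frontend", "10.0.1.10")
    fe2 = Workload("fe-2", "frontend", "10.0.1.11")
    be1 = Workload("be-1", "backend", "10.0.2.20")
    addr_rules = address_rules_for([fe1, fe2], [be1], 8080)
    id_rules = [("frontend", "backend", 8080)]
    fe1_new = Workload("fe-1", "frontend", "10.0.1.37")  # same identity, new address
    batch = Workload("batch-1", "batch", "10.0.1.10")    # reuses fe-1's old address
    return {
        "address_rule_count": len(addr_rules),    # grows with every instance pair
        "identity_rule_count": len(id_rules),     # one rule covers the whole service
        "restarted_fe_allowed_by_address": allowed_by_address(addr_rules, fe1_new, be1, 8080),
        "restarted_fe_allowed_by_identity": allowed_by_identity(id_rules, fe1_new, be1, 8080),
        "batch_allowed_by_address": allowed_by_address(addr_rules, batch, be1, 8080),
        "batch_allowed_by_identity": allowed_by_identity(id_rules, batch, be1, 8080),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The address model both blocks the restarted frontend until its rule is rewritten and keeps admitting whichever workload inherits the stale address, while the single identity rule follows the service through the restart.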
So what should a company do if it has both on-premises and cloud environments and wants a single vendor to secure all of it?
“You should treat your on-premises data center as just another kind of cloud,” Smith said.