Pathlock-Appsian Deal Combines App Governance, ERP SecurityDeal Will Help Clients Secure Users and Data Across SAP and Oracle's ERP Apps
Pathlock has merged with Appsian to form a 500-person behemoth that secures users and data across SAP and Oracle's Enterprise Resource Planning applications.
See Also: Managing API Security
Bringing Pathlock, Appsian and Security Weaver together will allow the company to take a larger bite out of the $110 billion market focused on compliance testing for business applications, according to CEO Piyush Pandey. Companies rely on ERP apps for items such as HR, finance, supply chain management and business analytics and want to simplify securing all the critical information contained within.
"We want our customers to manage risk in a comprehensive fashion across different applications with a single tool, which not only helps automate the process, but also helps with testing," Pandey tells Information Security Media Group. "We want to combine these tools into one platform so that people can get a comprehensive view of risk."
Growth equity firm Vertica Capital Partners combined Pathlock, Appsian and Security Weaver and adopted the Pathlock name for positioning and branding purposes even though Appsian was the largest of the businesses. Pandey was the CEO of Appsian and had been working for more than a year to build a platform that could deliver security, compliance, governance and automation around SAP and Oracle (see: Attackers Target Unpatched SAP Applications).
As part of the transaction, Pathlock has also raised $200 million from Vertica to expand its application governance and data security capabilities. Pandey says the combined company will continue to invest in and support its existing portfolio of products while at the same time creating an integrated platform that will have a cloud component as well as a better user interface.
A Centralized View of ERP Risk
By later this year, Pandey says, customers will be able to manage risk for different ERP applications from a single instance regardless of whether the instance is on-premises or in the cloud or involves SAP or Oracle. Once the integration is complete, he says, customers will be able to buy the access governance, security control enforcement and vulnerability management functions either all together or separately.
Pathlock's access governance capabilities run the gamut from segregation of duties and provisioning and de-provisioning to role design and privileged access management, according to Pandey. And the security control enforcement and visibility piece makes it possible to do testing, checking and provisioning in real-time and to stop transactions when they're in violation of company policy, he says.
Bringing Pathlock, Appsian and Security Weaver's capabilities onto a single platform will require a little bit of development work with API call-ins so that customers can choose between on-premises and cloud-based versions of the products. Relying on APIs for the integration means that Pathlock can forgo rebuilding anything and instead create procedures and steps to configure and reuse its existing tools.
"This is about putting things together," Pandey says. "We have five different doors and five different rooms, and we will put the right door in the right place so that things can go."
Appsian traditionally sold to more than 300 data security customers with an emphasis on supporting the HR department and the Oracle platform, while Pathlock excelled at safeguarding financial services clients on SAP's ERP platform, according to Pandey. Security Weaver, meanwhile, exclusively supported SAP.
The security needs around SAP tend to be most acute in the manufacturing, health care, higher education and government spaces, while Oracle's ERP offering is typically most popular with large, distributed organizations in industries such as health care, higher education, and state and federal agencies, according to Pandey.
The Need for Scale
Customers who adopt Pathlock typically aren't using it to replace a direct competitor and in most cases were either relying on consultants or attempting on their own to automate the manual processes associated with compliance and auditing. The Pathlock portfolio overlaps with SecurityBridge when it comes to SAP security in Europe as well as SailPoint and Microsoft in the access governance arena.
The combined organization today relies on North America for 60% of its revenue, Europe for 30%, and other regions such as Asia, Australia and Latin America for the remaining 10% of revenue, according to Pandey. Much of Pathlock's growth outside North America and Western Europe has been opportunistic, and Pandey says the company wants to stay focused on the largest markets in the world.
Pandey hopes the mega merger will streamline automation and provide tangible benefits to lines of business outside the CISOs, including human resource, finance and the controller. Pathlock today has 1,200 customers, and Pandey would like to see the company quadruple or quintuple its revenue over the next half-decade by cross-selling existing customers or winning additional large customers globally.
"Nobody has provided this fine-grained and needed risk management, compliance and automation tool to business owners," Pandey says. "This is not just a solution for CISOs but gives business owners a way to see how they're going to secure everything."