Licensed for Distribution
Published 1 December 2021 - ID G00758322
By Charlie Winckless, Joerg Fritsch, Peter Firstbrook, Neil MacDonald, Brian Lowans
Security and risk management leaders continue to be asked to do more with less — facing more demand for service, fast-changing threat landscapes and insufficient technical talent. This research predicts that platform consolidation will help SRM leaders’ organizations thrive in hostile environments.
Overview
Key Findings
Driven by the need to reduce complexity, leverage commonalities and minimize management overhead, security technology convergence is accelerating across multiple disciplines.
Organizations are working or planning to work on vendor consolidation strategies; this is a long-term project for most of them, because it’s often a large architectural shift.
Vendors are increasingly divided into “platform” and “portfolio” camps, with the former integrating tools to make a whole that’s greater than the sum of the parts, and the latter packaging products with little integration.
Technology consolidation is not limited to one technology area or even to a closely related set of technologies; these consolidations are happening in parallel across many security areas.
Recommendations
Evaluate security platforms where they share data and control planes; leverage this consolidation to define common policies and reduce gaps and vulnerabilities between legacy silos.
Evaluate your security needs for outbound communications and determine where cloud-managed solutions fit your risk and business profiles.
Inventory data security controls to implement a multiyear phaseout of siloed data security tools that are holding you back when you need to leverage your data in favor of a modern data security platform.
Implement an integrated and converged security approach that covers the entire life cycle of cloud-native applications, starting in development and extending into production.
Evaluate workspace security packages united by extended detection and response as a meaningful way to reduce the complexity of security operations.
Strategic Planning Assumptions
By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s security service edge (SSE) platform.
By 2025, 30% of enterprises will have adopted a data security platform (DSP), due to the pent-up demand for higher levels of data security and the rapid increase in product capabilities.
By 2025, 70% of organizations will consolidate the number of vendors securing the life cycle of cloud-native applications to a maximum of three vendors.
By 2027, 50% of midmarket security buyers will leverage eXtended detection and response (XDR) to drive consolidation of workspace security technologies, such as endpoint, cloud and identity.
Analysis
What You Need to Know
Security technologies and mindsets have continuously oscillated between best-of-breed and platform solutions (even if the latter has too often been a marketing construct, more than an actual approach). This oscillation is driven by buying centers, vendor preferences and technical demands. It has left organizations and security and risk management (SRM) leaders with huge technical debt and often a fragmented, complicated infrastructure that doesn’t help an organization’s mission to enable its digital business. Such infrastructures are hard to manage, limit visibility to the true state of security, and have created gaps between silos or mismatched policies.
Gartner’s 2020 Security and IAM Adoption Trends Survey¹ shows that most organizations have or plan to have a vendor consolidation strategy (see Figure 1). Only 20% did not plan to adopt such a strategy, and, of those already in the process, more than 80% had been consolidating for at least a year.
Figure 1. Eighty-Three Percent of Organizations Pursuing a Vendor Consolidation Strategy Have Been Doing So for at Least One Year
This is not the first time we’ve seen vendor consolidation on unified platforms as a trend — the pendulum has swung back and forth repeatedly. Although this pattern will continue, we are in a different situation today — in terms of both the negative impact of complex, nonintegrated sets of products and the positive synergies integration can bring. Modern platforms sit across common data and control planes and use the cloud to synthesize huge amounts of data.
The world also faces a huge shortfall in cybersecurity talent — more than 3.2 million, according to the 2020 ISC2 survey¹ — so operational efficiency is a key requirement. Effective modern platforms focus on business and organizational objectives as much as on technology combinations. Furthermore, the concept of the cybersecurity mesh (see Top Strategic Technology Trends for 2022: Cybersecurity Mesh) enables these platforms to collaborate via APIs, using current and emerging security standards. Administration can be centralized, while policy enforcement is distributed.
Vendors are taking two clear approaches to consolidation:
Platform Approach
Leverage interdependencies and commonalities among adjacent systems.
Integrated consoles for common functions.
Support for organizational business objectives at least as effectively as best-of-breed.
Integration and operational simplicity mean security objectives are also met.
Portfolio Approach
Leveraged set of unintegrated or lightly integrated products in a buying package.
Multiple consoles with little to no integration and synergy.
Legacy approach in a vendor wrapper.
Will not fulfill any of the promised advantages of consolidation.
Differentiating between these approaches is key to the efficiency of the suite, and vendor marketing will always say the offering is a platform. As you evaluate products, look at how integrated the consoles are for the management and monitoring of the consolidated platform. Also, assess whether security elements (such as data definitions and malware engines) can be reused across multiple areas seamlessly, without being redefined. Multiple consoles and multiple definitions are warnings that this is a portfolio approach that should be carefully evaluated.
As the platforms shift to the cloud for management, analysis and even delivery, the ability to leverage the shared responsibility model for security brings enormous benefits to the consumer. However, this extends the risk surface to the vendor and requires further due diligence in third-party vendor management. The benefits include:
Lack of physical technical debt; there is no hardware to amortize before shifting vendors or technology.
The end-customer’s data center footprint is reduced or eliminated for key technologies.
Operational tasks (e.g., patching, upgrades, performance scaling and maintenance) are performed by the cloud provider. The system is maintained and monitored around the clock, and the staffing of the provider supplements that of the end customer.
Controls are placed close to the hybrid modern workforce and to the distributed modern data; the path is not forced through an arbitrary, customer-owned location for filtering.
Despite being large targets, cloud-native security vendors have the scale and focus to secure, manage, and monitor their infrastructure better than most individual organizations.
In terms of vendors, capabilities and technologies, consolidation efforts are spread across the security spectrum. Here, we highlight trends in network security with the SSE platforms, in data security with the emerging DSPs, in applications with cloud-native application protection platforms (CNAPPs) and, in incident response, with XDR.
Each of these covers a different aspect of the security spectrum, but even here we see synergies. For example, XDR might consume data from cloud access security brokers (CASBs) and other SSE products (as well as directly from popular SaaS and cloud infrastructure providers) to respond to and manage cloud incidents. DSPs will provide data classification that must be consumed by the SSE to prevent unauthorized data use in cloud services. Meanwhile, both the SSE and CNAPP markets are incorporating cloud security posture management (CSPM). The business must find the borders between these platforms and ensure that they align well with how they will be operated and managed — or there must be consolidation of the teams who run them, as well.
To maximize advantage from this trend, SRM leaders must drive assertive architectural thinking, rather than respond to a buyer- or cost-driven vendor consolidation strategy. This supports meaningful security optimization and allows focus on the areas that will benefit your specific organization. Focusing purely on a cost-driven strategy will often lead to less-than-optimal security choices and vendor lock-in. Leaders who evaluate where they have an operational or security shortfall and push for a consolidation investment will have a higher rate of security success than those driven by the security team.
Strategic Planning Assumptions
Strategic Planning Assumption: By 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.
Analysis by: Neil MacDonald and Charlie Winckless
Key Findings:
With a hybrid workforce and data everywhere accessible by everything, vendors are offering an integrated SSE solution to deliver consistent and simple web, private access and SaaS application security. The platforms manage outbound egress communications initiated by remote workers and from branch locations — they secure users and data closer to where they are located — increasingly outside the enterprise network.
Cloud-delivered security for remote and branch users shifts much of the operational burden to a cloud security service staffed and built for that purpose, helping make better use of scarce security talent.
The business outcomes that organizations need from access edge security are similar across the technology stack. Key among them is the detection of threats from outside or inside the organization, protection of sensitive data, and ensuring a seamless and efficient working environment.
Single-vendor solutions provide significant operational efficiency and security efficacy, compared with best-of-breed, including reduced agent bloat, tighter integration, fewer consoles to use, and fewer locations where data must be decrypted, inspected and re-encrypted.
Market Implications:
Gartner’s Future of Work research (see Future of Work Primer for 2021) shows that HR leaders expect a hybrid workforce. Our continued evaluation of enterprise spending shows the shift to cloud continues (see Market Trends: Cloud Shift — 2020 Through 2024). These two trends mean that traditional network and network security architectures centered on the data center are not just less relevant, but also less effective at delivering secure business outcomes. The data is not in the data center, and the consumers of the data are not in offices. Organizations must deliver the access to capabilities in a risk-appropriate way to the digital workforce, with minimal impact to their experience. This means delivering network security services from the cloud, rather than forcing traffic — via virtual private network (VPN), software-defined wide-area network (SD-WAN), MPLS or other transit — to a client-owned security stack in a data center.
The shift to remote work and the adoption of public cloud services was well underway already, but it has been further accelerated by COVID-19. SSE allows the organization to support anywhere, anytime workers using a cloud-centric approach for the enforcement of security policy. SSE offers immediate opportunities to reduce complexity, costs and the number of vendors.
Secure web gateways (SWGs), CASBs and zero-trust network access (ZTNA) products have traditionally been separate markets and, indeed, often competing vendors. These markets have converged to form the SSE market, with these three capabilities as cornerstones of the product set, and remote browser isolation (RBI), firewall as a service (FWaaS) and digital experience monitoring (DEM) as key secondaries.
SSE secures access to the web, private applications and usage of cloud services. Capabilities include access control, threat protection, data security, security monitoring and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service and may include on-premises or agent-based components.
The evolution of the SSE market has been driven by the challenge that unintegrated and near-overlapping products present for both admins and users. These include the need for multiple agents, inconsistent security results, disparate user experiences, and the need to configure, support and manage different security products to achieve the same results. This unsustainable situation has led to the integration of controls such as CASB, SWG, ZTNA, RBI and FWaaS (among others) into SSE platforms that support strong, consistent, adaptive and risk-appropriate security for a user, regardless of location. They enable organizations to use emerging cloud technologies effectively by managing the use of SaaS and controlling access to infrastructure as a service (IaaS). They support key initiatives, such as zero trust, by enforcing identity and context controls on connections. Integrated agents mean less load on endpoints while still enforcing controls. Finally, the cloud-delivered adaptive security approach effectively supports the future of work: a hybrid workforce on a mix of devices.
Vendors are increasingly acquiring or developing these adjacent technologies and integrating them into a single platform. The benefits are best realized when this integration minimizes consoles and configuration planes, and reuses components (e.g., endpoint agents) and information. This market growth and interest has led some vendors to bundle products as a portfolio without any synergy. This can be the worst of all worlds — products that may not excel in all areas without the integrations to reduce complexity and overhead.
A cloud-centric network and network security model extends to support the branch office, as well as the traveling user, in a broader architecture called SASE. Instead of deploying a security stack at smaller sites, the ability to use the internet as a WAN and to deliver traffic to a cloud security stack provides huge benefits. Site devices can be field-replaceable units with minimal management and maintenance — simple onramps to the SSE stack. The single enforcement control plane (with a replicated and highly available data plane) simplifies the work for the operator, especially if a tightly integrated or organic SD-WAN provider is also used.
Recommendations:
Evaluate your outbound security needs to determine where cloud-managed solutions fit into your risk and business profiles.
Prioritize vendors by evaluating their available SSE features and how well they meet your highest requirements. Not all vendors provide best-in-class features for each discrete component. This could involve a less-mature, cloud-service security component; weak cloud infrastructure footprint; missing advanced data security features; or a lack of full ZTNA support for all use cases.
Partner with networking teams to coordinate the acquisition of SSE services to align with wider network transformation, digital initiatives, and hybrid work initiatives.
Related Research:
Strategic Planning Assumption: By 2025, 30% of enterprises will have adopted a DSP, due to the pent-up demand for higher levels of data security and the rapid increase in product capabilities.
Analysis by: Joerg Fritsch and Brian Lowans
Key Findings:
As more cybersecurity point solutions come to market, SRM leaders have reached the critical point for vendor integration and management. They must rationalize their data security portfolios to determine whether a consolidation or best-of-breed strategy is the right approach.
Patchworks of use-case and silo-specific data security controls are causing SRM leaders to struggle to understand how to orchestrate their capabilities and limitations.
This complexity is encouraging vendors to rapidly amalgamate disparate data security capabilities into data security platforms. Organizations applying these newer platforms are securing their data better and more easily.
The confluence of data security into large product platforms has never been more evident than right now, but complexity grows faster than vendors are consolidating.
Market Implications:
Gartner defines DSPs as products and services characterized by data security offerings that target the integration of the unique protection requirements of data across data types, storage silos and ecosystems. The data security market is characterized by vendors integrating their capabilities into a DSP. In this market, the formerly siloed capabilities will come together under a common set of data security governance policies. This will considerably streamline data security and make DSPs a key enabler of meaningful data risk analytics, orchestration of data security policies and reduction of operational complexities.
Two trends relating to data security, privacy and advanced analytics are driving DSP adoption:
Enterprise agendas for strengthened data security and privacy are increasingly in competition in terms of their approach to DevSecOps, open data regulations and advanced analytics.
Organizational data is increasingly distributed across different service and trust boundaries, frequently outside traditional on-premises data centers. Data is likely to be processed and stored in public cloud services of all types — infrastructure-based, platform-based and SaaS. This situation requires organizations to manage their data security far more effectively.
A DSP significantly increases the visibility of, and control over, data and its broad usage — for example, in relation to unknown behaviors, not just narrower, privacy-related compliance goals. Therefore, this puts organizations in a position to truly secure their data. The increase in visibility and control enables secure data flows among individuals, organizations and governments (see Figure 2). Consequently, wiser decisions can be made, and better outcomes delivered for business and society as a whole.
Figure 2. Amalgamation of Data Security Capabilities into Data Security Platforms
Examples of market convergence areas include:
Data protection technologies (such as tokenization, encryption and data masking), database activity monitoring (DAM) and data discovery. Mature DAM products based on database agents, proxies or network gateways are combined with data masking capabilities as a post-processing step after tokenization or encryption of the data.
Data masking, data discovery, DAM and data access governance (DAG). Traditional data masking products add DAM capabilities by reconstructing audit logs from dynamic data masking gateways. Data discovery capabilities are added to give clients greater visibility across their data stores. The information is often stored in a data catalog.
Data discovery and data categorization techniques are being used in combination with user account credentials to create data risk analytics and identify user account access privileges to specific datasets. This is increasingly used to determine how data security governance policies are enforced through DAM, DAG and data protection technologies.
Recommendations:
Inventory data security controls to implement a multiyear phaseout of siloed data security tools that are holding you back when you need to leverage your data in favor of a modern data security platform.
Consolidate vendors to cut complexity and costs as contracts renew, for example in DAM, data masking, data discovery, data encryption or DAG.
Include DSPs in your cybersecurity mesh architecture by choosing DSP products that offer high levels of integration capability. The security of the composable enterprise (see Quick Answer: What Does It Mean to Be ‘Composable’?) requires flexible cybersecurity mechanisms with a rich set of APIs, based on interoperability standards.
Related Research:
Strategic Planning Assumption: By 2025, 70% of organizations will consolidate the number of vendors securing the life cycle of cloud-native applications down to a maximum of three vendors.
Analysis by: Neil MacDonald
Key Findings:
The unique characteristics of cloud-native applications make them impossible to secure without a complex set of overlapping tools spanning development and production.
The use of multiple fragmented security testing approaches increases complexity, costs and the likelihood of misconfiguration, mismanagement or mistakes. This weakens the application’s security posture.
Understanding and addressing the true risk of cloud-native applications requires advanced analytics combining siloed views of application custom code risk, open-source component risk, cloud infrastructure risk and runtime workload risk.
The complexity problem is exacerbated as developers adopt serverless PaaS with no underlying OS to instrument and are increasingly responsible for programming more of the computing stack, including infrastructure.
Market Implications:
To support digital business initiatives, developers have embraced cloud-native application development. They typically combine microservices-based architectures built using containers assembled in DevOps-style development pipelines, deployed into programmatic cloud infrastructure and orchestrated at runtime using Kubernetes. Ideally, they are maintained with an immutable infrastructure mindset. This shift creates significant challenges in securing these applications.
Most notably, organizations have manually stitched together DevSecOps with 10 or more disparate security tools, some old and some new, each with a siloed responsibility and view of application risk. This results in blind spots and incomplete views of risk (see Survey Analysis: Enabling Cloud-Native DevSecOps).
Securing cloud-native applications offers enterprises the opportunity to redesign security approaches. Rather than treat development and runtime as separate problems — secured and scanned with a collection of separate tools — enterprises should treat security and compliance as a continuum across development and operations. They should look to consolidate tools into cloud-native application protection platforms where possible.
Recommendations:
Implement an integrated and converged security approach that covers the entire life cycle of cloud-native applications, starting in development and extending into production.
Evaluate emerging CNAPP offerings as contracts for CSPM and CWPP expire and use this opportunity to reduce complexity and consolidate vendors.
Integrate security into the developer’s toolchain, so that security testing is automated as code is created and moves through the development pipeline, reducing the friction of adoption.
Acknowledge that perfect apps aren’t possible, and focus developers on the highest-severity, highest-confidence and highest-risk vulnerabilities to avoid wasting developers’ time.
Scan all development artifacts and cloud configuration comprehensively and combine this with runtime visibility and configuration awareness to prioritize risk remediation.
Related Research:
Strategic Planning Assumption: By 2027, 50% of midmarket security buyers will leverage XDR to drive consolidation of workspace security technologies, such as endpoint, cloud and identity.
Analysis by: Peter Firstbrook
Key Findings:
Eighty percent of SRM leaders are looking to consolidate the number of security vendors and products to better manage risk and increase security operations productivity.
Security tools to protect the “workspaces” people use, such as endpoints, email and cloud SaaS applications, are mature. The difference between these security tools is less significant than how they fit into the organizations’ security operations.
Large security technology vendors with multiple products are increasingly combining them into broader solutions, tied together by a common data plane and an incident response capability commonly called XDR.
XDR will be an increasingly critical capability for buyers to evaluate when seeking strategic solutions.
Market Implications:
Workspace security is defined as the collection of security tools that protect the modern workspace used by knowledge workers. The core of workspace security is the endpoint protection platform (EPP). However, anti-phishing, SWGs, CASBs, remote access tools, multifactor authentication (MFA), data loss prevention (DLP), and mobile threat defense (MTD) are also critical workspace security tools.
Traditionally, buyers select the best specific security tools for each function, then use security information and event management (SIEM) and security orchestration and automated response (SOAR) tools to integrate the log data and perform investigations and automated actions. However, mainstream CISOs are getting frustrated by the complexity of this type of best-of-breed security stack. Lack of visibility into consolidated risk posture and the total cost of ownership (TCO) of a best-of-breed workspace security stack are often-cited concerns. Concurrently, solution providers with broad portfolios of these tools were often less well-integrated than their best-of-breed counterparts. However, this is changing, and a key enabler of this change is XDR.
Although there is debate about what constitutes an XDR, for the purposes of this prediction, XDRs are defined as tools that provide a common detection, alert management, and incident response capability across multiple security products. The goal of XDRs is to enable better visibility across multiple security tools and faster, more-accurate incident response, because these tools share data and are integrated with APIs to provide for semi-automated response capability across multiple tools.
For example, if the endpoint agent is compromised with Metasploit, and credentials are stolen and used to log into a cloud application, the XDR provides the incident responder with the CASB information that those credentials were used in cloud applications. The analyst can then use the XDR capability to trigger an automated action to revoke the credentials and suspend the cloud session, and use the integrated CASB log data to determine the extent of the breach.
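The correlation step in that scenario, as an added illustration rather than any vendor's XDR logic: an endpoint credential-theft alert is joined to cloud logins by the same identity within a time window, and the response actions (revoke credentials, suspend the affected cloud sessions) are derived from the linked events. The event format, identities, hostnames and application names are constructed for this example.

```python
"""Cross-source correlation of the kind an XDR performs: link an endpoint
(EDR) credential-access alert to subsequent cloud (CASB) logins by the same
identity, then derive response actions. All telemetry below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    source: str      # telemetry source: "edr" or "casb"
    time: datetime
    user: str        # the shared identity is the join key across sources
    kind: str        # "credential_access" (EDR) or "login" (CASB)
    detail: str      # free-text context, e.g. "<app> from <ip>"


# Constructed sample telemetry (hostnames, apps and IPs are placeholders).
EVENTS = [
    Event("edr", datetime(2021, 11, 30, 9, 2), "alice", "credential_access",
          "lsass memory read on WS-0412"),
    Event("casb", datetime(2021, 11, 30, 9, 20), "alice", "login",
          "crm-saas from 203.0.113.7"),
    Event("casb", datetime(2021, 11, 30, 9, 25), "alice", "login",
          "payroll-saas from 203.0.113.7"),
    Event("casb", datetime(2021, 11, 30, 8, 10), "alice", "login",
          "crm-saas from 198.51.100.2"),   # before the alert: not linked
    Event("casb", datetime(2021, 11, 30, 9, 30), "bob", "login",
          "crm-saas from 198.51.100.9"),   # other identity: not linked
]


@dataclass
class Incident:
    user: str
    trigger: Event                  # the EDR alert that opened the incident
    cloud_logins: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def correlate(events, window=timedelta(hours=2)):
    """Return one Incident per EDR credential-access alert that is followed,
    within `window`, by CASB logins for the same identity. Each incident
    carries the actions an analyst would trigger through the XDR console:
    revoke the identity's credentials and suspend every linked cloud session.
    Alerts with no matching cloud activity produce no incident."""
    triggers = [e for e in events
                if e.source == "edr" and e.kind == "credential_access"]
    logins = [e for e in events if e.source == "casb" and e.kind == "login"]
    incidents = []
    for alert in triggers:
        linked = sorted(
            (l for l in logins
             if l.user == alert.user
             and alert.time <= l.time <= alert.time + window),
            key=lambda e: e.time)
        if not linked:
            continue
        inc = Incident(user=alert.user, trigger=alert, cloud_logins=linked)
        inc.actions.append(f"revoke_credentials:{alert.user}")
        for login in linked:
            app = login.detail.split(" from ")[0]   # constructed format
            inc.actions.append(f"suspend_session:{alert.user}@{app}")
        incidents.append(inc)
    return incidents


def affected_apps(incident):
    """Extent-of-breach view: distinct cloud apps reached with the identity."""
    return sorted({l.detail.split(" from ")[0] for l in incident.cloud_logins})


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc.user, affected_apps(inc), inc.actions)
```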
Recommendations: SRM leaders responsible for workspace security should:
Evaluate workspace security packages united by XDR as a meaningful way to reduce the complexity of security operations.
Design EPP as the foundation of the XDR strategy with identity and email security as the top priorities for integration, followed by cloud and network security.
Consider data and API integration across the vendor’s portfolio, and with select partners, as a critical consideration.
Give consideration to how well the workspace security tools help to proactively detect and remediate configuration issues, which can be exploited by attackers.
Related Research:
A Look Back
In response to your requests, we are taking a look back at some key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale — one where we were wholly or largely on target, as well as one we missed.
This topic area is too new to have on-target or missed predictions.
Evidence
¹ Gartner’s 2020 Security and IAM Solution Adoption Trend Survey: This study was conducted to learn which security solutions organizations are benefiting from and what factors affect their choice/preference for such solutions. The research was conducted online during March and April 2020 among 405 respondents from North America, Western Europe and the Asia/Pacific (APAC) region. Companies from different industries were screened for having annual revenue less than $500 million. Respondents were required to be at manager level or above (excluding the C-suite), and to have a primary involvement and responsibility in risk management roles for their organization.
The study was developed collaboratively by Gartner analysts and the Primary Research Team that follows SRM.
© 2022 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates.