Microsoft Corp. today said that it’s buying CloudKnox Security Inc., a venture-backed startup with a cybersecurity platform designed to reduce the risk of breaches in enterprises’ public cloud environments.

The deal will strengthen Microsoft’s multicloud capabilities in a time when its top rivals are also expanding their focus on this area.

A sizable portion of cyberattacks targeting cloud environments use stolen user credentials. For example, hackers targeting a company’s cloud database may attempt to breach it by stealing login details associated with the account of a database administrator. CloudKnox helps prevent such cyberattacks.

The startup’s platform scans an organization’s public cloud environment to find all active user accounts. It then identifies unused accounts that a company should remove to reduce the chance of hacking. The fewer accounts there are with access to sensitive components of a cloud environment, the less risk there is of hackers steaming login credentials and gaining access. 

CloudKnox also detects when a user account has access to more components of a cloud environment than is strictly necessary. For example, the information technology team at one of a company’s subsidiaries may have access to the virtual machines of another subsidiary, though it plays no active part in managing the latter unit’s infrastructure. 

Removing such unnecessary access permissions limits the impact of cyberattacks. When the number of systems that an account can access is reduced, so is the amount of data that might be compromised if hackers somehow obtain the account’s login credentials.

Through the acquisition of CloudKnox, Microsoft is gaining capabilities for managing not only users’ access to cloud resources but also the access permissions of those cloud resources themselves. Like a company’s employees, cloud resources need access permissions to interact with technology assets. An accounting application must be given permission to access the finance team’s transaction database, while a breach prevention tool needs access to a company’s cloud virtual machines before it can start collecting security logs.

Managing the permissions of cloud resources is even more complicated than securing user accounts. A company may have tens or even hundreds of thousands of individual virtual machines, applications, scripts, serverless functions and other components in its cloud environment that all need access permissions. Like it does with user accounts, CloudKnox’s platform helps remove unnecessary and overly broad access permissions.

The platform’s major selling point is that it provides information about permission-related security issues in single, centralized dashboard. This consolidated view solves a major challenge for enterprises, Joy Chik, the corporate vice president of Microsoft’s Identity unit, wrote in the blog post announcing the acquisition. 

“While organizations are reaping the benefits of cloud adoption, they still struggle to assess, prevent, enforce and govern privileged access across hybrid and multicloud environments,” the executive explained. “Traditional Privileged Access Management and Identity Governance and Administration solutions are well suited for on-premises environments, however they fall short of providing the necessary end-to-end visibility for multi-cloud entitlements and permissions.”

Microsoft will use CloudKnox’s technology to extend the capabilities of its Azure Active Directory service. Azure Active Directory enables administrators to centrally manage how employees access a company’s IT infrastructure and applications. 

At the same time, the deal boosts Microsoft’s multicloud capabilities. CloudKnox can provide a centralized overview of user and application access permissions not only in one environment but across all a company’s cloud deployments. The startup’s platform supports Microsoft’s Azure public cloud, as well as the platforms of competitors Amazon Web Services Inc. and Google LLC.

David Mahdi, a research vice president with Gartner Inc., told SiliconANGLE that cloud identity entitlement management or CIEM solutions such as CloudKnox’s will help Microsoft offer enhanced identity security and controls to cloud environments.

“Microsoft recognizes the fact that identity is critical to security, and security is critical to hybrid and multicloud environments,” he said. “As such the acquisition of CloudKnox brings additive identity security controls to Microsoft’s existing Azure identity and security suite. For the sector overall, this highlights the critical relationship of identity and cloud security.”

Microsoft was taking a multicloud approach with its cybersecurity product portfolio even before the CloudKnox acquisition. Azure Active Directory works with competing cloud platforms such as AWS. So does Microsoft’s Azure Sentinel service, which centrally analyzes cybersecurity data from all of a company’s cloud environments to spot potential breaches.

Microsoft’s top infrastructure-as-a-service rivals have likewise been expanding their multicloud capabilities to support the growing number of enterprises adopting this approach. Google offers BigQuery Omni, which enables Google Cloud customers to analyze data on other platforms, and Anthos for building multicloud application environments. AWS, meanwhile, late last year introduced tools that can be used to manage workloads on competing clouds.

Microsoft’s announcement today that it’s buying CloudKnox comes just days after its previous cybersecurity acquisition. The company earlier this month said that it will spend $500 million to buy RiskIQ Inc., whose software helps organizations find and fix security vulnerabilities in their cloud environments.

Another market where acquisitions have played a big role in Microsoft’s cloud product strategy is the carrier networking segment. Last year, the company spent more than $1 billion to acquire two major makers of software for managing 5G networks. The offerings that Microsoft’s obtained through the deals now form a core part of Azure’s portfolio of cloud services for carriers.

Photo: Microsoft