Thycotic acquires Onion ID to expand privileged access tools to the cloud

By Robert Scammell

Cybersecurity firm Thycotic has acquired privilege access management platform Onion ID for an undisclosed figure to expand its privileged access tools to cloud-based applications.

As part of the deal Thycotic will launch three new products in the privilege access management market that cover software as a service (SaaS) applications and infrastructure as a service (IaaS) technologies.

Prior to the acquisition, Thycotic’s portfolio focused on privilege access management for endpoints. Privilege access management is a technological system that limits who can access the most important parts of an organisation’s IT network. By restricting access to just the times it is needed, it reduces the attack surface of a business.

The new additions to the firm’s portfolio are Thycotic Cloud Access Controller, which gives administrators greater control over platforms such as Amazon Web Services; Thycotic Remote Access Controller, which automates the management process for employees accessing the network remotely; and Thycotic Database Access Controller, which brings appropriate access levels and multi-factor authentication to modern databases and logs database access sessions.

These were all existing Onion ID products, but not all had been released before the acquisition. They have now been rebranded and integrated into Thycotic’s business. Thycotic had been looking to expand its offering to provide privilege access management tools to cloud applications and decided to purchase Onion ID instead of developing it own tools from scratch.

“What Onion ID does is allow us to do is expand what we were doing in privileged access and least privilege for infrastructure, such as domain active directory, vulnerability scanners, Wi-Fi access, business applications. It’s allowed us to apply that same principle for cloud-based applications,” said Joseph Carson, chief security scientist at Thycotic.

It means, for example, that when customers log in to a SaaS-based application such as Salesforce, Thycotic customers can now apply the principle of least privilege to “buttons and icons within those web interfaces”, creating an additional layer of security.

Pandemic heightens remote working security challenges

Thycotic’s decision to acquire Onion ID was made before the coronavirus pandemic disrupted much technology deal-making activity.

“The pandemic didn’t have any influence on our date or strategy,” Carson told Verdict, adding that Thycotic is still looking into other technologies to acquire but it “doesn’t have anything close to closure”.

However, the sudden shift to remote working triggered by lockdown measures has created new cybersecurity challenges for organisations, highlighting the need for security professionals to be able to limit levels of access that employees have in a company network.

“With the sudden growth of remote workforces across the globe, privileged access security controls must also account for ordinary business users, like those in finance and marketing, who are accessing sensitive and privileged corporate data from untrusted devices on untrusted networks,” said James Legg, president and CEO at Thycotic.

“With the addition of Onion ID, we are now able to implement fine-tuned Role Based Access Controls across any web-based application, IaaS console, and cloud-hosted database, while providing flexible multi-factor authentication that gives security leaders a significantly easier way to ensure secure access paths for remote employees.”

Anirban Banerjee, CEO and founder at Onion ID, said: “By joining forces with Thycotic, we are enhancing our commitment to delivering user-friendly authentication, authorisation and auditing to cloud servers, databases and applications.

“We are launching a diverse set of next-generation PAM 2.0 offerings in the market which will enable enterprise customers to elevate their security controls above and beyond current best of breed solutions and reduce costs with secure remote access.”

Founded in 1996, Thycotic provides privileged access management solutions to more than 10,000 organisations. It counts 25 companies from the Fortune 100 among its customers.

Read more: Nearly a quarter of remote workers do not consider data protection when sharing information