Palo Alto Networks Acquisition of CyberArk is the Right Strategic Direction
You can't do Zero Trust without Identity and Access Management
This month, Palo Alto Networks (a cybersecurity orchestration platform vendor) announced an agreement to acquire CyberArk (an identity platform) for about $25 billion. I have no idea if this is a great financial decision for Palo Alto Networks, but I do know that it’s absolutely the right strategic direction for their platform; indeed for all orchestration platforms. Frankly, I’m a bit surprised that it has taken so long for any of them (Cisco, Fortinet, Check Point, Juniper Networks, and Palo Alto Networks) to decide that identity is a key and essential part of their products.
To understand my reasoning though, you have to understand a few things:
The evolution of security orchestration
How security vendor products responded to that change
The importance of Zero Trust as a strategy
The IAM services needed in an orchestration platform
Let’s dig in.
The Evolution of Security Orchestration
Orchestration, viewed through a cybersecurity lens, is the act of deploying, maintaining, and updating security controls for the tools in your security stack wherever they are deployed.
When the evil hackers behind the Wicked Spider attack campaign change one of their tactics, the good guy network defenders respond. They update their counter campaign by deploying new controls designed to detect and/or prevent that technique in every tool they have deployed.
In the early Internet days (the late 1990s), orchestration wasn’t a problem. We only had three tools in the security stack: a firewall, an intrusion detection system, and an antivirus system. When we wanted to make a change to the policy, we manually logged into each tool and made the change.
Today, our environments have morphed into enormously complex systems-of-systems deployed across multiple data islands (hybrid cloud, SaaS, internal data centers with legacy systems, and mobile devices). If you are a medium-sized to Fortune 500 organization, you likely have anywhere from 20 to 75 security tools deployed in your stack (depending on which CISO survey you read); tools like cloud security, firewalls, endpoint security, SIEM, SOAR, yada, yada. The list of possibles is long.
Orchestrating the security stack, across all those data islands, in some consistent manner, with velocity, is exponentially hard to do compared to the early days. Truth be told, most of us don’t do it very well at all.
From the early 1990s to about the early 2010s, many network defenders were enamored with the idea of the best-of-breed tool. If there were 20 vendors that sold an Anti-Wicked-Spider tool, network defenders would spend months conducting vendor tool bakeoffs to decide if vendor X’s 100-feature tool was slightly better than vendor Y’s. Once they decided, they added that tool to their already growing list of tools in the security stack. We called them point products; one tool for each point of functionality. When you added one tool to the security stack though, the management complexity didn’t grow linearly. It grew exponentially.
After 20 years of that, some of us got tired of managing all of that complexity ourselves; all of those point products. We came to believe that complexity was the enemy of security. We might have the best security tools on the planet, our best-of-breed security stack, but if we didn’t configure them properly in a timely manner, we may as well not have gone through all of that bakeoff trouble in the first place. This is where orchestration platforms came in.
How Security Vendor Products Responded to Security Orchestration
Orchestration platforms combine a gaggle of security tools into one place. Instead of individual tools that give you the features of, say, a firewall, an intrusion detection system, and an anti-malware system (that you have to buy, deploy, maintain, and update individually), you deploy one platform that does everything. Maybe you can’t afford the intrusion detection system this year. But next year you can. Instead of deploying a completely new tool separately, you just reach into the orchestration platform and turn it on like a software subscription. No fuss, no muss.
Admittedly, the platform tools are probably not the best-of-breed tools that you would get in a bakeoff. That goes without saying. But they are good enough tools to get the job done and with a lot less complexity.
Security pundits, like Jon Oltsik (the principal analyst at Enterprise Strategy Group back then), started talking about this concept as early as 2015. All-in-one orchestration platforms started appearing in the market around 2017 from the big firewall vendors such as Check Point, Cisco, Fortinet, Juniper, and Palo Alto Networks.
The Importance of Zero Trust as a Supporting Strategy
I published a book in 2023 called Cybersecurity First Principles: A Reboot of Strategy and Tactics.
In it, I make the case that the absolute cybersecurity first principle, regardless of the vertical and regardless of the size, is this:
Reduce the probability of material impact due to a cyber event in the next business cycle.
Assuming that you agree with me, several potential supporting strategies emerge that infosec leaders may pursue that would greatly aid the achievement of that first principle goal.
Zero Trust: Reduce access to the attack surface based on need to know.
Intrusion Kill Chain Prevention: Deploy countermeasures to the security stack based on known attack campaigns.
Resilience: Survive the attack, not prevent it.
Risk Forecasting: If you can’t calculate your current probability of a material cyber event, you certainly can’t tell if your adopted strategy is reducing it.
Automation: Eliminate all manual work that has no intrinsic value (The Toil as Google likes to say).
Work Force Development: Manage your team like Brad Pitt in Moneyball.
This is not a checklist. They are distinct strategies, the “what” we are trying to do. In a world of limited resources, infosec leaders have to choose strategies that have the biggest bang in terms of risk reduction with the resources at hand. In many cases, you might only have the resources to pursue one.
Ever since John Kindervag published his original white paper in 2010, “No More Chewy Centers: Introducing The Zero Trust Model Of Information Security,” Zero Trust has been growing in popularity. In a 2024 report, Gartner analysts said that most of their customers are pursuing Zero Trust as their primary risk reduction strategy and security vendors have responded. Before the AI craze hit a couple of years ago, you couldn’t talk to a vendor without hearing how their product supports Zero Trust.
Orchestration platforms, especially those that evolved from next generation firewalls, were particularly suited to help pursue Zero Trust journeys. The old stateful inspection firewalls (from the 1990s to the mid 2000s) blocked bad guys based on IP addresses and ports. They are layer 3 and layer 4 firewalls (the network and transport layers of the stack). Example: block all the IP addresses associated with the Wicked Spider command and control server.
By contrast, next generation firewalls are layer 7 firewalls; application firewalls. Infosec practitioners build rules based on the running application tied to the authenticated user. Example: Block access to TikTok from all employees except the marketing department.
And there you have it. I’ve finally tied all of this back to Identity and Access Management (IAM). You can’t do Zero Trust if you can’t do IAM, and you can’t write the identity-aware layer 7 rules that Zero Trust calls for unless you know who the user is. But orchestration platforms haven’t traditionally provided IAM services as part of the platform. They have relied on APIs that connect back to whatever IAM services the customer is using.
IAM Services Needed in an Orchestration Platform
The Palo Alto Networks purchase of CyberArk is a signal that the leadership of one of the most successful orchestration platforms in the market has decided that IAM should be inherent in their platform. I expect that we will soon see the other orchestration vendors follow the Palo Alto Networks lead.
I want to be clear here though, IAM is two distinct things. The first is validating that the identity of the thing is really the thing. The thing, in this case, can be a person, a device, an application, or a piece of homegrown software. Once we’re satisfied that the thing is the thing (and Kindervag would say that we should routinely recheck that over and over again), then we can get to the second part, the access part. Is this new thing authorized to connect to this other thing that we’ve already validated? To accomplish this, the orchestration platform should support these three Zero Trust tactics:
Identity governance and administration (IGA): The policy layer. The IT, security, and business leaders who decide (and periodically recertify) which identities should be allowed to reach which resources, and the tooling that records those decisions.
Privileged identity management (PIM): The system that dynamically manages the identities themselves, especially the privileged ones: provisioning and deprovisioning, group membership, and what each identity is entitled to access.
Privileged access management (PAM): The enforcement point. It brokers and records privileged sessions and applies the rules created through IGA to the identities managed in the PIM.
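To make the layer 3 versus layer 7 distinction above concrete, and to show the split between defining policy (IGA), managing identities (PIM), and enforcing it (PAM), here is a small added example in Python. It is illustrative code written for this post, not code from Palo Alto Networks, CyberArk, or any product; the users, groups, IP addresses, rules, and the MAX_IDENTITY_AGE threshold are all constructed. It evaluates a first-match, default-deny policy in which address-based rules need nothing but the packet, while an identity-based rule cannot match at all until the source address has been bound to a verified user, and a binding that is too old is treated as unknown rather than trusted (Kindervag's recheck-it-over-and-over).

```python
"""Added example: address-based (layer 3/4) vs. identity-aware (layer 7)
policy evaluation with a default-deny posture.
Hypothetical code; every user, group, IP and rule below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# --- PIM side: which identity sits behind which address -------------------
# A firewall learns this mapping from the identity source. Each binding
# carries the time it was last verified so that a stale one is re-checked,
# not trusted forever. Times are plain integer seconds for the example.
@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    verified_at: int

IDENTITY_MAP = {                                        # constructed sample data
    ip_address("10.1.1.10"): Identity("alice", frozenset({"marketing"}), 100),
    ip_address("10.1.1.11"): Identity("bob", frozenset({"engineering"}), 100),
    ip_address("10.1.1.12"): Identity("carol", frozenset({"marketing"}), 10),
}
MAX_IDENTITY_AGE = 60   # assumption: bindings older than this must be re-verified

# --- IGA side: the policy the business owners signed off on ---------------
@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "allow" or "deny"
    src: Optional[str] = None           # CIDR (layer 3)
    dst_port: Optional[int] = None      # port (layer 4)
    app: Optional[str] = None           # application (layer 7)
    groups: frozenset = frozenset()     # identity; empty means "any user"

POLICY = [                                              # first match wins
    Rule("block-c2", "deny", src="203.0.113.0/24"),                 # layer 3
    Rule("marketing-tiktok", "allow", app="tiktok",
         groups=frozenset({"marketing"})),                          # layer 7 + identity
    Rule("no-tiktok", "deny", app="tiktok"),                        # everyone else
    Rule("web", "allow", dst_port=443),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    app: Optional[str] = None   # as identified by the firewall, if at all

# --- PAM side: enforcement ------------------------------------------------
def resolve_identity(src_ip: str, now: int) -> Optional[Identity]:
    """Return the verified identity bound to src_ip, or None if unknown/stale."""
    ident = IDENTITY_MAP.get(ip_address(src_ip))
    if ident is None or now - ident.verified_at > MAX_IDENTITY_AGE:
        return None
    return ident

def rule_matches(rule: Rule, flow: Flow, ident: Optional[Identity]) -> bool:
    if rule.src is not None and ip_address(flow.src) not in ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != flow.dst_port:
        return False
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.groups:
        # Identity-based rule: with no verified identity there is nothing to
        # match against, so the rule does not apply and evaluation moves on.
        if ident is None or not (rule.groups & ident.groups):
            return False
    return True

def evaluate(flow: Flow, now: int = 120):
    """First-match evaluation. Returns (action, rule_name); default deny."""
    ident = resolve_identity(flow.src, now)
    for rule in POLICY:
        if rule_matches(rule, flow, ident):
            return rule.action, rule.name
    return "deny", "default-deny"

if __name__ == "__main__":
    for f in (Flow("10.1.1.10", 443, "tiktok"),   # alice, marketing
              Flow("10.1.1.11", 443, "tiktok"),   # bob, engineering
              Flow("10.9.9.9", 443, "tiktok"),    # no identity binding at all
              Flow("10.1.1.12", 443, "tiktok"),   # carol, binding too old
              Flow("203.0.113.5", 443),           # address on the C2 block list
              Flow("10.1.1.11", 22)):             # nothing matches
        print(f, "->", evaluate(f))
```

Two things are worth noticing. First, the layer 3 rule needs only the packet, but the marketing exception cannot be evaluated for 10.9.9.9 (never mapped) or for carol (mapped, but last verified too long ago), so both fall through to the application-wide deny: an identity gap fails closed instead of open. Second, the same identity data drives the decision at the enforcement point, which is exactly why a platform that enforces identity-aware rules wants to own, rather than merely query, the identity source.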
In the 2024 Magic Quadrant for Privileged Access Management, Gartner places CyberArk furthest along on both completeness of vision and ability to execute. Ironically, Palo Alto Networks leadership has bought themselves a best-of-breed IAM platform to integrate into their good-enough security stack toolset. $25 billion is a lot of money to pay for a company, but deciding to make IAM services part of the orchestration platform is strategically the right direction.
Source
Staff, 2025. Palo Alto Networks Announces Agreement to Acquire CyberArk, the Identity Security Leader [Press Release]. Palo Alto Networks. URL https://www.paloaltonetworks.com/company/press/2025/palo-alto-networks-announces-agreement-to-acquire-cyberark--the-identity-security-leader
References
Jon Oltsik, 2018. The evolution of security operations, automation and orchestration [Explainer]. CSO Online. URL https://www.csoonline.com/article/3270957/the-evolution-of-security-operations-automation-and-orchestration.html
Jon Oltsik, 2015. Malware? Cyber-crime? Call the ICOPs! [Explainer]. CSO Online. URL https://www.csoonline.com/article/551841/malware-cyber-crime-call-the-icops.html
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Forrester Research (copy hosted by Palo Alto Networks). URL https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf
John Watts, Thomas Lintemuth, Dale Koeppen, 2024. Top 3 Recommendations From the 2024 State of Zero-Trust Adoption Survey [Survey]. Gartner. URL https://www.gartner.com/en/documents/5286863
Abhyuday Data, Michael Kelley, Nayara Sangiorgio, Felix Gaehtgens, Paul Mezzera, 2024. Magic Quadrant for Privileged Access Management [Analysis]. Gartner. URL https://www.gartner.com/doc/reprints?id=1-2IPKTNM1&ct=240903&st=sb