IBM’s Polar Buy Creates Focus on a New ‘Shadow Data’ Cloud Security Area

IBM’s purchase of Polar Security for an undisclosed sum on May 16 has focused attention on an emerging market space that, until recently, didn’t even have a formal name associated with it.

Polar is among an increasing number of startups — many based in Israel — that offer a new class of tools, built to accomplish “data security posture management (DSPM).” They help organizations discover, monitor, and secure sensitive data across hybrid and multi-cloud environments. To that end, IBM will integrate Polar’s technology with its Guardium portfolio of data security products. 

The Polar acquisition is IBM’s fifth so far this year.

Data Classification in the Cloud

The key selling point of products from Polar and companies like it is their ability to automatically classify discovered data in these environments (in addition to monitoring user access and discovering threats to the data) — so security teams can protect it better. Many of the technologies, including Polar Security’s DSPM platforms, are agentless and have the claimed ability to automatically discover sensitive data in minutes and to classify it into categories such as PII, PHI, and PCI.

Gartner, which gave the category its name last year, describes DSPM products as enabling organizations to discover shadow data — structured and unstructured — in repositories across cloud service providers, data lakes, and SaaS environments. The analyst firm has predicted that more than 20% of organizations will deploy a DSPM capability by 2026 because of “urgent requirements to identify and locate previously unknown data repositories and to mitigate associated security and privacy risks.”

IBM’s purchase of Polar gives the company immediate access to technology that will help it compete in the market segment with a growing number of pure-play vendors, and vendors expanding into the space from other markets such as cloud security posture management and cloud DLP. Examples of pure-play DSPM vendors include Laminar, Cyera, and Dig, while Wiz, Varonis, Orca — and now IBM — are all vendors that have added DSPM to their technology portfolio over the past year.

A Vibrant DSPM Market

Richard Stiennon, chief research analyst at IT-Harvest, says his firm currently tracks over a dozen vendors in the market. “DSPM is a vibrant space with at least 16 players,” Stiennon says. 

Polar, which launched in 2021, was in the middle of the pack with about 30 employees at the time of purchase, he notes, adding, “IBM Tech Fund had participated in the $8 million seed funding, so they have had visibility into Polar for at least 16 months.” Among the larger vendors in the space are Wiz, Laminar with about 95 employees, and Cyera with a headcount of some 75, Stiennon says.

A lot of the enterprise interest in the space stems from growing concerns over data exposure in cloud and SaaS environments. Just like shadow IT is a problem, shadow data — or sensitive data in cloud databases, AWS S3 buckets, and other repositories stored across multiple environments — has become a real and pressing problem for many organizations.

“Sensitive data discovery and classification has become a top priority [for organizations],” says Justin Lam, an analyst with S&P Global Market Intelligence. A recent survey of technology decision makers that the analyst firm conducted showed that for many organizations, DSPM has become a top technology priority for 2023, he adds. 

“A lot of enterprises are waking up to the fact they need to find out what data they have in the cloud,” Lam says. “How do I find out what it is, how risky it is, what kind of non-public info is out there in the cloud. These are all huge concerns.”

IBM’s Cloud Security Investment: Triggering a Landgrab?

Analyst firm Omdia expects the IBM acquisition of Polar to push other technology heavyweights into the space as well. As has often been the case with new technologies, a lot of the initial proponents of DSPM are startups. But that could change quickly as bigger players move into the space. 

“We have seen such landgrabs before — in data leak prevention in the mid-2000’s, cloud access security brokers in the mid-2010’s, and cloud security posture management later in the last decade,” says Rik Turner, analyst with Omdia.

Turner describes the DSPM market as still largely immature or moving just beyond that phase. To date, it has been all about startups, many of them from Israel, raising early rounds of venture capital money and starting to evangelize about DSPM. Until Gartner came up with a name for the category, many of the players in the space were positioning themselves as providing cloud data posture management and DSPM together, he says.

IBM’s purchase has raised the profile of DSPM as a technology and potentially puts other cyber industry majors in the market to buy one of Polar’s competitors. Already, there are some rumors that Laminar is in talks with a potential buyer or two, Turner says. 

“Now, alongside the startups, we have not only Big Blue jumping in but also CSP vendors like Orca and Wiz, both of whom are adding some DSPM capabilities,” Turner notes. “It may be too early to see IBM’s acquisition of Polar as the tipping point, but if Laminar does indeed go to one of the bigger beasts, the land grab really will have begun.”