Phone Number +1-202-802-9399 (US)

Thycotic is now Delinea!

The Lockdown

Thycotic’s Cyber Security Blog

Thycotic Extends PAM Cloud Leadership with Acquisition of Onion ID


Written by Kali Linette

June 2nd, 2020

WASHINGTON, D.C., June 2, 2020 — Thycotic, provider of privileged access management (PAM) solutions to more than 10,000 organizations, including 25 of the Fortune 100, announces the acquisition of PAM solution provider Onion ID. With the acquisition, Thycotic adds three new products to its PAM portfolio: Thycotic Remote Access Controller, Thycotic Cloud Access Controller and Thycotic Database Access Controller. This acquisition extends Thycotic’s industry leadership for emerging PAM use cases protecting access to SaaS applications, IaaS infrastructure, and ensuring remote workers stay productive and secure.

“With the sudden growth of remote workforces across the globe, privileged access security controls must also account for ordinary business users, like those in finance and marketing, who are accessing sensitive and privileged corporate data from untrusted devices on untrusted networks,” said James Legg, President and CEO at Thycotic. “With the addition of Onion ID, we are now able to implement fine-tuned Role Based Access Controls across any web-based application, IaaS console, and cloud-hosted database, while providing flexible multi-factor authentication that gives security leaders a significantly easier way to ensure secure access paths for remote employees.”

Anirban Banerjee, CEO and Founder at Onion ID, adds, “By joining forces with Thycotic, we are enhancing our commitment to delivering user-friendly authentication, authorization and auditing to cloud servers, databases and applications. We are launching a diverse set of next-generation PAM 2.0 offerings in the market which will enable enterprise customers to elevate their security controls above and beyond current best of breed solutions and reduce costs with secure remote access.”

Enforcing Zero Trust for Remote Workers and Third-Party Access

The explosion of remote workforces have led enterprises to adopt a Zero Trust security approach for remote employees and third parties who need access to corporate resources. The principle of least privilege should guide all remote access channels, ensuring that third parties have access to only those resources required to do their jobs. Security teams must control who can access what and when, in order to protect corporate resources and comply with regulatory mandates.

Thycotic Remote Access Controller solves this by simplifying and automating the management of remote workers accessing the IT resources. The Controller uses multi-factor authentication (MFA) and session recording, without requiring any software or browser extensions, to provide an advanced level of security granularity to enforce corporate security and compliance policies. With its API suite that can be integrated into automated workflows and ticketing systems, Remote Access Controller streamlines access grants for contractors within a centralized web portal.

Protecting Enterprise Cloud Assets

With 80 percent of IT budgets already committed to cloud solutions, Gartner warns that the move to the cloud does complicate PAM challenges. For most organizations this then makes PAM unmanageable without automated processes and specialized tools.

Thycotic Cloud Access Controller ensures that administrators accessing IaaS platforms such as Amazon Web Services (AWS) and SaaS applications like Salesforce and Twitter maintain appropriate Role Based Access Controls (RBAC) which dictate what each user can click, read, or modify within any web application.  Administrators also have a centralized dashboard which displays what applications have been accessed, access removal, audit report production and more, for tighter security and streamlined compliance.

Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, said, “Cloud Management consoles, like those on Azure, AWS, and GCP, pose significant security risks to every company. Over-privileges are a common fact and most organizations lack granular visibility into whether privileged users have unnecessary entitlements and provisions.” 

Controlling Access to Databases

The increased adoption of cloud-hosted databases have further complicated privileged access and compliance requirements for security teams. Databases containing sensitive employee and customer PII are an increasing area of focus for auditors and are prime targets for hackers. 

Thycotic Database Access Controller enables enterprises to adopt modern cloud databases from AWS (RDS), Google, Azure, Oracle, Redis, and others, while still enforcing appropriate access levels, MFA, and complete reporting and auditing workflows. Now customers can record entire database access sessions, provide just-in-time access, report and log actions, generate alerts and cut off connections in an automated manner. Database access management is no longer manually intensive or complicated.

“The recent wave of remote workers has accelerated enterprise adoption of cloud apps and platforms, causing more corporate resources to be exposed to the public internet,” said Lamont Orange, Chief Information Security Officer (CISO) of Netskope, current customer of Onion ID. “These conditions have created a heightened risk environment for any infosec team. Implementing least privilege for remote BYOD workers who need privileged access to hundreds of SaaS applications is a huge challenge that the combination of Onion ID and Thycotic is uniquely positioned to solve.”

“The very definition of privileged access has undergone a paradigm shift due to the changing landscape of work — from central offices to personal residences on the edge,” said Jai Dargan, Vice President of Product Management at Thycotic. “Legacy appliance-based PAM solutions have not been effective in extending privileged access controls to cloud environments and are simply unusable as password vaults for business users. This acquisition extends Thycotic’s security umbrella over every user, application, and secret, securing high-risk cloud resources that have historically been the domain of conventional IAM vendors.”

Financial terms of the Onion ID deal have not been disclosed. As part of the transaction, Onion ID will operate under Thycotic brand and leadership.