IBM shines a light on ‘shadow data’ with Polar Security buy

IBM made its fifth acquisition of 2023, scooping up California-based cloud security firm Polar Security for an undisclosed sum. Eric Maass, Director of Data Security Product Management at IBM Security, told Silverlinings the deal will help IBM address a “very large and pervasive” problem in enterprise security. 

Polar Security is one of a handful of young companies playing in the data security posture management (DSPM) space, which focuses on providing visibility into where sensitive data resides across clouds and applications and who can access it (or who already has), and on remediating any risks that are identified.

The technology is especially pertinent as it relates to so-called “shadow data,” or data which exists outside of known parameters set by IT. This can include data which was copied from a production environment to train an AI model in the cloud and then left to sit there unprotected, or even something as simple as HR data which was shared between managers in a Slack channel. Given that personally identifiable information (PII), credit card details, HR and healthcare data can be strictly regulated, shadow data presents a real legal and financial risk for companies.

Maass said DSPM and concerns about shadow data have only really been a topic of interest in the last 18 to 24 months. But venture capital quickly latched on and Maass said it’s now something IBM is hearing about from every CISO it is speaking to. 

“If I’m responsible for data security as the CISO or chief risk officer or chief data officer, I’m really concerned first and foremost that I don’t even know where my data is and I don’t even know what’s at risk from a compliance perspective,” Maass said. “Every company out there is very rapidly adopting cloud and SaaS applications, but very few of them can answer these tough questions.” 

He added that it’s not just CISOs who have taken notice, but also hackers. The latter are increasingly targeting cloud and SaaS resources because they know these are a blind spot for enterprises.

“They know there’s a lack of visibility into where this data may exist. They know there’s a lack of control, so it’s an easy target at the moment,” Maass said. 

Lay of the land 

According to Gartner, DSPM vendors include Securiti, Symmetry Systems, Dig Security, Laminar, Sentra, Cyera, Concentric AI, TrustLogix, Flow Security, Veza and, of course, Polar Security. While all of these companies are relatively young, Maass said IBM felt Polar Security was one of the best at not only scouring cloud environments but also SaaS applications to shine a light on shadow data.  

Founded in 2021 by cybersecurity veterans Dov Yoran, Guy Shanny and Roey Yaacovi, Polar Security emerged from stealth in January 2022 with $8.5 million in seed funding in hand. Tom Noonan, VP and GM of IBM Security, was among the initial investors in the company in a funding round led by Glilot Capital Partners and the IBI Tech Fund. 

Maass said Polar Security’s technology not only identifies but also classifies shadow data and shows not just who has accessed the data but who could. The latter is key in identifying not only existing risks but potential ones as well. Additionally, Maass said Polar Security’s technology understands cloud native controls, can incorporate changing cloud policies and can help map data flows across a company’s cloud and SaaS environments.

IBM plans to integrate Polar Security’s tech into its Guardium product. That’s largely because Maass said IBM has found enterprises want data security platforms rather than a portfolio of products, so it’s adjusting accordingly. He added it’ll be “a near term integration for us” rather than a process which takes several years. 

Once that’s done, IBM will be able to tackle what Maass characterized as a sprawling addressable market which spans nearly every vertical – or at least every enterprise which uses the cloud or SaaS applications. 

“This is really a problem that is just so real for every client that we speak to regardless of their industry,” he said. “It’s a rare circumstance where you have such a large addressable market.” 

The acquisition of Polar Security is IBM’s fifth so far this year, following deals to buy GraphQL API company StepZen Inc. and network automation company NS1. IBM does not appear to have disclosed the other purchases. In 2022, it acquired eight companies and since April 2020 has scooped up more than 30.