I should note that this post focuses on the acquisition. I'll be doing a follow-up post regarding why I think IDM and DLP are complementary solutions and fit well together.
CA are one of the leaders in the Identity and Access Management software marketplace. Most would group them with IBM, Oracle and Sun as the leaders. As I've said recently, they've been going from strength to strength and I probably don't need to say too much more about them at the moment.
Orchestria are a very strong player in the DLP space and well respected. They are a very strong competitor to Symantec (they acquired Vontu, who many considered to be the leader in DLP software) and have the typical DLP components covered off: endpoint controls, network monitoring, data-at-rest capabilities and email server controls. I haven't actually seen their products in action so I can't comment on whether they can do everything they claim, but they tick most of the boxes on a marketing slide and in RFPs. In other words, CA made a good choice in picking Orchestria from a "perception" standpoint. If the technology works as specified, they're on to a winner.
What this means is that CA's got a head-start on everyone else. It'll be interesting to see what they do with it. Early signs are good because they've already stated they see close links with their IDM suite. They may need to watch IBM because IBM ISS offers a data security managed service, but IBM as a whole will never be able to get their act together to compete (if someone wants a combined IDM + DLP solution) unless Tivoli acquires the other vendors mentioned (one of which is Verdasys, who I used to work for). As an aside, the gentleman who runs CA's Identity and Access Management EMEA organisation knows his DLP. How do I know this? Because we used to be colleagues at Verdasys. So there's another "tick in the box" for CA.
I haven't been able to find other commentary on this acquisition (apart from publications spitting out the press release) except for this article from NetworkWorld. Dave Hansen, CA's corporate senior vice president and general manager, CA Security Management, is quoted as saying:
"We were not competing in this space, and our two main competitors don't have data-leak prevention."
He's referring to IBM and Oracle if my interpretation of the article is correct (he's mostly right if you don't count the IBM ISS capabilities I mentioned above - I think he's referring to IBM Tivoli Software though so I'll let it pass). In fact, the only Identity and Access Management vendor that sells DLP software is RSA (via their acquisition of Tablus) in the form of their DLP Suite. Unfortunately for RSA, they still don't have a provisioning product, which is why none of the large IDM suite vendors ever thinks of them as being a serious competitor. I should point out that Novell has some data security stuff, but nothing that would make anyone take them seriously.
The article also makes reference to Dave's comment as follows:
"While CA says its primary competitors in the identity and access management market -- IBM and Oracle -- don't have such DLP capabilities, Symantec does."
I don't mean to pick on the article, but what's the point of mentioning Symantec? It might as well have said McAfee...or Trend Micro...or any vendor that has Antivirus products and claims to also do DLP. Kaspersky, Check Point, Sophos...I could go on but I won't. I think the writer's referring to the fact that CA and Symantec are competitors in the security market, but we're talking Antivirus products and NOT Identity and Access Management software (where Symantec are not a player).
All things considered, this is a good move for CA.
Update: My post on why I think IDM and DLP are a good fit is here.