Website security company Cloudflare plans to round out its SASE service by adding cloud-based email security with its acquisition of Area 1 Security for nearly $162 million.

In 2021, Area 1 Security blocked over 40 million phishing attempts to business email, malware, ransomware and other threats, according to the company. Phishing attempts targeting business email cost US businesses over $1.8 billion, according to the FBI's Internet Crime Complaint Center 2020 Internet Crime Report.

"Email is the largest cyber-attack vector on the Internet, which makes integrated email security critical to any true Zero Trust network," said Matthew Prince, co-founder and CEO of Cloudflare, in a statement.

Cloudflare's global network blocks about 86 billion cybersecurity threats daily, according to the company.

Cloudflare's initial foray into the email security market came in 2021 with its launch of the Advanced Email Security Suite and tools to generate custom email addresses, manage incoming email routing, and prevent email spoofing and phishing in outgoing emails. In addition, the company launched Email Security DNS Wizard last year, which was its first email security product to address spoofing and phishing. Cloudflare has also been using Area 1's email security internally for its own employees since 2020.

"With Area 1, we've been able to proactively identify phishing campaigns and take action against them before they cause damage," wrote Cloudflare CTO John Graham-Cumming in a blog post. "We saw a significant and prolonged drop in phishing emails. Not only that, the Area 1 service had little to no impact on email productivity, which means there were minimal false positives distracting our security team."

Adding in email security features from Area 1 Security to the Cloudflare One SASE service is a bit tangential to Gartner's definition of SASE, which "combines network security functions (such as SWG, CASB, FWaaS and ZTNA), with WAN capabilities (i.e., SD-WAN)."

Still, Cloudflare's CEO said adding email security functionality to SASE is a logical step. "We think email security makes total sense as part of SASE … I think we are trying to stretch the bounds of what it means to be SASE," Prince told VentureBeat in a interview.

'Largest attack vector'

Chris Rodriguez, research director for network security products and strategies at IDC, echoes the notion that email security is part of an organization's well-rounded security strategy. "Email is often the largest cloud application for any organization; and also represents the largest attack vector," he said in a statement. "Instead of viewing email security as a standalone issue, more businesses realize that it needs to be part of their holistic security strategy."

Cloudflare took a more traditional approach to broadening its SASE service earlier this month with the acquisition of startup Vectrix, a cloud access security broker (CASB) provider. CASB suppliers increasingly are being scooped up by SASE providers – Futuriom founder Scott Raynovich predicts SASE will eventually absorb the CASB market.

"The CASB functionality is being rapidly subsumed by SASE vendors and is likely to go away as a standalone market in the future," Raynovich wrote in the 2021 Cloud Secure Edge and SASE Trend Report.

Area 1 Security was founded in 2014 by NSA alumni and protects over 10 million cloud email security users, according to the company. In addition, it raised $25 million in June 2020 in a funding round led by ForgePoint Capital, bringing the startup's total funding to $80 million.

Cloudflare's acquisition of Area 1 Security will be a combination of 40% to 50% of the price payable in shares of Cloudflare's Class A common stock and the remainder in cash. The acquisition is expected to close in Q2 of this year.

— Kelsey Kusterer Ziser, Senior Editor, Light Reading