Why Barracuda Just Bought an Identity Startup — and What It Signals for Every MSP's Roadmap

Why Barracuda Just Bought an Identity Startup — and What It Signals for Every MSP's Roadmap

Barracuda's acquisition of Evo Security on 7 July is more than another vendor deal. It confirms that identity is now the frontline of SME security — and here's what UK businesses and their IT providers should do about it.

Tony Brown
By Tony Brown ·

On 7 July, Barracuda Networks announced it had bought Evo Security, a small identity and access management company built specifically for managed service providers. Barracuda isn't a household name to most people running a Nottingham accountancy firm or a Midlands manufacturer, but it sits behind a lot of the email filtering, backup and firewall products that keep UK small businesses running. When a company like that spends money to add identity tooling to its portfolio, it's worth asking why — because the answer changes what your IT should look like over the next two years.

Here's the short version: the attackers stopped kicking down the front door years ago. Now they log in.

A person logging into a laptop with a fingerprint authentication prompt on screen

The shift nobody announced

For a long time, security was about walls. Firewalls at the edge of the network, antivirus on the laptop, a spam filter on the email server. The mental model was a castle — keep the bad people outside and trust everyone inside.

That model broke quietly. Staff started working from kitchen tables and coffee shops. Files moved to Microsoft 365 and Google Workspace. Line-of-business apps became websites you log into rather than software you install. The 'inside' of the network stopped being a place. It became a collection of accounts scattered across a dozen cloud services.

When the valuable stuff lives behind a login, the login becomes the target. The Verizon Data Breach Investigations Report has said the same thing for several years running: stolen credentials are among the most common ways attackers get in. Not clever malware, not zero-day exploits — a working username and password, often bought cheaply or phished from an unsuspecting employee.

Barracuda buying an identity firm is a plain acknowledgement of this. The battleground moved, and the vendors are following the money.

Why Evo, and why the MSP angle matters

Evo Security wasn't a general-purpose identity product. It was designed for the way managed service providers actually work — a firm like ours looking after fifty or a hundred different client organisations, each with their own set of users, their own admin accounts, their own risk profile.

That's a genuinely hard problem. An MSP technician might need privileged access to dozens of separate client environments. Every one of those access points is a potential breach that could jump from provider to client. The industry learned this the painful way in 2021, when attackers compromised Kaseya's remote management software and used it to push ransomware to the customers of MSPs around the world. One weak link, hundreds of victims.

So an identity platform built to secure how providers log into client systems — with proper multi-factor authentication, least-privilege access and clear audit trails — is exactly the kind of thing a security vendor wants to own. Barracuda gets to offer its MSP partners a way to lock down the most dangerous accounts in the whole chain: the ones with the keys to everything.

The signal for the rest of us is straightforward. Identity has graduated from a feature buried inside other products to a category worth acquiring outright. Where the vendors invest, the roadmap follows.

What this means if you run an SME

You don't need to care about Barracuda's corporate strategy. You do need to care about what it's telling you.

Passwords alone are finished. If any part of your business still relies on a username and password with no second factor, treat that as a live problem, not a future project. Multi-factor authentication — a code from an app, a prompt on your phone, a physical key — is the single most effective thing most small businesses can do to stop account takeover. Microsoft has repeatedly said MFA blocks the overwhelming majority of automated attacks on accounts. It is cheap, it is available in the tools you already pay for, and too many firms still haven't switched it on everywhere.

Know who can access what. Most small businesses accumulate accounts like a loft accumulates boxes. The bookkeeper who left in 2022 might still have a live login. The shared 'admin' account that three people use means you can never tell who did what. An honest audit of every account, every service, and every level of access is unglamorous but revealing. You almost always find more than you expected.

Watch the privileged accounts especially. The administrator accounts — the ones that can reset passwords, change settings, or reach everything — deserve extra protection. Fewer of them, stronger authentication on them, and a record of when they're used. A standard staff account being compromised is bad; an admin account being compromised can be terminal.

What it means for choosing a provider

If you outsource your IT, this acquisition should shape the questions you ask. It's fair to expect any competent provider in 2025 to have a clear answer on identity.

Ask them how they secure their own access to your systems. This isn't rude — it's the Kaseya lesson in question form. A good provider will happily explain that their engineers use multi-factor authentication, that access is granted per task rather than left open permanently, and that every action is logged. If the answer is vague, that's telling.

Ask whether identity management is part of the service or an add-on you'll be sold later. The vendor market is moving fast, and providers who aren't building identity into their standard offering are going to be scrambling to catch up. You want the firm that already sees this as core, not the one treating it as an upsell.

Ask about conditional access — the ability to say 'allow this login from a company laptop in the UK during working hours, but challenge or block a login from an unrecognised device abroad at 3am'. The tools to do this ship with the Microsoft 365 Business Premium licences that a lot of SMEs already own. Whether they're switched on and configured properly is another matter.

The practical roadmap

You don't need to buy the exact product Barracuda now owns. You need to act on what its purchase reveals. In rough order of priority:

  • Turn on MFA everywhere it isn't already — email, cloud apps, remote access, admin accounts first.
  • Audit every account across every service and remove the ones that shouldn't exist.
  • Reduce the number of privileged accounts and protect the survivors properly.
  • Set up conditional access rules using licences you likely already hold.
  • Make sure your IT provider can demonstrate, not just assert, that they secure their access to you.

None of this is exotic. Most of it uses tools that are already in your subscriptions. The gap is rarely technology — it's whether someone has taken the time to configure it and keep it maintained.

Barracuda spent real money to say that identity is where the fight is now. You can take that as an expensive hint. The firms that treat their logins as seriously as they once treated their firewalls will be the ones still standing when the next credential-stuffing wave rolls through.

If you're not sure where your own weak points are, that's exactly the kind of thing worth a conversation. We're always happy to take a look.

Request a no obligation callback