
For years, identity was seen as one security control among many — a login screen, an MFA prompt, a policy layer beside firewalls, endpoint tools, and email protection. But, that’s not perspective doesn’t work in an AI world. As AI agents, service accounts, automation, and non-human users grow, identity has become the control plane everything else depends on, and MSPs are feeling the impact.
Barracuda’s acquisition of Evo Security seems like a straightforward platform expansion where Barracuda is adding an IAM provider purpose-built for MSPs to strengthen BarracudaONE. But, there’s more to the deal in terms of the importance of identity. The identity tools many providers have relied on were not built for the scale, multi-tenant complexity, or attack surfaces MSPs are dealing with.
Enterprise IAM platforms were generally designed for one organization managing one workforce inside one administrative structure. Of course, that’s very different than the MSP model. They manage hundreds or thousands of users, privileges, customer environments, and policy decisions across many tenants at once. A conventional enterprise IAM tool likely adds complexity and cost, and creates operational gaps.
Those gaps are important. Identity has become one of the most efficient ways into a customer environment — credential compromise, privilege escalation, and lateral movement remain among the cheapest and most effective paths for attackers. When privileged access management, authentication, access control, and threat detection live in separate tools, the seams between them actually become part of the attack surface and create potential vulnerabilities.
That’s the more important part of the acquisition — an effort to reduce those gaps by providing a more unified approach to identity. With Evo Security folded into BarracudaONE, the platform can be positioned as a four-layer identity security architecture:
- IAM and PAM to control who can access what,
- SecureEdge ZTNA to eliminate overly broad access paths,
- Entra ID Backup to protect identity systems from disruption, and
- Managed XDR to detect and stop identity-driven attacks as they unfold.
This makes sense from an identity attack structure perspective. The problem is rarely just authentication, but how privileges are granted, how access is scoped, how identity systems recover from bad changes, and how quickly identity misuse is detected. MSPs need those controls to operate more like one system rather than a stack of adjacent products.
The focus on non-human identity is also worth noting specifically. As AI agents and automated workflows take on more credentialed work, they become identities that need governance, least-privilege access, monitoring, and lifecycle management just like human users do. That’s not what many identity stacks were created for originally, and it creates a scale issue for MSPs.
Managing privileged access for a client’s human users is already difficult across multiple tenants. Managing it for growing numbers of AI agents, background automations, service accounts, and machine identities is exponentially more difficult, especially with manual review and loosely connected tools.
That’s where the practical side of the deal comes in. Evo Security was built specifically for MSP operations and its multi-tenant IAM and PAM model is designed around how MSPs work.
“We built Evo Security to solve the identity challenges MSPs face every day,” said Michael Roth, Evo Security CEO and Founder. “Our identity-first approach was designed from day one for MSP operations.”
Barracuda now gives it the scale it previously lacked.
Looking at it from a broader cybersecurity perspective, email, endpoint, and network security have already moved through similar tool consolidation cycles where point solutions became bigger, unified platforms. Now, identity is seeing a similar shift. It makes sense because of the operational cost of stitching together separate tools, while AI is creating more identities that need to be managed faster.
This isn’t just another security feature, but a sign that identity is being treated more like infrastructure. IAM, PAM, zero-trust access, identity protection, and identity threat detection are all becoming a single operating layer, something that’s necessary for MSPs that need to manage them in multi-tenant environments.
Edited by
Erik Linask