There is a lot of official jargon and joint communication that may or may not help you understand what is going on. As people in my circle of influence know, I am a man of reasonable transparency. So this will be a more personal post on just what is happening at Scorpion Software.
When I founded the company more than a decade ago, the goal was always to help small and mid-sized businesses to safeguard their information. For those that may remember the early days, we had a Latin phrase all over our business collateral of “Custodit Nuntium”, which loosely translates to “protect information”. It was, and continues to be, a core belief of the organization.
Over the years, the threat landscape has shifted, but a core attack vector continued to remain the same. Untrusted adversaries are gaining access to sensitive corporate resources through trusted user accounts. Usually from a weak password that was shared, stolen or guessed. And it was one of the core reasons we built solutions like AuthAnvil Two Factor Auth and RWWGuard. Since then we have added a plethora of additional integrations and agents to protect everything from desktops and servers, cloud applications and Citrix/VDI implementations, on top of standard things like firewalls, VPNs, routers and network device protection.
By far the most interesting integrations have been in helping IT teams, both in mid-sized businesses and through IT Service Providers, to safeguard their infrastructure and help meet IT compliance needs. We have always been selective in our clients, mostly because there is a huge gap in what I call “security ignorance” or the “ostrich syndrome”. That’s the gap in which IT professionals believe “it will never happen to me”, or “I trust my team explicitly” when it comes to properly managing identity and access control, refusing to consider putting in process and product to address the situation that could help protect their clients, and their business liability. Quite honestly, while we have been here to educate those that want to learn, we simply don’t have time or energy to debate with those individuals who are sure they know better… and then end up putting their clients at risk anyway. I could tell you horror stories we see in the field, from a disgruntled technician let go weeks earlier who completely nuked a vSphere implementation and almost killed a manufacturing company’s ability to deliver millions in product, to a technician who was so lazy he set his RMM password to “a” (because he was tired of always having to enter his password) which was compromised and allowed an adversary to seize complete control of several key client networks. The stories are boundless, but they have a common thread amongst them… by not controlling access effectively and assuring the identity of those requesting access properly, a lot of unnecessary risk is being exposed to businesses everywhere.
But we saw hope. Our most successful customers seemed to follow a simple pattern. They had process in place for managing IT operations with tools like Autotask and ConnectWise. As importantly they leveraged IT automation capabilities in RMM tools like Kaseya. In fact, we continue to find our best and largest customers are almost always using Kaseya as a cornerstone of their operations. It was one of the reasons we invested more energy in such deep integration with their platform. It didn’t hurt that Kaseya is the only RMM platform that openly embraced our security work and allowed us to work with them through the rich APIs that we built together.
In the last few years we expanded our capabilities to support federation for single sign-on and automated the tedious tasks in password management, going so far as to make it possible to not only store passwords, but to also go out and change them for account holders, both within Windows systems and services all the way to changing them on the web. Nothing beats hearing some of our customers being ecstatic when, after the Heartbleed incident, they were able to click a few buttons and have AuthAnvil automatically expire at-risk passwords and go out and change them for the users without their intervention.
What many of you don’t know though is a lot of our work in the last few years has been on plumbing identity and access management throughout our entire solution stack. You can see small shards of that in things like our Office 365 integration in AuthAnvil Single Sign On, where you do NOT need ADFS or DirSync and still benefit from account synchronization and federation to Microsoft Online Services without having to do anything. You can see the account syncing in 2FA through ADUS, but you don’t realize behind the scenes we have been building capabilities for a universal directory that can provision and protect accounts, regardless if they are on-premise or in the cloud. Imagine having the ability to add a user in Active Directory and then seeing the account provisioned in AuthAnvil, pushed to ConnectWise or Autotask and then finally pushed into Kaseya. Take that further and imagine the user’s devices, as they are registered, automatically becoming trusted and given capabilities to access sensitive resources without needing another password. This is the direction we have been following.
Kaseya saw that vision and asked us to join them in building it into their next generation platform. This was a very unique opportunity for both the company, and for me personally. I mean, getting to see AuthAnvil used to protect the millions of endpoints that Kaseya has exposure to is exciting. Taking it to the next level, to architect the framework to deliver identity and access management for the hundreds of millions of users and devices they are building the next generation platform for, well that’s just awesome.
As part of the transition, I will be moving from the CTO position at Scorpion Software to the role of “Principal Architect – Identity and Access Management” at Kaseya. In my new role, I will work with the small group of Principal Architects within the company to design the security and identity and access management throughout the next generation platform, and graft the core capabilities of AuthAnvil into a universal directory that will manage the entire identity metasystem within Kaseya. It’s an exciting challenge, as I take on the responsibility to properly identify, control and manage all things “identity”. That includes people, process and product. Through the new data fabric and automation fabric that the other architects have already designed, I get the luxury of leveraging it for big data capabilities to drive my vision to graph the entire identity lifecycle. It will also deliver an Identity-as-a-Service (IDaaS) component for use by anyone in IT, anywhere.
Over the past few months as we have worked with more of the Kaseya leadership, it is clear that their team is hungry and capable of driving cloud-based IT management to the masses. If I could summarize it in a sentence, it would be that they are building to become the “SaaS platform for IT Service Management (ITSM)”. I mean, think about it. They are building a cost-effective cloud-based system at scale to manage all things IT, both on-premise and in the cloud, where you can simply sign up for an account and be up and running in no time at all. That is very compelling.
Now add AuthAnvil into the mix. We can deliver the authentication, authorization and identity management to host billions of transactions (yes, I said billions) with help from Kaseya’s next generation platform. And we help deliver new capabilities to the Kaseya cloud through our work with the AuthAnvil Data Protection Gateway (DPG) to provide data residency controls through our tokenization broker to keep sensitive data in your control, on your systems, behind your firewalls.
As you can see, the acquisition is a heavenly marriage of products and passion from both sides. The entire team at Scorpion Software is excited to become the identity and access management division within Kaseya. And we look forward to where we take IAM within the Kaseya cloud in the coming years to build the next generation IDaaS platform.
Now I know people are going to ask, “How does this affect me?” Well, it doesn’t really. Regardless if you use Kaseya or not, AuthAnvil now and in the future will be available to you. Even if you use a competing RMM platform. We will continue to work with integration partners that see our vision in identity and access management for ITSM. A core shift will be our move to host most compute operations in the Kaseya cloud and through Kaseya’s client fabric, and control data residency/sovereignty through DPG. But I am getting ahead of myself. For the near term, we have a lot of work to do to move AuthAnvil into Kaseya’s cloud.
I look forward to talking with many of you as we at Kaseya build the next generation platform. To my fellow Kaseyans, especially those that have over the years continued to ask for more AuthAnvil support, thank you. I look forward to meeting as many of you as I can in the coming months. To all our customers now and in the future, my door is open. If you have questions or ideas on how IAM should be delivered, please feel free to share them within the Kaseya Community. While I can’t guarantee we can act on all your awesome ideas, I will be listening.
To the future of the Kaseya cloud… cheers!