Discover more from BIG by Matt Stoller
Thoma Bravo: The Bridge Trolls of Enterprise Software?
Private equity giant Thoma Bravo bought two ID management service firms over the summer, Ping and SailPoint. Now it's buying ForgeRock. Should we care?
Today I’m writing about an identity management software roll-up, where the private equity billionaire responsible for the worst software hack in American history is trying to get into even more sensitive territory.
One common theme of this newsletter is how a finance-first mentality creates hidden risk, particularly in areas of opacity and interconnection, like in enterprise software, the systems that manage the flow of information throughout big corporations.
The guts of corporate America run on this stuff: large, bloated software packages tied together with duct tape and run by ornery techies nagging their superiors about potential problems. Microsoft has built a somehow-unnoticed set of giant monopolies here, but there is an endless number of parasites - from software integrators to management consultants - who feed at this trough. And why shouldn’t they? Most CEOs of big companies don’t care if they spend a few more pennies per seat on some random network access security feature. They have IT departments for that, or CTOs they can ignore. And so enterprise software is often vastly overpriced and of poor quality. But it’s a rounding error on the profit-and-loss statement; it just doesn’t matter.
Only, sometimes it does.
SolarWinds is one of these innumerable enterprise software parasites; it makes a cheap and ubiquitous network management product called Orion. As the CEO put it, “We manage everyone’s network gear.” And he wasn’t, as we would find out later, joking. In late 2020, SolarWinds, and as it turned out every major corporation, was at the center of a devastating Russian hack. The victims were the most important American institutions, from the FBI to the Department of the Treasury to Cisco Systems, Intel, Nvidia, California hospitals, etc. The Russians got access to Microsoft’s source code and into the Federal agency overseeing America’s nuclear stockpile.
Hackers put malware into updates that SolarWinds sent to clients. Since SolarWinds was everywhere, the malware went everywhere. We hear a lot about how difficult it is to avoid cybersecurity problems, but this particular catastrophe wasn’t some unavoidable natural disaster. SolarWinds’ security practices were not, shall we say, top quality. One researcher had previously alerted the company that “anyone could access SolarWinds’ update server by using the password ‘solarwinds123.’” It wasn’t just one instance of Spaceballs-style Dark Helmet idiocy, either. Lax security practices were common and systemic, so bad that the key advisor at the firm told them a security breach would be catastrophic, and eventually quit in frustration. For days after the firm was hacked, SolarWinds continued to offer its software.
Why was SolarWinds such a poor quality software provider? The firm chose to underinvest in security, a result of a specific business model, which is designed to maximize cash flow while offloading risks, like vulnerability to hacking, onto others. SolarWinds is owned by Thoma Bravo, a private equity firm which scoops up software companies in obscure areas where customers are locked in. In a puff piece in 2020, the Wall Street Journal covered the basic business model.
Thoma Bravo identifies software companies with a loyal customer base but middling profits and transforms them into moneymaking engines by retooling pricing, shutting down unprofitable business lines and adding employees in cheaper labor markets.
The firm then guides its companies to use the profits they generate to do add-on acquisitions, snapping up smaller rivals with offerings that they could spend months and millions of dollars trying to replicate.
Typically Thoma Bravo raises prices and cuts quality, but the affected constituency group - corporate IT managers - doesn’t have a lot of power or agency. Their superiors don’t want to think about a high-cost but low-probability event, especially if every other big institution would be hit as well. CEOs, ever since the turn to monopoly and finance in the early 1980s, have become bankers, not engineers. So the Thoma Bravo model works, because no one with power listens to the IT nerds offering sage warnings about software quality and risk.
What makes SolarWinds more than a catastrophe, and turns it into a scandal, is what happened after the security breach. The Financial Times reported that Thoma Bravo sold a large chunk of SolarWinds “shortly before the US issued an emergency warning over a ‘nation-state’ hack of one of the software company’s products.” Though Thoma Bravo insists it did not know of the hack when it sold the shares, the whiff of insider trading is strong. And yet, despite the immense damage caused by its portfolio company, Thoma Bravo hasn’t suffered, at all. Its owner, Orlando Bravo, is a billionaire who continues to scoop up companies. In fact, Thoma Bravo suffered more from the FTX disaster, in which it invested and lost $130 million, than from having one of its subsidiaries responsible for the largest hack in American history.
And despite all the rottenness of this model, Thoma Bravo is still buying cybersecurity software companies. Which brings me to the private equity firm’s recent acquisitions. Last month, Thoma Bravo purchased ForgeRock, a software firm in the identity and access management software market (IAM). What is IAM? It’s one of those really boring but important areas that makes modern society work. Basically it’s how really big companies keep track of their customers and employees when they login to stuff or pass through security doors. Done right, it’s unnoticeable. Done wrong, it can become something along the lines of SolarWinds, with potentially catastrophic implications.
IAM isn’t simple stuff, especially for large security-conscious banks. If you are a customer of Citigroup, for instance, then the bank needs to validate a customer whether he/she is logging in through an app, a website, or going into a branch and talking to an employee about an account. Such a multi-national bank needs password recovery features, and the ability to manage access, multi-factor authentication, and single-sign-on. And their system has to be scalable and secure, and conform to different regulatory schemes worldwide, like Europe’s General Data Protection Regulation (GDPR) privacy rules.
And just as multi-nationals need this kind of system for customers, they also need it for employees. So IAM firms sell services to large companies that allow them to manage their workers, helping employees access internal applications and provision application access for onboarding. With ‘the internet-of-things,’ this kind of ID management can get complex pretty quickly.
There are a lot of companies that do identity management, and you can in fact set it up yourself if you want to, if you’re a mid-size or small firm. Google has offerings, so does Microsoft, and IBM, as well as a coterie of small firms. But if you are a big customer, then there really are only three companies to buy from. You can get it from ForgeRock, a similar size firm Ping Identity, or its largest rival Okta.
An acquisition of ForgeRock by Thoma Bravo wouldn’t be that big a deal, except that in August it also agreed to buy its rival, Ping Identity (as well as an adjacent firm in the space called SailPoint). Ping and ForgeRock see themselves as key competitors. As the CEO of ForgeRock noted earlier this year, “Fortune 100 companies,” he said, “compared us to Okta and to Ping Identity.” And here, for instance, is how Ping Identity showed its main competition on its own website. (It has since pulled down this webpage.)
This purchase follows earlier consolidation in the industry, with Okta completing its acquisition of Auth0 earlier this year as well. So the purchase of ForgeRock and Ping takes the number of players in this particular market segment from three to two.
I suspect that the merger is something enforcers should look into, considering the private equity pedigree involved in the roll-up. Thoma Bravo has already gotten dinged a few times by antitrust enforcers. Earlier this year, email security provider Mimecast rejected an acquisition offer by Thoma Bravo’s Proofpoint, citing antitrust as a risk. Multiple Thoma Bravo affiliates have resigned from boards of various companies, having violated Section 8 of the Clayton Act, which bars interlocking directorates. Indeed, in some ways, it feels like the antitrust laws were written specifically to stop Thoma Bravo from ruining companies.
The ForgeRock software purchase doesn’t seem that bad, and will probably only raise prices modestly. But it also would mean that SolarWinds owner Thoma Bravo - which also bought into FTX - would be managing identity software for the biggest firms in the world. There’s a reasonable chance the elevated market power, though unlawful, won’t matter that much. Maybe Citigroup would have to pay a few more pennies a year, and Orlando Bravo’s net worth might go up another eight-figure amount.
Or maybe we’ll get another SolarWinds hack. Who knows?