ScaleFT: Identity-Based Access to Infrastructure Review: Features, Pricing, and Why Startups Use It
Introduction
ScaleFT (ScaleFT Access) was a Zero Trust, identity-based access platform focused on securing infrastructure without traditional VPNs or long-lived SSH keys. It was acquired by Okta and its technology now underpins Okta Advanced Server Access (ASA). In practice, when founders or teams talk about ScaleFT today, they are usually referring to Okta ASA, which uses the same core concepts and architecture.
This review treats “ScaleFT” as the identity-based access approach now delivered through Okta ASA, because that is how a startup would actually buy and implement it in 2026.
Startups use ScaleFT-style access for one main reason: simplified, secure access to servers and infrastructure based on user identity rather than static credentials. It lets you manage who can access what (and when), without juggling SSH keys, VPN gateways, or brittle bastion hosts.
What the Tool Does
ScaleFT / Okta ASA provides ephemeral, identity-aware access to servers and other infrastructure. Instead of distributing shared SSH keys or passwords, it issues short-lived certificates tied to a verified user, device, and policy.
At a high level, it:
- Replaces static SSH keys with short-lived, on-demand credentials.
- Uses your identity provider (Okta, Google Workspace, etc.) to decide who can access which servers.
- Makes access auditable and revocable in real time (offboard someone and access disappears).
- Removes much of the operational burden of managing jump hosts, VPNs, and manual key rotation.
Key Features
Identity-Based, Zero Trust Access
The core feature is Zero Trust, identity-aware access control. Each access request is evaluated in real time based on:
- User identity (who is asking?)
- Device posture (from which machine?)
- Policy (are they allowed to reach this resource right now?)
This lets you enforce least-privilege access without relying on network location or static credentials.
Ephemeral Certificates Instead of SSH Keys
Traditional SSH access uses long-lived keys that are hard to rotate and revoke. ScaleFT/ASA replaces this with:
- Short-lived X.509 certificates generated on demand for each session.
- Automatic expiration and rotation, removing the need for manual key management.
- Per-user, per-session credentials, making lateral movement and credential theft much harder.
Centralized Policy Management
You define access policies in a central control plane, rather than on each individual server. Policies can consider:
- User groups and roles (DevOps, contractors, SREs)
- Resource tags or environments (prod, staging, test)
- Time-bound access (maintenance windows, on-call only)
This centralization is particularly valuable as your infrastructure and team scale.
Deep Integration with Identity Providers
ScaleFT/ASA integrates tightly with Okta and can federate with other IdPs (e.g., Azure AD, Google Workspace via Okta). Benefits include:
- Single Sign-On (SSO) for infrastructure access.
- Automatic provisioning and deprovisioning through identity lifecycle management.
- Multi-factor authentication (MFA) at the point of access, not just at VPN login.
Multi-Platform Support (Cloud, On-Prem, Hybrid)
ScaleFT/ASA works across different environments:
- Linux servers (various distributions)
- Windows servers (RDP access via identity)
- Cloud VMs (AWS, GCP, Azure, DigitalOcean, etc.)
- On-prem and hybrid data centers
This lets you maintain a consistent access model even as your infrastructure evolves.
Auditing and Session Visibility
Every access request and session is logged centrally:
- Who accessed which server, when, and from where.
- Policy decisions (granted, denied, reasons).
- Integration with SIEM tools for monitoring and compliance.
For regulated or security-conscious startups, this is critical for SOC 2, ISO 27001, and similar frameworks.
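The access decision described in the sections above (identity, device posture and policy evaluated per request, a short-lived credential on success, and a central audit record either way) can be sketched as follows. This is an added illustration, not Okta ASA code or its API: every name, the 10-minute lifetime and the sample policies are assumptions, the credential is modelled only by its expiry time rather than as a real certificate, and time windows are assumed not to wrap past midnight UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

CREDENTIAL_TTL = timedelta(minutes=10)  # assumed lifetime, not a vendor value

@dataclass(frozen=True)
class Policy:
    group: str                                   # IdP group the rule applies to
    environment: str                             # resource tag, e.g. "prod"
    hours_utc: Optional[Tuple[int, int]] = None  # time-bound access, [start, end)

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_compliant: bool
    environment: str

def evaluate(req, policies, now, audit_log):
    """Default-deny decision; every outcome is appended to audit_log."""
    granted, reason = False, "no policy matches user group and environment"
    if not req.device_compliant:
        reason = "device posture check failed"
    else:
        for p in policies:
            if p.group not in req.groups or p.environment != req.environment:
                continue
            if p.hours_utc and not (p.hours_utc[0] <= now.hour < p.hours_utc[1]):
                reason = f"outside time window for group {p.group}"
                continue
            granted, reason = True, f"allowed by group {p.group}"
            break
    record = {
        "time": now.isoformat(), "user": req.user, "environment": req.environment,
        "granted": granted, "reason": reason,
        # The credential is modelled only by its expiry; no key material here.
        "expires_at": (now + CREDENTIAL_TTL).isoformat() if granted else None,
    }
    audit_log.append(record)
    return record

def credential_valid(record, at):
    """A grant stops working once its expiry passes, with no revocation step."""
    return bool(record["granted"]) and at < datetime.fromisoformat(record["expires_at"])

# Constructed sample policies: on-call SREs reach prod at any time,
# contractors reach staging only between 09:00 and 17:00 UTC.
POLICIES = [Policy("sre-oncall", "prod"), Policy("contractors", "staging", (9, 17))]
```

Because the decision is default-deny and every outcome is logged with its reason, the audit log answers both "who got in" and "who was refused, and why".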
Developer-Friendly Tooling
ScaleFT/ASA provides:
- CLI tools that integrate into existing workflows.
- APIs and SDKs for automation (e.g., incorporating access into deployment tools).
- Agent-based model that can be automated via Terraform and configuration management.
Use Cases for Startups
1. Secure SSH Access for Distributed Teams
Remote-first and hybrid startups can:
- Give engineers secure SSH access without a VPN.
- Avoid managing public keys for dozens of laptops and contractors.
- Instantly cut access for offboarded employees or vendors.
2. Production Access with Fine-Grained Controls
Founders and CTOs often want to tightly control production access while still enabling debugging and incident response. ScaleFT/ASA helps you:
- Limit prod access to on-call SREs or senior engineers.
- Require MFA and approval workflows for sensitive resources.
- Keep an audit trail for every production login.
3. Multi-Cloud and Hybrid Infrastructure
Many startups span AWS, GCP, and on-prem environments. Using ScaleFT/ASA, they can:
- Apply one consistent access model across all environments.
- Avoid per-cloud VPNs or per-environment bastion hosts.
- Reduce operational overhead in a rapidly changing infrastructure.
4. Compliance-Driven Startups (Fintech, Healthtech, Enterprise SaaS)
If you are aiming for SOC 2, HIPAA, PCI-DSS, or selling into the enterprise, ScaleFT/ASA can:
- Demonstrate strong access controls and auditing.
- Simplify evidence collection for audits.
- Reduce internal risk around shared admin credentials.
5. Contractor and Vendor Access
Startups using contractors (DevOps, security, third-party developers) can:
- Grant temporary infrastructure access based on identity.
- Limit access to specific environments or projects.
- Revoke access cleanly once the engagement ends.
Pricing
ScaleFT as a standalone brand is no longer sold; pricing is via Okta Advanced Server Access, which typically follows Okta’s per-user, per-month model.
Free and Trial Options
- Okta often offers free trials (e.g., 30 days) for ASA.
- For very small teams, Okta has historically offered free tiers for some products, but ASA usually targets paid plans.
Paid Plans
Exact pricing depends on region, contract size, and bundle, but broadly:
- Per-User Pricing: You pay per human user who needs access, not per server.
- Minimum Commitments: Enterprise-grade plans may require minimum seat counts.
- Bundling with Okta: Cheaper if you already use Okta for SSO/MFA.
| Plan Type | Typical Model | What You Get |
|---|---|---|
| Trial | Time-limited (e.g., 30 days) | Full or near-full feature set for evaluation, limited users. |
| Standard ASA | Per user / month | Core identity-based access, ephemeral certs, policies, basic audit logs. |
| Enterprise ASA | Per user / month (volume discounts) | Advanced policies, compliance features, support SLAs, integrations, and enterprise onboarding. |
Founders should expect ASA to be more expensive than DIY SSH + VPN, but cheaper than security incidents, audit failures, or heavy internal tooling.
Pros and Cons
| Pros | Cons |
|---|---|
Alternatives
Several tools compete in the same “identity-based, Zero Trust infrastructure access” space:
| Tool | Core Focus | Best For |
|---|---|---|
| Teleport | Unified access for SSH, Kubernetes, DBs, web apps with strong audit and recording. | Engineering-heavy teams wanting open-core, self-hosted options. |
| HashiCorp Boundary | Identity-based access proxy for infrastructure; Terraform-friendly. | Teams already deep into HashiCorp stack (Terraform, Vault, Consul). |
| Tailscale | Zero-config mesh VPN using WireGuard, device and identity-based. | Smaller teams wanting secure connectivity without complex policy engines. |
| AWS IAM + SSM Session Manager | Managed session access to EC2, no SSH needed. | AWS-only startups optimizing for native cloud tooling and cost. |
| Google BeyondCorp / Cloud IAP | Zero Trust access to apps and some infrastructure via Google Cloud. | GCP-centric teams standardizing on Google’s security model. |
| Cisco Duo Network Gateway | Zero Trust access to internal web apps and SSH/RDP via Duo. | Teams already invested in Duo for MFA and device trust. |
Who Should Use It
ScaleFT-style access (Okta ASA) is most useful for:
- Growth-stage startups (Series A+) with multiple environments, regions, or clouds.
- Fintech, healthtech, and B2B SaaS targeting enterprise customers or under regulatory pressure.
- Remote-first engineering teams where secure, consistent access is critical.
- Companies already using Okta for SSO/MFA who want to extend identity to servers.
It is probably overkill for very early-stage teams with a handful of engineers and a single cloud environment, where simpler approaches (managed SSH, basic VPN, or lightweight tools like Tailscale) may suffice.
Key Takeaways
- ScaleFT’s technology now lives inside Okta Advanced Server Access; that’s the product you’ll actually deploy.
- It replaces static SSH keys and VPNs with ephemeral, identity-based certificates and centralized policies.
- Strengths include security, compliance readiness, and operational simplification, especially as your team and infrastructure grow.
- Costs and complexity are justified for security-sensitive or scaling startups, but may be heavy for very small teams.
- Main alternatives include Teleport, HashiCorp Boundary, Tailscale, and cloud-native options from AWS and GCP.
Where to Start
ScaleFT as a standalone brand has been absorbed into Okta. To start using the technology typically referred to as ScaleFT, sign up for Okta Advanced Server Access here:

























