It’s been on my mind for quite some time but the recent acquisitions of Entrust and IdenTrust have prompted me to put it into words.
Someone is wrong about where the authentication market is heading, and only time will tell who it is. While in time the answer will be of interest, right now more interesting is the question and the dynamics behind it. It’s not a singular question, but a multi-faceted one that makes it so interesting.
Stating the obvious:
- Awareness that passwords are terribly exploitable and increasingly organizations realize they need to move to something more secure.
- For years, it’s been both a debate and struggle to move to a solution that meets all requirements.
- Smart cards combined with PKI have been the holy grail in capability, but not in user experience, simplicity to deploy and manage.
- Huge lack of mass adoption – yet.
- Physical access vendors wanting to get into the “Logical Access” market drive forward off and on.
- IT solution vendors have, by and large, stayed away from adopting this initiative. Why is this?
Let’s take the latest acquisitions of Entrust and IdenTrust. Both were by physical access companies (or those focused on those markets, not IT). Also, if we look at prior acquisitions of pure-play IT companies in the credentialing space, they too have mostly (I can’t seem to remember otherwise) been done by physical access vendors. Last, the list of IT vendors pushing smart cards heavily is rather limited. Yes, RSA dabbled and got out. Then there was VeriSign, which had a partnership with Intercede, but that seemed driven more by the necessity of specific deals requiring a smart card if the customer were to go with their certificates than by marketing and delivering on a broader scale.
Regardless, it isn’t debatable that the mass market for smart cards (aside from the US Federal government by mandate or select foreign government initiatives around national ID or Healthcare ID) has not shown itself as of yet. In order to have a self-sustaining mass market, year over year growth needs to be dependable and repeatable with new customers, and not only by mandate. This is why enterprise adoption is such a critical barometer.
With no scale in the mass market outside the US Federal Government (and that is falling off with budgets and most users already deployed), do the physical access vendors know something that the IT vendors don’t? It is interesting, considering that the IT vendors that specialize in authentication presumably know their information security customer base better than a physical access vendor thinks it knows them, and yet they still haven’t made anywhere near the overtures in this space that the other side has. Or is it the other way around, where the IT vendors know that there won’t be a mass market for some time, to the point where they don’t think they are missing anything?
I’ll be watching Symantec very closely as Symantec already has:
- Acquired two CAs in the past couple of years (TC Trust Center and VeriSign).
- A huge authentication offering via their VIP service.
- VIP takes a menu approach to letting end users decide on hardware and standards. As a result customers have many options while Symantec treats hardware as a commodity – placing emphasis (and R&D) on the service itself. (We really like this philosophy and approach.)
However, Symantec has mostly One-Time Password (OTP) methods available in the VIP service and is short on other options. They have another set of services that offer PKI as a service (and on-premise), but if customers want to combine PKI with hardware devices with the same simplicity, they’re out of luck.
If Symantec were really seeing mass demand from the enterprise and SMB markets, one would think they would be addressing it by leveraging both of their capable services to offer customers a total solution – but we haven’t seen that. I can’t help but ask myself whether Symantec, with thousands of IT customers, knows the answer to this, or whether they are overlooking a significant opportunity that others from outside their core market are seeing. It will be interesting to see what Symantec does, as it will help answer this question.
Personally, I think that it is a mix. I don’t think Symantec entirely understands the smart card market and its drivers, and the physical access vendors touting “logical access” and “convergence” are still on a learning curve in understanding their IT targets, along with the general market barriers before them that need to be resolved in order for it to be a much more desirable proposition (simplicity, cost, mobile, cloud, clientless, etc.).
In fact, I am betting this will all start to get answered right about the time the physical access vendors realize that none of the IT counterparts they are trying to sell to call themselves “logical access professionals”, and never have. At that point, we’ll know that they likely understand their target audience as well as their incumbent competitors on the IT side do, and we will see how companies like Symantec react when it happens.
However, if Symantec were facing mass demand and did not have the capability to deliver, we would have seen something (or are about to?). RSA certainly hasn’t gotten back into the game with smart cards, and they have their pulse on the authentication market as much as anyone. It will be interesting to see how all this shakes out.