Even in the midst of conducting a thorough smart card identity credentialing market report, and pondered that the market would reach strategic maturity when major CAs started to get acquired by vendors focused on credentialing, I didn’t see this one coming.
Overall, it is a fantastic move on the part of Datacard. If you are going to make a serious play at the identity and trust market, why not acquire a company at the top of the trust hierarchy with one of the best pedigrees in the business? Entrust isn’t just ta CA, but has expertise in a variety of authentication methods and has been building their own smart card infrastructure solution in both SaaS and on premise flavors for a couple of years. In addition, there is a great deal of expertise on how to engage and operate the back-end infrastructure and the programs related to certificates, key management, compliance and integration.
Datacard picked up a great deal of talent in addition to products. However, many other physical access vendors (or ones that have components and services related to physical access as in the case of Datacard) have made acquisitions of ISV’s to make a play into the IT identity and authentication market and most have measurably failed.
If pondering how this acquisition will play out, the most immediate questions to be asking is how will Datacard execute so there is a different outcome? And if so is there really a scalable market to meet their success criteria? Lets review some factors that come to mind when trying to predict the answer to that question.
Entrust is an incredibly complex business and the question remains if Datacard can successfully manage what they have acquired. The way certification authorities are built, operate, and are managed involved many legal, compliance, and technical disciples tailored for these infrastructures and it is not uniform across various geographies and customer environments. Entrust in particularly has one of the broadest global offerings so managing all of these is a huge undertaking.
There is also very little room for error. When dealing with authentication (via OCSP or CRL), key management, escrow and other unique capabilities of a mature CA, anything that goes wrong will definitely be felt by customers -at best temporarily and potentially permanent. This isn’t a printer part that can just be RMA’d and replaced. Customers might not be able to access systems, decrypt critical documents, or worse yet become vulnerable to hackers.
Managing all of this is a whole separate undertaking from market and strategy planning and execution. Datacard is going to have to rely on Entrust’s expertise to continue to aggressively and enthusiastically operate this part of the business and to do so; overall retention of Entrust personnel is key.
Past failures and few successes
While a really good tactical choice, when looking at similar acquisitions in this space, it must be asked whether this was as good of a decision strategically. The physical access space has been chasing their way into the IT credentialing and authentication arena for years, unsuccessfully by any transparent measure. From an analyst standpoint, and someone that has been involved in a few of these myself, the primary reasons tend to be:
- Physical access vendors tend to underestimate the complexity of the IT side
- Overestimate the demand and value proposition of their proposed solution to IT.
- Do not thoroughly understand InfoSec’s requirements and core principles of operation.
- Reliance on “convergence” messaging that doesn’t have clear definition or demand from IT
- Fail to see the dependencies of cards in IT and overcome them before it is too late
- Attempts to translate their channel methodology into how they will sell their newly acquired solution.
Unfortunately, they are two entirely different markets, channels and capabilities and typically don’t prove repeatable to sustain a scalable business. This isn’t just from a sales side, but post-sale delivery is very complex in the areas of certificates, smart card infrastructures and key management. Only the most experienced can typically successfully delivery projects at scale that meet dynamic requirements and best practices. Each side are not necessarily at the same maturity level or follow the same practices and principles. This is typically the biggest area of impact where such acquisitions seem to have a perception of promise falter. It shows itself in the sales cycle, post-sale and customer satisfaction/frustration overall.
Keys to success and what to look for
D6 Research is working on large research efforts that will help find answers to the questions regarding if this market has enough demand in scale, and if so in what areas and what those requirements are. Truthfully, we won’t have this data for a few months so in the meantime, we have to put this question in the margin as truly unanswered beyond just opinion and assumption. We will be sharing preliminary data in a few weeks so stay tuned. By the way, if you have deployed smart cards in your organization and are open to contributing, please get in touch with us (we’ll give you a free copy of the report when it is done as a courtesy).
So what we need to really look at are the other elements apart from this for the time being. Here are some things I feel will both determine and serve as indicators as to whether Datacard can be successful here:
1. Retention: Entrust employees must be retained to enthusiastically continue the operations and planning of their IP and infrastructure.
2. Voice: They need to do what few of the companies that have failed before them do – give the acquired company a seat at the table with voice – and listen. Entrust knows their business very well, Datacard needs to take this direction, not filter and second guess it through layers of management. Where they are trying to leverage Entrust into their existing portfolios like bank card issuance, printers and services, collaborate with them openly.
3. Sales & Delivery: Physical access personnel and channels haven’t been terribly successful selling to IT or on large complex identity credentialing projects (that involve digital high security credentials). They should have a focused effort on retaining Entrust sales and professional services personnel (not just the leaders) and train the rest of their employees to be able to interact with customers and channels while realizing that existing sales and delivery personnel are not going to become experts in these new areas. Enough to get conversations going and then turning it to the experts to manage, set expectations and deliver.
Last, and perhaps most important that will guide the previous is mindset and culture:
If one visits Datacard’s website, it is clearly in the mindset of hardware, widgets, components and services around them with buzzwords about identity, credentials and access that quite frankly are hollow in depth and legitimacy.
Datacard really needs to embrace not only the technical solution portfolio prowess of what they have acquired but the people and culture as well. If they can do these things, then it will at minimum be more than what others have done in their acquisitions in these areas and gets them to reasonable ground toward collaborative execution.
Overall, if Datacard can be successful here, it will be incredibly beneficial to the market as it adds a culture of best practice in security, privacy and process to a physical access and credentialing market that has long been terribly proprietary without flexibility for enterprises and foreign governments to be reasonably successful. They can actually change the market for the better by extending out their process of having practice statements and demonstrated controls outside a CA and into the credentialing production side that currently drives the lack of legitimacy for physical access companies selling to IT.
Datacard now has a platform to tackle this with the capability for mass scale, but the question remains if they will do it, and if the market demand exists for them to take advantage of it when the do so. Personally, I am rooting for them as the outcome both in capability and its tendency to drive competitors to up their game is good for the customers all vendors endeavor to serve.