Well just when I was surprised by Datacard’s bold move in acquiring Entrust, HID acquires IdenTrust.
I didn’t use the word “follows” because acquisitions don’t happen overnight, so I highly doubt this was in response to Datacard but rather an effort that started some time ago and independently of it. If any overall message is to be drawn from the coincidence, it is that the market is maturing enough for physical access vendors to finally realize and adopt (still to be determined if they will embrace) more mature security principles and validated trust ecosystems. Regardless of specific opinions of the acquisition itself, it’s a VERY good thing. It will be interesting over the longer term to see if the companies doing the acquiring become IT solution providers themselves or remain physical access companies trying to compete more effectively in the IT space.
I am not going to reiterate my last post since most of what could be said for the Datacard/Entrust acquisition applies to this one as well – almost verbatim. However, there are some additional factors to consider if one truly wants to attempt to make sense of it and see how well their crystal ball functions when they look back at it in the future. I’m game…so here is my assessment.
Nothing new to HID
HID has already been playing in the “secure credentialing” and “Identity Assurance” space for some time. (Note that these are marketing terms that HID has chosen to adopt, not necessarily D6 Research’s view as to whether their credential solutions have been secure or not). They have made a series of attempts (via acquisition and licensing) over the years to gain success and scale in the IT authentication space – and overall have yet to demonstrate consistent growth and scale in this area. To understand where they may be going, you have to first look at where they have been.
Their first push into these areas was their decision to create a line of smart cards. On paper it made sense: they are in the card (and reader) business. But what they seemingly didn’t see is that this segment is largely software, infrastructure and services driven. It goes against all best practices in the interest of customer success to choose a card before getting the rest of the pieces sorted out – pieces that HID didn’t have, nor the expertise in delivering.
Next, they started building out this capability with an authentication client targeting Windows login. HID was adamant that IT should have a contactless user experience by touching an iClass card to a reader to log in to a desktop. While the use case is better than inserting a contact chip card into a reader, everything else about it (at the time) was quite the opposite of what the mature enterprise required of their security vendors.
There are too many issues to go into in this post, but the bottom line is that it didn’t catch on. First, it lacked core capability, and security requirements, when transferred from physical to IT, don’t measure up the same way. Second, Windows login is only one functional requirement of an enterprise and, for many, intentionally not in scope. Encryption and signing tend to be more desirable, which iClass (without some significant workaround that may call best practice for security into question) cannot perform. Third, the overall NaviGo solution didn’t perform many of the issuance, management and lifecycle functions that an enterprise would require.
All of these critical misalignments with the market should have been foreseeable, but it appears (opinion) they were looking at it as a physical access company that thinks it understands computers (because they use them every day) and not as information security professionals such as those they are trying to sell to.
NaviGo second generation
After contactless failed to catch on at mass scale, they went in the direction of offering PKI-capable solutions by adding some more capabilities to NaviGo and yet another separate client. I personally looked at the product on behalf of a client, and it overlooked many best practices in how cards are to be managed, core functionality, and operational issues, which made me conclude that it couldn’t reasonably be considered a viable solution for reasonably demanding enterprises. Again, this should have been another thing that was easily identifiable before proceeding in the design, execution and quality assurance process – but it seemingly wasn’t.
In 2010, HID acquired ActivIdentity, one of the leaders in this space. (Disclosure: I used to work at ActivIdentity.) ActivIdentity has the longest sustained tenure and largest list of customers in the smart card management market and arguably the broadest product and IP portfolios, not just limited to smart card software. On paper, it was again a good acquisition. However, ActivIdentity has always had a few things about their business that were barriers to their growth:
1. Highly dependent on government business concerning card management.
3. Solutions were very complex, required services with deep technical expertise to deploy. Only large organizations could reasonably justify embarking on such a project which contributed to a challenging growth proposition in the enterprise (and more significantly SMB) markets concerning smart card management products (their token products had much less of a dependency here).
4. Due to #3, challenges in developing a scalable and competent channel for sales and delivery.
5. Persistently challenged by a lack of demand for smart card solutions. It isn’t like selling VPNs, anti-virus or physical access systems where all companies already know they need to have a budget for it as a common procurement item. You are lucky if less than 5% of the market takes up investigating such a project and a subset of those actually fund and deploy.
6. Profitability. ActivIdentity had sustained consecutive quarterly losses the majority of the time for years and growth overall had been minimal or stagnant when carving out revenue from acquired companies.
Measuring Past Success
HID does not provide any transparency in their financial results as to how their “Identity Assurance” business, as derived from the ActivIdentity acquisition, is progressing post-acquisition. So it’s hard to state, beyond opinion and estimation from what we see in the market, how it is working out.
What we can say is that most of ActivIdentity’s issues prior to the acquisition don’t seem like the type of challenges that HID was better equipped to solve for them, since they are fairly specialized. And while we don’t have such visibility into the numbers, we don’t see the ActivIdentity solutions scaling through their existing channels in a way that might address some of the challenges (on paper anyhow). HID appears to be in the midst of a renewed effort on this front, so it may only be fair to reserve opinion here until enough time has elapsed that we can see how effective it was.
Notably, on another front, they did come out with an appliance and a service to help simplify things for their potential (new) customers. However, there is no evidence that the appliance has gained scalable adoption. Also, their service offering has since been discontinued while the NaviGo product has quietly disappeared from their public website.
Reasonably, with more capable products now, it would make sense for NaviGo to fade into the sunset, as it offers little that ActivIdentity doesn’t, and ActivIdentity delivers a big improvement in overall security, issuance and management – so it becomes a moot point to continue marketing it.
However, it is hard to overlook that the appliance and services were offered to measurably decrease complexity and reduce the barriers customers may have had for the solutions to be able to scale – and HID still could not be successful with them.
Many of the certification authorities offer different types of certificates and typically user certificates (ones generally used for identity) make up a very small portion of their business (generally somewhere in the neighborhood of less than 10%). They are much more dependent on selling SSL, device and code-signing certificates. While we do not know IdenTrust’s specific product revenue breakdown, we do know they offer SSL certificates so I can reasonably assume that their user certificates are only a part of their focus as well. Since HID is focused on Identity (user) it does come to mind to ask whether their SSL, device and code-signing business will get enough attention, be leveraged, or fade away.
IdenTrust had announced in September of 2013 that they had been acquired by a private equity group. However, private equity firms generally aren’t looking to flip acquired companies like properties in real estate. It could be nothing at all, but with the lack of information in the public domain as to what occurred here, or why, I cannot help but wonder what was behind their being sold for a second time in almost as many months.
The Potential Upside
Without reiterating the same measures that were outlined in our opinion of the Datacard/Entrust acquisition, HID’s acquisition of IdenTrust is almost as favorable, the only difference being that Entrust had a broader portfolio with more global reach and scale. Nonetheless, IdenTrust too has a very strong pedigree, solution portfolio and a reputation for deep expertise in what they do.
HID will gain tremendously from this acquisition if they leverage the expertise of IdenTrust in running large datacenters with rigid policy if they are to look toward rebuilding their services offerings.
Also, HID has always been tremendously proprietary in their credential approach in physical access (and still makes overtures toward pushing these approaches in the enterprise IT sector) while making a habit of overstating security strength and standards compliance. This acquisition has the capability to change this direction and become more in line with the information security principles that enterprise IT already requires where it is gaining more ground in the physical access space too.
While there should be unique considerations as to how technology is deployed in different environments, such as logical and physical, there should be absolutely zero difference in the actual principles of security itself (for example the handling of key material, how it is stored and secured, and the disclosure and auditability of such policies). IdenTrust brings this mature practice to the table, and customers will benefit if HID finds a way to inject this philosophy (and its people) into building products and practices that are more in line with generally accepted security principles while letting go of some of the legacy practices.
If HID decides to get back into the services offering space (such as IDaaS), then IdenTrust’s skills could be leveraged to operate the datacenters and policies and to serve as the internal CIO, CSO, or CISO, especially since there isn’t one listed as part of their management team on their website (which, for a company their size in the security industry, is somewhat unusual). Using IdenTrust’s products for their internal infrastructure (if not already using similar products) to secure hardware, communications and infrastructures would make it a more “trusted” vendor in the market, not just by brand or self-asserted statements of such, but from a technically verifiable standpoint. In acquiring IdenTrust, they now have these capabilities. How they will use them internally, as opposed to just extending IdenTrust products externally, remains to be seen.
PKI at the Door
Another potentially advantageous area could be if HID exploits their previous CoreStreet assets (acquired when they acquired ActivIdentity) and recently acquired Codebench assets. Combining IdenTrust CA and PKI-at-the-door infrastructure, bridged by an enhanced service to make deploying and managing the two significantly simpler, could help the government migrate more quickly while enticing the enterprises that are growing leery of proprietary credentials with symmetric keys stored in local readers to go this route as well.
It is our prediction that in the near to mid-term, HID will avoid marketing this capability to enterprises and push “SIO” instead while only making physical access PKI generally available to government. We see little evidence of them doing so in the enterprise since they continue to invest in and aggressively market their newest products of their own creation. The US Federal government requires technology that meets their specification (which currently doesn’t specify for proprietary offerings).
Much of IdenTrust’s approach doesn’t align with HID’s traditional approach to the market, but if they can mesh it together across their entire suite of solutions while letting the customers choose what is desirable to them to deploy, it can be significant, as they are inarguably in the best position to bring about change on the largest scale. While HID has perhaps the most experience with acquisitions in this area, they have only proven to not see the obvious at times and to struggle to demonstrate measurable success by scale in the market (or provide the transparency to see otherwise). We will have to wait and see if they have learned from past experiences in a way that will lead to a visibly different outcome, and if they are met with increased demand when they get there.
As one of my very smart clients that manages their own PKI infrastructures had once said, “Doing PKI is easy, doing it well is VERY hard”. HID has definitely upped the stakes in terms of what can potentially be achieved but is met with potential impact that is equally significant if they don’t get it quite right. We’ll be watching closely.