COLUMN

RSA not content to grow slowly

By Nick Selby 25 May 2006 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

-----------------------------------------------------------------------------------------------------

In discussions since releasing its first quarter 2006 numbers last month, Bedford, Mass.-based RSA Security Inc. has clearly stated its intention to grow equally in all three of its main business areas: enterprise, consumer (by which it means its sales to businesses that concentrate on consumer authentication and access needs) and developer.

To be sure, the bulk of RSA's business is in the enterprise space -- about $76 million of its total first-quarter revenue of $87.5 million. It's worth noting, however, that first-quarter consumer growth of 20% from the year-ago period isn't without appeal. As we prepared this piece, RSA announced a deal with Financial Fusion Inc. to provide RSA's risk-based authentication to its consumer and corporate banking products.

About The 451 Group The 451 Group is an independent technology industry analyst company focused on the business of enterprise IT innovation. Visit The 451 Group's Web site.

In the past six months, RSA has bought antifraud and two-factor authentication vendor Cyota for $145 million, and, well, antifraud and two-factor authentication vendor PassMark Security for $45 million. The Cyota purchase sealed several high-profile new consumer deals, including E*Trade Financial Corp., which bought RSA's antiphishing and Adaptive Authentication products; Barclays Bank plc, which upgraded from RSA's FraudAction to Transaction Monitoring; and Susquehanna Bancshares Inc., which signed on to RSA FraudAction antiphishing services. These additions were part of what RSA says were two dozen such deals last quarter.

First-quarter results
RSA said that in the first quarter of 2006, it shipped 1.7 million units of authentication credentials, 11% more than during the same period a year ago. And while it said growth is roughly equal in all its sectors, it said 623,398 of those credentials were in the consumer space -- up 20% from the fourth quarter of 2005. Part of that surely is attributable to the addition of E*Trade.

Revenue was up 15.7% to $87.5 million, from $75.6 million in the year-ago period, with earnings of $5.3 million, or $0.07 per diluted share. The company noted that in the year-ago period, net income of $7.2 million, or $0.10 per diluted share, did not include stock-based compensation charges. Non-GAAP earnings of $0.14 beat Wall Street expectations by a penny. At the end of the first quarter, it had about $57 million in cash and cash equivalents.

One-time passwords
RSA is keenly aware that it trails Vasco Data Security International Inc. in the one-time password (OTP) business, and it has been establishing partnerships left and right to gain what it calls ubiquitous authentication. Essentially the idea is to make the shift from hard tokens -- those little plastic fobs that produce time-sensitive OTPs -- into the realm of deploying the RSA SecurID product on devices that customers already have. These devices include mobile phones, PDAs, trusted computing modules and smartcards, from vendors such as Microsoft, Motorola Inc., M-Systems Inc., RedCannon Security Inc., Renesas Technology Corp., Research in Motion Ltd. and SanDisk Inc. RSA and Pointsec Mobile Technologies, a wholly owned subsidiary of Protect Data AB, have announced that Pointsec has integrated RSA technologies into the Pointsec for PC product, using RSA SecurID SID800 USB-enabled authenticators and RSA Smart Cards for pre-boot authentication to Pointsec-protected mobile devices.

We think a clear and interesting acquisition target here for RSA is Diversinet Corp., which provides RSA with over-the-air self-service deployment of soft tokens on mobile devices. The Diversinet product line and expertise would allow RSA to greatly expand its abilities to provision mobile devices with OTP. Granted, RSA licenses these technologies today from Diversinet, and the question of 'why buy the cow when the milk is so cheap' comes up regularly when we talk about this, but some of the biggest markets for consumer OTP soft-token deployment are in Asia, and there RSA would do well to own, not rent: in April, Diversinet announced a deal with SK Infosec, which will distribute Diversinet's OATH-compliant MobiSecure software tokens and MobiSecure Authentication Service Center (MASC) provisioning service in Korea. RSA has also launched recent forays into the Korean market -- who needs the distraction of competing against another OEM player? Plus, we think this technology is disruptive: if that's true, the last thing RSA wants to do is depend on a company with extremely low revenue and high cash burn to carry the ball.

The price is probably as appealing as the technology -- Diversinet shares trade in the $0.70 range, and it has a market cap of about $17 million. It posted 2005 revenue of $1.1m and first-quarter 2006 revenue of $473,000, up 33% year-on-year and 197.5% sequentially. The company narrowed its net loss to $730,000 ($0.03 per share) from $1.3 million ($0.07) in the first quarter of 2005. Diversinet also slowed its cash burn rate from $1.2 million in the fourth quarter of 2005 to $406,000 in the first quarter of 2006. Its expertise in the mobile area and its ability to innovate make it a ripe acquisition target. The 52-week trading high of $0.86 would seem to be the top end of a take-out price range, making a purchase price around $21m about right.

Biometrics
One of the interesting aspects of the PassMark acquisition was the company's biometric capabilities. These are based on its claimed ability to provide biometric authentication for password resets using a voiceprint taken via telephone (PassMark acquired the assets of Vocent Solutions, which developed the technologies, in August 2005 for an undisclosed amount). Leaving aside for the moment questions about whether the narrow audio bandwidth of a telephone line permits authentication strong enough to be trusted with the contents of, say, a checking account, RSA's attitude toward biometrics has been clear for some time: interesting stuff, we're not sure about the business case for it, we're looking into it.

However, consumer understanding of the need for two-factor and bi-directional authentication has been rising, while the prices of fingerprint readers have been falling at the same time as their quality has improved. Clearly, RSA -- the leader in authentication and access management -- must be doing more than thoughtfully rubbing its chin. We've commented on purchases in this space by Viisage Technology Inc., such as the pending $770m acquisition of Identix Inc., which will make Viisage the only U.S. company to sell a full complement of multimodal biometric recognition offerings for iris, finger and face, including biometric devices, software applications and services. But that's high tech stuff used by police departments and the military.

For banks, meanwhile, it makes good marketing sense to provide "good enough" security -- an extra layer providing a not-so-strong additional factor (a case in point being PassMark's search for a secure cookie or Flash object on the user's machine to use as a second factor, or indeed PassMark's use of telephonic voiceprint as a biometric third factor). Banks are thus able to inform their customers that they are doing everything to secure accounts (RSA tells us the E*Trade deal was driven by the company's marketing department, not its security officer). RSA might entertain the acquisition of some smaller biometrics players. These needn't even be players like UPEK Inc., Cross Match Technologies Inc., SecuGen Corp. or AuthenTec Inc., with a Bioscrypt Inc. Bioscrypt Core and a scanner licensed from any one of those vendors, a clever integrator -- and there are hundreds of those, ranging from tiny to fairly large -- could be of great interest.

We therefore don't think that it is out of the question to ponder whether RSA might consider layering its offerings by acquiring a sophisticated fraud detection company.

Risk-based authentication
We're convinced that RSA is not done buying in this space yet, and we don't think that some product overlap with its existing portfolio would matter too much: to an extent, PassMark duplicated certain functionality of Cyota, but RSA was interested in it regardless, and remains interested in similar plays for the simple reason that it wants to be the undisputed leader in risk-based authentication products. We therefore don't think that it is out of the question to ponder whether RSA might consider layering its offerings by acquiring a sophisticated fraud detection company such as Business Signatures Corp, Cydelity Inc., Digital Envoy Inc.'s Digital Resolve unit and The 41st Parameter Inc. (which closed an $11.2 million series B funding round on May 8 led by Kleiner Perkins Caufield & Byers, with participation from its series A investor Norwest Venture Partners).

Conclusion
In the UK, consumers have been alarmed by reports of fraud involving chip-and-PIN card readers, which provide point-of-sale processing of credit and debit cards using a four-digit PIN in place of a signature. It's an old-fashioned skimming job -- the scammers copy the magnetic card details rather than the chip -- but it's a sexy story and the media is running with it. We're not saying that this news makes RSA rub its hands gleefully, but purchases made using cloned debit and credit cards are just the kind of thing that the antifraud, risk-based security vendors have been claiming to be good at stopping (RSA says that of every two transactions highlighted by its Cyota antifraud technology, one turns out to be fraudulent). When the Tesco supermarket chain is forced to re-case 2,000 ATMs to prevent fraudsters from attaching skimming devices to the card readers, RSA would certainly expect someone at Tesco to give it a ring.

To be able to provide some concrete answers once that call comes through, RSA will have to keep buying innovators in antifraud, risk-based security, biometrics and one-time passwords.

Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.

Tags: Security Industry Market Trends, Predictions and Forecasts,  Two-Factor and Multifactor Authentication Strategies,  Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts M86 buys Web security gateway vendor Finjan Information Security Decisions 2009: Presentation downloads Bruce Schneier on outsourcing, awareness training Marcus Ranum on cyberwarfare, infosec careers McAfee survey finds faults in midmarket enterprise security Email archiving vendor sues Gartner over Magic Quadrant Information Security magazine October issue PDF Editor's Desk: Security 7 Winners Chronicle Trends That Shape The Industry Information Security magazine Security 7 Award winners Security Squad: Privacy gone awry Security Industry Market Trends, Predictions and Forecasts Research Two-Factor and Multifactor Authentication Strategies Two-factor authentication, vigilance foil password theft Security on a budget: How to make the most of authentication tools Best Authentication Products Best Identity and Access Management Products Are 'strong authentication' methods strong enough for compliance? PCI compliance requirement 7: Restrict access PCI compliance requirement 9: Physical access Best practices: How to implement and maintain enterprise user roles Changing times for identity management RSA researcher Ari Juels: RFID tags may be easily hacked Vendor Management: Negotiations, Budgeting, Mergers and Acquisitions M86 buys Web security gateway vendor Finjan McAfee survey finds faults in midmarket enterprise security Cisco acquires SaaS security vendor ScanSafe Email archiving vendor sues Gartner over Magic Quadrant Analyst calls Barracuda-Purewire deal proof of cloud dominance Barracuda acquires Purewire expanding Web security reach McAfee, Verizon Business partner to develop cloud security services Security vendors can learn from ConSentry Networks demise Security on a budget: How to make the most of authentication tools 2009 Information Security magazine Readers' Choice Awards

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary