Archive for the 'Single-sign on' Category

By Popular Demand: A List of Our Security Industry Blogs Since May

I am gratified by the encouragement and response from the several thousand unique visitors to the site TheSecurityAnalyst.com since I started it in May.  Since being picked up by Seeking Alpha at the end of June, I have been swamped with requests for a listing of the earlier blogs on the industry that are not currently on the website.  So here is the complete listing of our blogs in reverse chronological order.

 

07/02 – In An Economic Slowdown, Government Contracts Become Important for the Security Industry.  Four security companies demonstrating good growth in a bad economy, thanks to strong Government contract flow: FLIR, L-1, ICx Technologies, and China Security & Surveillance.  (Note:  ICx announced today yet another contract for its “Cerberus” surveillance towers, this time its first from the Secure Border Initiative).

 

06/29 – Has Single-Sign On Finally Hit “Prime Time” With Security End Users?  We may be at the inflection point of improved technology and enterprise end user demand for single-sign on solutions as part of the convergence of physical and logical security systems.

 

6/26 – China Security & Surveillance: Go-to-Market and Strategic Leadership in Security in China.  The leading domestic security company in China has developed a huge advantage (no channel conflicts between its manufacturing, installation, integration and monitoring businesses), in the world’s fastest growing security market (independent of the Olympics).

 

6/23 – “REAL ID” Controlled by a Foreign Entity?  Safran S.A. Bids Against L-1 for Digimarc’s ID Business.  With all of the hoopla over personal privacy and REAL ID, we just thought it a bit odd that a foreign entity, 30% owned by a foreign government, would bid against L-1 for Digimarc’s ID (driver’s license) business.  Oh well, at minimum they forced a competitor to pay $50 million more.

 

6/18 – Guest Blog: Risk of Critical Failure in Monitored Alarm Industry.  Guest blogger, and long-time monitoring industry consultant Lee Jones emphatically warns against industry laxness regarding false alarms and the looming threat of non-response without verification.  His point:  The alarm customer and the police, the two most critical segments of the infrastructure, have been abused. We believe the alarm industry is losing the loyalty of both parties. Without the loyalty of the customer and the police, the entire infrastructure as we know it today, could collapse.

 

 

6/15-6/16 –  Do Not Ignore L-1 Identity Solutions As the ID Market Grows.  The identification market (along with biometric technologies) is now sprinting in its growth and here is the undisputed market leader – like it or not.

 

6/12 – Stanley-Sonitrol: Strategically Smart, But with Franchisee Relationships to Fix.  Stanley Works is becoming a legitimate security systems integration threat to the likes of Siemens, ADT, and Securitas Systems (recently renamed Niscayah), with its acquisitions of HSM Security and now, Sonitrol Management (the leading brand for verified, quick response by police).  However, Stanley has also acquired some very frayed relationships with Sonitrol’s significant franchisee system, which will have to be fixed.

 

6/10 – ADT’s Growth Strategy Unveils its Underestimated Integration Business.  ADT now comprises the largest single entity of any of Tyco International’s revenues and over half of its EBITDA.  We think Wall Street analysts are missing a key development underlying ADT – its already well-regarded and now growing systems integration business.

 

6/4 – BHS Steady State Cash Flow Still High, per SEC Filings.  As a follow-up to our June 2 blog, with the SEC filing by Brinks Home Security on its proposed spin out from Brinks, several investors asked us to recalculate the 2007 steady state free cash flow of the company (SSCF being the most important metric besides attrition).  Taking on its own corporate overhead, BHS SSCF for 2007 falls to $178.5 million (36.8% margin) from our previous estimate of $191.3 million (39.5%).  However, that is still way above the margin of any other public monitoring company and virtually the highest of any public or private company.

 

6/2 – Sonitrol: Can the Vaunted Franchise System & Brand Hold Together?  With rumors in the industry that the Sonitrol business was close to being sold by its private equity owners, we issued a warning to any buyer of this verified alarm leader:  Fix the relationship with the franchisees.

 

6/2 – Brinks Home Security:  A Brief Look at “The Surprises.”  On May 30, BHS filed a “Form 10” with the SEC, representing its preliminary pro forma financials as well as its ongoing relationship with Brinks Inc.  Along with the financial pro formas, there are two “surprise” issues which popped up in the filing (you have to dig to find them):  (a) the loss by BHS of its “Brinks” brand in three years and (b) the royalties that BHS has been paying to Brinks (over $30 million in 2007), which were formerly not reported (or at least never seen by me).  The ongoing royalty payments fall dramatically, however.

 

5/13 – Somebody Needed to Love Protection One.  Protection One has a great management that has fixed a disaster and stabilized the company, the third largest monitoring business in the U.S.   However, a thinly traded stock, lack of growth and a balance sheet that won’t allow a lot of acquisitions has investors snoozing on this name.  We still think investors may be asleep at the switch on this one.

 

5/13 – Video Standards That May Finally Mean Something.  On May 12, a consortium of Axis Communications, Sony and privately-held Bosch – three of the leading names in video surveillance, formed a group aimed at developing a standard for the interface of network video products. Currently, while there are video compression standards (MPEG-4, and the new H.260), there is no global standard defining how network video products such as cameras, video encoders and video management systems should communicate with each other.  Note: This blog actually generated a lot of comments around why it has even taken this long for open systems to emerge in video, along with skepticism that proprietary video systems (which are maybe good for individual companies, but bad for overall industry growth), can be “overcome” any time soon.

 

5/13 – FLIR Systems and Axis AB:  A Tale of Two Video Technology Companies.  Axis Communications (Axis AB, based in Lund, Sweden) and U.S. based FLIR Systems are the two leading companies in their respective technological niches in the $7 billion video surveillance industry.  Axis is the leading provider of IP network video cameras, while FLIR is the leading provider of infrared cameras for surveillance and thermographic (temperature control) use.  Unfortunately, for Axis, a couple of its key commercial markets are slowing due to the economy – and hurting its stock.  Fortunately for FLIR, its Government business is booming, as is the rapid expansion of infrared in non-military use – helping its stock.  We like both companies; investors will have to talk to their analysts to make their own timing choices.

 

The writer currently holds positions in L-1 Identity Solutions and ICx Technologies, and is considering a position in China Security & Surveillance.

Has Single-Sign on Finally Hit “Prime Time” With Security Industry End Users?

We’d like to thank our special “guest” assistant and end user sources for help on this blog.

 

SSO Becoming a Key Security Convergence Component.  With chief security officers at enterprises finding that physical security and IT infrastructure are becoming more and more complex and harder for individual departments to manage, so-called “Single-sign On” (SSO) has become a hot topic in the IT world, leaking out to the physical world as well.  Just like video analytics, SSO is not a new notion, nor has it been immune from hype and subsequent end user disappointment.  However, as with video analytics, the growth of SSO use among end users who hold more realistic notions of what it can and cannot do has created a much more accepting user community for the technology.  This is an important take-away as we begin to look at the market, the companies providing SSO solutions, and the possibility of who might want to team up with, or even acquire, the better SSO providers.  We would reiterate: while we don’t ultimately view SSO as an “industry” unto itself, we see it as one of the very key components for end users in the move toward convergence between physical and logical security.

Compliance, Efficiency, Security and Total Cost of Ownership.  Not only can single-sign on help an organization in regulatory compliance (e.g., HIPAA and SOX), but it can also lower the total cost of ownership (TCO) of the security systems infrastructure being considered for upgrade or new installation.  For those that are just getting up to speed on this, SSO is a method of authentication which allows a user at the enterprise to log on to the security infrastructure once (primarily IT today, but becoming increasingly converged with physical systems) and gain access to multiple security systems without being prompted multiple times to “log on.”  Once the user has logged into the infrastructure, the individual systems can take the infrastructure authentication and automatically apply it to their own individual authentication systems.

An SSO environment can benefit a CSO, along with their IT and physical security departments, in many ways.  It can limit the complexity of the user provisioning process, if user information is stored in a single central area.  IT departments will have more time to focus on pressing and high risk issues, as having SSO can, for instance, limit the number of help desk calls. (User: “Hello, I’ve forgotten my password to XYZ application”). This in turn can reduce IT costs. Additionally (and this is everyone’s favorite benefit), having SSO will significantly decrease the number of passwords a user is required to remember.

 

More benefits to SSO include Compliance Reporting – If all user data is in a central place, I can get a single report from the SSO environment rather than having to get one from each individual application.  This, in turn, reduces end-user time as they don’t need to log on every time.

 

Another important aspect of SSO is the “push” it gives to the convergence of logical and physical security environments.  Many SSO software packages allow for physical and logical security to work seamlessly together.  When a user’s access is terminated in the SSO environment, their physical access card can be automatically disabled, as well.

 

The ROI Issue. A recent end-user study by Spire Security LLC found that SSO generated ROI by (1) substantially reduced costs and improved efficiencies on existing accounts, and (2) reduced costs on new and departing employee account management.

The Hurdles that Have Prevented Major SSO installations up until now. 

So why hasn’t an obvious benefit to convergence been implemented en masse up until now?  The biggest and most obvious bugaboo for SSO is security, and the primary security concern is authentication.  SSO environments must incorporate some sort of strong authentication mechanism. Without strong authentication mechanisms, risk of a security breach might be increased exponentially. For instance, if strong password settings are not established in the SSO system, a “hacker” who discovers the IT administrator password could possibly have the “keys to the kingdom” and gain high-level access to not just the security system, but theoretically nearly all IT systems.  This is why, from a CSO’s point of view, reference-site based proof of strong authentication is so important. By implementing authentication mechanisms such as smart cards, RSA key fobs, and biometrics, these risks of giving up the “keys” can be minimized.  The mechanisms for doing this are beyond the scope of this blog, but are certainly available from numerous consultants, ranging from individual practitioners like Steve Hunt to giant consultants like KPMG.

One of the responses to the “keys to the kingdom” argument has been that SSO providers also provide much stronger password protection protocols, including eliminating common password selections, and various means to permanently prevent users from writing down passwords.  The mere fact that end users can focus on one password and one sign-on can eliminate the common passwords and IDs that come from user-password overload.

Complexity.  In addition to the risks, and partially because of them, SSO environments are becoming increasingly complex and complicated to set up.  Typically organizations do not have a homogeneous IT infrastructure, and probably have an even more piecemeal physical security infrastructure.  My former organization is a true leader in attempting to integrate logical and physical security, and yet that is a task that is far from completed.  An organization may employ multiple applications, on multiple types of environments, with multiple security settings and parameters for both physical and logical security.  We have found in talking to end users that too many IT departments still treat each of these environments as silos and may lack the understanding of how to incorporate authentication technology between them, and this is before even tackling the physical/logical convergence issue.

Conclusion:  Despite the continued challenges of complexity and security facing end users implementing single sign-on, we believe we are now at a level of maturity, integration, and end user acceptance that we have not seen before.  We think after hearing about it for a decade, and watching large numbers of venture and private equity investors waiting (…and waiting) for returns on their investment, the time for this segment appears to be arriving.  We would not be surprised to see a wave of joint ventures and industry consolidation.

Here is a short list of companies that offer SSO, along with their leading investors:

 

Private Companies and their Major Investors:

Imprivata: SAP Ventures, Polaris Venture Partners, Highland Capital Partners

Sentillion (HealthCare Specific): Merrill Lynch Investors, Dresdner Kleinwort Capital, First Consulting Group, Intersouth Partners, Newbury Ventures

Passlogix: Hanseatic Corp., Union Square Ventures

Enterasys: Gores Group LLC, Tennenbaum Capital Partners

Courion: Questmark Partners, Riggs Capital, JMI Equity

Shibboleth: Internet2 Middleware Initiative, under the National Science Foundation

MetaPass: Sunnyvale, CA

Atlassian: Sydney, Australia

 

Public Company:

ActivIdentity (ACTI)

 

Divisions of Larger Public Companies:

Microsoft (Identity and Access Management Series)

CA (Identity & Access Management Solution)

Hitachi ID Systems

Novell

Oracle

SAP