Business & Marketing
Q&A with Bill Conner, CEO, Entrust
Originally a spin-off from Nortel Networks, Entrust is most closely associated with encryption, digital certificates and PKI security. Its client base is largely public sector, but the company is looking to grow its private sector business and make a bigger splash in the physical/logical access space by getting more of its technology on to smart cards. Entrust CEO Bill Conner recently spoke with SP&T News about growth plans and the decision to take the company private.
By Neil Sutton
SP&T News: What’s the background on Entrust? It used to be an Ottawa-based company, and then moved to Dallas.
Bill Conner: It actually was part of Nortel. I too was at Nortel. Entrust was created because we needed an ability to keep information sensitive. We have about 120 patents now. That development group started out in Ottawa and frankly today is still going on. I probably have 180 people out of 325 still in Ottawa. It’s our largest centre. I’m in Dallas and that’s our headquarters. What we did was carve it out from Nortel and IPO’d it in 1998. Eighteen months ago, we took the company private with a company called Thoma Bravo.
SP&T News: What led to that decision?
Conner: Being a $100-million software company, where about 45 to 50 per cent of your business is government. It’s very hard to predict revenue streams in the government sector. That was one issue. The amount of Sarbanes-Oxley and SEC oversight and cost was just incredible. Literally, the amount of time that I spent with just regulations and oversight versus doing what a small $100-million business should do, which is innovate and grow. We shopped it and went private 18 months ago as a result of that.
SP&T News: Can you talk about any business you’re currently doing in Canada?
Conner: We do a ton of business with the government. Entrust is standardized within the Government of Canada. We’re standardized in the Ontario government as well. We do quite a bit of work with CRA and people like the RCMP and DND. Just like in the U.S., we’re pretty much the standard for what I’ll call logical access control within the government and across it.
SP&T News: Entrust is probably best known for its encryption technology but you also play in the physical security space as well.
Conner: Yes. We call it physical and logical security, coming together. Certainly your readership knows that Entrust has done stuff for governments and banks around the logical side of security via corporate assets and IDs and those kinds of things. If you look at the technology for the cards that you would use to go into a building or your office or your garage you realize those things have 30-year-old technology in them. In fact, they’re not too secure. I can walk by you and duplicate the security code on that card in minutes, replicate it and then have building access. I think one of the stats that I found amusing was that if you covered four blocks in New York City, you could probably go into multiple buildings with that one card, or multiple floors even.
We clearly do a lot with passports. Half of the digital passports issued today use our technology inside. There are two versions. There’s the one that the U.S. and the U.K. use today and then there’s a next generation that will have more biometric information and protect that on an RFID chip.
In March of last year, I announced with the Secretary General of Interpol the ability for an Interpol agent to use one physical card with an RFID chip in it. You can use the card at the border, as a passport, or as a visa waiver to get into countries where they’ve accepted that. The second thing we did for them was make them able to use that with their desktop or their network.
The last thing we did was replace their separate card for building access with our capability to do that on the same chip. There’s one chip with three different kinds of logical and physical access on a next generation platform.
You could also have a card with health information on that same chip. You’ve gone to PIN and chip on credit cards in Canada. Ultimately, you could have that same kind of system set up so only people with jurisdiction or the right credentials could see or read that information, whether it’s your identity, your passport, your health information.
SP&T News: Are you partnering with companies to go to market or competing with the likes of HID?
Conner: It’s co-opetition. We can use the HID chips, as an example, in our cards. But then in the same sense, we compete with them. They traditionally come at it from a facilities standpoint. That’s a very different organization and group than a CIO or CISO or chief risk manager for a company. Our customer set has been the CIO, the chief risk guy and chief security person. Us bringing this card to them allows the CIO to say, “I can pick up the cost for building access under my domain and get rid of these multiple cards which no employees like.” It gives them a cost opportunity rationalization as well as a better end user experience, and it’s more secure because the facilities stuff is not secure.
SP&T News: With HID, you’ve got them coming from the physical space and going more towards the IT space and credentialing and things like that. You’re coming at it from the other direction. Is there any advantage to doing it your way?
Conner: Yeah, I think there’s 100 per cent advantage because most facilities guys don’t understand logical. All CIOs can understand that, “If I put it on a chip I can now enable that.” A lot of chief information officers are being pressed already to get out of just logical security and into physical security. I think there’s a natural evolution here — at least for this early piece where you bring physical and logical security together on a common card — for the CIO and chief security officer to take it over. It’s antiquated technology with very high price points with high risk. I like our approach. HID is 100 per cent channel, so they’re not directly dealing with an end user.
SP&T News: Do you experience resistance or skepticism from users who are more entrenched in the physical security market?
Conner: We knew as we got into this that they were literally two separate markets; two different end users — two different technologies to a certain extent. Smart cards and RFID chips have been a promise of the future for 15 years, so why now? But when someone like the U.S. government says, “We need a new model, you’ve got to bring these things together.” And you look at the ability of the current technology and our skills; it’s a different game.
The market isn’t going to be here tomorrow, but it’s not too soon after the day after tomorrow. We think there’s a very nice business here, and it’s just ripe for the picking. When we got into authentication for an enterprise, the average seat price for an RSA token was 40 or 50 bucks. We’re putting them out for five bucks. We think there’s a similar discontinuity with the technology and with the cost and value point now with a common physical/logical card.
SP&T News: Is there room for more players to enter this market or are we inevitably headed towards convergence?
Conner: I think we’re definitely headed towards convergence. We’re one of the leading people who jumped in and said, “Wait a minute, there’s a better way to do this.” I think it’s going to be very interesting to see how the bigger multi-billion dollar companies respond to very agile small software people that kind of have a different way to do it.
SP&T News: Is there any concern about using RFID as a standard? In past years, there have been concerns that data stored on RFID might be stolen using readers at close proximity.
Conner: If you look at the passport technology in Europe and soon to be in Asia, it really limits your ability to take that data. We use a public certificate and a private certificate. So, unless that reader has a certificate that’s allowed to read that data, it will not let it go. So unlike RFID where it wasn’t encrypted using certificates, or digitally signed, you could get (that data). Now what we’re doing with second-generation passports and what we’ve done for Interpol is, you can only get that information if you have the matching key to unlock it. That’s what’s changed from five years ago with RFID.