RealTime IT News

Andre Durand, CEO, Ping Identity

Andre Durand Andre Durand and his staff at Ping Identity are a little lonely these days, given the slew of identity management software providers that were snapped up in the last two years.

With Hewlett-Packard's acquisition of Trustgenix earlier this month, Ping found itself the last software outpost along the identity management mile called federation.

Federation software lets corporate customers link multiple accounts with different providers on the Internet so that secure user authentication occurs only once.

While Ping competed with Trustgenix on a head to head basis, it was strikingly different. As the founder of commercial instant messaging firm Jabber Inc., Durand offered software for free under open source, then sat back and watched the product wow companies into buying more advanced functionality to scale.

Durand took a similar approach when he created Ping in 2002, letting corporations download and test the security software under an open source license, then charging once a company wants to expand the number of transactions it needs to complete. Customers like American Express, Nokia and Sprint have come calling.

The executive discussed Ping's efforts to survive and thrive in a shrunken market, where large suite vendors have bought most of the available technology and talent.

Q: What was your goal with Ping from the outset?

I took note through the Passport days while I was still at Jabber that this whole identity thing was really interesting and really fundamental. When I decided to leave Jabber and start something new, I started blogging. I wrote two or three articles and woke up one day and realized that there was a common theme: identity sits underneath these ideas. You couldn't do any of the things that I was talking about without an identity construct.

Our goal was to build an identity network that allowed end-users to be recognized anywhere. Think of it as the EZ-Pass for life. Your car can go through the turnstile. Think of all the places that you type in user name password where that friction of re-identifying yourself exists. The idea was to build a network where your identity was recognized everywhere and where you had control of your identity. What we backed into was an infrastructure provider for these identity transactions. Hopefully, we'll someday end up getting to where we wanted to be from day one. It may take several years.

Q: Large companies seem to appreciate ID management software. In the past few years, HP, CA, BMC, Oracle and others have all filled gaps by acquiring your rivals or partners. How does it feel to be one of the last startups of this ID management space?

It's one of those things where you get bipolar about how you feel about it. Should I be ecstatic, or should I be really scared? The start-ups in the space always tend to be a bit more of an economical choice than the big vendors because they're not pushing a lot of suite software. They're pushing best-of-breed solutions.

Startups also don't have these gigantic field sales organizations where the bids come in at six, seven figures. The competitive bids that large vendors tend to put in for federation projects tend to be higher than our bids because they're selling more than just federation. They're trying to sell their whole suite. For example, a lot of suite-selling vendors today tie federation with their access control, so it's actually not possible to buy federation standalone. In some cases that's appropriate, but sometimes customers end up purchasing more than they need.

Q: And you guys still sell it standalone?

Yeah, we're the last pure-play best-of-breed player. Having Trustgenix now in HP eliminated the best of breed, pure play standalone options. We've won several deals from Fortune 100 customers that had relationships with companies like IBM and Sun and others. When it came to federation, they chose Ping because they didn't want the federation tied to anything else.

Q: After acquiring Phaos, Oblix, OctetString and Thor Technologies in the last two years, do you worry that Oracle will decide to buy Ping?

I don't worry about that. Over the last year or two, we've had a few companies come sniffing around. The big suite vendors knew federation was coming and they all kind of gave lip service to it. But I think the management of those companies kind of thought it was somebody else's problem. I've lived through four years of the fight and we're not going to worry about it.

We're a little bit different from the others that got acquired for a few reasons. One is that we have raised a fair amount of money from quality institutional investors. I suspect that people know that we're not a cheap company to purchase. Trustgenix was self-funded. I really admire those guys for what they did. As an entrepreneur that takes a lot of discipline. So I suspect that whether it's Oracle or others, there are just very few players to fill out their product suites with.

There actually are still several companies that haven't yet made their play in the security space. For example, SAP has done nothing, though they actually did make an investment in Ping in their last round. There are several companies that have not yet made their play.

Q: How do you see the ID management space evolving over time?

I see 2006 to be a slightly less interesting year than 2007, 2008. In 2006, you'll see a lot of big vendors doing suite consolidation. Acquiring companies and getting people in the right places, and figuring out who's on first base and getting your product roadmaps aligned. At a big company that just doesn't happen overnight. The focus is on getting your suite stack all integrated and getting the pricing structures and sales channels organized. I see a lot of that happening through '06 with the string of acquisitions these companies have made.

The next five years might be characterized by the entire ID management stack becoming standardized, where the interfaces between everything are standards. What's interesting about all of this is while you have a tightly integrated, proprietary suite from the vendors on the one hand, which is very self-serving, on the other hand, you have almost the opposite thing happening: a modular, loosely-coupled stack with standards in between.

With this, companies can pick and choose best-of-breed authentication and tie it to best-of-breed policy, where all of the vendor products are interoperable. Therein lies the big, long-term opportunity for Ping because we started at the beginning of this modularization.