Public-key infrastructure has taken its lumps for years, as have its users. But when CEO Fran Rooney walked out the door of PKI vendor Baltimore Technologies plc., in Dublin, Ireland, last week, many saw it as the beginning of the end for the technology.
Now more than ever, customerswho have watched Baltimore and other PKI vendors such as RSA Security Inc. and Entrust Inc. suffer endless ups and downsare wondering where all this turmoil is going to leave them and their costly PKI projects.
For many, the choice now is frequently driven not by who has the best technology but by who has the best support and the best chance of staying in business through the notoriously long implementation cycle. And for a growing number of IT shops, the choice has been to sidestep PKI entirely.
"We did the whole evaluation, but I wasnt overwhelmed," said an IT manager at a large East Coast financial services company. "I couldnt see the need because this is a technology that impacts everything across the enterprise, and there was no compelling application to drive it."
Even users willing to stay the course with PKI are now looking for more technology than vendors such as Baltimore have to offer. "When we went to make our decision, it came down to the fact that Entrust had a full suite of products and Baltimore had one," said a security specialist who asked to remain anonymous. "Thats their problem."
Entrust, of Plano, Texas, is working to diversify its offerings, moving into enhanced PKI services as well as token-based authentication and virtual private networks. CEO Bill Conner said that the time when a vendor could survive on PKI alone had passed.
"Customers are looking at what you can do with it," Conner said. "People arent just buying [PKI] by the boatload. You cant live on [PKI] alone."
To answer such critics, Baltimore is also moving quickly toward offering its services on a subscription basis in an effort to create a more predictable revenue stream and will likely expand its product portfolio. Sources said Baltimore is trying to reduce upfront costs by offering users a hosted service that can later become an in-house service. More announcements are due next month.
However, officials said the company must get through its current restructuring effort and CEO search before any significant strategy shifts can be put in place. Analysts say the company may be ripe for a buyout.
"Our immediate focus is to push forward with the restructuring to make sure that Baltimore is on a good footing," said Paul Sanders, Baltimores chief financial officer and interim CEO.
Baltimore, often regarded as having some of the best technology in the industry, has since the beginning of the year been caught in a spiral of falling revenue and plummeting stock value. Both have led to layoffs and a scramble to reshape the company. Baltimore officials plan to announce the details of the organizational changes in August.
"In my mind, theres no question Baltimore has great technology," said Baltimore Unicert user Dave Croston, president and CEO of MVPN LLC, in Warwick, R.I. "But the issue still is, it isnt easy to implement [nor is it] a low-cost expenditure upfront."
Rooneys departure is seen by many as a bad sign not just for Baltimore but for the PKI market in general. After buying Baltimore five years ago, Rooney transformed what was then a small security service company into one of the top players in the security industry. He was one of the chief evangelists of the virtues of PKI, but his sudden departure in the midst of Baltimores troubles is not a ringing endorsement of the technology.
Even companies such as Entrust, with more diversified product lines, have found customers unwilling to commit to costly and time-consuming PKI deployments without a full set of applications and support.
"We have 60,000 users, and I dont want to bring in an expensive infrastructure and then have to go back and redo my applications myself," the financial services IT manager said.