Karen Wendel - Identrust
ISSUE 15.7, Apr 06
Karen Wendel,
Identrust
Despite friends in high places, New York-based security solutions vendor, Identrust, is still looking to hit the big time. Will a new name and some fresh faces make it happen? Tom Alford puts CEO, Karen Wendel, in the spotlight.
For the cynical, rebranding is often seen as a way out of a period of stagnation. But Identrust, which suffixed a letter ‘T’ to its name on the 1st March 2006 to become Identrust, feels its new image really is the start of the big push to become the de facto global standard for real-time identity authentication.
‘Our new name places that trust front and centre,’ says the company’s CEO, Karen Wendel, with conviction. But if Identrust is going to be a star, it is going to need more than just an extra ‘T’ to convince the world it has the right product.
The grand idea was, and still is, to bring about ‘certainty and security’ to high value all inclusive B2B internet-based e-commerce. For an in-depth look at the technology used to establish an electronic identity, refer to the IBS feature on electronic payment security in the October 2005 edition. But essentially, the Identrust model enables member financial institutions to issue unique PKI-based digital certificates and digital signatures to enable business to not just trade securely on the internet with other similarly certified member organisations, but also exchange documents and encoded messages.
The product has indisputable benefits, but as the current burst of organisational activity implies, Identrust is seeking more traction in the markets.
In the old Identrust model, just about every C-level job was executed by Wendel. ‘It was sort of Karen’s consulting firm,’ she jokes. ‘I was CEO, CTO, CFO, chief bottle-washer, paper-hanger, and the janitor at weekends.’ In an attempt to bring in a management team that will supplement her industry and consulting expertise, Identrust has seen some recent high-ranking appointments from the corporate world.
John Sculley, an ex-CEO of Apple, president and CEO of Pepsi, and a partner with venture capitalist, Rho Ventures, has been drafted in as chairman of the board. Sculley and Wendel together appointed Jean Lavigne, who brings VP and CEO-level skills fresh from Motorola in Europe, to take responsibility for development of the company in that region. Wendel believes these appointments will deliver. As she says, ‘we wanted to bring in people that were experienced in building companies’. Sculley and Lavigne’s corporate sway will also act as a counter-balance for Identrust’s rich banking lineage.
‘I was CEO, CTO, CFO, chief bottle-washer, paper-hanger, and the janitor at weekends.’
Because I now have people on board that can make certain the company is running properly, I can focus on the two things that I think are really important,’ she explains. ‘I’m focusing on strategy, and making certain that we pressure test it. And I am spending a lot more time on direct customer interface.’
When it was founded in 1999 (by a number of major financial institutions including ABN Amro, HSBC, Barclays, Citibank, and Bank of America), Identrust was dependent on these banks to create and drive a market for it. ‘Identrust was originally just responsible for creating the rule-set and the framework under which the identities were issued,’ notes Wendel. ‘It was never expected that it would have any direct contact with the customers.’
But it became abundantly clear as the project evolved that the organisation would eventually need to focus on the end-customer. Wendel explains: ‘Identrust identities, by their very nature, are interoperable. They can be accepted by any bank that is part of the community, which means the end-customers - the corporates - can ditch the 50 different identities sitting in their desk drawer.’
But interoperability needs a rule-set covering as many countries as possible for it to work (it now operates in 82 different countries). Of course, this comes up against a diverse and massively complex range of legal conditions. The policy, legal, operational and technical rule-set for global identity management originally consisted of more than 4000 pages of text. It has now been pre-digested into a manageable set of essentials that can be approached when needed, not up front. This means the contract for global interoperability with Identrust is now only a four page document. ‘It reduces the pain and agony of on-boarding,’ says Wendel. ‘Where it used to take anywhere from six to nine months to join Identrust, it can now be done in four to eight weeks.’
Even so, many banks counter-argued that until their customers actually started asking for this degree of interoperability, they weren’t interested. In fact, the first ever Identrust implementation at Bank of America (BoA) hit early problems because of the perceived lack of market demand for interoperability. The project, overseen by one Mack Hicks, BoA’s then VP of corporate information security, was canned in 2002. Hicks, an advocate of the technology, has recently been appointed as Identrust’s CTO. His move from bank to vendor is shrewd. Wendel says the corporates are now asking to replace their multitude of tokens and ID tools with something more efficient. With their powerful voice ringing in the banks’ ears, she says, ‘it is making them listen to the Identrust differentiation much more closely.’
Planning the next move
For Identrust, this is why its technology, its new administration, and everything the extra ‘T’ stands for, must start to coalesce into an effective
unit.
Action started last September, with a $20 million cash injection from Rho Ventures and Enterprise Partners Venture Capital, with participation from existing leading investor, Zions Bancorporation. Then, excited by the likelihood of new technology coming out of the deal, Tom Buschman, treasury development manager at Shell International, and Twist chairman, began openly describing Identrust’s potential as ‘a major catalyst for supply chain automation’.
The relationship between Identrust and Twist moved up a gear a month later when the two organisations set up an identity working group, chaired by Sarah Jones of HP, to discuss fraud issues. They called it the Bank Mandate Working Group (IBS, March 2006).
As an example of the issues being discussed, a corporate, such as Shell, will bank with as many as 50 different institutions around the world, and has multiple signatories. If one of those signatories needs to be changed, the process, under KYC rulings, demands a lengthy and complex series of documents be completed. It can take anywhere up to six months for just one alteration. Further muddying the water, each bank has a different format and set of requirements for making any such changes.
Under the sponsorship of Twist, an Identrust team, guided by CTO Hicks, is creating an XML standard message, capable of going between the corporates and the banks, that will contain everything needed to change a bank account. Users can write a standard API for interfaces with both corporate and bank systems, and use Identrust identities to give the request credence. Six months will be reduced to a couple of minutes, says Wendel. So far, eleven corporates and six banks have signed up. When it goes into production, Identrust will then become one of the first public key infrastructures to support XML. ‘It’s a really sexy application,’ she says, ‘because everybody gets it.’
Twist has agreed to integrate Identrust’s identity validation rules into its own open standards portfolio. But it won’t be in one big rush. ‘We’re very big on the ‘do-think-do’ model,’ says Wendel. ‘You don’t want to go out and boil the ocean, you want to take a concept, test it and then feed that back into the standards group.’
With this in mind, Identrust will be progressing individual projects under its Proof of Concept scheme. The first is running from the middle of April to the end of June with Citibank. Although no details can be given as yet, it will involve four other banks and six corporates. Citibank will provide the project code, whilst the corporates will submit any changes deemed necessary. Citibank will then notify the other banks of any change. The results will then be fed back into the Bank Mandate Working Group. Having completed this, another Proof of Concept project using Twist standards will be set up, with different banks and corporates. The umbrella project will roll through to at least the end of this year.
In supporting this degree of co-operation, Twist clearly shows its desire to bring about interoperability for electronic communication between corporates and their banks. A working partnership with the members of Twist will bring ‘a lot of opportunity’ for Identrust. It certainly moves the corporate dream of a fully automated supply chain a step closer each time Identrust, through such projects with Twist, brings another user into the community.
‘My goal for this year is to have 50 banks in the mix,’ says Wendel. It currently has 20. Danske Bank and Bladex, a major LatAm bank, signed recently - the latter will operate as an Identrust representative in the region. The Twist connection is starting to pay off, with a further seven banks waiting to sign up, having participated in the various schemes. It has also just taken on board one of the largest banking groups in the world. Details are currently off the record, but it is a massive sign of support for Identrust.
Swift
For every force, there exists an equal and opposite force. In this case, the major fly in the ointment for Wendel’s plans for global domination is Swift. With its bank membership and exclusive payments model, it is diametrically opposed to
Identrust’s open and inclusive approach. Unfortunately for Identrust, it is also more than an equal force at the moment. As far as Swift is concerned, Wendel says
Identrust is ‘not really on their radar screen’.
But Swift is bank only, and limited in its scope. It was primarily built for very high volumes and specific types of messages. ‘It does a great job at what it does,’ concedes Wendel. Tactfully she agrees that ‘we are just different’.
Identrust is genuinely open to anyone engaged in B2B commerce. It can be used for authentication in payments, contract signing, invoicing and so on. It also encrypts information to minimise exposure of sensitive material, and it provides digital signatures that are legally binding and non-repudiable. ‘Swift doesn’t really do these three things,’ notes Wendel. Swift provides authentication when you are working within the Swift community, but outside it doesn’t. ‘You lose it once you exit the payment channel,’ she explains.
Swift might claim that it has 99.999 per cent availability, whereas Identrust uses the notoriously unpredictable public network. ‘We have had 100 per cent availability for the past 24 months,’ retorts Wendel. ‘Public networks can and do have access problems, but our experience has been that the problems do not lie with the network per se. Where there have been problems with people not getting into the Identrust network, the problem has been with their individual ISP providers.’ Argue that this still means access is prevented, no matter what the cause, and Wendel is quick to counter with the revelation that Identrust will set up a dedicated line between the client and the network where ISP problems have been encountered.
Part of this high availability stems from Identrust bringing its own infrastructure back in-house. It used to outsource, but Wendel took the decision in 2004 to reclaim it. ‘We needed to have complete control,’ she states.
Surely she must agree that Identrust is a threat to Swift’s dominance? She has stated in this Journal (IBS, September 2005) that Swift would view Identrust as a ‘tiny gnat, out there in the garden’. But with its recent developments, she upgrades Identrust to a more harmful creature: ‘I think we’re more like a mosquito now.’
But Wendel refuses to be drawn into attacking the Brussels-based giant. She openly states her intention is ‘absolutely not to compete with Swift’. ‘I’m not going after the payments space, I’m not going after the funds transfer space,’ she says. ‘I’m dealing with all the things that fall outside the bandwidth of that, where there is a huge market demand where we can make a big difference. My intention is to define the areas not covered by Swift.’
In explaining Identrust’s interests, she cites a case that concerns a supply chain being run between HP, its main bank HSBC, and Office Depot, the world’s largest office supplies company, that also buys from HP (IBS, October 2005). Electronic invoices and remittances are being sent back and forth between the two corporates with no problem, but HSBC is using Swift, and Swift cannot handle the invoicing data that is sent with the message so it is lost, breaking the chain. Because HSBC’s payments to Office Depot cannot contain the invoice data, the recipient has to go back to the bank to find out what each transaction relates to. It is time-consuming and expensive. Identrust would be able to incorporate the data and the identity in one message.
‘My intention is to define the areas not covered by Swift.’
Despite the obvious benefits to corporates, in the rich and fertile garden of Swift’s own territory, Identrust may struggle. But Wendel is on record as saying Swift is uncomfortable with something that could replace the MA-CUG. It is not the place to discuss how credible a system Swift believes its MA-CUG to be, or what the corporates think of it, but Wendel now believes Identrust has become a really good alternative to it anyway.
Could Identrust work with Swift? ‘In an ideal world,’ says Wendel, ‘it would be wonderful if Identrust and Swift could work together, because there are some clear and obvious synergies between the two entities.’ It is unclear to her whether this would be possible right now. ‘Swift pays attention to things when there is a huge market demand. They respond to very concrete messages they are getting from their banks,’ she says. ‘Right now, I think we are still too early in the process of addressing some of these items to have enough pressure, power or energy to get Swift to do anything about it.’ Once Identrust gets traction, Wendel feels she can go to Swift and say, ‘let’s talk about how we can make this work’. This, she admits, is at least 18 months away.
The message
Wendel is utterly convinced that what she, and her new team, are offering is the best identity solution. ‘If you are looking for a secure, reliable, globally applicable identity mechanism that will give you the ability to grow over time, come talk to
Identrust.’
She is bound to say that, but having stayed with it for so long (and seen some big players from the banking, and now the corporate world) start to take notice, you can’t help but lose the cynicism when it comes to believing how much that extra ‘T’ really means to Identrust.
