This column originally appeared on SearchSecurity.com.
A month ago, EMC Corp. laid out its vision to create five distinct business units, each generating at least $1 billion in sales. At the time, the division probably furthest from that threshold was EMC's information security unit, which we estimate was running at about $100 million. On June 29, EMC took a huge step toward its goal, paying $2.1 billion for encryption software provider RSA Security Inc. But the deal didn't come cheap, valuing RSA three times richer than the market values EMC, at least in terms of sales.
EMC said it will pay $28 in cash for each of RSA's 74 million shares, or about $2.1 billion. RSA stock hasn't changed hands at that level in a half-decade. For its part, EMC's stock dipped in after-hours trading Thursday following the deal's official announcement, sliding to its lowest level since September 2004. Investors expressed concern about the price of the acquisition as well as the fact that it will lower EMC's earnings for at least the next year.
Although it is rather unusual for a company to do a 10-digit deal entirely in cash, we would note that EMC will likely generate about $2 billion in cash in 2006. At the end of March, EMC held $3.5 billion in cash and equivalents.
The acquisition of RSA continues a three-year shopping spree by EMC, during which time it has spent some $4.6 billion. RSA represents the largest single acquisition, topping the $1.8 billion that EMC paid for Documentum in late 2003 and $1.3 billion for Legato Systems a few months before that.
The RSA acquisition, which is expected to close in fall, came only after EMC outbid at least one other major bidder. Indeed, much of the price has to be attributed to a scarcity premium. EMC has often described its acquisition strategy as picking up a string of pearls. We're not convinced that RSA -- a company that hasn't grown revenue in four years, and that now finds itself under SEC investigation for alleged options backdating -- is much of a jewel. Even if we assume a bit of sparkle around RSA that hasn't been there recently, we find it hard to justify the price EMC paid. With no debt and $208 million in cash and equivalents, RSA garnered an enterprise value (EV) of $2.1 billion in the transaction. That's a rich seven times 2005 sales. For comparison, EMC currently trades at an EV of 2.3 times sales over the past four quarters, or one-third the rate it's paying for RSA. Even taking the projected sales of $370 million that EMC expects from RSA this year, the EV/revenue multiple works out to 5.6 -- nearly twice the level of most security software companies.
In order to sell its storage gear to certain customers, EMC needs to offer encryption to safeguard the information that's stored. Currently the company resells encryption appliances from companies such as Decru. But since last June 2005, when Network Appliance acquired Decru, EMC has found itself in the unusual and probably untenable position of relying on a key rival for part of its security strategy. Incidentally, NetApp's purchase of Decru makes the reported RSA deal look like a scratch-and-dent sale. At the time of the acquisition, Decru had booked less than $10 million in sales, but somehow convinced NetApp that it was worth $272 million in cash and stock.
While NetApp has been able to realize some return on its high-dollar investment in Decru, the other combination of storage and security software has yet to produce dividends. The pairing of Symantec, known mostly for its antivirus and firewall software, has struggled to convince the market about its plans for data backup vendor Veritas Software. RSA's authentication, authorization and encryption portfolio provides EMC with capabilities that both Symantec and NetApp offer to some extent, but EMC clearly believes that it now has a more holistic portfolio that secures data, and access to data, regardless of where it located or how it's stored.
The RSA purchase is the latest step in what has been an aggressive, acquisition-driven expansion of EMC's focus. Although its storage hardware business is still its core, during the past five years the company has evolved into a broad hardware, software and services play through acquisitions in areas such as data protection, storage management and more recently professional services. Moreover, its empire now extends beyond storage to incorporate other elements of the IT infrastructure: enterprise content management (Documentum), infrastructure virtualization (VMware) and IT resource management (System Management Arts). As well as providing it with ownership of some of the more interesting enterprise technologies to have emerged recently, this purchasing binge has allowed EMC to raise its profile as a strategic supplier to its core customer base of large, global enterprises.
Founded in 1986 as Security Dynamics Technologies, RSA took its name a decade later after acquiring RSA Data Security. Since then, the company has established itself as the clear market leader in encryption. Company founders Ron Rivest, Adi Shamir and Len Adleman (the RSA of RSA) invented its encryption algorithm, which is, among many other things, at the core of electronic commerce standards like SSL.
The bulk of RSA's business -- about $76 million of its total first-quarter revenue of $87.5 million -- is in the enterprise space. But while the numbers are much smaller, the consumer side is a key growth area for RSA, which has made some bold moves recently that are beginning to pay off. In the past six months, RSA bought anti-fraud and two-factor authentication vendors Cyota for $145 million and PassMark Security for $45 million. The purchases set up RSA nicely to move into the hot consumer antifraud, antiphishing and antispam markets.
EMC says that it will integrate all RSA products into the EMC product line. RSA's large suite of authentication and access management products both adds value to this storage picture and provides EMC with a solid business in its own right. RSA shipped 1.7 million units of authentication credentials in the first quarter of 2006, 11% more than during the same period a year ago. RSA products include its SecurID strong, multi-factor authentication products (hard and soft tokens); access management; federated identity; and single sign-on products. All these parts also make it possible for EMC to extend its Common Security Platform more quickly and effectively. EMC says RSA's identity management systems will in effect become the Common Security Platform's architecture.
The identity and access management market is intensely competitive, with nine large enterprises besides RSA producing full suites of products, and a number of surviving makers of point products for provisioning, federation, virtual directories and password synchronization. The suite vendors include IBM, CA Inc. BMC Software Inc., Hewlett-Packard Co., Oracle Corp., Sun Microsystems Inc., Microsoft, Novell Inc. and Beta Systems Software AG.
The EMC acquisition is unlikely to greatly change RSA's position in this market. While RSA may have an edge in integrating advanced storage key management into its access management suite, there appear to be few barriers preventing the other IAM suite vendors from entering the market. Sun, HP, Oracle and CA, as well as EMC, have partnerships with Decru. We expect to see storage key management become a check-off item like, for example, self-service password replacement in IAM suites. Customers using a particular IAM platform will not be thrilled at the prospect of changing to another one for the sake of storage key management requirements. To whatever extent that proprietary advantage may drive sales today, experience suggests that interfaces between key storage repositories, storage systems and IAM suites will be standardized in a year or two.
Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group. Also written by The 451 Group analysts Brenon Daly and Simon Robinson.