Net: We see Microsoft combining the cloud and their massive installed base of Active Directory to bring in partners and go after the physical security space. It's a significant growth opportunity for the company. Shares are still undervalued relative to our $45 intrinsic valuation.
Physical security and access control is a $100B+ market still using outdated proprietary technology from big companies like Honeywell (HON), Johnson Controls (JCI), United Technologies Corporation (UTX), and Tyco International (TYC).
Now this market is starting to shift in earnest to more off-the-shelf digital technologies and we see Microsoft (MSFT) as a key beneficiary due to their existing Active Directory footprint and recent initiatives around global security operations.
A handful of factors are driving the shift:
- Proprietary access control and physical security systems are very expensive and many existing installations are decades old and need to be upgraded. This is money nobody wants to spend - in most cases it provides zero competitive advantage, just a cost.
- Large organizations have already invested in IT security infrastructure in general and Microsoft Active Directory in particular. Just as they merged the separate voice network and systems onto their IP networks they want to bring physical security and access control onto their existing IT security systems.
- All the technology pieces have now come together. Anyone who is familiar with the new Nest thermostat realizes that intelligent control systems are everywhere. Add to that cloud software, wireless networks and smartphones and all the components are readily available.
Microsoft has recognized the opportunity and has created the Microsoft Global Security Operations Centers (GSOC), which is a showcase for real-world solutions build on the Microsoft software infrastructure. The solution architecture takes the core of Active Directory and extends it out to different physical systems from doors to video cameras to smartphones to alarms.
Microsoft is wisely taking a partnership approach in building out the edges of these solutions instead of trying to build their own products for these areas. Today the Microsoft GSOC has 21 technology partners covering different parts of the solution.
These existing partners range from big firms like General Dynamics for system integration to smaller firms offering niche applications like mustering, video processing and security-focused analytics.
One general-purpose technology partner is Viscount Systems (OTC:VSYS), which provides the software that provides the bidirectional linkage between Active Directory and all the other components and services that need to work with it.
More on Enablers and Drivers
The Cloud - Today every organization is looking at Cloud architecture to save money and improve efficiency, whether through public, private or hybrid cloud models. The Cloud is all about eliminating Capital Expenses (CAPEX) in favor of improved ROI using Operating Expenses (OPEX) - or pay as you go. However, access control systems have large fixed CAPEX pieces, including control panel hardware and cabling, and software that is panel-based and cannot be Cloud-based. In effect, they simply cannot take advantage of the scalability of Cloud platforms.
Smartphones - Most access control systems involve costly RFID, biometric or "multi-factor" combinations of devices. New NFC enabled smartphones can be especially useful for new security and access control applications. Firstly, since they can hold the same information as an RFID credential, they can eliminate the need for a separate card. Secondly, because they are connected to computers, they can authenticate RFID, PIN, and biometric security data wirelessly. These developments severely threaten the control panel model since IT based systems can now perform security functions without the needs for panels, readers, or cards.
What's more, the smartphone is equipped with multiple ways to communicate with doors and readers - NFC, Bluetooth, WiFi, and 3G/4G. New entrants can develop applications that continue to lower costs while increasing security. Smartphone cameras can be used for biometric facial recognition while touchscreens create an opportunity for smartphone fingerprint biometrics. Cards and readers may continue to exist for a long time but the smartphone will be used for many access control applications.
Coincident with these technologies reaching maturity, several economic and regulatory forces are putting extreme pressure on companies to upgrade and improve their security and access control:
Regulations - After 9-11 the US Department of Homeland Security was created. An evaluation concluded that control panels, cards were not secure. With it came FIPS 201, an expansion of processes and regulations designed to update security. An expanded standard, "FIPS-201-2," is now in active drafting for future implementation. These regulations state that the vast majority of the existing access control infrastructure needs to be replaced or upgraded. This presents an enormous opportunity for new lower cost and more conformant technologies.
Cost - Physical access control is expensive. System costs vary widely but the average costs obtained from multiple sources put the per-door installed price in the $2,000 to $4,000 range. While hardware prices may decrease, total installed prices have been increasing over time due mostly to expanding installation fees for complex systems. An IP bridge-based system reduces typical hardware AND installation costs by 50% or more.
Customers will save more over time due to lower ongoing costs. The components are less expensive but the real savings come from reduced installation costs, and reduced management costs for proprietary systems. With enterprises having hundreds or thousands of access-controlled doors, the cost advantages of an IP-based approach are impossible to ignore.
Transparency - Modern governance and risk management requires greater integration and complete transparency. Proprietary access control systems are a classic "blind spot" in enterprise systems. These opaque proprietary access control systems (often referred to as "stove-piped"), are untenable. Data and events need to flow in both directions in real time.
Compliance - In order to comply with Sarbanes-Oxley and other rules and regulations, every large public corporate entity is required to have adequate security measures in place for the purpose of protecting IT data from tampering by unauthorized personnel. A component of this includes properly securing physical facilities as well as IT networks. Unfortunately, since control panels typically use a separate security database from IT, it is very difficult to relate usage of the systems for the purposes of audit and compliance. With a unified platform using Microsoft Active Directory, audits and compliance issues are simplified using a single set of IT logs.
This time the nature of the solution is easy to define and design, and the building blocks are more numerous, readily available and much more capable than those that existed to start the shift to IP telephony. In fact, we have already built out the infrastructure to handle access control for IT assets. Companies have already deployed products like Microsoft Active Directory to manage employee access to IT systems and applications. These applications have become sophisticated and offer both individual and role-based access control and privileges. Enterprises are also already using these systems to control physical assets like laptop computers and mobile phones. For example, most companies can "remote wipe" a smartphone of all applications and data and disable it in the case that an employee is terminated or simply loses their company phone.
Industry Dynamics & Competition
Physical security is a big, messy industry that was once highly fragmented but has gone through a consolidation process dominated by multi-nationals. We're going to break it down into segments and also touch on related areas like building automation.
Most of the competitors in this space are more like integrators and service providers that prefer to use their own proprietary technology because it is more expensive and gives them some customer lock-in. We'll go through some of the larger players and it's important to note that they also represent good potential partners for Microsoft since they could integrate solutions using the templates put together by the Microsoft GSOC.
The major providers today include Lenel, which is part of United Technologies Corporation , Software House, which is part of Tyco International , Honeywell , and Johnson Controls .
United Technology largely entered the security market through acquisition. Lenel was purchased for over $400M by UTC in 2005. Lenel continues to be a leader in providing security control systems. Lenel has advanced the state of their systems to allow more electronic control and web access and make them more "IT friendly," but they are fundamentally a proprietary system manufacturer. UTC also owns a number of related access control brands, including Chubb Security and Guardall. In 2009 UTC completed another benchmark deal, acquiring GE Security for $1.8B.
Tyco International has also acquired a wide array of security brands. Their flagship access control brand is Software House. Other access control brands include CEM Systems and Kantech. Like UTC, Tyco has several integrator divisions that install advanced technology including ADT and Simplex-Grinell. The range of Tyco products and services is so broad that there are many overlapping brands and companies even in their own portfolio. Having a captive product/solution integrator like Software House helps them put together coherent large systems.
Johnson Controls is another massive conglomerate with broad industrial businesses. Their primary access control brand is the P2000. They have a concentration in "building efficiency" which includes security and fire safety as one of the business lines. JCI is more of a total solution provider and integrator than a product company. Their strength is as a prime contractor to projects like the US Capital Building and the Pentagon.
Honeywell has their own security line of products and services inside a range that includes power management, building construction management, and process control. Honeywell also has many industry specific product and solution divisions. Their primary access control brands include the Pro2200 and NetAXS.
At the edge of the network are the electronic readers and locks that are supplied by companies like ASSA ABLOY and Stanley. ASSA ABLOY has been the most aggressive over the years and is now fairly dominant in the area of door control and "entrance systems." Key acquisitions included HID (in 2000), which is a leading provider of access control cards and electronic readers. ASSA ABLOY has made over 20 acquisitions in the space and has almost 40,000 employees worldwide. We would say they own the door control segment of the market.
Schneider Electric is a French based conglomerate competing with Honeywell and Johnson Controls in a range of segments, including building automation and energy management. The company acquired Pelco, one of the largest video camera suppliers, for $1.2B in 2007. The company's primary access control brand is Andover Controls.
Cisco Systems (CSCO) entered the physical security market several years ago, releasing both video and access control platforms. The company appears to have struggled with its access control system because, like other traditional providers, it is not an IP-based product but uses a cable network called CANBUS that has not received buy-in from their own IT channel.
IBM (IBM) has fairly substantive security business consisting largely of services and software. However, they are aimed mostly at IT security. Their physical security play is a set of tools to improve video analysis from surveillance cameras. They may have their own identity management system (à la Active Directory) that could also be used as a basis for combining physical and logical access control, should they choose to make that investment.
The smartphone is quickly becoming the preferred security "credential" for access control. These devices are already capable of strong security but will get even better. Apple is acquiring AuthenTec to increase the security features of future iPhones. It's not clear yet what Apple will be incorporating into the iPhone but it will likely include some biometric security like fingerprint reading and a secure "Passbook" application for things requiring authentication. We can expect similar identity capabilities to emerge from Google, Microsoft, Nokia and Samsung.
The cloud is coming to physical security and access control and we believe it will swallow up much of what we know today as the dominant solutions and players. Microsoft is a very strong position with their core Active Directory infrastructure and installed base.
Their Global Security Operations Center and partnering strategy will allow them to efficiently attack this very large and fragmented market without having to build all elements of the solution themselves.
For Microsoft investors the cloud security business is another positive growth driver of for the software and services business. Their massive investments in their own "Azure" platform provide leverage for this business as well.
Although a niche player in smartphones now these secure applications and infrastructure can help Microsoft devices gain market share, particularly among enterprises and enterprise-oriented consumers.
Microsoft is up about 10% so far this year but is still trading below our estimate of intrinsic value. We've used conservative numbers and a 12.5x multiple which gets us to $45 this year.