Guest Post: Tyler Knight from Arbor Advisors.
Ping Identity, the company that commercialized the idea of Intelligent Identity, recently filed its preliminary prospectus with the intent of being listed on the NASDAQ under the ticker PING. Goldman Sachs leads the consortium of underwriters for what is expected to be a $100M IPO.
Getting its start in 2002, the company offers an enterprise identity infrastructure that allows for real-time authentication. In the face of modern enterprise security risks, Ping leverages artificial intelligence and machine learning to analyze device, network, application, and behavioral data to automate security control decisions.
An example would be if you are browsing Bank of America online banking and click your Merrill Lynch brokerage account portal, Ping recognizes that you should also have access to Merrill’s platform because the accounts are linked.
Ping’s software can be deployed across all IT infrastructures ranging from cloud, hybrid, and on premise.
Additionally, they offer a suite of turnkey API integrations that enables millions of identities and thousands of cloud / on premise applications to be secure in one single deployment.
The S-1 states that as of June 30, 2019 their platform secures over 2 billion identities.
Headquartered in Denver, Colorado the company currently employs 897 people with five domestic offices and seven international. Impressively, Ping boasts over 50% of all Fortune 100 clients and has drastically scaled the number of enterprise size accounts by implementing successful a land and expand strategy.
Nathan Latka has had the opportunity to interview Ping CEO, Andre Durand, twice since it was acquired by Vista. Let’s dive into the S-1 and Nathan’s interviews to learn more.
Recent Company Milestones
• 2010 – founded the leading identity industry conference
• 2013 – introduced access security solution
• 2016 – acquired by Vista Equity Partners for $600m
• 2016 – acquired Unbound ID
What Products Does Ping Identity Sell?
Ping’s Intelligent Identity Platform is comprised of six solutions that can be purchased individually or as a set of integrated offerings for the customer, employee, partner or IoT use case.
The solutions include:
• Single Sign-On (SSO)
• Multi-Factor Authentication (MFA)
• Security control for applications and API’s (Access Security)
• Personalized and unified profile directories (Directory)
• Data governance to control access to identity data (Data Governance)
• Artificial intelligence and machine learning powered API security (API Intelligence)
Because Ping caters to both cloud and on-premise IT environments they need to have different products specific to each.
What is Ping Identity Cloud Offering?
PingID: A cloud-based, MFA solution that drastically improves security posture in minutes. With adaptive authentication policies, security is enhanced in high-risk scenarios and streamlined for low-risk users and applications. PingID protects applications accessed via SSO, integrates seamlessly with Microsoft Azure AD, Active Directory Federation Services (AD FS) and Windows Login, and embeds branded MFA functionality directly into mobile applications.
PingOne For Enterprise: Built for large enterprise clients, it delivers one-click access for any user, to any application, on any device. It’s the simple and fast way to provide single sign-on (SSO) to an unlimited number of applications.
PingOne For Customers: A platform for developers to rapidly embed secure identity services into the application that allow users to conveniently register, log in, and manage their data.
PingCloud Private Tenant: Provides a highly configurable global authentication authority and versatile SSO federation hub with practically limitless configuration options. It allows enterprises to offer a consistent way for customers, employees, and partners to sign on to their diverse applications and resources while supporting multiple standards and different authentication flows.
What is Ping Identity Software Offering?
PingFederate: Provides seamless access to data and applications without the hassle of multiple sign-ons and passwords, which boosts employee productivity and makes customer experiences more convenient. With automated provisioning capabilities, MFA support, user self-service, and features both security and convenience are enhanced at the same time.
PingAccess: A centralized access security solution with a comprehensive policy engine. It provides secure access to applications and APIs down to the URL level, and ensures that only authorized users access the resources they need.
PingDirectory: A high-performance, extensible data store for customer, partner, and employee identity data. It helps enterprises build a unified profile from multiple data sources with the ability to manage hundreds of millions of entries at high performance during peak usage.
PingDataGovernance: Provides access controls for data protection and filtering for regulatory compliance and consent management. It has a graphical user interface for business users to collaboratively build, test, and enforce access control policies to data across user directories and APIs.
PingIntelligence for APIs: Uses artificial intelligence (AI) to automatically discover APIs, and it can automatically detect and block threats. It also provides deep API traffic visibility and reporting to enhance the enterprise security posture.
How Do Users Engage With Ping Identity?
Customer: The platform helps enterprises better engage with their customers by providing a consistent, modern, omni-channel user experience through personalized access to all digital services. This enhanced digital experience improves brand loyalty and drives additional revenue, while also strengthening security.
Employee: The platform allows enterprises to provide their employees with seamless and secure access to all of their cloud and on-premise applications and APIs to enable better employee productivity.
Partner: The platform helps enterprises rapidly connect with partners and manage their access privileges when onboarding and offboarding users.
IoT: The platform helps enterprises rapidly connect with partners and manage their access privileges when onboarding and offboarding users.
Additionally, Ping offers over 1,500 identity access management integrations.
Identity Management Will Be A $9 Billion Market By 2023
Ping was designed to address the broader Identity Access Management (IAM) market by maximizing security and enhancing user experience in a distributed and highly-connected digital world. Since being started in 2002, extensive digital transformation has dissolved traditional network perimeters and expanded the attack playing field.
Ping plays ball in between legacy products that lack IT environment flexibility and cloud only products that lack the required granular functionality of large enterprises. Ping’s management believes the focus of cybersecurity will continue to shift to the user as targeted attacks against users and their credentials increase. As a result, they believe that IAM will represent a larger portion of future security budgets, which they believe they are well positioned to capture.
Here are the three market drivers that Ping discusses:
Enterprises are Undergoing Digital Transformations and Embracing Technology Trends:
• Digital Transformation is Critical to Driving Competitive Differentiation – Enterprises are investing in technology to grow their digital presence, create new revenue streams, transition business models and increase customer engagement
• Enterprises are Embracing Cloud Computing, SaaS and Mobility – Enterprises are transitioning a portion of their IT budgets to invest in cloud computing to build new services, shorten time-to-value and drive cost efficiency
• APIs and IoT Devices are Dramatically Expanding the Number of New Connections – APIs have become critical to software development and act as gateways to other digital services by facilitating the connection and data sharing between heterogeneous systems and applications.
According to IDC, the global market for (IAM) will grow from $6.6B in 2018 to $9.0B in 2023, representing a modest CAGR of 6%.
Ping’s management believes that across all use cases the total market opportunity is closer to $25B. A significant driver of growth moving forward is the widespread adoption of IoT devices and the critical nature of their security.
Installed IoT devices are expected to grow from $23B in 2018 to over $41B in 2025, creating demand for a suite of products to address the scale and complexity of intelligent authentication across device and API connections
API’s, Hackers, and Getting Cloud and On Prem Working Together
• Cloud, Mobile and IoT Have Expanded the Attack Surface – Identity has become the most common vulnerability that hackers seek to exploit. According to a 2017 Verizon report, 81% of hacking-related breaches leveraged stolen and/or weak passwords
• New Technology Adoption has Created Complex Hybrid and Multi-Cloud IT Challenges – Enterprises are increasingly reliant on both cloud and on-premise applications, which is creating complex hybrid IT infrastructures. As a result, demand for IAM products with flexible deployment capabilities will increase. The IDC expects more than 90% of enterprise IT organizations will commit to multi-cloud architectures by 2020
• The Rise of APIs has Created New Security Vulnerabilities – The rapid proliferation of APIs has created new security vulnerabilities due to their connectivity with critical systems and access to data
The Identity Landscape is Large and Evolving:
• Identity and Access Management – Solutions that store user information and enable the authentication of a user and the subsequent access management and security control of that user as the user attempts to access applications, data, and APIs. As enterprise employees and customers expand across mobile, device, application, and IT environment authentication solutions that cater to each platform and use case are becoming essential
• Privileged Access Management – Solutions that help organizations secure, control, manage, and monitor privileged accounts or privileged rights. Privileged accounts and rights are pervasive throughout large enterprises and there is an increasing need to differentiate users by unique privileges
• Identity Governance and Administration – These solutions are designed to encapsulate the governance and policies that a company uses to meet its identity management related audit and compliance obligations. With inevitable attacks comes looming liability, IGA products ensure compliance and consistency across an organization limiting the likelihood of an internal security breach
Where Does Ping Identity Fit Among Competitors?
As mentioned before, Ping is unique to many other IAM providers because of flexible IT environment deployment capabilities. They are able to offer a suite of products for on-premise, hybrid, or cloud infrastructure while largely maintaining adequate functionality throughout. Below they list the shortfalls of many existing legacy and cloud only solutions.
Legacy Platform Issues:
• not being designed for cloud environments, mobile and IoT devices or APIs
• being cumbersome and expensive to deploy
• providing poor administrative and user experience
• being built with closed, proprietary and siloed architectures
• being designed for access administration, not access security
• having a tendency to experience stability problems
• being at or near end of life
Cloud-Only Vendor Issues:
• lacking in-depth enterprise features and robust integrations across on-premise applications
• primarily being focused on the employee use case
• having an unproven ability to scale
• only meeting minimal security requirements
• being unable to provide off-line authentication when cloud services are unavailable
• having manual, policy-driven decision-making
Among the legacy providers the company lists CA Technolgies, IBM, Cisco, and Oracle. These typically offer proprietary architectures and thus are not “one size fits all” or scalable across multiple organizations. Cloud-only vendors such as Okta and OneLogin cater towards small and medium-sized businesses that have their IT infrastructures entirely in the cloud.
Most large enterprises have a hybrid structure partially on the cloud and on-premise and therefore neither the legacy nor cloud-only vendors are able to deliver a single comprehensive solution across the organization.
Microsoft also competes in the IAM market and Ping recognizes that other hyper-scale cloud computing companies like Google and Amazon are likely new entries.
Who Pays for Ping Identity Software?
Ping’s customers are security-focused, typically operate in regulated industries, have hybrid IT infrastructures, require turnkey integrations, and have demanding scalability requirements. As shown in the image below, the 12 largest U.S. banks, 8 of 10 largest bio-pharma, 4 of 5 largest healthcare, and 5 of 7 largest retailers trust Ping as their IAM service provider.
From 2017 to 2018 Ping grew from 144 customers paying more than $250k per year to 202 customers paying $250k/yr, a 40% increase YoY.
16 of those were new clients who started at $250k+ annual contract values and 42 were existing customers who expanded their account to over $250K.
In Nathan’s 2017 interview, Andre disclosed gross revenue churn to be 12%.
A few months ago Andre mentioned that it is about the same in 2019. Executing on a land and expand process, Ping’s sales teams target a specific solution and use case initially and then implement strategies to grow the account through additional solutions, use cases, and number of identities over time.
Judging by their net revenue retention (NRR) over the past few years it is safe to say they have been largely successful in doing so.
2017, 2018, and June 2019 LTM saw NRR of 123%, 116%, and 115% respectively.
Only 13% of 1,275 Customers Use More Than 3 Ping Products
This represents a large cross-sell opportunity moving forward.
I think it is likely that the current 115% number will creep back up the next few years as they push to sell the value of their solutions cohesively working together. World class net revenue retention is 140% according to Latka SaaS Database.
In 2017, annual revenue per user (ARPU) was $90K. Because we know Ping has 1,275 customers and June 2019 TLM revenue of $198M, we can arrive at a current ARPU of $155k.
Growing ARPU by 73% over a two year period is impressive.
We know Ping’s customers have a lifespan of 8.3 years from the 2017 interview. Now that we have ARPU we can multiply the two together to get an average lifetime value (LTV) of about $1.3M.
With a well-diversified customer base across Financial Services, Healthcare, Public Sector, Retail, and manufacturing, no customer accounts for more than 5% of total revenue.
How Does Ping Identity Market and Sell To New Customers?
Ping primarily uses direct sales to sell their solutions, organized by size of organization, solution, and deployment. The inside sales team focuses on cloud-based offerings and the most common solutions / use cases.
Mentioned in the most recent interview and reiterated in the S-1, Ping leverages collaborations with channel partners to increase the efficiency of the direct sales effort. In 2018, 60% of new business was influenced by channel partners.
What does that mean?
Essentially, Ping uses mutually beneficial relationships with partners to aid with lead sourcing, pre-sale processes, and even reselling their solutions.
Andre tells Nathan that they are willing to spend $1.2 to gain $1 of annual subscription revenue. Because he has cohort data dating back to 2002 he can accurately predict life-time value (LTV) by cohort. Therefore, he can strategically place a customer acquisition cost (CAC) number on each cohort to keep the unit economics favorable while optimizing growth.
The company’s marketing strategy is designed to increase brand recognition through a mix of content marketing, social media, SEO, events, and public and analyst relations.
Sales and marketing represents 33% of total operating expenses, which management expects to increase moving forward.
How Much Cash Is Ping Identity Making?
The largest determining indicator of a premium valuation for SaaS businesses is revenue growth. TTM ARR from June 2019 was at $198M and $159.6M the year before representing 24% period-over-period growth.
For context the average revenue growth rate for SaaS IPO’s in 2018 was just under 40%.
92% of Ping’s revenue is recurring subscription; however, only 27% of total revenue is pure play SaaS.
65% is still license software derived.
SaaS derived revenue is more coveted and will be valued more favorably. Gross profit margins are about what you would expect from software businesses at 77%.
Cash from operations decreased slightly from June 2018 TTM and June 2019 TTM from $13M to $8M.
Take a look at the ARR bridge below that displays how Ping’s revenue has grown since the end of 2016. Because we know net revenue retention, gross churn, and ARR we can calculate how amount of expansion revenue (upsell), revenue lost to churn, and revenue from new customers for each year.
The only tricky part was accurately estimating ARR in 2016. If we knew the amount of new customer revenue in 2017 we could just subtract new revenue and upsell and then add churn to get to 2016 ARR.
Because we don’t, I took the average % of total revenue attributable to new client revenue in 2018 and 2019 (4.1%) to get $4.6M.
We also don’t know 2019 year end ARR. To get there I simply kept YoY growth constant at 24% to get to $227M.
What Could Screw Up Ping Business?
A major challenge facing Ping moving forward will be converting license software customers to the cloud. Because of the hybrid-IT environments of most large scale enterprises part of the equation will be how quickly these companies convert to cloud only IT environments.
The other question is: Can Ping replicate the granular functionality of their license offering in cloud form?
What Is Ping Identity Worth?
TechCrunch reported that Vista is seeking a valuation somewhere between $2B and $3B on IPO day. The Bessemer Cloud Index (BCI), which tracks the 75 most publicly traded SaaS businesses, shows the average EV / Revenue multiple for these businesses is currently 10x.
If Ping received a multiple in line with the BCI average it would be consistent with Vista’s expectations (multiple of 2019E revenue).
However, I don’t see how they get there – even in this frothy market. Ping would be one of the smaller companies on that list and is growing at a relatively modest pace compared to some on the list with higher multiples.
Only two companies have multiples over 10x with growth rates under 30%. Moreover, as mentioned before, the heavy license software derived revenue vs. cloud SaaS derived should discount the price a bit. Also, the Identity Access Management total addressable market (TAM) is only expected to grow at a 6% CAGR from 2018 to 2023 ($6.6B to $9B).
Ping’s strengths are its brand name logos, customer lifespan, product functionality and flexible deployment capabilities, and the opportunity to cross-sell solutions and use cases moving forward to increase wallet share of its enterprise cohort.
Taking everything into account I think Ping gets somewhere between 6x-8x on moving day.
That’s IF they end up actually IPO’ing.
Wouldn’t surprise me to see another Qualtrics-like scenario where a strategic buyer comes in and makes a compelling acquisition offer for Ping pre IPO day.