Enterprise Strategy Group | Getting to the bigger truth.TM

Posts Tagged ‘Verisign’

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

At a very high level, the strategy calls for the formation of a standards-based interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of 3 layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules over the entire ecosystem.

There is way more detail that is far beyond this blog but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to Federal Cyber coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought the assets of Verisign. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack but it doesn’t talk about the expense or complexity of implementing more global use of IPSEC, BGPSEC, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

The DNSSEC Opportunity

Friday, August 13th, 2010

DNSSEC is nothing new. The initial RFC was written in 1997 and the first specification was published in 1999. In spite of these efforts, secure DNS languished during the early 2000s as it wasn’t a requirement for most organizations.

Things have changed, however. DNS security has been called into question many times through cache poisoning attacks and the infamous Kaminsky vulnerability. To address these security weaknesses, DNSSEC efforts are underway. The DNS root servers have all been signed, as have the .gov and .edu Top Level Domains (TLDs). The other TLDs will be signed soon. These efforts will eventually establish a root/chain of trust for all sub-level DNS servers.

Yes, DNSSEC will take years before it is fully deployed, but the foundation is nearly in place. The U.S. federal government is leading the transition to DNSSEC, which means that federal system integrators and leading technology vendors will follow suit. In terms of the market at large, ESG believes that the transition to DNSSEC means:

  1. Lots of DNS server turnover. Most DNS server implementations are pretty basic, anchored by either Windows DNS or BIND. These will need to be upgraded or replaced. Windows 2008 DNS and BIND 9.0 support DNSSEC.
  2. The DNSSEC appliance market should grow. Many organizations understand the value of DNS appliances, but never had a compelling reason to swap out software-based DNS for an appliance alternative. DNSSEC creates this opportunity. Good news for appliance vendors like Bluecat, BT, and Infoblox.
  3. Managed DNSSEC services become a viable alternative. DNSSEC may improve security, but it also demands certificate and key management, adding cryptographic complexity to DNS operations. Rather than learn new skills, many organizations will decide to punt and outsource DNSSEC to cloud providers like Neustar and Verisign.

This migration will mostly fly under the radar, but it will be a lucrative opportunity for smart vendors with the right products and services at the right time.

What Will Symantec Do Next With Verisign?

Wednesday, August 11th, 2010

Symantec’s acquisition of the Verisign security assets closed earlier this week. This frees Symantec to tell the world what it bought and the role the Verisign services play.

Good thing. Symantec caught a lot of flak for buying a legacy SSL certificates business. In truth, this deal could be much more: a SaaS authentication and PKI offering to broker trust relationships in B2C and B2B transactions.

I believe this could be a very good acquisition, but Symantec can’t assume that anyone other than PKI nerds understands this. To satisfy Wall Street and maximize the ROI on this deal, Symantec must:

  1. Pound home the vision. Symantec hinted at some potential use cases for Verisign when it announced the deal. From now on, it needs to do this more consistently, strongly, and frequently. PKI is a mystery to most people, so Symantec should think in terms of overcommunicating.
  2. Hint at a roadmap. Where does Verisign fit in the Symantec portfolio? Symantec needs to come out with a statement that details this soon. For example, will Symantec put an X.509 digital certificate in each copy of Symantec Endpoint Protection (SEP) to seed the market? If this is part of the plan, Symantec needs to tell the world when this will happen and why.
  3. Take the message to the channel. Corporate presentations and analyst briefings aren’t enough. Symantec needs to get its direct and indirect sales on board ASAP. This means sales training, corporate support, incentives, etc.

Symantec needs to prove to the market (and especially Wall Street) that it can back vision and money with execution. The Verisign deal was fairly significant, around $1.2 billion. Symantec needs to execute ASAP to demonstrate that this deal was well thought out and that the money was well spent.

Symantec/Verisign: The Latest Chapter Of the Colossal Demise of Verisign

Friday, May 21st, 2010

I am pretty bullish on the upside of Symantec’s acquisition of Verisign. Frankly, I don’t understand why Gartner is such a downer and focused on SSL alone. Oh well, to each his own.

Regardless of whether you think this is a good or bad deal, Verisign’s divestment is just the latest sad chapter for a company that once had a market cap in the tens of billions of dollars. I know that this was a long time ago during the Internet boom. Heck, even GiantLoop, the fly-by-night CLEC I worked for raised about $200 million back then with no business plan.

That said, Verisign survived the Internet boom and bust cycle and GiantLoop was appropriately sent to the failed startup dust bin. So what did Verisign do? It diversified like crazy into a series of unrelated businesses. Perhaps company executives started reading 1970s business school case studies about conglomerates like Textron. That’s the only explanation I can fathom.

Ultimately the market has verified what I always believed, that Verisign’s moves didn’t make business sense. Furthermore, the company’s execution has been spotty even in its core businesses.

One reason why I believe Symantec can wring more value out of Verisign’s business is that I’ve heard anecdotal stories for years about Verisign’s poor execution. Having acquired lots of companies, I think Symantec can fix this over time.

The technology industry is programmed to look forward in a constant search for what’s next. That’s a good thing in general but let’s not forget about the lessons learned from the past. It’s worth examining the troubled history of Verisign as a case study of what not to do.

Symantec + Verisign = Cloud Security

Thursday, May 20th, 2010

When Symantec bought Veritas, a lot of people didn’t get it. After all, what did server backup have to do with PC antivirus software? In fact, storage and security work hand-in-hand in something the feds call Information Assurance. Symantec saw this synergy before most of the market.

Fast forward to yesterday’s news about Symantec acquiring Verisign’s security business. Yes, SSL certificate sales drove Verisign security revenue, but Symantec gets a heck of a lot more with this acquisition. Add Verisign to PGP and Symantec, and you get:

  1. End-to-end trust. Symantec can now create an infrastructure where any user or node can set up a trust relationship with any other user or node. The SSL and PKI parts are not new, but when Symantec bundles a digital certificate in every Norton desktop, you have the potential to bring PKI to the masses.
  2. PKI as a service. In a related way, Symantec has the scale and reach to marry the security power of PKI with a global SaaS service. In my opinion, this is a home run as it capitalizes on PKI’s trust model while eschewing its onerous deployment and management. Furthermore, Verisign can now act as a CA for PGP keys as well. Authentication? Digital signatures? Non-repudiation? Symantec has the opportunity to take these geeky terms and apply their goodness. We’ve been talking about the “year of PKI” for 15 years; Symantec now has the opportunity to make it happen.
  3. Key management SaaS. While PKI is used for authenticating users and signing documents, PGP can act as the backend data encryption/decryption for large files. PGP’s onsite key server can also leverage Verisign in the cloud. Afraid to manage keys? Need a key escrow service? Call Symantec.

Finally, it is fashionable to talk about cloud computing and how cloud security is the long straw. If you boil down cloud security, however, some of the key components are identity management, data security, and compliance management. Verisign covers the identity piece, PGP handles data security, and Symantec already has a leading IT GRC platform. Symantec can now sell you the pieces or provide the whole enchilada as a SaaS cloud service.

If this isn’t an exciting security business model, nothing is.

© 2010 Enterprise Strategy Group, Milford, MA 01757