Mistaken Identity: The Meaning Of The Symantec-VeriSign Deal

Symantec's decision to spend $1.28 billion on acquiring VeriSign's identity and authentication business drew strong praise from technology analysts, but left some business-side thinkers wondering about the long term benefits of the acquisition. The deal will give Symantec VeriSign's Secure Sockets Layer (SSL) Certificate Services, the Public Key Infrastructure (PKI) Services, the VeriSign Trust Services and the VeriSign Identity Protection (VIP) Authentication Service. The iDefense unit stays with VeriSign. The move comes just a few weeks after Symantec announced its intent to purchase PGP and GuardianEdge Technologies.

With the VeriSign deal, the hope is that the combination of VeriSign's security products, services and brand will enable Symantec to bring PKI to the masses. More specifically, it positions Symantec to take advantage of the emerging battle over identity. "The company definitely needs this technology in order to solidify its focus on information-centric security, security from and for cloud computing and hosted environments, and identity-linked concerns," says Scott Crawford, managing research director at Enterprise Management Associates.

"Identity is fundamental to recognizing legitimate resources and differentiating who has authorized access to what. If Symantec bypassed the last identity boom, it has not failed to recognize the central importance of identity to the security of information with this deal, which is a much better fit with Symantec's primary emphases today," he says. But Michael A. Davis, CEO of Savid Technologies and an InformationWeek contributor, asks, does Symantec have other supporting services in standard computing and mobility to succeed at a broader identity play? Not really, he says.

Technology plays aside, the business may find that this acquisition to be more pain than gain. "We're not very positive on this," Gartner senior analyst John Pescatore was quoted as saying. "When Symantec bought PGP, Gartner said they needed to avoid the distraction of going after the commoditized SSL server certificate market. Here they are buying VeriSign, whose revenue on SSL certificates has been dropping because of the SSL market being driven by low prices. The SSL cert business isn't even strongly related to any Symantec business areas -- it will bring some near-term revenue to make Wall Street happy but long-term dilute Symantec resources from its main markets."

Symantec's move comes at time when the company has been struggling in some ways. "They are playing catchup to a degree," says Davis. "They realized their 'Own the IT infrastructure' play with Veritas didn't really work, and while that was going on, McAfee was building a strong and stronger security product portfolio. McAfee already has HackerSafe (VeriSign is a competitor), already has a threat labs (VeriSign is a competitor), but is not in the consumer SSL business. VeriSign was starting to make inroads into the cloud security space and McAfee beat them to the punch with the Cloud Security initiative and offering last month. This is all about catch-up." With VeriSign, the company acquires tools. such as enabling DLP to automate the application of data security policy that can also include identity-linked encryption and strong authentication, notes Crawford.Symantec also acquires a wider scope of tools for enabling cloud computing, where data security is one of the top inhibitors to adoption. "Streamlining the application of identity-linked data security controls gives organizations more control over sensitive information, wherever found. The certificate validation business also supports Symantec's cloud initiatives by giving it a resource that authenticates hosted services to users. VeriSign's services generally support Symantec's deepening investment in hosted security services, which are becoming increasingly popular among enterprises and SMBs," he says.

For customers and the market, the acquisition will present a number of problems. From a security standpoint, "do you want to buy the certificate for your security appliance from the same vendor that makes the appliance?" says Davis. "In security, separate of duties is key to many best practices." At the same time, though, the move may give existing and future VeriSign SSL customers piece of bind.  "It places these businesses with a dominant security market leader, so that may actually give them greater assurance going forward than they may have had with VeriSign, who has been actively seeking to sell off its security assets for some time," says Crawford.

Bottom line, the play gets mixed views. "The question is, 'does the consumer care enough about security yet?' I argue, yes, especially when it comes to social media and privacy," says Davis, "If Symantec can spin Verisign into a consumer-focused social media identity verification play, it could be a very interesting move."

"Symantec is the biggest winner, as this fills a number of gaps Symantec had in linking identity to what have become some of its primary security assets," says Crawford. "Symantec customers will have a wider range of tools for securing sensitive information and authenticating information resources. Symantec's competitors in data security will feel increased competitive pressure. For VeriSign, this is effectively the sunset of its role in security. Although it will retain iDefense, its day as an icon of the dot-com era boom is now passed."