Symantec's stunning decision to put $1.28 billion in cash on the table to buy most of the security services within VeriSign is a gambit that is drawing mixed reactions in the analyst community, but Symantec insists the VeriSign certificate and authentication services are key elements in what's shaping up to be one of the biggest self-transformations ever in the security industry.
It even comes down to the Symantec logo, which will be changed to a new one that includes the telltale VeriSign check mark that's embedded in the VeriSign name today, according to Francis deSouza, senior vice president in Symantec's enterprise security group. "Symantec is getting the well-known VeriSign check mark," deSouza says, once the deal is completed as expected in the next few months.
But it will be understandable if there's some initial confusion regarding this mammoth industry re-shuffling, since the company VeriSign, stripped of its certificate and authentication services, will still go on selling domain names, while Symantec will be also be using the name VeriSign, which Symantec says is an important brand, to continue selling VeriSign's SSL certificates and authentication services. Symantec also gets ownership stake in VeriSign Japan.
The Symantec deal to acquire most of VeriSign's security businesses (VeriSign keeps the iDefense unit) comes just a few weeks after the April 29 announcement that Symantec is also buying both PGP and GuardianEdge Technologies.
Analysts are offering mixed reactions to Symantec's VeriSign deal.
"We're not very positive on this," says Gartner senior analyst John Pescatore. "When Symantec bought PGP, Gartner said they needed to avoid the distraction of going after the commoditised SSL server certificate market. Here they are buying VeriSign, whose revenue on SSL certificates has been dropping because of the SSL market being driven by low prices. The SSL cert business isn't even strongly related to any Symantec business areas -- it will bring some near-term revenue to make Wall Street happy but long-term dilute Symantec resources from its main markets."
But Jon Oltsik, principal analyst at Enterprise Strategy Group, was hugely upbeat in his blog for Network World, writing that when you "add VeriSign to PGP to Symantec," you get several strengths, including, "Symantec can now create an infrastructure where any user or node can set up a trust relationship with any other," and "Symantec has the scale and reach to marry the security power of PKI [public-key infrastructure] with a global SaaS [software-as-a-service]," plus "VeriSign can now act as a CA [certificate authority] for PGP keys as well."
"Authentication? Digital signatures? Non-repudiation? Symantec now has the opportunity to take these geeky terms and apply their goodness to the masses," Oltisk enthused. "We've been talking about the 'year of PKI' for 15 years. Symantec now has the opportunity to make it happen."
TheInfoPro's managing director of security research, Bill Trussell, was also generally positive about the deal.
"Between PGP and now VeriSign, Symantec has filled a void in their product portfolio that left them at a disadvantage in its competition with McAfee," Trussell says, adding, "Our data indicates that the enterprise community is ripe for a viable alternative to token-based systems. This would also serve well in a cloud-based service environment."
Symantec's deSouza says about 900 employees from VeriSign are expected to join Symantec's enterprise security team, and that by happy coincidence, Symantec and VeriSign are located near each other in Silicon Valley. While PGP and VeriSign are both in the PKI business, VeriSign's focus is on hosted PKI and authentication, deSouza says.
The strategy in the VeriSign acquisition is to further "identity-aware" security, de Souza says. "The certificate becomes a foundation for identity."
The VeriSign certificate services match up well with Symantec's Critical System Protection for hardening client and server installations and Protection Suite for Servers, Symantec is eager to point out. Symantec appears ready to embark on many projects in the future to show how PKI and certificate-based authentication services can be used in novel ways.
In a conference call with analysts and press, VeriSign executive chairman Jim Bidzos, himself an industry veteran of public-key encryption development in his long years with RSA, now owned by EMC, bid a short farewell to VeriSign's certificate and authentication services.
"The security market is rapidly changing," Bidzos said, asserting that it's in favor of large-scale providers with lots of channels, and that it was fitting VeriSign's security business go to this very large security provider, Symantec.