Electronic Commerce: Bank Tech Pioneer Turns Attention to Web

John Atalla, the proud inventor of one of banking's most durable security technologies, wants to leave at least one more lasting impression.

As chairman of Tristrata Inc., Mr. Atalla is trying to tame the Internet security monster.

What he did in the 1970s with what became known as the Atalla box-a simple data encryption device that keeps most of the world's automated teller machines safe from criminal hacking-he wants to repeat in the Internet world.

Of course, a quarter century has passed, and Internet transactions seem a bit more complicated than verifying personal identification numbers.

But maybe not all that much different.

Mr. Atalla-Dr. Atalla to his friends-is two months shy of his 75th birthday. Yet he will introduce himself to a potential tennis opponent not much more than half his age, and state with total conviction: "I will beat you."

That is the intensity he brings to selling Tristrata and its Secure Information Management System. The system is defined as "a protective layer for an enterprise's existing computing and network infrastructures, assuring a trusted environment to conduct business anywhere on the Internet."

Similarly reassuring descriptions can be heard in one form or another from scores of vendor companies in high-tech corridors around the world. But the "end-to-end security" claim has provoked skepticism because of the headaches that have come with it.

Vendors would offer to do all the heavy technological lifting for clients-pulling together such complexities as public key infrastructures, digital certificates, firewalls, authentication tokens or smart cards, and even biometric identification. But buyers often encountered new problems of management and coordination. Forrester Research of Cambridge, Mass., had declared many of the highly touted "security suites" dead on arrival.

Mr. Atalla sympathizes, saying buyers cannot cope with the proliferation of "point solutions" - specific systems and techniques that fail to integrate into a larger, consistent whole.

He claims to have the end-to-end formula down and to be delivering on it. Otherwise, he says with characteristic aplomb, he never would have announced his product.

"Only when we had an end-to-end solution did others start talking this way," he said in a recent interview.

Tristrata offers to be whatever a customer wants it to be, whether a pure software seller or a service and support provider. "We have nothing" in the way of products-except when a void is perceived that has to be filled, Mr. Atalla said. "We will use any available products that meet our requirements."

Buying into no single data encryption system or orthodoxy, Mr. Atalla and Tristrata have not endeared themselves to some experts in their field. Security standards are sensitive topics in Silicon Valley, and Mr. Atalla prefers to make business cases first.

Banking, an industry for which he holds great affection, is only now beginning to get serious attention from Tristrata and its 100 employees- three years since the founding of the Redwood Shores, Calif., company. Mr. Atalla said he has some bold ideas for tackling the emerging electronic bill payment and presentment market, for example, but before he goes public with them, "we need to establish credibility."

"That has been fundamental to our company from the beginning," said Don Adams, vice president and principal security architect.

"We will discuss it as appropriate with top companies under nondisclosure agreements, and pilot it privately," he added. "When it is proven, then we go out and tell the world."

The Secure Information Management System came out in March as version 2.0, but Mr. Atalla called it "a veteran of a product. We have been running pilots for one and a half years with major corporations."

A key ally, PricewaterhouseCoopers, "has showcases of our system in several places around the world. That has helped us get it into banks, retailers, telecommunications companies," Mr. Atalla said. A 2.1 version is "coming quickly," and 3.0 is to be out by yearend.

That is essential speed in Silicon Valley. But the three-year march to version 2.0 seems relatively long, and Mr. Atalla's historical sweep is even longer.

He remembers the days when savings banks had the edge in retail banking technology, in the form of on-line teller terminals. While commercial banks were still relying on daily batch reports to verify customer balances, thrifts had on-line inquiry systems that enabled customers to get access to their funds from any connected branch office at any time.

The problem was that the customer identifier-the signature card-was on file in only one place. Atalla Corp. devised the PIN verification technology that made consistent, systemwide customer service possible.

Atalla did the same for ATMs, which began in off-line mode and were plagued by fraud. Atalla was influential in bringing ATM networks on-line and managing PIN security in a way that enabled cardholders to withdraw cash halfway around the world from home.

"There was nothing technologically fancy" in the Atalla box, Mr. Atalla said. "But it's a total solution."

That is what it will take to sell end-to-end electronic commerce security, he said, because "banks are sick and tired of improvisation."

In 1990, Mr. Atalla decided to retire. He had sold his company to Tandem Computers Inc., which in turn got acquired by Compaq Computer Corp.

A few years later "a couple of guys from the banking industry came to me," he said. They were looking for the kind of help that led Mr. Atalla to think about ending his "semi-retirement" in the south of France.

Those guys were Richard M. Rosenberg, then chairman of BankAmerica Corp., and William F. Zuendt, the former Wells Fargo & Co. president, who now sits on Tristrata's board.

"They suggested that I un-retire and look at the Internet and its problems," Mr. Atalla said. "I did look at that for one year, and formed Tristrata two years after that, in February 1996."

Anyone so self-assured is bound to raise hackles.

Making the rounds on the Internet have been critiques by Bruce Schneier, president of Counterpane Systems in Minneapolis and a recognized authority on the data encryption technology at the heart of advanced information security.

Mr. Schneier suggested last fall that Tristrata was more hype than substance, and he criticized its public documentation as inadequate for full scientific evaluation. "We are very skeptical about the security of the Tristrata system," said one of Counterpane's on-line "Crypto-grams."

In the interest of efficiency, Tristrata has tried to work around the drawbacks of public key infrastructures, or PKIs. That is one reason banks have not been prominent in Mr. Atalla's marketing plans until now-they are very much bound by PKI practices, and Tristrata is not.

To Mr. Schneier, that amounts to "ignoring the past 20 years of research into public key cryptography and its advantages."

But Mr. Atalla has some weighty allies, including prominent venture capitalists David Beirne of Benchmark Capital and Thomas Perkins of Kleiner Perkins Caulfield & Byers, who are Tristrata directors.

"John Atalla is one of those visionaries who, if he starts a company, will have people follow him," said Glenda Barnes, a former banker who is director of financial services marketing at Cybersafe Corp., an Issaquah, Wash., company also in the enterprise security business.

Former Hewlett-Packard Co. president John Young is on Tristrata's board. An adviser to the company is Donald Hollis, a one-time senior operations executive at Chase Manhattan Bank and First National Bank of Chicago.

Dorothy Denning, an eminent computer scientist and Georgetown University professor, has declared the Tristrata system "a breakthrough in secure information management for organizations and their extended enterprises."

In a paper on Tristrata, Ms. Denning praised system components such as TESS-the Tristrata Enterprise Security Server-and the Private Access Line, or PAL, protocol that is designed to maintain high levels of performance.

Whereas Counterpane criticized Tristrata for developing and excessively emphasizing its own encryption algorithm, Ms. Denning contended that encryption is in proper perspective: "an integral feature, but coupled with access control, authentication, and auditing."

Jim Hurley, managing director of Aberdeen Group's information security practice in Boston, shrugged off the contentiousness as nothing more than "competing technologies going after the same pieces of the pie."

He said Tristrata "brings a fully integrated solution. Its model is based on the supposition that one can unify a lot of component technology."

Critics wondered what it meant when Paul Wahl, who came to Tristrata as president and chief executive officer with great fanfare last September from SAP America Inc., departed in May to become president and chief operating officer of Siebel Systems Inc. in San Mateo, Calif.

There were whispers in the Valley about excessive "burn rates," but Mr. Atalla professed to be staying the course. He did acknowledge that after a period of rapid staff growth "we are trying to slow down and catch our breath for a while."

Like many leaders out on the technological edge, Mr. Atalla spends a lot of time trying to educate his market. He said he built Tristrata around a few plain-English guiding principles:

All information must be secure at all times, whether in storage or transit.

Access to any information must be subject to the rules and controls of the owners of the data.

Security operations must be controlled centrally, with a real-time audit of all processes.

These ideas, Mr. Atalla said, appeal especially to large-scale enterprises in banking and telecommunications. He also claims to be undercutting others' prices and promises to complete system installations in as little as three days, thanks to the flexible server architecture and reliance on open technical standards.

Mr. Atalla argues that any clean-slate security design should do without public key infrastructures. Public key encryption was originally "predicated on non-network-centric systems," he said. Administrative complications can prevent PKIs from keeping up with the speeds required for electronic commerce.

Mr. Adams recalled how a law firm Tristrata deals with wanted to encrypt e-mails according to the S/MIME standard. "Of 62 pages in the user manual, 52 were about issuing and maintaining digital certificates," he said. "The lawyers didn't get past that."

"There is real pain here," Mr. Adams said. "We are hoping to make that pain go away. A real-time, positive assertion is necessary that a certificate is currently valid."

"With our system, you can revoke the authority of anyone globally with one click," Mr. Atalla said. "That is very difficult to do in a PKI that is off-line."

Tristrata is not alone in saying it can provide such responsiveness, with the security virtually "transparent" to users and easily administered centrally. Mr. Atalla is eager to put Tristrata to the test.

"I have a vision to make this happen, and we are the most qualified to do it," he said.

Banks pose a challenge because their PKIs and Tristrata's alternative do not automatically mix.

The pitfalls were typified by SET, the MasterCard-Visa Secure Electronic Transaction protocol for Internet payments. It suffered from "design by committee," Mr. Atalla said.

SET, based on a public key infrastructure for digital certificates, is "a very elegant process," he said, "but it doesn't scale to thousands of transactions per second." Those volumes are what credit card networks deal with, and Tristrata contemplated them in its designs.

Mr. Atalla said he has developed a way to integrate his system with PKIs. Therefore, "we are ready to tackle banks. I am devoting my time to that," seeking out test sites, for example.

To some observers, bankers seem laggards in understanding information security and turning it to a business advantage. Mr. Atalla said their influence is yet to be felt, and will be significant.

"Once banks settle on something, the standards issue is resolved," Mr. Atalla said. "The banks are the ones that made DES (the federal Data Encryption Standard) a standard. The same thing will happen again.

"When they get it together, it will be a package, not a discrete point solution attacking little problems," Mr. Atalla said. "Vendors have point solutions. The banks want total solutions."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER