Electronic Commerce: Data Security Vendors Banking on Alliances

It did not take Equifax Inc.'s information security subsidiary long to get into the swing of the teamwork that has come to rule the public key infrastructure market.

Equifax Secure Inc., which officially introduced its digital certificate service Jan. 5, was back about a month later to announce the formation of the Equifax Secure E-Commerce Partners Program.

In the group at the outset were nine companies active in various aspects of on-line commerce and network security. Along with Equifax's previously announced alliance with International Business Machines Corp., which is providing the VaultRegistry certificate issuance and management system and including Equifax in its own formidable lineup of "Integrated Security Solutions" allies, Equifax Secure is signaling its intent to be a major mover in this emerging business.

The Atlanta-based credit information company's new business unit is also asserting support for the seemingly universal principle that when it comes to securing the wide-open digital spaces of the Internet, no one company can do everything.

Equifax, IBM, and digital certificate specialists like Entrust Technologies Inc. and Verisign Inc. are increasingly trying to communicate that they can put all the security pieces together. But they do so, in most cases, by assembling components they don't themselves possess, from public key encryption infrastructures, or PKIs, and network firewalls to smart-card authentication devices and consulting assistance.

The aspiring integrators of data encryption and certification infrastructures have healthy philosophical disagreements but are unanimous in their allegiance to the need for issuing and verifying individual and business credentials on the Internet. All view certification as a key to on-line commerce growth and "enterprise security," controlling proper systems access by employees and customers.

The vendors frequently strike relationships with consulting firms and system integrators such as Andersen Consulting or the major accounting firms. Several of those on Equifax's list are active in virtual private network technology. Verisign boasts relationships with more than 400 Internet service providers and 150 independent software vendors for its global "Affiliate Services" program and "PKI backbone."

GTE Cybertrust, stressing speed of deployment of desktop security in its "Accelerator Program," lists Microsoft Corp. and Netscape Communications Corp. as allies, plus smart card and security hardware vendors Gemplus and Datakey, and Entegrity Solutions Corp., a San Jose, Calif., company that itself specializes in what it calls "rapid deployment of secure applications."

Entegrity is a member of a large class of alliance joiners. At the recent RSA Data Security Conference in San Jose, an event sponsored by the data encryption technology leader RSA Data Security Inc., Entegrity also declared itself a member of the "IBM VaultRegistry Family" and announced cooperation agreements with Verisign, Valicert Inc., and others.

Valicert, another Silicon Valley company, offers certificate validation technology that, by definition, must operate with any and all digital certificate authorities, or CAs, to verify that credentials have not expired or been revoked. Valicert has struck up relationships with most of the majors.

"PKI neutrality" is also espoused by Shym Technology Inc. of Needham, Mass., with its PKEnable program. Sales vice president Bill O'Brien described it as "the first company to focus exclusively on allowing enterprise applications to 'snap in' PKI-based security services."

The praises of alliances are widely sung.

"Enterprise security is an expensive and complex problem (that) will only get more complex as customers roll out e-commerce applications," Jamie Lewis, president of the consulting firm Burton Group, said when IBM unveiled its strategy at the RSA conference. "Without an integrated security solution, customers can't effectively apply and then audit security policies throughout the enterprise.

"IBM is addressing a clear customer problem, enabling a more comprehensive approach to e-business security."

Of Cybertrust Accelerator, Yankee Group senior analyst Matthew Kovar said, "The program delivers a competitive advantage to corporations that are in need of proven solutions for secure enterprise applications (with) an accelerated time to implement and the option to outsource certificate management."

Through its Entrust Worldwide confederation, Entrust Technologies of Richardson, Tex., is "opening the doors to new methods of electronic communication among businesses and individuals," said president and chief executive officer John Ryan. "Entrust is proud to be the first company to unite both certification authority service providers and enterprise-based CAs under one PKI networking umbrella."

For Entrust Worldwide, Digital Signature Trust Co., the certification subsidiary of Zions First National Bank of Salt Lake City, was selected as "trusted third party" for CA and repository services. Mr. Ryan said DST earned its stripes in a similar trusted role for the automotive industry's virtual private network, the Automotive Network Exchange.

ABAecom, the American Bankers Association's for-profit certificate venture, also signed on to Entrust Worldwide as a registration authority.

"Interoperability between companies has historically been a tremendous barrier to widespread e-commerce," said DST president and CEO Scott Lowry. "The formation of Entrust Worldwide and the trusted-third-party support of DST effectively eliminate the necessity for members to repeatedly engage in cost-prohibitive and time-consuming solutions to policy and technology interoperability."

Entrust has tried to seize the interoperability high road. "I don't know how you get more open than saying, 'everybody,'" said Mr. Ryan.

But there are still plenty of kinks to work out.

"Are we truly working toward interoperability?" said Richard Yanowich, Verisign's vice president of marketing. "On the technology level, there is a lot of convergence on standards. The differences will be in business operations models and in the certificate policy and CA arenas."

Verisign has come out with a cross-certification service "that a technology company not managing a certificate authority cannot" match, he claimed.

Ironically, the companies vying to sell simplicity and ease of implementation may just be adding another layer of confusion for buyers, at least until there is time to sort out all the options.

Bill Burnham, electronic commerce analyst at Credit Suisse First Boston in San Francisco, said electronic commerce in general is plagued by the need to assimilate dozens of software applications and capabilities at once.

"In the Internet security sector, 10 to 15 different products and services (such as firewalls, privilege managers, and certificate authorities) are needed before a network can be said to be truly secure," Mr. Burnham wrote in his mid-January "EC Authority" review.

But he said the Internet security sector may be a bit further evolved than e-commerce over all. "In the absence of standards, a number of companies, including Network Associates, Axent, and Security Dynamics Technologies (the parent of RSA Data Security), have instead embarked on an acquisition tear, trying to create a single security solution that they can sell to an over-taxed client base."

Some analysts have been skeptical of "total solutions" pitches. "Most of today's 'suites' have serious deficiencies," Ted Julian of Forrester Research has written. But he said security buyers searching for easier and more comprehensive answers are open to the possibility of vendors' making improvements, which puts the onus on the fast-growing companies in the field and their spate of alliance groupings.

"As with most outsourced services, the cost (of Equifax Secure's) varies depending on the customer requirements," said Vijay Balakrishnan, the Equifax unit's vice president of marketing. "However, the solution suite does offer low-cost entry that eliminates the need for investment in expensive in-house architecture, including hardware, software, people, training, and physical security."
