A Texas-based company with Canadian roots may be one of the few that can take comfort in the chaos of corporate networking.
Entrust Technologies Inc., one of a growing horde of companies offering ways to secure information on the Internet, intranets, and various permutations thereof, says it is the only one capable of delivering the whole package of data encryption, digital certification, key management, and other intricacies.
Other companies formidable in electronic commerce, like International Business Machines Corp., GTE Corp., and Verisign Inc., have staked out positions as digital certificate suppliers, a crucial function in the authentication of on-line buyers and sellers, or financial institutions and their customers.
But no other data security vendor has "the ability to do enterprise certificates for internal needs and to support all applications," said John Ryan, president and chief executive officer of Entrust Technologies, which is based in Richardson, Tex.
"You can buy the security once and use it as an enterprise architecture, which is very attractive. We also allow you to buy one piece at a time and grow to a multi-application level and to an entire enterprise management system," he said.
Depending on the size of an organization, this brand of comprehensive security, which Entrust markets as the complete public key infrastructure, can cost from $75 to $159 per internal user. Large corporations are probably looking at a $2 million to $5 million investment over two to five years.
It is an investment that more highly networked companies, particularly in the financial industry, are willing to make.
"Virtually every major bank is a customer, and now we're hitting brokerage and investment companies," said Mr. Ryan. Customers include the Government of Canada, Bank of Nova Scotia, J.P. Morgan & Co., Salomon Brothers, Visa U.S.A., the NYCE electronic banking network, and the Swift international bank communications network.
"Our original target was government and banking," he said. "While we're going to continue to focus on financial services globally, we're looking at telecommunications, health care, and Fortune 500 companies."
The priority attached to data security was evident in Ernst & Young's fourth annual survey on the subject for Information Week magazine. It indicated that 78% of North American companies had suffered security- related financial losses in the past year.
Yankee Group has predicted that sales of information security products and services will exceed $4 billion in 2000, up from less than $250 million today.
"Although it's a brand-new market," Mr. Ryan said, "we've got mature technology"-in an industry where three years of product development constitutes maturity.
Entrust Technologies began in 1993 as Nortel Secure Networks, a division of the Canadian telecommunications giant Northern Telecom Ltd. At the end of 1996 the unit was spun off and renamed, with Northern Telecom retaining a 73% stake.
The rest is divided among J.P. Morgan Investment Management, T. Rowe Price Threshold Funds, Societe Generale, Olympus Partners, and Donaldson, Lufkin & Jenrette Securities Corp. The outside investors bought $26 million of common stock.
Entrust makes its appeal to banks and other organizations seeking a single security infrastructure to which all information technology applications can be connected. Entrust offers "tool kits" to ease implementation. For example, said Entrust senior cryptologist Michael Wiener, Internet banking transactions can be secured end to end.
The company has earned profits every quarter this year. It expects 1997 revenue to more than double last year's $14 million."Our forecast is that the PKI (public key infrastructure) management system is growing by 100% a year," said Mr. Ryan. This would make it a $500 million market opportunity by 2000.
Mr. Ryan, who began working for Northern Telecom in 1981, attributes Entrust's growth to three recent events:
The availability to 75 million browsers of a public key infrastructure based on the X.509 digital certificate standard.
The emergence of the credit card industry's Secure Electronic Transaction protocol for Internet payments.
The adoption by firewall vendors of the public-key-based Internet Protocol Security standard, or IPSec.
Since January, Entrust has opened several offices and moved its Canadian base in Ottawa to a bigger facility. The company will employ 250 by yearend. In August, Entrust chose the Dallas suburb of Richardson as its North American headquarters. It has sales offices in New York, San Francisco, Raleigh in North Carolina, McLean in Virginia, and London.
Entrust says it has 370 customers, many of which are financial institutions that do not want their names disclosed.
As is common throughout the information technology industry, Entrust has a long list of alliance partners that can blur apparent competitive boundaries. They include IBM; Hewlett-Packard; Tandem Computers and its parent, Compaq; Lotus; Netscape Communications; Worldtalk; JetForm; Control Data; Bell Global Solutions; Digital Equipment; and General Motors.
According to Gartner Group, the Stamford, Conn., research and analysis company, Entrust's security technology is 12 months ahead of that of Microsoft Corp. or Netscape, which have therefore become allies. Entrust Web CA (for certificate authority) works with both Netscape and Microsoft Internet browsers. Netscape Communicator 4.0 will be Entrust-ready when it becomes available in the first quarter of 1998, and the current version of Microsoft Exchange incorporates Entrust.
Another partner through which Entrust's cryptographic technology is filtering out is KyberPass Corp. of Nepean, Ontario. J.P. Morgan recently selected KyberPass to provide virtual private network technology, public key authentication, and data encryption.
"If you want to run on-line banking on a public network, we need to assure that 'A' has the authority and that it is 'A' that is logged on," said Ron Walker, founder and chief executive officer of KyberPass. "What we do is special. We secure the transaction and link the transaction to the individual. The software at either end of the transaction is where the magic is."
The financial sector is adopting public key infrastructure today, he said, whereas next year the insurance and medical communities will move in. "The adoption of PKI by financial institutions is a year ahead of where we thought it would be. The way we do banking today is about to change."
Bank of Nova Scotia, one of Canada's Big Six banks, implemented Entrust Direct software last month as part of its Scotia Online and Discount Brokerage service.
The public key cryptography eliminates the need for proprietary browser security and gives the bank direct control over the security of its Internet services, said Paul Wing, the Toronto-based Scotiabank's vice president of security.
The system's "single sign-on" capability lets customers use the same password to pay bills, do on-line banking, and move between banking and brokerage services.
"We looked at the competition and what they were doing with traditional PC banking" with software diskettes and upgrades, said Albert Wahbe, executive vice president of operations at Scotiabank. "But we saw that there were low costs and ease of use with the Internet. We believed the Internet was the way of delivery of the future but it had to be secure.
"There was a void in the market in Internet security, and Entrust was the first to come up to bat."
Within six weeks of going live with Entrust's PKI products in September, Scotiabank sold 29,000 applications, and 10,000 certificates were implemented.
"We expect to have 100,000 users within a year," said Mr. Wahbe. With the structure in place, he said it will be easy to extend it to mortgages and mutual funds.
"We believe Scotiabank has the most advanced implementation of public key technology in the enterprise environment," said Mr. Ryan. In fact, the bank has separate certificate authority infrastructures for internal purposes and for customer interfaces.
The government of Canada is still Entrust's biggest customer and "there is no question that North America is ahead on public key infrastructure," said Mr. Ryan. But he called the growth in Europe "extraordinary," with banks there looking to use PKI in conjunction with smart cards. Entrust said its recent sale to the bank-owned Swift cooperative, based in Belgium, will be the first of many international "wins."
One U.S. financial institution that likes to think it is leading the drive toward integrated security infrastructures is Salomon Brothers.
"The driving force was to cost-justify our desire to participate in electronic commerce on the Internet," said Edward J. Jestin, senior operating officer of global information security services at the investment bank, an Entrust customer. "In the age of the digital certificate, encryption, and authentication of users, security is more necessary."
He added, "Firms need interoperability and standards as they move to leading edge Web-Internet technology. Worldwide clients want to transact on the Web with a single user identifier."
Mr. Jestin said the alternative to PKI, relying on manual management of encryption keys, might be less expensive. But it cannot be managed in one place, does not "scale" well as system demands grow, and does not bring the enterprise-wide efficiencies of public key infrastructures.
"The robust nature of the key management component was a determining factor" in the choice of Entrust, he said.
"As you grow in the number and complexity of applications, your administrative costs become burdensome and you're faced with account- administration staff growth unless you automate it," Mr. Jestin said. "We needed a foundation on which we could build for identification, authentication, and entitlements."
"What's holding up the expansion of our product," said Mr. Walker of KyberPass, "is the extension of PKI. Now everyone is waking up to its value and seeing that it's solving a problem."