In Web We Trust

VeriSign sees plentiful riches in securing internet identity

VeriSign likes to refer to each of its two main data centers as "the Fort Knox of the Internet" because of their tight security and restricted access.

But if it was said with a smile before, the analogy became morbidly serious after Sept. 11. In the days following the worst terrorist attacks ever against the U.S., VeriSign, like many other service providers across the country, increased physical security at its network operations centers in Mountain View, Calif., and Herndon, Va., and placed its Internet security teams on high alert. It posted additional security guards and increased restrictions on who could enter the facilities. Access to the buildings was already controlled by several tiers of security, including handprint scanners and 24-hour video camera surveillance. The centers are designed to back each other up in the event of fire, floods, earthquakes — and explosions.

Stratton Sclavos, VeriSigns president and CEO, says such security precautions are integral to the companys mission to be the most trusted provider of identity and authentication services on the Internet. "Were the seat of trust, so weve always had to go above and beyond the security measures of other Internet companies," he says.

During the past two years, Sclavos has successfully expanded VeriSign beyond its roots as a provider of digital certificates into domain name and secure payment services. VeriSign now operates the root servers of the Internets Domain Name System — without which dot-com, dot-net and other domain name addresses would not function — a business it entered via its $15 billion acquisition last year of Network Solutions Inc. (NSI). It counts 50,000 merchants customers for its online payment processing services. And it has preserved its dominant market share in Web site security certificates: VeriSigns "certs" are used by more than three-fourths of all e-commerce sites.

What these different businesses have in common is that they are "signposts for trust," Sclavos says. In the offline world, institutions like banks, governments and telecommunications carriers provide various payment, identity verification and communications services. On the Internet, VeriSign wants to be all of those institutions rolled into one.

"Were re-creating the trusted environment of the physical world in the digital world," Sclavos says.

Now, perhaps unexpectedly, VeriSign is gearing up for a phase of growth — even in the midst of the yearlong dot-com slump and, after the terrorist attacks, the likelihood of an economic recession. Financial analysts believe VeriSigns revenue could increase 50 percent annually in the next two years; they estimate VeriSigns 2002 revenue at $1.4 billion to $1.5 billion, up from a projected $980 million for 2001.

Sclavos says VeriSigns lines of business — or "engines," as he refers to them — are "woefully underpenetrated." He estimates the various markets VeriSign plays in are 5 percent penetrated overall. Couple that with the fact that VeriSigns systems are only at 15 percent of capacity, according to the company, which means it can handle significant amounts of new business without spending huge sums to increase infrastructure. And analysts expect that will yield higher operating margins.

"Theyre in a good spot for weathering the slowdown," says John Pescatore, Gartners research director for Internet security. "They have a lot of pieces that fit together using security as an enabling thing, as opposed to selling security stuff to security guys."

And there are some surefire growth drivers for VeriSign, as well. One is the introduction of additional top-level domains, starting with dot-info this month, followed by dot-biz, dot-name and as many as four other TLDs by the end of the year. The new TLDs are an effort by the Internet Corporation for Assigned Names and Numbers, the not-for-profit organization that has taken over authority for the DNS from the U.S. government, to stimulate more competition; VeriSign inherited a virtual monopoly on domain names when it bought NSI. Nevertheless, the expansion of the DNS name space will benefit VeriSign, which is certain to get a good portion of the 6 million to 8 million names — by VeriSigns own conservative estimate — expected to be registered under the new TLDs in the first year.

On another front, VeriSign has announced a partnership with Microsoft, under which it will provide authentication and security technologies that support Microsofts .Net Web services initiative. Analysts expect to see growth in security technologies for Microsoft .Net and other Web services that use XML. "More and more services on the Web are using SSL [Secure Sockets Layer] for application-to-application communication," says Pescatore.

However, even more important than individual technology silos in the eyes of VeriSign executives is the companys ability to bundle services and start extending them and combining them in innovative ways. For example, VeriSign is developing convergence technologies, including a "voice registry" that would allow callers to speak a business name into their phones and be connected automatically, and WebNum, a numeric Web site addressing scheme designed for wireless phones.

"You can see the cross-selling opportunities; its about cross-servicing customers," says Anil Pereira, senior vice president and general manager of VeriSigns enterprise and service provider division. "When you talk about offering a suite of services, the other players in domains fall off the cliff."

But if trust is VeriSigns business, any breakdown in that trust could be ruinous — and thats precisely the painful situation the company encountered earlier this year. In March, VeriSign discovered it had incorrectly issued two Microsoft digital certificates to someone posing as a Microsoft employee. Sclavos says those were the only two certificates in the history of the company that were issued improperly, and he says the VeriSign staffers responsible for the blunder were fired. VeriSigns procedures for issuing digital certificates have been revised and now, in some cases, there are triple redundancies to confirm the identity of a customer.

"We spend inordinate amounts of time and money making sure our procedures are effective," Sclavos says.

VeriSign also faces ongoing scrutiny in the politically charged domain name arena. Competitors in the domain name registration business grumble that VeriSign still maintains a lock on the mother lode of the DNS: the dot-com registry. Originally, regulators were intent on forcing VeriSign to separate its registry and registrar functions — that is, the back-end database operations and the customer-facing name registration business.

But this May, ICANN approved a deal that lets VeriSign continue to operate the dot-com registry until at least 2007, and extended VeriSigns agreement to operate the dot-net registry until June 30, 2005. VeriSign collects an ICANN-approved $6 fee on every new dot-com, dot-net and dot-org name registered, and also levies a $6 fee if another registrars customer wants to switch its dot-com or dot-net registration to a new registrar.

"My impression is that I havent seen much change since VeriSign bought NSI," says Michael Froomkin, a professor of the University of Miami School of Law. "They were ruthless and clever about profiting from the DNS before, and they still are."

Last month, VeriSign hired a new executive to lead its registrar business and other retail efforts. W.G. Champion "Champ" Mitchell, who has headed several telecommunication equipment firms, is general manager of VeriSigns mass markets division. Mitchell says he will provide a stronger marketing focus — and recapture some business that VeriSign has let slip away in domain names.

With new sales and marketing machinery in place, VeriSign expects to double or triple in size in the next few years. By no means, Sclavos says, does the loud popping of the dot-com bubble mean the Internet is a passing fad.

"We believe the Net is about to enter its second phase — which is truly about communications and commerce," he says. "And thats when the things we make are more critical."