Symantec Deal for VeriSign Security Unit Brings Challenges

Analysts are generally approving of Symantec's $1.28 billion acquisition of VeriSign's authentication business, but difficulties may lie ahead.

Symantec's plans to buy VeriSign's identity and authentication unit have been greeted with largely positive reactions from industry analysts, but they still see some challenges ahead.

After a day of rumors, Symantec confirmed the $1.28 billion deal and outlined where VeriSign's technology fits in its strategy. However, while the company touted the buy as bolstering its identity and authentication story, Gartner analyst John Pescatore questioned whether there is enough synergy.

"The people who buy the SSL [Secure Sockets Layer] certificates are very often not the ones that would buy higher-priced server security like Symantec CSP [Critical System Protection], just like the people who buy copier paper are very often not the ones who make the copier decisions," Pescatore told eWEEK. "The authentication part is tiny and trying to sell strong authentication to consumers has been a losing proposition for years. So Symantec gets a revenue bump, but from a commoditizing market that they will have to divert resources to in order to keep margins and revenue from dropping - [it] distracts from main Symantec security areas, [it] does not augment."

However, there is more to this deal than SSL certificates, noted Scott Crawford, an analyst with Enterprise Management Associates.

"Strong authentication and identity-linked encryption complement assets such as DLP and symmetric encryption," Crawford said. "For example, DLP can automate the enforcement of data security policy, by engaging tools such as identity-based encryption. Hosted PKI [public-key infrastructure] offerings will help make identity-based encryption more manageable, and will further bolster Symantec's hosted services and cloud initiatives, as will the certificate validation service. VeriSign's VIP service complements Symantec's Norton Identity Safe business in the consumer space, but will have more applicability in the enterprise."

Symantec has said it plans to combine VeriSign's SSL Certificate Services with Symantec CSP or Protection Suite for Servers to help protect Web servers, as well as use VeriSign VIP to complement the Identity Safe technology in Norton products.

"My one worry here is that as you start to divorce SSL (which is going to Symantec) from Domain Name Services (which is staying with VeriSign), Symantec will have the challenge of keeping that SSL business going and growing," Forrester Research analyst Jonathan Penn said. "The other businesses - managed PKI, VIP strong and risk-based authentication, and the trustmarks [or] seals - are areas where VeriSign has frankly been underperforming and Symantec can spark growth."

The seal and trustmark business will be an area where Symantec can now go head-to-head with McAfee, Penn added.

"The big picture here is that Symantec has concluded that its future (along with all of our futures) is in cloud-based computing and that demands some identity architecture that doesn't stop at the network perimeter," said Paul Roberts, an analyst with The 451 Group.

"Peeling off VeriSign's authentication business from the root server business allows them to step into the center of that ... from Symantec's standpoint, they are making a bet that they can grow the SSL business and that there's substance to their 'value add' argument - that enterprises will pay more for a cert from a serious security vendor that's bundled with other like services ... rather than running to the lowest-cost provider," Roberts added.