Electronic Commerce: Data Security Vendors Banking on Alliances

Article excerpt

By JEFFREY KUTLER It did not take Equifax Inc.'s information security subsidiary long to get into the swing of the teamwork that has come to rule the public key infrastructure market.

Equifax Secure Inc., which officially introduced its digital certificate service Jan. 5, was back about a month later to announce the formation of the Equifax Secure E-Commerce Partners Program.

In the group at the outset were nine companies active in various aspects of on-line commerce and network security. Along with Equifax's previously announced alliance with International Business Machines Corp.-which is providing the VaultRegistry certificate issuance and management system and including Equifax in its own formidable lineup of "Integrated Security Solutions" allies-Equifax Secure is signaling its intent to be a major mover in this emerging business.

The Atlanta-based credit information company's new business unit is also asserting support for the seemingly universal principle that when it comes to securing the wide-open digital spaces of the Internet, no one company can do everything.

Equifax, IBM, and digital certificate specialists like Entrust Technologies Inc. and Verisign Inc. are increasingly trying to communicate that they can put all the security pieces together. But they do so, in most cases, by assembling components they don't themselves possess, from public key encryption infrastructures, or PKIs, and network firewalls to smart- card authentication devices and consulting assistance.

The aspiring integrators of data encryption and certification infrastructures have healthy philosophical disagreements but are unanimous in their allegiance to the need for issuing and verifying individual and business credentials on the Internet. All view certification as a key to on-line commerce growth and "enterprise security," controlling proper systems access by employees and customers.

The vendors frequently strike relationships with consulting firms and system integrators such as Andersen Consulting or the major accounting firms. Several of those on Equifax's list are active in virtual private network technology. Verisign boasts relationships with more than 400 Internet service providers and 150 independent software vendors for its global "Affiliate Services" program and "PKI backbone."

GTE Cybertrust, stressing speed of deployment of desktop security in its "Accelerator Program," lists Microsoft Corp. and Netscape Communications Corp. as allies, plus smart card and security hardware vendors Gemplus and Datakey, and Entegrity Solutions Corp., a San Jose, Calif., company that itself specializes in what it calls "rapid deployment of secure applications."

Entegrity is a member of a large class of alliance joiners. At the recent RSA Data Security Conference in San Jose, an event sponsored by the data encryption technology leader RSA Data Security Inc., Entegrity also declared itself a member of the "IBM VaultRegistry Family" and announced cooperation agreements with Verisign, Valicert Inc., and others.

Valicert, another Silicon Valley company, offers certificate validation technology that, by definition, must operate with any and all digital certificate authorities, or CAs, to verify that credentials have not expired or been revoked. Valicert has struck up relationships with most of the majors.

"PKI neutrality" is also espoused by Shym Technology Inc. of Needham, Mass., with its PKEnable program. Sales vice president Bill O'Brien described it as "the first company to focus exclusively on allowing enterprise applications to 'snap in' PKI-based security services."

The praises of alliances are widely sung.

"Enterprise security is an expensive and complex problem (that) will only get more complex as customers roll out e-commerce applications," Jamie Lewis, president of the consulting firm Burton Group, said when IBM unveiled its strategy at the RSA conference. …