Can VeriSign deal make Symantec the Web's identity broker?

With its acquisition of VeriSign's authentication business, Symantec is making a big play for a piece of the market for services that validate the identity of users and content on the Web.

The $1.28 billion cash deal--the third encryption-related purchase for Symantec in three weeks--would seem to be a natural extension of its desktop and server security offerings, several analysts said. But other observers question how well suited one of the leading antivirus providers really is to become the identity broker for the Internet.

"Where's the synergy?" wondered Avivah Litan, an analyst at Gartner, in an interview late Wednesday. "Certainly everyone wants to own identity (management), Facebook, Google, PayPal, and they have a much better shot at it because they own more content and more users...Symantec (now) has the technology infrastructure, but it's not a technology problem, it's a business problem."

Symantec Chief Executive Enrique Salem didn't have to look far to expand his Mountain View, Calif.-based kingdom. "When I look over my shoulder I see the VeriSign campus," also in Mountain View, he said during a conference call on Wednesday.

"I've been talking to Mark (McLaughlin, CEO of VeriSign) for the better part of a year and a half" about doing some kind of deal, he said. But there just wasn't a fit for VeriSign's domain name services business, so discussions directly leading to the acquisition of the authentication and identity unit took place in earnest over the last several months, he added.

Symantec plans to combine VeriSign's SSL (Secure Sockets Layer) certificate services--representing about 60 percent of the U.S. business market--with Symantec's protection suite for servers. The cloud-based VeriSign Identity Protection user authentication service will complement Symantec's Identity Safe capabilities within the Norton products to verify the identity of customers, employees, and partners on a variety of devices, according to Symantec. And VeriSign's hosted public key infrastructure (PKI) for managing the digital certificates will tie in with Symantec's recent acquisitions of PGP and GuardianEdge.

The deal will allow Symantec to broaden its reach into corporations and will offer all sorts of cross-sell opportunities, executives said. To capitalize on the well-known VeriSign brand, Symantec will create a new logo that incorporates the black check mark that VeriSign used as a symbol of trust for its services, Salem said.

"We think it's a very logical, complementary fit," James Beer, Symantec chief financial officer, told CNET. "Our ability to secure the transactions across the Web is important, and part of that is being sure of the identity of who is transacting. That's going to be a key part of how security develops over time."

Several analysts agreed.

"Symantec is getting technology that is fundamental to the core business it's dedicated itself to, primarily information protection," said Scott Crawford, research director of security and risk management at analyst firm Enterprise Management Associates. "It's going to raise some challenges for its competitors for sure. The most directly affected will be RSA."

Paul Roberts, a senior analyst at The 451 Group, said the deal made a lot of sense on a number of levels.

"Symantec is already selling you protection to secure the server and you were just buying SSL tokens from VeriSign and now you've got one company to go to," he said. "Symantec gives VeriSign a lot bigger reach and hooks into the businesses that are already buying Symantec products, and these services are all interrelated."

"Having authentication, access management, and data protection was critical to Symantec completing its security stack," said Don More, a partner at Updata Advisors, a Manhattan-based mergers-and-acquisitions advisory firm focused on information technology deals. "It doesn't directly impact McAfee in the sense that they don't compete in the PKI space, but it challenges other big security players because Symantec is signaling that they want a soup-to-nuts offering."

But Litan and a colleague at Gartner questioned the move for a variety of reasons, primarily because the margins on SSL certificates are so low, with competitors charging as little as $16 a year for a basic Web domain certificate.

"The SSL certificate business is really commoditized," said John Pescatore of Gartner. "VeriSign's average unit revenue, the price per certificate, is dropping due to competition from Go Daddy and Comodo. That's really taking the bottom out of the pricing."

He also suggested that Symantec overpaid for a declining business. The price tag of $1.28 billion seems high when the overall market is only expected to reach $1.6 billion by 2013, according to IDC figures, he and Litan said.

Meanwhile, VeriSign's SSL business appeared to have declined slightly over the past few years, according to VeriSign figures from its analyst day in November 2009.

"There has been downward pressure on SSL certificates for years, with other providers gaining market share," said Litan, who provides more analysis in her blog post on the deal.

One thing none of the analysts could answer was what the deal means for VeriSign, which was a spin-off from RSA in the mid-1990s before acquiring the domain infrastructure and registry business of Network Solutions in 2000. It later sold off much of the Network Solutions business.

"That's a good question. They have a nice monopoly type business but it's not entirely clear to me where they grow," said More.

Said Crawford: "The question is 'whither VeriSign' at this point."