VeriSign – Meet Your Colleague

Portfolio - VeriSign, Keynotes (Meet Gabriel Dusil, '05, title), Building Trust From the Inside Out

Name:  Gabriel Dusil
Title:  Director Partnerships, EMEA
Division: VeriSign Security Services
Location:  Europe, Middle East, Africa
Interview:  30th November, 2004

Talk about your history at VeriSign.

I joined VeriSign back in August 2000 as the Marketing Director for EMEA. I was recruited from Motorola, where I was managing a small team of marketers. When I first joined VeriSign, EMEA affiliate expansion was in the middle of all its glory, but I needed to adjust to the change in corporate culture—from Motorola to what was at the time a “medium-sized U.S. corporation”—and to the one-man-band aspect of my new role. VeriSign had recently bought Network Solutions earlier that year, and was busy with that integration. It was an exciting time. I soon learned that I was the first marketing hire outside of the U.S., and overall, the sixth employee in EMEA. So the position had good exposure within the organization, and a great opportunity for me to prove my capabilities. I also learned that I was joining a team of people who were the best in the industry. Working among the best of the best helped me raise my own bar.

With around 800 employees now outside of the U.S., it is now easy to forget that five years ago we were truly a European start-up. It has been amazing to see our growth over the years.

What’s a typical day at work like?

There is one common theme to my work day at VeriSign – each one is different. For my first three years, it was about delivering marketing programs and supporting our affiliate partners across the region. In the past year and a half I have taken on a sales position which has led me to pipeline management, customer expectation management, and overseeing the sales life-cycle to closure. I find that an integral part of this process often involves building and maintaining the customer’s confidence in buying from VeriSign, and ensuring a successful installation. In a recent Unified Authentication Services (UAS) deal, where we were offering two-factor authentication services, we had no less than 25 critical issues to solve. And any one of those issues could have collapsed the deal. A team effort is the only way to ensure all these issues are solved, and this is exactly how we were successful in closing the deal – and today the customer is extremely happy with our performance. In fact the prospect was our first retail bank installation in the world – Alpha Bank, Greece, via our partner Adacom.

I spend about 50% of my time on the road. My days start at 9:00 and often finish as late as 10 p.m. My curse is that I can’t go to bed without clearing my email inbox! Time zones play an important role in our daily activities. I speak to the Middle East and Eastern Europe during the morning which is 2-4 hours ahead of the U.K., then start discussions with the U.S. East coast by mid-afternoon, and talk to Mountain View, California in the evenings (8 hours behind the UK). Many of us in the European organization say that we “live VeriSign”. If you love your job then hard work is balanced by satisfaction.

What do you like the most about working at VeriSign?

As a self-proclaimed tech geek, one enjoyable aspect of my role at VeriSign is learning about IT, the Internet, and the security industry. Whether it’s sales or marketing, I have found that both disciplines give me the freedom to learn more about technology, in as much detail as my aging mind allows. I feel that VeriSign is on the leading edge of securing critical infrastructure. So I can experience a multi-faceted approach to learning new areas of our portfolio–whether it’s Anti-Phishing, cloud based authentication services, managed security services (MSS), or any new and exciting service coming down the line from our product managers.
From the sales perspective, I like the discovery phase of learning the customer’s requirements, and how they are positioning their infrastructures to the future needs of their target market. It seems to be more of an art than a science. For example, listening to what is not said is a much harder challenge than concentrating on what was said. The devil is always in the details, and learning these nuances has also been fun. With my marketing hat on, comparing this street-level data to what the analysts are saying about the market is a great comparison. The markets where VeriSign plays allow for an incredible scope of learning, to as much detail as I choose.

What does “One VeriSign” mean to you?

“One VeriSign” for me is about people, and how we develop relationships within the company, departmentally, geographically, or by product portfolio. Of course, we have a “One VeriSign” corporate vision, but it’s the trust relationships which we develop at the street level where the vision is realized.

What are some of your hobbies, volunteer efforts, & outside interests?

Not to shock anyone, but I suppose one of my hobbies is fitness (trigger for Souheil Badran to laugh out loud). I call it a “war with my body” – which some would agree is something I am losing. I believe that balancing the mind and the body is important to one’s health and happiness, and, for me, daily exercise counter-weights the daily intellectual challenges of work.
Much of my recreation is now spent as a parent. Watching my two boys—eight months old and three and a half years old—grow and develop.  My children have been a life changing experience, as any parent can attest. I suppose the extent of my volunteer efforts is in babysitting my kids so that my wife can go out with her friends.

Tell us one thing about yourself that your colleagues wouldn’t have guessed!

I suppose a shocker to most people is that I am a black belt in Shotokan Karate (松涛馆). Although I have not been training for the past 10 years, I still release my pent-up energy on a punching bag twice per week at the local gym — another aspect of balancing my mind and body.

About the Interviewee

Gabriel Dusil is VeriSign’s Marketing Director responsible for the Europe, Middle East and African region. Mr. Dusil’s role includes the management of Channel and Direct Marketing, as well as Marketing Communications. His responsibilities also include the development of product strategies and market positioning throughout the emerging markets.

Prior to VeriSign, Mr. Dusil had been with Motorola for six years, as their EMEA Marketing Director for its Internet and Networking Group.  He has over 10 years of experience in the communications industry, and over nine years of international marketing experience. Mr. Dusil has a degree in Engineering Physics from the University of McMaster, in Canada.

VeriSign – The PKI Value Proposition

Portfolio - VeriSign, PKI Value Proposition ('02, Symposium Globe)

The eSecurity Evolution

The Internet’s rapid growth brought forth a multitude of innovative service offerings. In its early life cycle the Internet experience defined new products, and ultimately new market segments. One of the most important of these markets in recent years has evolved around the consumer demand for “Trust”, and the value of trusting the Internet. The industry answered this demand through a market segment now called eSecurity, and vendors worked hard to differentiate themselves in this space, each providing either a service or a product that clearly distinguished their value proposition from competitors. But in the last few years eSecurity has blurred the distinction between various products and services as it evolves and accelerates as the fastest growing market segment in cyberspace. The sub-segments within this market such as firewalls, virtual private networks (VPN), anti-virus, and authentication services have become critical components of a security policy. eSecurity continues to evolve rapidly to meet the demands of eCommerce, as transaction-based services are expected to infuse new growth trends. This is a reflection of the increased importance that consumers give to confidence, and to the value of trust in the vendors with whom they wish to do business. Recent awareness of managing and protecting privacy is a further reflection of how consumers value their supplier relationships. Governments throughout Europe have also stepped up to the plate in finalizing legislation around the protection of privacy and the legal recognition of electronic signatures. All these dynamics are raising the fundamental awareness of eSecurity, and the importance of high security, in which the PKI (Public Key Infrastructure) sub-segment plays a critical role. PKI has grown beyond a traditional eSecurity offering, and is now considered a basic enabler of new eBusiness revenue streams.

Early in its life cycle PKI establishes itself with a clear value when compared to its neighbors:
  • Firewalls established the fortress for a corporation, and intrusion detection served to enhance this capability;
  • Antivirus protected hosts and desktops against the threat of infection;
  • VPNs ensured secure communications over public networks;
  • PKI steps in to provide application-level security, and removes the inherent weaknesses of IDs and passwords, by linking the identity of users to their Internet hosts through digital certificates.

But PKI goes further, and crosses the boundaries of security by enabling a host of services which were not previously possible due to the lack of infrastructure:

  • Digital Signing of electronic documents
  • Electronic supply chain management
  • Electronic (e)Ordering & eProcurement
  • Online eGovernment Services
  • Healthcare & National ID Services

These are only a few examples of new applications which were not previously acceptable on the Internet, but which have become possible due to the enhanced security offered by PKI. How do we bridge the gap from our current IT infrastructure to enhanced security using PKI? This article outlines two fundamental implementations, referred to as in-house PKI and outsourced (cloud-based) PKI solutions. The purpose of this article is to describe the value proposition and intrinsic differentiation of these two approaches.

Setting the Stage

PKI is one of the few technologies today which integrates the disciplines of Legal Practices & Information Technology. This results in several unique challenges in deployment, but is also a reflection of the distinctive role that PKI serves on the Internet: namely, our ability to identify the existence of a company, recognize individuals through the use of digital certificates, and give digital signatures the same legal validity as a handwritten signature. To overcome the legal and technological obstacles, PKI implementations have taken two fundamentally different approaches, described as follows:

In-house PKI
  • This involves the implementation of a managed in-house PKI solution. In this approach the customer purchases PKI software and hardware which is used to deploy digital certificates to individuals in the company.  Dedicated staff are responsible for defining their own certificate practices and policies for the creation and distribution of digital certificates throughout the corporate infrastructure.  Companies perceive that this approach offers inherent “ownership” and flexibility. But typically this option requires a large upfront investment in both time and money.
Outsourced PKI
  • This cloud-based approach is analogous to the service provider market, whereby the ownership of infrastructure is with an external entity known as a Certificate Authority (CA). The CA is responsible for setting policy, managing information technology (IT), and owning liability on behalf of the customer. But we don’t stop there. The advantage here is that customers keep control of their certificate issuance, co-branding, and management, while moving the responsibility for maintenance, scalability, and policy management to the back-end (commonly referred to as the processing center).

Furthermore, outsourced solutions cover all aspects of the PKI infrastructure such as:

Legal
  • Certificate Policy Statement (CPS) and Certificate Practices (CP), which establish the legal framework of PKI. In Europe conformance is to the EU Signature Law Directive.
Technical
  • The CA maintains the ability to migrate PKI to new standards. Since the PKI processing center is upgraded once in the back-end, all customers take advantage of new features simultaneously. This also applies to technological upgrades such as the up-and-coming XKMS standard developed jointly by VeriSign, Microsoft and WebMethods, allowing for an open standard for PKI in XML environments.
Human Resources
  • Project management, policy management, and certificate deployment costs are often lost in the overall cost of ownership model. All of these costs are substantially reduced when outsourcing, since the expertise of PKI deployment is off-loaded to the CA.

Outsourcing has become increasingly attractive as it removes the burden of a large upfront investment, and takes the emphasis off licensing as the main revenue stream. This has become even more important during times of economic difficulty, as cost-cutting becomes a primary concern. “The primary benefit of this [cloud] business model for end-user businesses is avoiding the administrative, project management and IT integration demands that an in-house implementation would require without relinquishing control over the solution.” Datamonitor

Spending

Figure #1: In-house PKI Investment

Decisions around eSecurity spending are often judged against metrics of lowering cost, flexibility, control, and deployment speed. In-house deployments are sold on the perceived merits of greater control, flexibility and lower costs in the long term. In-house certificates are expected to be issued and revoked quickly, and security policies tailored to business needs. Ironically, outsourced solutions are up and running in a much shorter time-frame, and result in lower capital and operational investment, when the total cost of ownership (TCO) is taken into account. In fact, allowing companies to outsource their security gives them more flexibility to concentrate on their core business. IDC estimates that the global IT management services market will expand from 95.3 billion US$ in 2000 to 214.9 billion US$ in 2005. This is a compounded growth rate of 17.5%. The trade-off is often judged on “up front costs”, since proponents of in-house solutions have the customer compare their proposal cost to that of a cloud-based service provider.

Figure #2: Outsourced PKI Investment


Customers are often caught up in the shadow of proposal costs, ignoring tangible factors such as Total Cost of Ownership and Investment Protection of a given solution. For certificate services, total deployment costs can be grouped into four main areas:

Human Resources
  • Project management costs to deploy the overall infrastructure and services
  • Operational & maintenance support includes costs associated with application integration
  • Costs of managing the Registration Authority and Certificate authority should not be overlooked
  • Human resources need to build PKI expertise and maintain these in-house systems
Infrastructure
  • Hardware and Software costs which form the basis of  the PKI infrastructure
  • Secure Processing facilities are critical to ensure that the root key (or CA private key) is protected against theft or fraudulent threats.
  • Upgrades due to technology evolution and scalability
Services
  • Training costs should be taken into account, both during the initial deployment and for the further education needed as legislation and this technology evolve.
  • External consultant services often require significant investment for an in-house solution.
  • Security Audits are required to ensure compliance to national or internationally recognised standards.
Legal & Policy Requirements
  • Trust practices which include legal conformance to local signature laws as well as establishing PKI policies and procedures
  • Liability to the company in the event of a legal dispute

Figure #1 shows the inherent costs associated with an in-house solution. All components of a. Services, b. Human Resources, c. Infrastructure and d. Legal are the responsibility of the customer. In this cost analysis the thickness of the bars is a relative representation of the cost incurred by the customer. This figure shows the total cost of ownership when all costs are taken into account. When the same analysis of total cost of ownership is applied to the outsourced model, we arrive at the analysis in Figure #2. In this model, the customer incurs a much smaller investment in human resources, consultancy, and infrastructure, since the bulk of the investment lies in the Certificate Authority (CA) infrastructure. The customer takes advantage of the CA infrastructure as part of the service provided by the Trusted Third Party. The ownership of a carrier-class processing facility, operations and maintenance, and the legal framework become the responsibility of the CA. As a result, when combining the various components of cost, outsourcing results in a 40% to 60% savings in cost over a three year period when compared to an in-house solution (Figure #3).

In the in-house model, the customer must manage their own root key, private keys of deployed certificates, and audit logs. In other words, since the infrastructure is not protected by a highly secure facility, there is a high risk of the CA being compromised. This could result in fraudulent activities such as false certificate issuance, private keys being stolen, or digital signatures not being legally binding. Also, since the company has set their own policies and practices, there is no inherent trust established with any other company which may have set different standards. This is a fundamental flaw in what is to be considered a “trusted” environment between companies wishing to establish a business relationship. If a true layer of trust is to be realized, then the customer must rely on a CA or Trusted Third Party (TTP), which ensures that common standards are enforced. Policies and procedures are managed outside of the organisation – within the TTP. Therefore, if two companies utilize the same standards of PKI from the same TTP, then they can inherently trust each other. In-house PKI vendors do not sell policy infrastructure as part of their PKI solution. Customers generally need to determine their own policy – then document and implement it. This results in customers taking the risk and responsibility of certificate issuance and authentication. Outsourcing PKI has the customer offloading this risk to the TTP.

Figure #3:  In-house vs. Outsourced PKI Total Cost of Ownership

Proponents of in-house solutions attempt to convince customers that outsourcing may be viable in the short term, but that there is a lack of flexibility in moving to an in-house solution over time. In fact, this is a contradiction in logic, since flexibility is lacking in the in-house approach. Customers are locked into a proprietary solution which often results in continuous hardware upgrades as more users are added, or software upgrades as new standards are implemented. An outsourced solution transfers the responsibility of managing scalability and evolving standards to the TTP, without dramatic changes to the customer’s infrastructure. In the outsourcing model the TTP is located at the top of the trust hierarchy, which may branch to smaller CAs managed by individual companies. At the tail-end of this hierarchy is the end-user community, which might consist of distributors, suppliers or manufacturers in a business to business (B2B) market, or individuals in a business to consumer (B2C) market. This hierarchy imparts the underlying value which a TTP provides. All users within this umbrella have comfort in knowing that one consistent standard of trust is utilized.

“Outsourced PKI solutions provide a multitude of benefits for businesses. Although the underlying idea for businesses is to transfer the ‘headache’ of having to implement, maintain and administer a PKI solution to a service provider, there are significant strategic and financial advantages in outsourcing security in general and PKI in particular.” Datamonitor

Outsourcing Value Proposition

Figure #4: In-house vs. Outsourced Revenue Growth

Further support for the cloud-based PKI model can be found in various analyst reports. According to Datamonitor, this market is expected to grow at 110% CAGR (Compounded Annual Growth Rate) over the next three years. By the year 2006, outsourced PKI market share is expected to be 60% compared to in-house deployments. The importance of outsourcing can be summarized as follows:

  • Customers can focus on their core business – Leave the expertise of PKI to the experts
  • No need to buy hardware & software since the infrastructure is owned by the CA
  • There is a reduced Total Cost of Ownership – No hidden costs are incurred by the customer
  • Liability is transferred to a trusted third party (TTP)
  • Seamless scalability – Upgrades to infrastructure due to additional users and technology changes are owned by the CA
  • There is a reduction in training, hardware, and software investments.  Expertise is left to the CA, so only minimal training is required to administer certificates.
  • Minimal consultancy fees are needed, due to faster project implementation
  • Trust is enabled with other companies.  The value of the TTP provides a common denominator of trust for all companies.

About the Author

Gabriel Dusil is VeriSign’s Marketing Director responsible for the Europe, Middle East and African region. Mr. Dusil’s role includes the management of Channel and Direct Marketing, as well as Marketing Communications. His responsibilities also include the development of product strategies and market positioning throughout the emerging markets.

Prior to VeriSign, Mr. Dusil had been with Motorola for six years, as their EMEA Marketing Director for its Internet and Networking Group.  He has over 10 years of experience in the communications industry, and over nine years of international marketing experience. Mr. Dusil has a degree in Engineering Physics from the University of McMaster, in Canada.