VeriSign uses cloud to protect against DDoS attacks

December 15, 2009

Listen to the second half of our interview with VeriSign’s Adam Geller and Nick Piazzola.

Today we continue our conversation with VeriSign’s Adam Geller, vice president of Enterprise & Government Authentication and Nick Piazzola, vice president of Government Programs.

On alleviating security concerns

Nick Piazzola: We provide PKI for federal agencies as a service. They have already defined for us security standards in the forms of policy.

For example, PKI has to follow the same business certification and accreditation requirements that you have for a federal agency.

Also, we have to get annual external audits to be able to demonstrate for the federal government that we are operating our services and are compliant with their standards.

So, for some of these security services, we are doing exactly what the federal agencies have to do for their own systems.

That’s intended to alleviate the concern that a federal agency might have about outsourcing their services to somebody who’s got a security service in the cloud like VeriSign’s.

Adam Geller: We’ve been having this classic debate with people — and we’ve been having it for a dozen years already. It’s not really new to us when we have these kinds of discussions.

I do think that there is a softening of stance, but, probably a lot of what it comes down to is, and this may sound funny, but there are standards out there — there are even government guidelines and recommendations to use managed services in certain areas, including PKI — but a lot of it, ultimately, comes down to personalities and people who are in positions within agencies or enterprises. At the end of the day, people still have a little bit of a religious feel to — do I want to outsource services or do I want to tightly control them?

I think where there’s the most hold-up or hang up about it is still probably just related to legacy.

But . . . almost anywhere you can look at an application or use case, you can now find an example of it being done as a cloud service in a very secure way for a major organization.

You can also find somebody who will do the opposite and say — I’m a major organization and I refuse to use it.

But, all the proof points are starting to line up — and they are there — with major organizations making these decisions.

On a VeriSign specialty for the federal government

NP: We provide a major piece of the Net Service for dot com and dot net.

We recognized years ago that we weren’t going to be able to provide 100% availability that was required for that unless we could do something to mitigate and protect against distributed denial of service (DNS) attacks.

What we did was we went ahead and we developed the capability that we provide for our DNS and all of the services that we provide in our data center.

Then, we’ve recently taken that service and made it available as an in the cloud offering for federal agencies.

Now, federal agencies can buy from VeriSign the same services that we use to protect ourselves for mitigating distributed [DNS] attacks