Page last updated at 10:29 GMT, Tuesday, 20 May 2008 11:29 UK

Working to make the internet safe

By Maggie Shiels
Technology reporter BBC News, Silicon Valley

VeriSign helps protect the global net

As the need for security on the internet continues to grow, one of the guardians of the networked world lays claim to an enviable record.

In its 13 years in business, VeriSign says it has maintained a "100% up time" service in operating the infrastructure that controls the internet.

The firm has a crucial role in the day-to-day operation of the internet - it manages two of the world's 13 root servers, which direct global internet traffic; it routes every web address ending in .com or .net; and it issues secure digital certificates to protect more than 900,000 web servers on the net.

In a rare insight into just how VeriSign works, the company invited the BBC into one of the main data centres where security is at the heart of everything.

The building itself is one of hundreds that dot Silicon Valley's landscape; bland and unremarkable on the outside.


There is no fancy corporate sign on the manicured strip of lawn to hint that it is owned or operated by VeriSign. Steps up to the entrance were deliberately built to ensure nobody would try to ram the building. Cameras and motion detectors are everywhere to be seen. The reflecting windows on the outside are fake.

Inside is altogether more of what you would expect.

At each stage, at least two forms of authentication are required to enter various parts of the building, including door passes and fingerprint or handprint scanners.

"We are a regulated industry with the biggest banks in the world as our customers, so everything we do here has to be secure," says Mike Kirwan, vice president of production services.


This data centre, for all its facelessness, is responsible for ensuring confidence in the internet as a place to do business.

The way that is done is through a product VeriSign sells called an SSL certificate, or secure sockets layer, which is a key part of the internet's security infrastructure.

The SSL is a protocol which was developed to transmit private documents via the internet.

Its existence helps consumers guard against imposter websites by verifying and providing information about the identity of the certificate owner. It also verifies that the certificate owner has the right to the domain name it is using and allows sensitive information like bank details or social security details to be encrypted during online transactions.

For most people an SSL simply translates into a padlock, displayed at the lower right hand corner of the browser window, and the change to "https" in the URL address bar.


"When you go to a website with an SSL, you know you can trust it. When we issue a certificate the process is pretty vigorous to check you are who you say you are and that you are legit," says Mr Kirwan.

First stop

The first stop on my tour is the operations centre. From the front door it takes about 10 minutes to get there via three separate security hurdles. Here, a half a dozen people sit watching computer screens on their desks and massive monitors on the wall.

This is where all the computers that carry VeriSign's security products are closely scanned. For most of us that means when we buy something online, it is here that the integrity of that site is maintained.

On the wall monitors, numbers ratchet up and down with a coloured flag next to them.

VeriSign keys
Verisign employees cannot access secure areas alone

"What we have on display is a status of all the systems and all the services we run and if something goes untoward these guys get an alert and they can react to it," explains Mr Kirwan.

"If you take a look at the centre screen we are looking at network status and it tells you... there are green flags and so there is nothing down and everything is working. That's what we like to see, those green flags."

An amber or red sign might simply mean that the host system is overloading and needs a simple reboot. Similarly, it might be a memory leak has developed or a piece of hardware has failed, but Mr Kirwan says at this centre the operators can drill down and find the exact location of the problem and fix it remotely.

Crown jewels

Our next stop is the actual data centre which is split into two pods and houses all the computers and telecommunications equipment. It's where your address is translated into a numeric address and routed.

Mr Kirwan says: "VeriSign handles upwards of 33 billion requests a day."

It needs two people to access the locked server racks that hold that information. Each person has one half of a secure combination to get into it. Mr Kirwan stresses it's all about ensuring confidence in the system and the product.

"Not even the boss of VeriSign can get into this data centre. He has to be escorted here, so it is a need-to-know basis."

Mr Kirwan says the security of this area is tested regularly and if one pod goes down the other is able to pick up without any disruption of service. Similarly data is transferred in real time to a secret bunker on the east coast and is ready to roll into production if, say, an earthquake hits the west coast or there's a massive cyber attack.

This is also where SSL public and private keys, which ensure the authenticity of websites, are contained.

He adds: "If someone stole those keys, they could maybe spoof another site. They are our value of trust and if they are compromised that trust has disappeared. They are the crown jewels of VeriSign."

But the true inner sanctum is the grandly titled Key Ceremony Room, where actual physical keys that can be used to access the SSL certificates are created and kept.

Entry is only through trusted keyholders from the cryptology business section. Ralph Claar and Christina Holterhoff, two of six people who work in the department, escort us.

Iris scan

Their irises are scanned for authentication as we wait for the door to unlock.

Everything in this room is recorded on video. Sensors monitor everybody's location in the room. Everything that is touched is monitored and documented.

An audit of brightly coloured keys is under way with two other members of the cryptology unit being overseen by a shareholder, a company employee who acts as another layer providing checks and balances.

Inside this room is the safe room where more than 5,000 keys are stored in 120 safety deposit boxes. Again, everything is videoed and recorded and Mr Claar says only a handful of people have security clearance to come in here.

He says: "This is our most secure room. VeriSign has more than 4,000 employees worldwide and there are only six people in the whole company who have access to this space.

"Each safety box is assigned an individual in the team and every time it's accessed, it's documented and authorised by two people on the cryptographic business team."

Asked if keys have ever gone missing or been stolen, Mr Claar is almost insulted. "VeriSign started in 1995 and I have been here since 1997 and we have never lost a key. It's just not a reality."

VeriSign says it's that dedication to security that has made it number one in the business. The company boasts a roster of Fortune 500 companies as well as the world's 40 biggest banks.

VeriSign recently passed an important milestone - the deployment of its one millionth SSL.
