Data breaches and regulations are pushing enterprises to look at encryption more seriously, as vendors attempt to make the technology less expensive and easier to use.
Large security vendors are buying up encryption start-ups. Venture capitalists are putting money into young companies to spur the development of encryption products. New companies are launching products to help manage and simplify encryption.
With all this activity, is it safe to assume that companies are starting to embrace encryption as a pillar of their security infrastructures? Security experts and observers say yes, with the caveat that it’s a slow march toward full-blown encryption adoption.
With the threat of a data breach looming large over every corporation that handles sensitive information, encryption has become the No. 1 answer to the question, 'How do I protect myself?' Then there are the mandates -- the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, Sarbanes-Oxley, the Payment Card Industry data security standard, and other regulations -- that require data protection, for which encryption is again the obvious answer.
“All this stuff is making people responsible for losing data, and the only way to protect it is to encrypt it,” says Pascal Luck, managing partner with venture-capital firm Core Capital in Washington, D.C., which in 2005 invested in Trust Digital, which encrypts information stored on smart phones.
Add the fact that encryption products are getting less expensive and easier to use, and it makes sense that the findings of an August survey by Forrester Research indicate 62% of corporate security professionals are increasing their encryption deployments.
Most companies, however, haven’t achieved encryption nirvana -- where unified policies are deployed throughout the organization that automatically encrypt sensitive data regardless of where it is stored or sent -- quite yet.
“We know we want to have [sensitive data] encrypted when it goes out the door, and we need certain policies to do that, we don’t want it to be willy-nilly,” says Bob Gorrie, information security project manager with Bethesda, Md.-based USEC, a supplier of enriched uranium fuel for commercial nuclear power plants.
The company uses IronPort Systems' e-mail security appliance, which comes with some policies for encrypting the sensitive data found in outbound messages, but Gorrie says those policies need to be tested and refined. “Until you test them one at a time, you can set a policy and get a lot of false positives,” he says.
Still, some advances are being made that will help nudge companies toward wider adoption of encryption.
For one, encryption vendors have not evaded the consolidation that’s happening across the security industry, as larger companies make acquisitions. This is generally good for customers because it means encryption often becomes a feature of an existing product, as opposed to being a stand-alone offering that needs to be purchased separately and integrated on site.
Late last year IronPort -- now a subsidiary of Cisco -- bought e-mail encryption vendor PostX in an all-stock transaction, and has integrated PostX’s product on its e-mail security appliances. Earlier this month, McAfee snapped up hard-drive and file-encryption maker SafeBoot for $350 million, and plans to add the company’s technology to its data-leak prevention offerings. Last November Check Point Software bought Pointsec Mobile Technologies, provider of data encryption devices, for $586 million.
“Our view is, encryption is not a stand-alone thing that you have to get trained on and manage, you really want it to be a feature on an existing platform,” says Tom Gillis, IronPort’s vice president of marketing. “And we’re pricing it in a way that makes it much more affordable, so companies can do more of it.”
Gillis describes the company’s vision of its encryption technology becoming so easy to use that advanced e-mail features unrelated to encryption are possible, such as message recall and receipt notification. This requires the PostX e-mail plug-in to become omnipresent (one continuing criticism of e-mail encryption products is that the decryption mechanism on the recipient's end often is clumsy, requiring users to have a plug-in already or go through the process of decrypting from a Web site), but considering that Cisco owns IronPort and could embed decryption capabilities in its products, this scenario may not be so far-fetched.
Venture capitalists also are putting money behind encryption companies, particularly ones coming up with new ways to apply this decades-old technology.
E-mail and database-encryption vendor Voltage Security earlier this month received $12 million in venture capital from a handful of firms including Winblad Venture Partners. The company has played in the e-mail encryption market for four of its five years in existence, and this year augmented its offering with encryption technology for files and data. “Increasingly enterprises realize that the old way of encrypting things is the container approach, where you encrypt the hard drive of a laptop, but things leave containers,” says Matt Pauker, co-founder of Voltage. “We’re focused on protecting the data itself, rather than the container.”
Looking to apply systems management to encryption, three-year-old Venafi has attracted $20 million in venture capital. The company sells software that automates many of the manual tasks associated with administering encryption technology — including keys and certificates — for example, making sure that installed software has its optional encryption settings turned on. Start-up 2factor wants to make encryption even more secure. Last year the company received $1.6 million in seed money to fund development of its two-factor, continuous user-authentication and data encryption that the company says limits the opportunity for intrasession hack attacks and threats. Venafi and 2factor both made Network World’s 2007 list of 10 IT security companies to watch.
Hoping to spur encryption adoption by making it less expensive -- free, really -- two-year-old start-up Kryptiva earlier this month launched its first product that secures e-mail communications from the sender’s desktop to the recipient’s in-box. The software is a free download that works with any e-mail system to authenticate users and encrypt content, officials say.
Although attempts to make encryption easier and less expensive will help, obstacles to this technology remain. “I think there are a lot of usability issues still [surrounding encryption], and authentication is the big weak link in all of this too,” says Arabella Hallawell, a research vice president with Gartner. Also standing in the way is the lack of consumer adoption of encryption, she says, because such organizations as healthcare companies and financial institutions can’t rely completely on encryption until they know their customers have easy access to decryption.