Six reasons why encryption vendors have a future - for now

The inclusion of BitLocker by Microsoft in Windows 7 is perhaps the biggest move yet in the on-going commoditisation of the encryption market.

As one CISO (chief information security officer) agreed at a recent IT security forum, when it comes to full disk encryption of Windows devices for the purposes of compliance, BitLocker is “a big enough tick in the box”.

Microsoft is not the only infrastructure vendor to be embedding encryption in its products. Many storage systems now come with encryption included, either at the hardware level (for example Seagate self-encrypting drives), as part of the management software (as is the case with BitLocker) or with on-demand storage services (e.g. EMC/Mozy off-site backup).

Encryption specialists have also become the acquisition targets of the larger security providers. Back in April, Symantec announced the purchase of two encryption vendors (PGP and GuardianEdge).

This not only adds encryption to Symantec’s already broad security portfolio but will also allow it to embed its own encryption into its storage products and services.

So is it the end of the road for encryption specialists? Not yet, and there are plenty of reasons why they can continue to thrive. Here are six of the main ones:

1. The heterogeneity of the environments that need to be encrypted. BitLocker is not available on pre-Windows 7 releases (Vista, XP etc.) and even if you move to Windows 7 you need to have a hardware security module (HSM), which is only included with more recent PC devices. Add to that Apple devices, the range of operating systems used on smartphones, Linux servers, as well as untold numbers of removable storage devices, and it is clear that products from vendors that work across multiple operating environments and endpoints are required (vendors include Credant, Safend, McAfee/SafeBoot and Sophos/Utimaco).

2. Outside of the realm of endpoint security, there is the encryption of data in transit. For example, when it comes to WAN traffic encryption, specialists such as Senetas and Talus step in.

3. Although many infrastructure vendors appear to be moving into the encryption market, they are only doing so by providing the products from specialists via OEM agreements. So Credant is supplying Dell; SafeNet (“we encrypt anything”) supplies a range of vendors including HSMs to Microsoft. PGP has many OEM agreements which Symantec will presumably maintain.

4. Some organisations have specialist encryption requirements that go beyond those met by “commodity” products. Specialists like BeCrypt have attained certification from the UK Government, NATO and the 5I countries (a group of English-speaking nations that share intelligence). Spies and snoops need more than just a tick in the box.

5. The need for encryption management. There is an overriding danger with encryption: lose the keys and you lose the data. However safe you want your data to be, having no access to it at all is not the goal. Many of the specialists include encryption key management capabilities in their products, and there are vendors that specialise in this area such as Venafi and nuBridges.

6. There is one situation where it makes sense to encrypt your data and throw away the keys. Storing data in the cloud is appealing to more and more organisations, whether as part of a backup strategy, for primary storage or for a particular service such as email. Encryption of data held in the cloud is an obvious way to protect it. But what if you change service providers? Having copied your data, how do you make sure the stuff held by the previous provider is destroyed? If it is encrypted, it does not matter: it is just up to the service provider to remove the unreadable data, and nothing can be done with it. Trend Micro sees this as one of the use cases for its encryption products.

One thing is for sure: as the number of devices and access mechanisms used for data continues to grow, encryption will become more and more widely used to ensure the safety of data wherever it is, and therefore more and more of a commodity.

Whether it will retain any level of perceived additional value, or whether its “commodity” status drives encryption into being seen as a hygiene factor expected to be present, remains to be seen. In the meantime, expect to see more consolidation and acquisition in the encryption space.

Bob Tarzey, analyst and director, Quocirca