Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘encryption’

Open E-mail Encryption Issue with Massachusetts CMR 201 17

Tuesday, May 25th, 2010

I phoned a security professional friend the other day to discuss e-mail encryption implementation and she brought up an interesting question. The new Massachusetts data privacy law (aka CMR 201 17) requires that:

  1. Private data stored on laptops must be encrypted
  2. Private data that is transmitted must be encrypted

So here are a few scenarios in question:

  1. What if I have private data on my laptop and I want to e-mail it to a fellow employee who sits three cubicles away from me? Should this e-mail be encrypted?
  2. If I want to send this private data in an e-mail to an external party, it appears that I have to encrypt the data from the time it leaves my PC until the time it is received by someone on the other end.

As I understand it, less than 10% of all e-mail is encrypted today at organizations with e-mail encryption deployed. If scenario #1 is true, then e-mail encryption must become an e-mail staple as a high percentage of internal e-mail messages must be encrypted. If scenario #2 is true, then e-mail encryption gateway solutions don’t meet compliance requirements. This means new deployments of e-mail encryption clients and potentially CAs, PKI, revocation lists, digital certificates, etc.

I don’t know whether either scenario is true so I’d appreciate reader comments and opinions. Thanks.

Symantec Moving to Define an Encryption Architecture

Thursday, April 29th, 2010

Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.

Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:

  1. A killer install base. Between the two companies, Symantec gets a foothold in the enterprise and midmarket across the globe. Symantec also bolsters its federal government business, where encryption is a very big deal.
  2. Encryption beyond PCs. Check Point, McAfee, and Sophos bought good companies, but the focus in all cases is on endpoints–PCs, mobile devices, USB keys, etc. Symantec gets this, but also gains encryption technology for file systems, e-mail, mainframes, etc. This gives Symantec a leg up.
  3. A leading key management platform. A wise man once said, “encryption is easy, key management is hard.” PGP recognized this and built a great key management platform to manage encryption keys for mobile devices, PCs, e-mail, mainframes, etc. Symantec also gets a seat at the KMIP and IEEE encryption standards table.
  4. An encryption and key management play. In discussing these deals, I haven’t seen anyone mention the added value Symantec gets from PGP’s recent acquisitions of TC Trust Center and Chosen Security. Symantec gets a root CA capable of offering PKI as a service. This gives a tremendous opportunity. Symantec can become an identity broker in the cloud for enterprise authentication, B2B trust, consumer identity protection, etc. Imagine what Symantec can do if it ships every copy of endpoint security software with an X.509 certificate. In my mind, this opens up a whole host of possibilities.

In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.

Forensics, Litigation, and Full Disk Encryption

Wednesday, March 31st, 2010

A few years ago, I boldly predicted that PC encryption would go through a technical transition. My instincts told me that software-based encryption from companies like PGP, McAfee (SafeBoot), and Check Point Software (PointSec) would be usurped by laptops and desktops with standards-based (i.e., TCG standards) Self-Encrypting Drives (SEDs).

This seemed like a “no brainer” based upon industry history. For years new Intel chips would include new functionality, as did each Windows release. If encryption came as a standard feature on Seagate, Hitachi, Fujitsu, and Western Digital drives, it was logical that this would become the default configuration. Besides, SEDs are faster and more secure than software, so regulatory compliance activity was sure to add fuel to the SED fire.

Fast forward to 2010 and I readily admit that my timing was off. Check Point, McAfee, PGP, and others continue to sell tons of software encryption licenses while few have adopted self-encrypting drive-based systems. Why?

  1. The standard took too long to gain critical mass. Seagate came out with its own SED based upon a pre-ratified TCG standard but others lagged behind. As a result, Seagate, a company in the widget business, had to champion a mindset change. Seagate just didn’t have the marketing chops for this.
  2. System vendors couldn’t care less. Ask a Dell salesperson about encryption and he or she will show you a list of options including software and SEDs. In other words, no one is pushing SEDs at the point of sale.
  3. Software hasn’t caught up. If I have 20 thousand PGP licenses, I probably have a pretty robust management infrastructure behind them. Unless SEDs can be easily migrated into this environment, it is probably not worth the effort.

So does all this mean that SEDs are dead? Not at all. In fact there may be an SED renaissance any time now. The reason is simple. Some software-based encryption doesn’t protect data if PCs are in “sleep” or “hibernate” mode. Given the start-up time of Windows, many users take full advantage of sleep/hibernate modes, so this is a serious hole. Combine this with the fact that many organizations provide users with administrator access to their PCs and you’ve got a real problem — you can’t claim that a lost or stolen PC was actually protected if this loophole — and user behavior — exists.

Since SEDs overcome this issue, lawyers, auditors, and compliance officers may demand that new PCs come with self-encrypting drives onboard. Sounds extreme, but security-oriented purchasing behavior is already pretty pervasive.

From a security perspective, SEDs are a great option. Combine this with regulatory and litigation pressure and they may gain momentum after all. Software vendors, take note: you may be dragged into supporting SEDs sooner than you think.

CA Enters Encryption Key Management Market

Wednesday, November 11th, 2009

CA entered the key management market this week, joining others such as HP, IBM, EMC/RSA, PGP, and Thales. CA’s announcement was relatively quiet, but it is still significant because:

  1. CA joins the KMIP initiative. CA becomes another leading technology vendor to join the Key Management Interoperability Protocol (KMIP) group within OASIS. The group hopes to have a specification ratified soon and working product next year. CA’s engineers will focus on application key management as part of a holistic key management architecture.
  2. CA anchors key management to System z. While many vendors have key management appliances, the bulk of the market activity I see remains on the mainframe. CA will support IBM’s TS1120 and 1130 tape drives and interoperate with RACF, TopSecret, and ACF2, as well as with the mainframe storage facilities. Finally, CA key management is part of its “Mainframe 2.0” initiative to simplify and modernize mainframe operations.
  3. CA understands the link between key management and identity. Many key management leaders are focused on storage alone, while others only care about PKI. CA is one of the few vendors to play in both the infrastructure and identity side of IT. Yes, the obvious link here is PKI, but the combination of encryption, key management, and identity could also be used for entitlement management and data security. For example, a contractor may have rights to a data file for a limited period of time only before the encryption key expires.

With its focus on the mainframe, CA didn’t get much attention with this announcement, but large enterprises — especially in financial services, defense, law enforcement, and intelligence — will recognize the value here right away.

In the meantime, this announcement also helps the rest of us who care about the confidentiality, integrity, and availability of our data.

© 2010 Enterprise Strategy Group, Milford, MA 01757
