Enterprise Strategy Group | Getting to the bigger truth.™

Posts Tagged ‘PGP’

Enterprises Want Broad Functionality for Mobile Device Security

Monday, November 1st, 2010

Now that we all have an assortment of iPhones, Droids, tablet devices, and Windows devices, lots of industry folks believe that mobile security is the next hot market. There are a number of players already in this market, from pure plays like Good Security and Mobile Active Defense. Traditional endpoint security vendors like McAfee see this as an extension of their antivirus business. Symantec is in the same boat with antivirus as well as encryption software from PGP. Networking vendors also see upside in the mobile device security market. Cisco has AnyConnect and ScanSafe, while Juniper Networks wants to combine its Pulse client with its recent acquisition of SMobile.

These vendors come at mobile security from many different angles, with different security functionality in different places–some on the device and some on the network. Will this confuse the market? No. Enterprises are actually looking for a wide range of mobile device security functionality. According to an ESG Research survey of 174 security professionals working at enterprise (i.e., more than 1,000 employees) organizations, the top three most important mobile device security features are 1) device encryption, 2) device firewall, and 3) strong authentication. They also want things like DLP, VPN, and device locking.

Beyond security functionality, most enterprises also want an integrated platform for mobile device security and management.  In other words, they want a single software package for device provisioning, configuration, reporting, etc.  They also want a common set of features for all mobile devices rather than a potpourri of different features for iPhone, Windows 7, Droid, Palm, etc.

It appears then that the mobile device security market will include networking, security, and management vendors along with device manufacturers and carriers as well.  Personally, I think mobile device security will have a network architecture look to it, with technology safeguards built into devices, the enterprise, and the cloud.  If this happens, integration will be critical for all leading products.

The CIA and the Encrypted Enterprise

Friday, October 29th, 2010

The international horse show wasn’t the only event in Washington DC this week; I participated in the Virtualization, Cloud, and Green Computing event in our nation’s capital. One of the guest speakers was Ira “Gus” Hunt, CTO at the CIA. If you haven’t seen Gus speak, you are missing something. He is very strong on the technical side and extremely energetic and entertaining.

Gus focused on cloud computing activities at the CIA (I’ll blog about this soon), but I was intrigued by one of his slide bullets that referred to something he called the “encrypted enterprise.” From the CIA’s perspective, all data is sensitive whether it resides on an enterprise disk system, lives in a database column, crosses an Ethernet switch, or gets backed up on a USB drive. Because of this, Hunt wants to create an “encrypted enterprise” where data is encrypted at all layers of the technology stack.

The CIA is ahead here, but ESG hears a similar goal from lots of other highly regulated firms. When will this happen? Unfortunately, it may take a few years to weave this together as there are several hurdles to overcome including:

  1. An encryption architecture. Before organizations encrypt all their data, they have to understand where the data needs to be decrypted. For example, remote office data could be encrypted when it is sent to the corporate data center, but it needs to be decrypted before it can be processed for large batch jobs like daily sales and inventory updates. There is a balancing act between data security and business processes here, demanding a distributed, intelligent encryption architecture that maps encryption/decryption points to business and IT workflow.
  2. Key management. Most encryption products come with their own integrated key management system. Many of these aren’t very sophisticated and an enterprise with hundreds of key management systems can’t scale. What’s needed is a distributed secure key management service across the network. Think of something that looks and behaves like DNS with security built in from the start. The Key Management Interoperability Protocol (KMIP) effort may get us there in the future as it is supported by a who’s who of technology vendors including EMC/RSA, HP, IBM, and Symantec, but it is just getting started.
  3. Technical experience. How should I encrypt my sensitive Oracle database? I could use Oracle tools to encrypt database columns. I could encrypt at the file system level with Windows EFS or tools from vendors like PGP. I could buy an encrypting disk array from IBM, or I could combine EMC PowerPath software with Emulex encrypting Host Bus Adapters (HBAs). Which is best? It depends on performance needs, hardware resources, and financial concerns like asset amortization. Since there is no “one-size-fits-all” solution here, the entire enterprise market is learning on the fly.
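The key management hurdle in item 2 is easier to see in code than in prose, and the same key hierarchy underlies the key management and key escrow points in the Symantec and PGP posts further down this page. What follows is an added example, not code from the post, from PGP, or from any KMIP implementation: a hypothetical KeyService stands in for a central key manager, each record gets its own data-encryption key (DEK) wrapped by a key-encryption key (KEK), rotation re-wraps the DEK instead of re-encrypting the bulk data, and the KEK identifier travels with the ciphertext so the right key can still be located years later. Python's standard library has no AES, so the cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC-SHA256 tag, used here purely as a stand-in for AES-GCM. The record text is a constructed sample.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, BLOCK_LEN = 16, 32, 32  # HMAC-SHA256 output = 32 bytes

def _subkey(key, label):
    """Purpose-specific subkey so the keystream and the MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    """Block i of the keystream is HMAC(key, nonce || i); XOR it over the data."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), BLOCK_LEN)):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + BLOCK_LEN], ks))
    return bytes(out)

def _tag(key, nonce, aad, ct):
    msg = nonce + len(aad).to_bytes(4, "big") + aad + ct  # length-prefixed aad
    return hmac.new(_subkey(key, b"mac"), msg, hashlib.sha256).digest()

def aead_encrypt(key, plaintext, aad=b""):
    """Encrypt-then-MAC stand-in for AES-GCM: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    return nonce + ct + _tag(key, nonce, aad, ct)

def aead_decrypt(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting anything."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, aad, ct)):
        raise ValueError("authentication failed: ciphertext or key id was altered")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

class KeyService:
    """Hypothetical central key manager (a KMIP server or PGP key server would
    play this role).  Only key-encryption keys live here; bulk data never does."""

    def __init__(self):
        self._keks, self._n, self.current = {}, 0, None

    def create_kek(self):
        self._n += 1
        kek_id = f"kek-{self._n:04d}"
        self._keks[kek_id] = os.urandom(32)
        self.current = kek_id  # newest KEK is the one used for new wrappings
        return kek_id

    def wrap(self, dek):
        """Return (kek_id, wrapped_dek); the id is authenticated into the wrapping."""
        return self.current, aead_encrypt(self._keks[self.current], dek, self.current.encode())

    def unwrap(self, kek_id, wrapped):
        if kek_id not in self._keks:
            raise KeyError(f"{kek_id} not held by the key service; data cannot be restored")
        return aead_decrypt(self._keks[kek_id], wrapped, kek_id.encode())

    def retire(self, kek_id):
        del self._keks[kek_id]

def encrypt_record(ks, plaintext):
    """Fresh data-encryption key (DEK) per record, wrapped by the current KEK."""
    dek = os.urandom(32)
    kek_id, wrapped = ks.wrap(dek)
    return {"kek_id": kek_id, "wrapped_dek": wrapped, "ciphertext": aead_encrypt(dek, plaintext)}

def decrypt_record(ks, env):
    dek = ks.unwrap(env["kek_id"], env["wrapped_dek"])
    return aead_decrypt(dek, env["ciphertext"])

def rotate_kek(ks, env):
    """Re-wrap the DEK under the current KEK; the bulk ciphertext is untouched."""
    dek = ks.unwrap(env["kek_id"], env["wrapped_dek"])
    kek_id, wrapped = ks.wrap(dek)
    return {**env, "kek_id": kek_id, "wrapped_dek": wrapped}

def demo():
    """Lifecycle walk-through; each property is reported as a boolean."""
    ks = KeyService()
    first_kek = ks.create_kek()
    record = b"2010-10-29 nightly inventory batch, store 17: 48213.55"  # constructed sample
    env = encrypt_record(ks, record)
    out = {"roundtrip": decrypt_record(ks, env) == record}
    ks.create_kek()  # scheduled rotation puts a new KEK in service
    rotated = rotate_kek(ks, env)
    out["rotation_keeps_ciphertext"] = (rotated["ciphertext"] == env["ciphertext"]
                                        and rotated["kek_id"] != first_kek)
    out["decrypt_after_rotation"] = decrypt_record(ks, rotated) == record
    ct = bytearray(rotated["ciphertext"])
    ct[NONCE_LEN + 3] ^= 0x01  # flip one ciphertext byte
    try:
        decrypt_record(ks, {**rotated, "ciphertext": bytes(ct)})
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    ks.retire(first_kek)  # old KEK destroyed before every copy was re-wrapped
    try:
        decrypt_record(ks, env)  # e.g. a backup tape still wrapped under the old KEK
        out["lost_kek_blocks_restore"] = False
    except KeyError:
        out["lost_kek_blocks_restore"] = True
    return out
```

The last step of demo() is the disaster-recovery scenario: once a KEK is gone, every backup still wrapped under it is unrecoverable no matter how good the tape is, which is why a central key service has to be treated as an escrow and retention system and not just a convenience. Note also that the KEK identifier is passed as associated data when the DEK is wrapped, so a ciphertext relabelled with the wrong key id fails authentication instead of silently decrypting to garbage.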

A lot of the technical limitations are being worked on at this point, so the biggest impediment may be based upon people and not technology. We simply don’t have a lot of experience here, so we need to proceed with research, thought, and caution. To get to Gus Hunt’s vision of the “encrypted enterprise,” we need things like reference architectures, best practices, and maturity models as soon as possible. Look for service providers like CSC, HP, IBM, and SAIC to offer “encrypted enterprise” services within the next 24 months.

Friday, September 3rd, 2010

Anyone remotely interested in identity management should definitely download a copy of the National Strategy for Trusted Identities in Cyberspace (NSTIC) document. It can be found at this link: .

At a very high level, the strategy calls for the formation of a standards-based, interoperable identity ecosystem to establish trusted relationships between users, organizations, devices, and network services. The proposed identity ecosystem is composed of three layers: an execution layer for conducting transactions, a management layer for identity policy management and enforcement, and a governance layer that establishes and oversees the rules for the entire ecosystem.

There is way more detail that is far beyond this blog, but suffice it to say the document is well thought out and pretty comprehensive in terms of its vision. This is exactly the kind of identity future we need to make cloud computing a reality. Kudos to federal cybersecurity coordinator Howard Schmidt and his staff for kicking this off.

I will post my feedback on the official website, but a few of my suggestions are as follows:

  1. Build on top of existing standards. The feds should rally those working on things like Project Higgins, Shibboleth, Liberty, Web Services, Microsoft Geneva, OpenID, etc. Getting all these folks marching in the same direction early will be critical.
  2. Get the enterprise IAM vendors on board. No one has more to gain — or lose — than identity leaders like CA, IBM, Microsoft, Novell, and Oracle. Their participation will help rally the private sector.
  3. Encourage the development of PKI services. PKI is an enabling technology for an identity ecosystem, but most organizations eschew PKI as too complex. The solution may be PKI as a cloud service that provides PKI trust without the on-site complexity. This is why Symantec bought Verisign’s authentication business. The Feds should push Symantec and others to embed certificates in more places, applications, and devices.

There will be lots of other needs as well. The document recommends identity and trust up and down the technology stack, but it doesn’t talk about the expense or complexity of implementing more global use of IPsec, BGPsec, and DNSSEC. There is also the need for rapid maturity in encryption, key management, and certificate management. Good news for RSA, PGP, nCipher (Thales), IBM, HP, Venafi, and others.

The key to me is building a federated, plug-and-play, distributed identity ecosystem that doesn’t rely on any central authority or massive identity repository. This is an ambitious goal but one that can be achieved — over time — if the Feds get the right players on board and push everyone in the same direction.

Symantec + Verisign = Cloud Security

Thursday, May 20th, 2010

When Symantec bought Veritas, a lot of people didn’t get it. After all, what did server backup have to do with PC antivirus software? In fact, storage and security work hand-in-hand in something the feds call Information Assurance. Symantec saw this synergy before most of the market.

Fast forward to yesterday’s news about Symantec acquiring Verisign’s security business. Yes, SSL certificate sales drove Verisign security revenue, but Symantec gets a heck of a lot more with this acquisition. Add Verisign to PGP and Symantec, and you get:

  1. End-to-end trust. Symantec can now create an infrastructure where any user or node can set up a trust relationship with any other user or node. The SSL and PKI parts are not new, but when Symantec bundles a digital certificate in every Norton desktop, you have the potential to bring PKI to the masses.
  2. PKI as a service. In a related way, Symantec has the scale and reach to marry the security power of PKI with a global SaaS service. In my opinion, this is a home run as it capitalizes on PKI’s trust model while eschewing its onerous deployment and management. Furthermore, Verisign can now act as a CA for PGP keys as well. Authentication? Digital signatures? Non-repudiation? Symantec has the opportunity to take these geeky terms and apply their goodness. We’ve been talking about the “year of PKI” for 15 years; Symantec now has the opportunity to make it happen.
  3. Key management SaaS. While PKI is used for authenticating users and signing documents, PGP can act as the backend data encryption/decryption for large files. PGP’s onsite key server can also leverage Verisign in the cloud. Afraid to manage keys? Need a key escrow service? Call Symantec.

Finally, it is fashionable to talk about cloud computing and how cloud security is the long straw. If you boil down cloud security, however, some of the key components are identity management, data security, and compliance management. Verisign covers the identity piece, PGP handles data security, and Symantec already has a leading IT GRC platform. Symantec can now sell you the pieces or provide the whole enchilada as a SaaS cloud service.

If this isn’t an exciting security business model, nothing is.

Symantec Moving to Define an Encryption Architecture

Thursday, April 29th, 2010

Today, Symantec announced that it is acquiring two encryption companies: GuardianEdge and PGP. Some will see this as a late counter-punch to Check Point’s acquisition of PointSec, McAfee’s acquisition of SafeBoot, and Sophos’s acquisition of Utimaco. In other words, Symantec is finally getting in the full-disk encryption game, primarily on laptops.

Wrong interpretation. Symantec does get endpoint encryption technology, but there is a lot more here than meets the eye. In my humble opinion, Symantec also gets:

  1. A killer install base. Between the two companies, Symantec gets a foothold in the enterprise and midmarket across the globe. Symantec also bolsters its federal government business, where encryption is a very big deal.
  2. Encryption beyond PCs. Check Point, McAfee, and Sophos bought good companies, but the focus in all cases is on endpoints–PCs, mobile devices, USB keys, etc. Symantec gets this, but also gains encryption technology for file systems, e-mail, mainframes, etc. This gives Symantec a leg up.
  3. A leading key management platform. A wise man once said, “encryption is easy, key management is hard.” PGP recognized this and built a great key management platform to manage encryption keys for mobile devices, PCs, e-mail, mainframes, etc. Symantec also gets a seat at the KMIP and IEEE encryption standards table.
  4. A PKI and identity play. In discussing these deals, I haven’t seen anyone mention the added value Symantec gets from PGP’s recent acquisitions of TC TrustCenter and ChosenSecurity. Symantec gets a root CA capable of offering PKI as a service. This is a tremendous opportunity. Symantec can become an identity broker in the cloud for enterprise authentication, B2B trust, consumer identity protection, etc. Imagine what Symantec can do if it ships every copy of endpoint security software with an X.509 certificate. In my mind, this opens up a whole host of possibilities.

In the next few years, large organizations will realize that encryption technologies have become ubiquitous across the enterprise with no central management. This could be a real problem for data restoration, especially in a disaster recovery situation. At that point, they will look for partners to bring order, processes, and central control to this chaos. As of today, Symantec is extremely well positioned for this burgeoning–and extremely critical–market opportunity.

PGP’s “Under the Radar” Acquisition

Tuesday, February 2nd, 2010

Today, PGP announced that it plans to acquire TC TrustCenter and ChosenSecurity. Never heard of them? You are not alone. Basically, TC TrustCenter and ChosenSecurity provide Software-as-a-Service (SaaS) for Internet-based trust relationships.

Okay, some of you may think that this is simply a way to spin PKI (public key infrastructure) into marketing-speak, and you are right to some extent. Why bury the PKI lede? Unfortunately, there is a stigma around PKI that has lingered for years. In the past, few applications supported PKI, and enterprise PKI servers were simply too difficult to install and manage. Yes, security professionals understand the benefits of PKI, but they were scared to death of it thanks to implementation, customization, and administration horror stories.

TC TrustCenter and ChosenSecurity didn’t change PKI, they simply mastered it and made it virtually transparent to customers. As a result, PKI can be embedded into applications, identities, and systems as a service.

To me, this acquisition has upside potential for PGP far beyond existing business growth because:

  1. PKI may be the perfect SaaS offering: It offers tremendous value without the resource commitment in skills, product acquisition, administration, etc.
  2. What’s one of the things that is broken on the Internet? The element of trust. If I don’t know if a site is trustworthy, how can I be sure if downloaded software will perform as advertised or turn my system into a zombie? The same holds true for systems, individuals, transactions, etc. PKI, if implemented and managed correctly by a trusted third-party, can help address this problem.
  3. In my humble opinion, PKI as a service will be baked into a lot of things in the future (like cloud computing, for example).
  4. I don’t know how much business PGP does with the U.S. federal government or other national governments now, but it just put itself in a position to do a heck of a lot more.
  5. Finally, when we encrypt most of our data in the future, someone will have to manage millions of net new encryption keys. PGP is now in a position to act as a key management or key escrow service.

I could go on and on, but I won’t. I’ve always been one of the few fans of PKI, so PKI as a service brings out the excitable geek in me. Obviously, some of the folks at PGP share this enthusiasm.

© 2011 Enterprise Strategy Group, Milford, MA 01757
