A Key To Security In The Custom System Channel


Encryption offerings give system builders secure option


Like many IT security technologies, encryption has undergone a kind of reinvention.

Often the invisible solution, encryption for years has been offered by companies such as PGP as a way to protect data both at rest and in motion.

And to this day the biggest deployments of encryption are around e-mail, which has gained ground in the SMB market, and endpoints, with products such as PGP Whole Disk Encryption and PGP Universal Gateway Email and Desktop Email.

But a wave of new mobile devices, compliance regulations and cloud technologies has set the stage for encryption to experience a kind of renaissance, while paving the way for channel partners to start new conversations with end-user customers.

In general, analysts and other industry experts agree that the growth potential for encryption appears to be primed for an upswing. Studies show that sensitive and financial data is increasingly at risk as more information is stored on mobile devices such as laptops and smartphones. According to the Gartner Group, one laptop is stolen every minute, while 25 percent of all PC users suffer from data loss each year.

"There's increased interest in encryption. A lot of companies have realized how vulnerable their company is about the data online," said Tim Matthews, director of product marketing for Symantec, formerly of PGP. "There's an increase in consumers concerned about their own privacy, their own proprietary information and want to keep their data secure."

Meanwhile, the Ponemon Institute's annual "Cost Of A Data Breach" survey, released in January 2010, determined that end user organizations experiencing a data breach will pay an average of $204 per lost record, for a comprehensive cost of more than $6 million. In addition, 36 percent of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices such as smartphones, while stolen mobile devices jacked up the cost of a data breach to $224 per compromised record.

"It's not just a value-add. Encryption is a necessity," said Luigi Giovannetti, co-founder and vice president of CPU Sales and Services, based in Woburn, Mass. "I think that someone has to get burnt or get in trouble for someone else to say, that could have been me. Someone has to learn the hard way."

That's where the channel comes in. The myriad new technologies open up wide opportunities for system builders and solution providers.

Experts say that the proliferation of mobile technologies in the workplace, such as laptops and smartphones, particularly consumer devices, will further propel encryption growth. As such, they say mobile encryption is still at the beginning of its growth curve.

In addition to USB sticks and laptops, encryption for mobile devices will likely experience an upswing on consumer smartphones, such as Droids and iPhones, as well as personal BlackBerrys, especially as more users rely on their own personal mobile devices for work-related use.

"With things getting more portable nowadays, there needs to be portable encryption on the go, anywhere in the world," said Jordan Grill, product development manager for ENC Security Systems, which recently launched the EncryptStick software platform, designed to store important files within an unlimited number of encrypted vaults on any type of hard drive, flash drive and network server.

"Flash drives are just the tip of the iceberg of portable devices. On BlackBerrys, a lot of that information is not encrypted. If important documents are not being secured, you're responsible," Grill said.

IDC, for its part, projects that the encryption market is likely to reach $1.7 billion by 2013, driven, in part, by a slew of data protection laws such as HITECH, HIPAA and the UK Data Protection Acts, which require organizations to encrypt sensitive information and uphold privacy standards. Looking ahead, compliance appears to be an integral component of future encryption growth, experts say.

"There's a lot more legislative action that mandates the use of encryption if they want to be free of civil lawsuits," said Symantec's Matthews. "That backdrop has caused a lot more attention and probably will cause a lot more growth. It's a worldwide trend."

A few states have taken legislative initiatives even further, initiating statewide encryption laws, and more are expected to follow suit. Encryption was brought to the forefront of the U.S. legislative conversation this March. A newly implemented Massachusetts law outlines a detailed set of security standards designed to mitigate the risk of a security breach; it requires that organizations implement encryption to protect transmitted records and files containing personal information that travel the entirety of the organization's networks, as well as all data traveling over wireless networks and all personal information stored on laptops and other mobile devices.

Massachusetts was the second state in the nation to implement comprehensive encryption requirements after Nevada, which enacted encryption legislation in October 2008.

"There's talk about a federal law. It's probably going to be a multi-year trend," Matthews said. "There's a big opportunity for channel partners to bring solutions to companies, especially bringing solutions to smaller companies who don't have an educated security team in place internally. Regardless of the law, if you're a Fortune 50 or a struggling start-up, if you have a data breach, you will be fined and the fines can be significant."

In addition to a spate of encryption technologies, channel partners say that a lot of encryption growth will be boosted by comprehensive education and involved conversations about security threats, data breaches and nuanced compliance regulations.

"I'm not going to make one sale and solve your problems. There is no piece of software you can sell and you're all set. It's a process," Giovannetti said.

Impending encryption growth was underscored when Symantec acquired encryption companies PGP and GuardianEdge for $300 million and $70 million in cash, respectively, giving the security giant a major leg up in the marketplace with its newfound access to encryption for full-disk, removable media, e-mail, file folder and smartphones.

Despite the fact that encryption companies are increasingly being consolidated into larger security organizations, some partners contend that encryption will likely remain a standalone product, as opposed to being rolled into larger security suites.

Leo Bletnitsky, CEO of Las Vegas MedIT, based in Las Vegas, said that customers simply aren't willing to pay elevated prices for the inclusion of encryption in existing security products, and encryption "ends up being a separate product or a completely separate vendor."

"There are a lot of vendors like Trend Micro that have encryption gateway solutions (Encryption for E-mail Gateways). Even there, they're standalone products, not integrated with their antivirus," Bletnitsky said. "I just don't know if people will be willing to pay more money for that. I don't think you have enough takers."

But encryption's versatility as a standalone will enable it to have strong play in niche verticals, and experience growth as it becomes more tailored to meet the increasingly stringent requirements of regulatory compliance mandates, such as the Payment Card Industry Data Security Standard (PCI DSS), implemented by credit card companies and processors.

One such solution, from security company Trustwave, fills that gap with a recently released end-to-end encryption solution targeting merchants, which, among other things, encrypts Primary Account Number data and card track data on the card's magnetic stripe throughout the entirety of a transaction.

And as with everything else, the cloud will inevitably play a major role in future encryption technologies. Encryption solutions deployed in the cloud are already on the market. One such offering is provided by Beachhead Solutions, which recently launched a PC encryption and security tool deployed and managed entirely through the cloud as a subscription or managed service provided through reseller MSPs.

Thus far, the biggest deployment of encryption in the cloud is via e-mail security, and protecting backups and shared drives in the cloud.

And security experts say that other SaaS encryption deployments will likely expand as cloud technologies become more widely adopted. Down the road, the cloud could likely be the tool used to encrypt all information by default, and then decrypt it when it needs to be used, experts say. However, turnkey solutions for a default encrypted state are a few years out, at the bare minimum, Matthews said.

"This idea is of encryption being more pervasive. Not just laptop encryption, but how can I have encryption be more prevalent, as a default state?" Matthews said. "That is the future vision that is playing to the cloud really well."