EMC Shifts the Security/Storage Landscape

EMC's acquisition of RSA Security

"EMC is where information lives, and tomorrow you will see that it will be where information lives securely," said CEO Joe Tucci in a press conference.

In a recent meeting with VARBusiness, Lawrence Zulch, EMC Insignia's vice president and general manager, laid out for me the EMC storage life cycle: data creation, security, auditing and recovery. Of the four pillars, security, he said, was the weakest.

RSA -- reportedly acquired for $2.1 billion -- fills that gap nicely and provides EMC with a critical tool in the battle to protect data at all stages of its life. Security incidents have shifted over the past several years from network compromises and massive virus infections to ones of massive data theft. The Department of Veterans Affairs is still reeling from the loss of nearly 27 million personnel records. Bank of America somehow allowed 1.2 million federal employees' payroll data to disappear on errant backup tape. And CardSystems, a processor of MasterCard transactions, suffered a breach that may have exposed more than 40 million accountholders' information.

Storage and security are increasingly inseparable, since data is more vulnerable when it's at rest than at any point in its lifecycle. It's the entire reason why Symantec bought Veritas and SonicWall acquired Lasso Logic: If you can protect the data itself from any threat, it doesn't matter if it's compromised. The California Security Breach Information Act -- commonly referred to as SB 1386 -- requires companies doing business in the Golden State to notify customers when their personal information has been compromised; the only exception is if the data was encrypted.

What makes the EMC/RSA deal a game changer is the nature of the security RSA brings to the storage giant. Everyone will focus on the encryption since RSA is the world's leading encryption house and creator of RC-4 and DES algorithms. It also owns 80 percent of the token and USB token markets, and has a strong offering in the smart card space.

Identity management, though, is what makes this deal extremely interesting. RSA made the wise move in 2001 by acquiring Securant, then a growing maker of identity management software. The company morphed Securant into what is now the ClearTrust platform, which manages all stages of users' identities -- creation, ongoing management and revocation -- and interfaces with leading operating systems and its own IDM form factors.

Having a world-class IDM solution in its stable gives EMC a leg up on its competitors, which are also pushing into the security/storage space. Symantec and SonicWall are bolting conventional security solutions in front of their respective storage offerings. Network Appliance's acquisition of Decru gave it encryption, but it's not being integrated into core product lines. Hewlett-Packard did acquire the SelectAccess IDM technology from Baltimore Technologies, but has never really brought it to market.

RSA's encryption and IDM lines are nice complements to other security technologies already in the EMC portfolio. The acquisition of Documentum gave EMC an early, but leading technology in the digital-rights management space. And the recent acquisition of AUthentica gives it an interesting tool for controlling access to distributed information.

Only CA and IBM Tivoli have the same technology capabilities as the combined EMC/RSA. CA's Brightstor storage management and eTrust access control systems could be used to control granular control to data, but CA doesn't have the market reach or the hardware offerings as EMC. IBM Tivoli also has a strong IDM offering from its 2000 acquisition of Access 360, but has never converted that deal into market share or seamlessly integrated it into a holistic security/storage offering.

Looking over the M&A horizon, expect to see strong interest in Vormetric and NeoScale, two small storage encryption companies. NeoScale partners with EMC, Luminex, HP and Sun's StorageTek. Vormetric, which is geared more toward database storage, partners with IBM, Oracle and Sun. If the landscape in storage landscape is truly shifting toward integrated security, these companies could get snapped up by their larger technology partners.

But don't expect big changes overnight from the EMC/RSA deal. Integrating and implementing IDM systems is never an easy proposition. EMC will have to figure out how to integrate RSA in its core hardware and software solutions, and make new versions that are scalable from the enterprise to the midmarket -- not a simple proposition. And, if EMC CEO Joe Tucci and his lieutenants are wise, they'll also figure out a way to keep the RSA brand alive and make its IDM products available outside EMC's primary storage business. No doubt the process will take years to complete.

In fact, some may argue the RSA acquisition is little more than EMC's trying to preserve the premium pricing of its storage products through contrast selling -- selling core products and throwing in ancillary products as a discounted bonus.

The good news for EMC and RSA partners is that they will have powerful new tools in their storage/security quiver to bring to their customers. And, in many cases, the systems to come out of this deal will be so complex that customers will almost always need a solution provider and integrator to make deployments and maintain their systems.

Expect other storage vendors -- particularly HP -- to follow EMC into the security and IDM technology. Perhaps when the dust settles, we'll no longer have segregated security and storage technologies, but combined data integrity management (or some other new moniker) for this evolving market.