
Protecting Information: In the Zoo or Out in the Jungle?
14 Feb, 2007


As it does every winter, the information security industry gathered last week in San Francisco for the annual RSA Conference. More than 300 vendors and 15,000 security professionals focused on one thing: making companies more secure. And there was one obvious and I think very positive development this year: For the first time, there was a real focus on protecting not just the network infrastructure, but also the data that resides therein.

We've been talking about the need to proactively protect confidential data and content since we reformed PGP Corporation 5 years ago; it now appears the rest of the industry has begun to understand that protecting the perimeter is necessary but not a sufficient approach. We are now seeing companies such as Cisco and Xerox host conference sessions focusing on "defending the data". When an infrastructure company like Cisco starts talking about content protection, you know something has changed. Even Craig Mundie, chief research and strategy officer at Microsoft, took up this topic in his keynote Tuesday morning.

The good news here at PGP Corporation is that our approach to protecting confidential information is being validated in both the enterprise and vendor communities. The bad news is that as everyone jumps on the data protection bandwagon, the rising ambient noise level creates more confusion than clarity.

Take for example the term "key manager". Key management is an important topic for me because it's critical to our customers and is provided by our PGP Universal™ product. And it's a difficult service to get right from an enterprise deployment perspective. I won't go into why it's hard in this forum, but trust me, it is—and that’s a major reason customers have adopted PGP Universal so widely since its launch 3 years ago.

So, when I saw secure storage vendors talk about key management this week, I had to smile. SAN and NAS companies are trying to solve a different and much narrower key management problem. From a storage vendor's perspective, key management means simply retaining the handful of keys used to encrypt and decrypt files on their way to and from the storage farm, all of it inside the firewall.

To use a metaphor, it's like the difference between managing a zoo and living in the jungle. In the zoo, there are lots of physical and logical protections surrounding everything—devices, data, and keys. Everything is predictable and controlled. Only a few people have access rights. The living is easy.

Enterprises live in the jungle, however, which is a much more challenging environment. The jungle is composed of tens of thousands of laptops, BlackBerry® devices, and cell phones on which information is actually used each day…unsecured, for the most part. Solving this problem involves a great deal more than key management, but key management is emblematic of the terminology dilemma I noted above.

To be truly scalable, an integrated key management system must be capable of managing both keys and policies in three very different environments:

  1. The data center for shared storage applications
  2. The distributed infrastructure that enables secure email, IM, and voice communications
  3. The mobile storage infrastructure made up of laptops and other smart devices

Trying to extend a key management platform designed around just one or two of these environments to applications for which it was not intended generally ends badly.

This wild kingdom metaphor also informs the new and increasingly rigorous testing required before new security technologies can be put into production. It's relatively easy, in my experience, to do extensive testing in the "zoo", but quite difficult to do the kind of extensive "jungle" testing to ensure a product is actually ready to be deployed.

The most common mistake I see new vendors make is in underestimating what it actually takes to scale a solution that works for a few hundred users to tens or hundreds of thousands of users. The other common mistake (and I've learned this one through hard experience) is assuming that enterprise communications infrastructures look more or less alike. The reality is that no two communications infrastructures are alike. New infrastructure security products must comprehend this diversity and embrace it to be deployable in more than a handful of circumstances.

As an industry, we still have a ways to go before we will see a material decrease in the number of reported data breaches. However, I think one of the key lessons of the 2007 RSA Conference is that you need to protect confidential information in the zoo and the jungle, and consumers of security technology need to ensure they know which companies can solve each problem most effectively.

- Phil

Related Links
RSA Conference 2007