Security issues? What security issues?
20 June, 2006

It's been interesting watching the IT analyst community "rediscover" the encryption market recently. Having nearly ignored the space since the collapse of the PKI market 5 years ago, a number of analysts have started to cover the content security market again. Much of what's been written recently, however, seems to fall into the category of "a good look in the rearview mirror".

Many analysts are defining the encryption or content security market in terms that would have been accurate 5 years ago, but no longer capture the market dynamic now driving this sector. Much of what I've seen lately focuses (quite well) on the gateway encryption or B-to-C content delivery segments. Although interesting and easy to study, neither of these areas is the compelling story today. Please understand that much of the current analysis is first-rate work. It's just that I spend much of my time in the field meeting with customers in the middle of these decisions, and I'm simply hearing different things than I'm reading from the leading analyst firms.

What I keep hearing in meetings from California to Germany is that the really hard issue facing enterprise IT organizations is not when and how to deploy point solutions for email, laptop encryption, or even secure telephony. The decision senior IT professionals are now dealing with is how and when to deploy the security infrastructure on which these applications will be based. The reason they're focused on the latter issue is that there is far more money and risk associated with the infrastructure decision than with the application decision. There are also many issues to be considered in making the infrastructure decision:

  • Evaluating whether or not the existing security infrastructure includes preexisting PKI products
  • Complying with the myriad regional laws that dictate how encryption can and cannot be deployed
  • Ensuring that the underlying infrastructure is both "future-proof" and extensible to any possible new security applications

As you can see, this isn't a decision for the faint of heart or the under-informed. It must be taken carefully with broad consensus across the enterprise to ensure long-term success.

The other misconception I've seen propagated in much of what's being written by the analyst community recently is that acquisition of content security solutions is still being driven primarily by regulatory and compliance concerns. Again, although these are two important drivers in this space, the really forward-looking companies I've been talking with lately are much more concerned about internal data breaches than the regulatory environment.

Although Sarbanes-Oxley, California SB 1386, and the pending U.S. federal security legislation will certainly have an ancillary effect on the deployment of content security systems, it is the threat of both deliberate and inadvertent internal breaches that is causing IT security officers globally to order the deployment of current-generation security solutions. Most enterprises have awakened to the realization that the world is a dangerous place and that only by taking proactive steps to secure confidential information can they completely protect their shareholders, customers, and partners.

The question is how you can distinguish a vendor with a great point solution from one that can offer a "future-proof" infrastructure on which you can build the security applications you'll need in the next 3 to 5 years, plus the as-yet-unknown solutions that tend to render non-extensible systems obsolete. All IT professionals have their favorite list of questions. Here's my short list:

  1. How does your product handle integration of the small pockets of legacy PKI and X.509 certificates we have in the corporation? (Yes, I know the world has moved beyond these systems, but they are so deeply embedded in the applications they serve, we'll never be able to take them out.)
  2. Can your product use the same key store and key management system to deploy across email, disk, storage, and telephony applications?
  3. How does your product require me to alter my existing email and directory infrastructure? (This is really a trick question because the only correct answer is, "It doesn't".)
- Phil
