PGP Corporation - Library

26 July, 2006

It's been interesting watching the financial and industry analysts dissect the EMC acquisition of RSA and the announcement that Secure Computing would acquire CipherTrust. The latter deal has taken its lumps from Wall Street based on its structure (Secure Computing will assume significant debt to complete the transaction) while EMC continues to try to reassure industry analysts there is material product line synergy between the two organizations.

You've got to feel some sympathy for the team at EMC. When the RSA deal was first announced, EMC justified it as a general security play. When industry analysts and their Wall Street counterparts started scratching their heads, EMC announced that it would begin immediately to integrate RSA's encryption technology into its storage product lines. Although an obvious move, it leaves unaddressed the question of how RSA's token and other businesses add value to EMC. As I said earlier, I think this deal will be a huge win for EMC's customers as they integrate RSA's technology, talent, and culture. However, I also believe that some of the issues being raised by the analyst community are valid and that the company still must do quite a bit of work to convince the world that acquiring RSA is great for the company's joint shareholders.

There's little doubt that RSA's encryption products are world class, but they are primarily toolkits with which other companies (like PGP Corporation) build complete applications and solutions for businesses large and small. And although such tools are valuable, I believe EMC will discover that its customers have moved beyond being interested in buying toolkits or more security "plumbing".

All the senior IT executives with whom I talk are looking for complete applications and turnkey solutions that easily integrate with their existing (and increasingly fragile) infrastructure. New offerings in this space must comprehend the last 10 years' worth of buying decisions and accommodate the weaknesses of those existing infrastructure pieces while leveraging their strengths.

There is also little doubt that RSA and EMC can do a good job of protecting back-office assets by integrating encryption functionality into EMC's storage products. You've got to remember, however, that very little information is generated in the back office. The really interesting data that drives a business is generated and accessed in the front office. If you don't comprehend and incorporate this fact in the overall design architecture, you end up with an incomplete solution and (worse) a false sense of security. This situation does, in fact, highlight one of the great paradoxes of information security: What's important to protect (front-office information) isn't necessarily what's easy to protect (back-office information).

I say this because at PGP Corporation, we live with this paradox and the complexity it creates every day. It's the reason we've invested so heavily in developing an industrial-strength security platform atop which we can support a broad range of security solutions for the front and back office of any enterprise.

As they design their joint solution, I'm betting EMC/RSA will learn that just protecting the back office is an important, but dated and incomplete solution. Truly protecting information is a now holistic problem that requires holistic solutions to a broad range of blended threats. Next week, I'll examine some of these threats and why point products rarely provide enough protection.

- Phil

		/ Home / Newsroom / CEO Blog / EMC-RSA: Why Protecting Just the Back Office Isn't Enough

Newsroom Media Releases In The News Awards & Reviews Events Article Reprints CEO Blog Current Archives CTO Corner Executive Briefs Government Regulations Webcasts Newsletter		Subscribe to CEO Blog via RSS. EMC-RSA: Why Protecting Just the Back Office Isn't Enough 26 July, 2006 It's been interesting watching the financial and industry analysts dissect the EMC acquisition of RSA and the announcement that Secure Computing would acquire CipherTrust. The latter deal has taken its lumps from Wall Street based on its structure (Secure Computing will assume significant debt to complete the transaction) while EMC continues to try to reassure industry analysts there is material product line synergy between the two organizations. You've got to feel some sympathy for the team at EMC. When the RSA deal was first announced, EMC justified it as a general security play. When industry analysts and their Wall Street counterparts started scratching their heads, EMC announced that it would begin immediately to integrate RSA's encryption technology into its storage product lines. Although an obvious move, it leaves unaddressed the question of how RSA's token and other businesses add value to EMC. As I said earlier, I think this deal will be a huge win for EMC's customers as they integrate RSA's technology, talent, and culture. However, I also believe that some of the issues being raised by the analyst community are valid and that the company still must do quite a bit of work to convince the world that acquiring RSA is great for the company's joint shareholders. There's little doubt that RSA's encryption products are world class, but they are primarily toolkits with which other companies (like PGP Corporation) build complete applications and solutions for businesses large and small. And although such tools are valuable, I believe EMC will discover that its customers have moved beyond being interested in buying toolkits or more security "plumbing". All the senior IT executives with whom I talk are looking for complete applications and turnkey solutions that easily integrate with their existing (and increasingly fragile) infrastructure. New offerings in this space must comprehend the last 10 years' worth of buying decisions and accommodate the weaknesses of those existing infrastructure pieces while leveraging their strengths. There is also little doubt that RSA and EMC can do a good job of protecting back-office assets by integrating encryption functionality into EMC's storage products. You've got to remember, however, that very little information is generated in the back office. The really interesting data that drives a business is generated and accessed in the front office. If you don't comprehend and incorporate this fact in the overall design architecture, you end up with an incomplete solution and (worse) a false sense of security. This situation does, in fact, highlight one of the great paradoxes of information security: What's important to protect (front-office information) isn't necessarily what's easy to protect (back-office information). I say this because at PGP Corporation, we live with this paradox and the complexity it creates every day. It's the reason we've invested so heavily in developing an industrial-strength security platform atop which we can support a broad range of security solutions for the front and back office of any enterprise. As they design their joint solution, I'm betting EMC/RSA will learn that just protecting the back office is an important, but dated and incomplete solution. Truly protecting information is a now holistic problem that requires holistic solutions to a broad range of blended threats. Next week, I'll examine some of these threats and why point products rarely provide enough protection. - Phil Related Links EMC/RSA union draws mixed reviews EMC Defends 'Strategic' Purchase of RSA RSA defends EMC deal