Archive for Data Breach
CEO Blog
We are, of course, very pleased to announce the acquisition of TC TrustCenter and its US parent company, Chosen Security. You can read the details and view a short presentation describing the reasons for this acquisition here. I didn’t want to let the week pass, however, without offering a personal perspective on why PGP Corporation needs to have a position in the trust services market and why we chose TC TrustCenter as our way of providing these services.
When we started PGP Corporation seven years ago we were focused on building the most robust and easiest to use encryption solutions in the world. We had watched the first generation of PKI companies approach this problem from the direction of offering “trusted communications” and concluded the market and users in particular weren’t ready for that approach.
In 2002, enterprises and individuals had data privacy issues they needed resolved, but they needed them resolved quickly and within the context of the then-existing communications infrastructure. That infrastructure was not yet ready to support a new, heavy-duty layer of security infrastructure. It would have been similar to building a 100-floor steel and glass skyscraper directly atop a three-story brownstone. So instead, PGP Corporation focused on applications that protect data in motion and at rest and integrated them into a single, comprehensive management platform.
Fast forward to 2010, and the world and the approach to data protection have evolved. While enterprises are now spending more than ever to protect their networks, it’s commonly understood that network security technology is not keeping pace with the threats now aimed at those networks. The cost of data breaches continues to rise even though most forms of electronic communication have some form of security either built in or layered atop them. Nearly all of these security approaches depend upon keys and certificates that are used either to encrypt the content or to guarantee the identity of the sender and/or receiver.
The problem is that there are now so many of these certificates in use for so many different purposes that it has become nearly impossible for an enterprise to effectively manage them all, let alone determine which are current and valid. This problem will only get worse as the world’s hacker community begins to exploit the weaknesses in the current certificate generation, distribution and management systems. We’ve already seen attempts to insert “bandit keys” into corporate key chains to allow hackers to read encrypted email. We can expect exploits such as this one to multiply in the coming years. For this reason, we decided last year that PGP Corporation would need to extend its encryption and security product line to include trust services so that our customers can use our products with confidence while communicating with the broadest range of customers, partners, and regulators globally.
We chose TC TrustCenter as our path to market for two reasons. First, they bring unprecedented breadth and depth of experience to the trust services market. Their executive team has dozens of years of experience in the space and a proven track record of building successful security businesses.
Second, the way they have designed and built their products is completely consistent with PGP Corporation’s worldview. TC TrustCenter’s platform enables secure electronic transactions across individuals, servers, and mobile devices.
Today’s announcement, of course, is just the beginning. In the coming months we’ll be telling you about our vision of how combining trust services with the PGP® Encryption Platform will allow us to build solutions to address threats that are just now emerging. With hackers stockpiling Zero Day threats, and more applications and data moving into the cloud, these new security solutions will be required business enablers of the cloud migration plans for many enterprises. With the combined offerings of PGP Corporation, Chosen Security and TC TrustCenter, we will address threats aimed directly at IT infrastructure as well as the increasing number of threats now targeting endpoint devices. These trusted offerings will not only build confidence in the infrastructure of an organization, they will build confidence to withstand threats to data as it moves in and out of an organization.
We are very excited by the opportunities that combining our two companies and technologies offers us. I welcome my new TC TrustCenter and Chosen Security colleagues to the PGP Corporation family.
Filed under: CEO Blog
Tags: CA, Chosen Security, Data Breach, PKI, TC Trust Center, zero day threat
Comments: No Comments
CEO Blog
The U.S. House of Representatives delivered an early Christmas present last month when it passed the Data Accountability and Trust Act (DATA). HR 2221, sponsored by Representative Bobby Rush (D-IL), is just about everything you’d want in a well-considered piece of legislation on such a complex topic. The bill not only protects consumers by requiring nearly all businesses to take steps to protect personally identifiable information at rest and in motion, it also requires companies to publicly disclose any breaches of that data. HR 2221 singles out data brokers as a special class and requires that they put processes in place to protect the information they maintain and submit to periodic audits to ensure they comply.
The DATA act also addresses a growing concern on the part of consumers by requiring that data brokers provide a method for individuals to prevent their personal information from being used for certain marketing purposes. Responsible consumer brand companies have long had access to far more information about us than they were comfortable using and adopted an informal code of conduct that constrained their use of that data. HR 2221 gives that code of conduct the force of law and applies to all companies involved in interstate commerce.
Besides providing extensive consumer protection, the DATA act also provides businesses a reasonable “safe harbor” by declaring loss of data that is “unusable, unreadable, or indecipherable” by the use of encryption or other technology not subject to the breach disclosure requirements. This bill also, of course, will unify the existing 47 state data breach bills now in effect. The fact that the DATA act has passed doesn’t make it law, however, as it now needs to be modified in committee to make it consistent with whatever bill the Senate passes (there are two under consideration).
Even when a federal bill does become law, it will not completely end the debate over various state laws that address issues on topics where the federal bill is silent. The primary example of this is the Massachusetts data protection act (201 CMR 17). The Massachusetts law, set to take effect next March, specifies exactly what classes of data must be protected based on physical attributes, not just content. It also specifies exactly what types of technology must be used to protect them. While the diligence of the Massachusetts legislators is laudable, history demonstrates that this type of prescriptive legislation involving rapidly evolving technologies generally creates as many problems as it solves. An excellent example of the issues being raised by 201 CMR 17 can be found on TechTarget’s SearchCompliance site.
The passage of HR 2221 will also have important implications internationally as it is likely to form the basis upon which the Federal Trade Commission will commence negotiations to create consistency in breach regulations with the European Union. As I’ve noted before, the EU continues to lead the way in enforcing some of the most stringent privacy regulations on the Internet. Continuing this trend, the UK’s Information Commissioner last week published a draft policy that, if adopted, will severely limit the ability of web sites to track user behavior. With regulators in the Euro zone moving ahead on their plans to provide even more privacy safeguards for their citizens, it’s critical that U.S. regulators finalize the data breach requirements so they can focus on some of the more current issues.
It will take some time to work out how the pending federal bill will impact some of the regulations imposed by state regulators and how enterprises can best comply with the new requirements. Overall though, it was a very good month on the data protection front, and we can only hope the Senate acts quickly to deliver the final bill for which Americans have been waiting so patiently.
Filed under: CEO Blog
Tags: DATA Act, Data Breach, HR 2221, Massachusetts 201 CMR 17, Representative Bobby Rush
Comments: No Comments
Perspectives
These days you don’t need to wait for holiday sales to buy the tiniest, highest capacity USB thumb drive you can find. A 2GB USB drive sells for under $10 in the US, and works great to put family pictures, your favorite music (yes, the 80s were a good era) and oh yeah, the customer files you need to share with Bob at the audit firm. There’s only one problem: these drives tend to get lost easily, or, as often happens, you just can’t remember where you put it. If that happens, you have now put confidential company data (and possibly personal data) out into the world, free for all to see. This can very quickly turn into an organizational nightmare when it turns out that the drive was indeed lost, and now your organization has to inform investors, its customers, and just about everybody else about this loss. A look at the latest data breach headlines shows that loss of USB drives and CDs/DVDs is, unfortunately, still very much a reality. From the financial damage to the emotional damage data loss can cause, it’s no wonder Information Technology (IT) security officers lie awake at night wondering how to secure data that is entering, residing on, and leaving USB drives and CDs/DVDs.
As you get ready with your Windows 7 upgrades, it is essential to think about your device and media protection strategy.
The good news is, with PGP Portable, you can instantly secure any removable device or optical media, and we mean any. No need to invest in costly encrypted USB drives with their own asset management consoles, and no need to worry about cross-platform issues with native Windows solutions.
Simply right click, and convert any USB drive (or folder) into an encrypted container, drag and drop files, and share the drive. With PGP Portable, there’s no need to install any software to access data on the PGP Portable-enabled drive. So now you can encrypt the USB drive lying in your office drawer, drop files into it (just like a regular drive), and drop it in the office mail for Bob at the audit firm.
Call Bob and give him the passphrase you used (using a secure method). Bob then inserts the drive into his Windows PC (or a Mac!), enters the passphrase you gave him, and reads or modifies the files as he wishes.
Yes, it is just that easy.
1. Insert any USB drive. Select the USB drive, right-click, and create a PGP Portable Disk.
2. Create a passphrase. The image below shows creation of PGP Portable-protected folders (which can then be burned onto optical media for sharing).
3. To access the encrypted data, simply insert the USB drive or CD/DVD into any Windows or Mac OS X system. Enter the correct passphrase, and access the data!
Although there are some hardware and native software solutions that protect removable devices, they don’t always offer a complete solution. What’s nice about PGP Portable is that:
i) Unlike the native BitLocker To Go on Windows 7, it protects USB drives and CDs/DVDs (yes, Blu-ray too!). So next time you’re distributing the latest revision of documents to partners or your field force, rest assured the data stays protected.
ii) PGP Portable-enabled devices can be shared with Windows and Apple® Mac OS X users, without requiring any software installation to access the data.
iii) There are no application windows you need to work with, or additional steps you need to take to access or modify these files. You work within the secure container just as you would with a regular USB drive, using your operating system’s native file explorer. You can also change the passphrase (provided you know the old one, of course).
iv) It can be centrally managed. This ensures IT officers can enforce their corporate security policy automatically and easily.
v) My favorite: it is software based, which means you can secure any USB drive. Personally, I find carrying and using a specialized encrypted USB drive to be expensive and cumbersome.
Filed under: Perspectives
Tags: Data Breach, Data sharing, PGP Portable, Windows 7
Comments: No Comments
Perspectives
Robin Witty, Senior Product Marketing Manager
Are your company’s emails really secure? Do you know for sure, when most email sent over the Internet is in clear text and can be read by anyone with simple tools and know-how? Similar to the old party line telephone systems where neighbors could listen in on your phone calls, unauthorized parties can obtain confidential information from unencrypted corporate emails, including valuable intellectual property or third party data that may require protection regulated by law.
If you think email breaches can’t happen to your company, consider a couple of high profile email breaches. Sarah Palin’s personal emails were posted to the web and her password was changed by a hacker. A Twitter executive’s confidential business emails and documents were hacked, read and posted to the web. Twitter had to reassure their users that customers’ personal information was not compromised.
Encrypting email is a smart way to prevent email breaches. Osterman Research delves into this topic in their “The Critical Need for Encrypted Email and File Transfer Solutions” white paper, an important read for IT and business managers alike. From the white paper: “An email sent across the Internet is … like a message on a postcard that anyone can read along the way. However, an email or file sent in clear text offers much more exposure than a postcard because of the nature of transmission itself. … Hackers or others with malicious intent can intercept email messages and read them simply by placing packet sniffers on the network.” While email in transit is certainly at risk, it’s even more vulnerable while at rest on the internal, external recipient, and Internet mail servers where it resides before, during, and after delivery. You just don’t know where in the world that email goes before it reaches its destination, but you can be pretty sure it’s not a straight line to the recipient.
When email is encrypted from end-to-end, the email and attachments are always protected – while stored and in transit, as well as both inside and outside the company. Encryption at the gateway protects email mainly from external threats. Other encryption solutions for disk, file, server, databases, etc. can also protect the data throughout its lifecycle. Some email encryption solutions can also interoperate or function alongside other email hygiene systems like antivirus so corporate email systems can be protected from other threats as well.
Encryption is quickly becoming a best practice to protect against unauthorized access to email contents and new email threats that you may not even know about yet. To learn more about protecting your email and email attachments, click here to download the Osterman Research, “The Critical Need for Encrypted Email and File Transfer Solutions”, July 2009 white paper.
Filed under: Perspectives
Tags: breach, Data Breach, email, Email Breach, Encryption, Osterman, Protection
Comments: No Comments
Perspectives
Johns Hopkins Hospital recently announced a data breach that resulted from a single employee working in patient registration who accessed more than 10,000 pieces of personally identifying information. Reports of fraud started back in January and have been traced to records at Johns Hopkins.
The employee in question has been linked to a larger driver’s license fraud scheme in nearby Virginia. These types of incidents have been appearing more and more; while we protect against attacks coming across the internet with firewalls, and malware threats with endpoint protection, it’s getting easier to go after the valuable personally identifiable information directly, by planting an employee inside the organization or simply coercing an employee already in the system with a pay-off, especially low-paid administrative staff.
The employee in question is expected to be indicted, but this still raises some questions: who has access to your business’s sensitive data, and why? While administrative staff need to have appropriate access rights in order to fulfill their job functions, access to all patient records containing personally identifiable information is likely excessive. Of note, this is not the first incident at Johns Hopkins Hospital, as there were reports in 2007 of a contractor stealing backup tapes with over 135,000 patient and employee records. In neither case was the data encrypted.
The hospital, in an attempt to put the public at ease, has stressed that this was not part of a hacking incident, but simply theft by one of their own employees. Whew, well that’s a relief. While we have become smarter at securing the borders of our businesses, we cannot forget the potential threat that comes from within; we must ensure that only those who need access to the data have it, that the access is logged, and that the rest is fully encrypted.
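The two controls the post ends on, least-privilege access and access logging, only pay off if someone actually reads the log. As an added example (not code from the post or from the hospital), the script below runs two checks over a constructed audit log: an out-of-role check against a hypothetical role policy, and a volume check that flags a user who touches far more distinct patient records in a day than peers in the same role. Log format, user names, role policy and thresholds are all constructed for this example.

```python
"""Two access-audit checks over a constructed hospital audit log.

The checks follow from the post's recommendations: grant only the access a role
needs, and log what is accessed. Log format, role policy and thresholds are all
hypothetical, constructed for this example.
"""
from collections import defaultdict
from statistics import median

# Hypothetical least-privilege policy: which actions each role is entitled to.
ROLE_ALLOWED = {
    "registration": {"view_demographics", "create_registration"},
    "physician": {"view_demographics", "view_full_chart"},
}


def build_sample_log():
    """Constructed audit lines: 'date user role action patient_id' (no real data)."""
    lines = []
    # Three registration clerks doing a normal day's lookups.
    for user, count in (("jdoe", 30), ("asmith", 35), ("bwong", 28)):
        lines += [f"2009-05-04 {user} registration view_demographics P{1000 + i}"
                  for i in range(count)]
    # One clerk touching hundreds of records, plus a few full-chart views the role lacks.
    lines += [f"2009-05-04 mlee registration view_demographics P{5000 + i}"
              for i in range(600)]
    lines += [f"2009-05-04 mlee registration view_full_chart P{5000 + i}"
              for i in range(3)]
    # A physician viewing full charts, which is within that role.
    lines += [f"2009-05-04 drpatel physician view_full_chart P{7000 + i}"
              for i in range(12)]
    lines.append("this line is malformed and must be skipped")
    return lines


def parse_audit_log(lines):
    """Parse whitespace-separated lines into event dicts, skipping malformed ones."""
    events = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: do not let it abort the whole audit
        date, user, role, action, patient = fields
        events.append({"date": date, "user": user, "role": role,
                       "action": action, "patient": patient})
    return events


def scope_violations(events):
    """Events whose action is outside the actor's role (least-privilege check)."""
    return [e for e in events
            if e["action"] not in ROLE_ALLOWED.get(e["role"], set())]


def volume_outliers(events, factor=5, floor=20):
    """Users who touched far more distinct patients per day than peers in the same role.

    A user is flagged when their distinct-patient count exceeds both `floor` and
    `factor` times the median of the *other* users in the same role that day.
    Using peers only means one heavy user cannot raise their own threshold.
    """
    per_user = defaultdict(set)  # (date, role, user) -> distinct patient ids
    for e in events:
        per_user[(e["date"], e["role"], e["user"])].add(e["patient"])

    by_group = defaultdict(dict)  # (date, role) -> {user: distinct count}
    for (date, role, user), patients in per_user.items():
        by_group[(date, role)][user] = len(patients)

    flagged = []
    for (date, role), counts in by_group.items():
        for user, n in counts.items():
            peers = [c for u, c in counts.items() if u != user]
            threshold = max(floor, factor * median(peers)) if peers else floor
            if n > threshold:
                flagged.append({"date": date, "role": role, "user": user,
                                "distinct_patients": n, "threshold": threshold})
    return sorted(flagged, key=lambda f: -f["distinct_patients"])


if __name__ == "__main__":
    evts = parse_audit_log(build_sample_log())
    for v in scope_violations(evts):
        print("OUT-OF-ROLE", v["user"], v["role"], v["action"], v["patient"])
    for f in volume_outliers(evts):
        print("VOLUME", f["user"], f["distinct_patients"], "vs threshold", f["threshold"])
```

In the constructed data the clerk with 600 distinct records is flagged against a peer-derived threshold of 150, while the lone physician is compared only against the floor and is not flagged.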
Filed under: Perspectives
Tags: Data Breach, Identity Theft, insider threat, Johns Hopkins, malware, Personally Identifying Information, PII
Comments: No Comments
CEO Blog
Our old friend Larry Ponemon released a disturbing report this week that described the extent to which laid off employees take confidential corporate data with them. According to the report nearly 60 percent of those surveyed admitted to stealing company data when they were terminated. In addition, almost 2/3 of those surveyed conceded they’d leveraged confidential corporate data to find subsequent new employment.
I frequently see reports that measure how much CIOs and CISOs worry about this type of insider threat, but this is the first research I’ve seen that attempts to measure the problem from the other side. While these numbers are somewhat higher than I expected, I’m not at all surprised at just how “leaky” companies seem to be, given how long I think we’ve understood this problem. What this new Ponemon study highlights is just how much work we have yet to do to achieve an acceptable level of protection not only for our own confidential information, but for the data all businesses protect for their customers, suppliers and partners.
As we reported last month, the cost of data breaches continues to rise, and given the state of the economy, I believe the frequency of breaches will only rise as well. To be clear, there are no easy or cheap answers to this problem. It’s going to take development and deployment of new policies, technologies, and educational programs to even address it, let alone solve it.
Filed under: CEO Blog
Tags: Data Breach, insider threat
Comments: No Comments
Cybercrime Grit & Grime
As a lifelong resident of California I’d be the first to admit that state politics on the left coast can sometimes be a little peculiar.
Last month with the Governor and the Legislature at their traditional impasse over the state budget, the Governor was threatening to veto the budget AND more than 900 other bills if the Legislature voted to over-ride his budget veto. Finally, on September 18 the governor and the legislature agreed on a budget (80 days late). With this piece of business out of the way, Governor Schwarzenegger turned his attention to processing the 896 bills passed by the legislature in the wake of the budget deal.
Unfortunately, this didn’t leave the governor enough time to do the standard due diligence on which bills to sign or veto. In California the governor must do one or the other, as we have a sort of “reverse pocket veto” law that means that any bill not proactively vetoed becomes law. So, last week saw our governor vetoing bills at a rate that was projected to surpass his own record of more than 300 for the year. The governor was vetoing so many bills that he didn’t have time to explain his reasoning for most of them. Presumably he’ll have a chance to explain to the California electorate his reasoning for negating the work of both houses of the state legislature on more than 1/3 of the bills they sent to him last month.
One of the vetoes Governor Schwarzenegger DID explain was AB 1656, known as the Consumer Data Protection Act. This is actually the second time the governor has vetoed essentially the same bill, having done so last year as well. In his veto message, the governor explained, “As I stated in last year’s veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers.” The governor also explained that he believed current industry “best practices” were both adequate and would be able to evolve more quickly if merchants were not required by statute to protect confidential information in specific ways. Finally, the governor asserted his belief that the bill would saddle merchants (and the state) with unacceptable costs in the event of a data breach.
On the face of it this seems like a credible explanation, but the more I looked into the bill and its supporters, the more I think there’s actually a more subtle issue at stake here that neither the bill’s supporters nor its opponents wish to debate directly. Essentially there are two lobbying groups promoting their constituencies’ commercial interests on either side of AB 1656.
On one side we have the state’s Credit Unions represented by the California Credit Union League (CCUL). The CCUL member institutions (like many commercial banks) issue credit cards to their members and under the federal Gramm-Leach-Bliley Act bear most of the cost of notifying card holders in the event of a breach, reissuing new cards, and providing restitution to card holders that lose assets due to the breach. The problem with this model is that data breaches are rarely caused by the card issuing banks and credit unions. Many breaches occur because of security lapses on the part of the merchants that accept credit cards. What the CCUL and other supporters of AB 1656 are actually trying to do is to shift the costs of dealing with data breaches upstream to the retailers frequently responsible for them.
On the other side of the AB 1656 debate we have the California Retailers Association (CRA) and a host of other merchant advocacy groups. The retailers’ position is that they are already paying their fair share of breach remediation in the processing fees they pay to the card issuers on each transaction, and there’s some logic to their argument. What bothers me about this is that it still leaves the issuers with ultimate liability for events over which they have only indirect control. Issuers typically have the right to cancel a merchant if their fraud rate exceeds a negotiated threshold or the merchant fails to comply with other contractual terms. So the CRA’s position is that this issue is better dealt with contractually than via legislation.
I’m guessing the reason this issue is being led by the CCUL (and not the leading card issuing banks) is that they have much less leverage with the merchant community, particularly the big chains that make up the majority of transactions. They are, therefore, more exposed to big losses and less able to absorb them in the event of a large breach.
I don’t honestly know what the best way of assigning liability in these cases is, but as I noted above, the status quo doesn’t seem entirely just, nor does it appear to provide sufficient motivation for the merchants to do everything required to protect their customers’ confidential information. Fortunately, we’ll have a relatively clean set of test data available soon, as Minnesota passed a very similar bill known as the Plastic Card Security Act. So hopefully we’ll be able to revisit this topic in a year or so and objectively assess whether legislation or negotiation leads to the best solution.
Filed under: Cybercrime Grit & Grime
Tags: AB 1656, cost, Data Breach, plastic card security act
Comments: No Comments
Cybercrime Grit & Grime
A report out of the Identity Theft Resource Center claims that the number of data breaches in 2008 has already surpassed 2007’s total of 446. While it’s intuitively obvious that the number of data breaches is increasing, I have a hard time putting much credence in the actual numbers reported by the ITRC or the reasons they cite for the increase.
The first problem with counting data breaches is that we all need to admit that the only statistics we see at all are reported data breaches. Until 2003, when California passed the watershed legislation in this field, SB 1386, very few breaches had to be reported and predictably almost none were. Initially, many global enterprises ignored SB 1386, assuming that if they didn’t have a presence in California they weren’t subject to its requirements. It took a while before most enterprises, particularly those outside of California, internalized the meaning of section 1798.92(a), which reads:
“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay…”
What this means, of course, is that any enterprise that has any customers in California is subject to the disclosure requirements of SB 1386. So, when the ITRC asserts that the growth in the number of breaches reported is due primarily to the increase in the number of states with similar statutes, I have a hard time with the assertion. I may be parochial here, but it just defies logic that the addition of four new state disclosure laws in 2007 in relatively unpopulous states (Arizona, Utah, New Hampshire and Vermont) can have a material effect on the number of reported breaches.
Then, of course, there’s a whole question of whether the difference reported by ITRC is even statistically material. I don’t have quite the time today to get into this, but to see an interesting contrarian point of view on this, check out the Chronicles of Dissent posting from December.
We can argue about the numbers all we want, but what seems clear at this point is that breaches likely are increasing in number and severity (number of records stolen). It also seems clear that the real drivers are the increasing skills and resources available to the bad guys. Buckle up, this is going to be an interesting ride.
Filed under: Cybercrime Grit & Grime
Tags: Chronicles of Dissent, Data Breach, disclosure, Identity Theft, Identity Theft Resource Center, SB 1386
Comments: No Comments
CEO Blog
This year marks the 60th anniversary of the creation of the Bulletin of Atomic Scientists’ famed Doomsday Clock. The clock was originally conceived as a way to promote the risks associated with the unconstrained proliferation of nuclear weapons. Although it’s certainly a morbid metaphor, there’s no denying the Doomsday Clock has achieved its primary objective: No nation has chosen to exercise its supposed first-strike capability since the clock first appeared.
In its 60 years, the clock has been “adjusted” 19 times. The closest to midnight (“doomsday”) we’ve been was in 1953 when the clock was set to 11:58pm on the occasion of the United States and the Soviet Union testing thermonuclear devices within 9 months of one another. The furthest from midnight to which the clock has been set was 11:43pm in 1991 when the same two nations signed the Strategic Arms Reduction Treaty. The clock was most recently adjusted in January of this year to 5 minutes to midnight in recognition of North Korea’s and Iran’s nuclear programs. I mention this anniversary because I think it’s an apt metaphor for what many private and public enterprises now face as they evaluate the ever-increasing threats from cyber terrorists and common criminals. Consider just three headlines we’ve seen in the last few months:
It’s impossible to read these stories and not conclude that we’re entering a new phase in the battle to protect information and the systems that contain it. The difference between this war and the one predicted by the Doomsday Clock is that each company, institution, and government will have to face their own privacy doomsday if they don’t take action now to prevent it.
As I’ve observed before, protecting confidential information in the current environment requires vigilance in protecting both the systems we use to process information and the information itself. I won’t rehash those arguments here, but I will point you to a resource focused on how to best protect confidential information in an increasingly dangerous world.
The Jericho Forum has been championing the idea of what they term “de-perimeterization” for a number of years. The basic idea behind de-perimeterization is that no matter how good your firewalls are and how well you manage them, you can’t completely protect confidential information because it now resides on so many devices outside the perimeter. In fact, the level of protection offered for those devices that do sit behind firewall devices is also diminishing with time. To do business today, you have to open ports in even the best firewalls, and that flow of transactions is inevitably accompanied by attacks. Eventually, one or more of those attacks will succeed, as TJX and others have so painfully learned.
The security experts at the Jericho Forum are much more knowledgeable and articulate on these issues than I am, and I’d encourage anyone who is a serious student of cybersecurity to become familiar with their materials. If you only have time to review one document, check out the Jericho Forum Commandments. It’s only two pages, and I guarantee it will open your eyes about how best to protect confidential information.
As the number and types of devices containing confidential information continue to proliferate (BlackBerry® devices, mobile phones, MP3 players, and even satellites), security experts in all enterprises need to consider what new threat models they face when only a fraction of their existing IT devices have firewall protection. Those that don’t begin thinking seriously about this issue now will start to hear their own doomsday clocks ticking ever louder.
- Phil
Filed under: CEO Blog
Tags: Data Breach, Doomsday Clock
Comments: No Comments
CEO Blog
It’s been interesting watching the IT analyst community “rediscover” the encryption market recently. Having nearly ignored the space since the collapse of the PKI market 5 years ago, a number of analysts have started to cover the content security market again. Much of what’s been written recently, however, seems to fall into the category of “a good look in the rearview mirror”.
Many analysts are defining the encryption or content security market in terms that would have been accurate 5 years ago, but no longer capture the market dynamic now driving this sector. Much of what I’ve seen lately focuses (quite well) on the gateway encryption or B-to-C content delivery segments. Although interesting and easy to study, neither of these areas is the compelling story today. Please understand that much of the current analysis is first-rate work. It’s just that I spend much of my time in the field meeting with customers in the middle of these decisions, and I’m simply hearing different things than I’m reading from the leading analyst firms.
What I keep hearing in meetings from California to Germany is that the really hard issue facing enterprise IT organizations is not when and how to deploy point solutions for email, laptop encryption, or even secure telephony. The decision senior IT professionals are now dealing with is how and when to deploy the security infrastructure on which these applications will be based. The reason they’re focused on the latter issue is that there is far more money and risk associated with the infrastructure decision than with the application decision. There are also many issues to be considered in making the infrastructure decision:
- Evaluating whether or not the existing security infrastructure includes preexisting PKI products
- Complying with the myriad regional laws that dictate how encryption can and cannot be deployed
- Ensuring that the underlying infrastructure is both “future-proof” and extensible to any possible new security applications
As you can see, this isn’t a decision for the faint of heart or the under-informed. It must be taken carefully with broad consensus across the enterprise to ensure long-term success.
The other misconception I’ve seen propagated in much of what’s being written by the analyst community recently is that acquisition of content security solutions is still being driven primarily by regulatory and compliance concerns. Again, although these are two important drivers in this space, the really forward-looking companies I’ve been talking with lately are much more concerned about internal data breaches than the regulatory environment.
Although Sarbanes-Oxley, California SB 1386, and the pending U.S. federal security legislation will certainly have an ancillary effect on the deployment of content security systems, it is the threat of both deliberate and inadvertent internal breaches that is causing IT security officers globally to order the deployment of current-generation security solutions. Most enterprises have awakened to the realization that the world is a dangerous place and that only by taking proactive steps to secure confidential information can they completely protect their shareholders, customers, and partners.
The question is how you can distinguish a vendor with a great point solution from one that can offer a “future-proof” infrastructure on which you can build the security applications you’ll need in the next 3 to 5 years plus the unknown solutions that tend to obsolete non-extensible systems. All IT professionals have their favorite list of questions. Here’s my short list:
- How does your product handle integration of the small pockets of legacy PKI and X.509 certificates we have in the corporation? (Yes, I know the world has moved beyond these systems, but they are so deeply embedded in the applications they serve, we’ll never be able to take them out.)
- Can your product use the same key store and key management system to deploy across email, disk, storage, and telephony applications?
- How does your product require me to alter my existing email and directory infrastructure? (This is really a trick question because the only correct answer is, “It doesn’t”.)
- Phil
Filed under: CEO Blog
Tags: California SB 1386, Data Breach, PKI, Sarbanes-Oxley