PGP Blogs

Archive for PKI

CEO Blog

PGP Acquisition of TC TrustCenter and Chosen Security
Friday, February 5th, 2010

We are, of course, very pleased to announce the acquisition of TC TrustCenter and its US parent company, Chosen Security. You can read the details and view a short presentation describing the reasons for this acquisition here. I didn’t want to let the week pass, however, without offering a personal perspective on why PGP Corporation needs to have a position in the trust services market and why we chose TC TrustCenter as our way of providing these services.

When we started PGP Corporation seven years ago we were focused on building the most robust and easiest to use encryption solutions in the world. We had watched the first generation of PKI companies approach this problem from the direction of offering “trusted communications” and concluded the market and users in particular weren’t ready for that approach.

In 2002, enterprises and individuals had data privacy issues they needed resolved, but they needed them resolved quickly and within the context of the then-existent communications infrastructure. That infrastructure was not yet ready to support a new, heavy-duty layer of security infrastructure. It would have been similar to building a 100-floor steel and glass skyscraper directly atop a three-story brownstone. So, instead, PGP Corporation focused on applications that protect data in motion and at rest and integrated them into a single, comprehensive management platform.

Fast forward to 2010 and the world and the approach to data protection have evolved. While enterprises are now spending more than ever to protect their networks, it’s commonly understood that network security technology is not keeping pace with the threats now aimed at those networks. The cost of data breaches continues to rise even though most forms of electronic communication have some form of security either built in or layered atop them. Nearly all of these security approaches depend upon keys and certificates that are used either to encrypt the content or guarantee the identity of the sender and/or receiver.

The problem is that there are now so many of these certificates in use for so many different purposes that it has become nearly impossible for an enterprise to effectively manage them all, let alone determine which are current and valid.  This problem will only get worse as the world’s hacker community begins to exploit the weaknesses in the current certificate generation, distribution and management systems. We’ve already seen attempts to insert “bandit keys” into corporate key chains to allow hackers to read encrypted email. We can expect exploits such as this one to multiply in the coming years.  For this reason, we decided last year that PGP Corporation would need to extend its encryption and security product line to include trust services so that our customers can use our products with confidence while communicating with the broadest range of customers, partners, and regulators globally.

We chose TC TrustCenter as our path to market for two reasons. First, they bring unprecedented breadth and depth of experience to the trust services market. Their executive team has dozens of years of experience in the space and a proven track record of building successful security businesses.

Second, the way they have designed and built their products is completely consistent with PGP Corporation’s worldview. TC TrustCenter’s platform enables secure electronic transactions across individuals, servers, and mobile devices.

Today’s announcement, of course, is just the beginning. In the coming months we’ll be telling you about our vision of how combining trust services with the PGP® Encryption Platform will allow us to build solutions to address threats that are just now emerging. With hackers stockpiling Zero Day threats, and more applications and data moving into the cloud, these new security solutions will be required business enablers of the cloud migration plans for many enterprises. With the combined offerings of PGP Corporation, Chosen Security and TC TrustCenter, we will address threats aimed directly at IT infrastructure as well as the increasing number of threats now targeting endpoint devices. These trusted offerings will not only build confidence in the infrastructure of an organization, they will build confidence to withstand threats to data as it moves in and out of an organization.

We are very excited by the opportunities that combining our two companies and technologies offers us. I extend my welcome to my new TC TrustCenter and Chosen Security colleagues to the PGP Corporation family.

CEO Blog

Security issues? What security issues?
Tuesday, June 20th, 2006

It’s been interesting watching the IT analyst community “rediscover” the encryption market recently. Having nearly ignored the space since the collapse of the PKI market 5 years ago, a number of analysts have started to cover the content security market again. Much of what’s been written recently, however, seems to fall into the category of “a good look in the rearview mirror”.

Many analysts are defining the encryption or content security market in terms that would have been accurate 5 years ago, but no longer capture the market dynamic now driving this sector. Much of what I’ve seen lately focuses (quite well) on the gateway encryption or B-to-C content delivery segments. Although interesting and easy to study, neither of these areas is the compelling story today. Please understand that much of the current analysis is first-rate work. It’s just that I spend much of my time in the field meeting with customers in the middle of these decisions, and I’m simply hearing different things than I’m reading from the leading analyst firms.

What I keep hearing in meetings from California to Germany is that the really hard issue facing enterprise IT organizations is not when and how to deploy point solutions for email, laptop encryption, or even secure telephony. The decision senior IT professionals are now dealing with is how and when to deploy the security infrastructure on which these applications will be based. The reason they’re focused on the latter issue is that there is far more money and risk associated with the infrastructure decision than with the application decision. There are also many issues to be considered in making the infrastructure decision:

  • Evaluating whether or not the existing security infrastructure includes preexisting PKI products
  • Complying with the myriad regional laws that dictate how encryption can and cannot be deployed
  • Ensuring that the underlying infrastructure is both “future-proof” and extensible to any possible new security applications

As you can see, this isn’t a decision for the faint of heart or the under-informed. It must be taken carefully with broad consensus across the enterprise to ensure long-term success.

The other misconception I’ve seen propagated in much of what’s being written by the analyst community recently is that acquisition of content security solutions is still being driven primarily by regulatory and compliance concerns. Again, although these are two important drivers in this space, the really forward-looking companies I’ve been talking with lately are much more concerned about internal data breaches than the regulatory environment.

Although Sarbanes-Oxley, California SB 1386, and the pending U.S. federal security legislation will certainly have an ancillary effect on the deployment of content security systems, it is the threat of both deliberate and inadvertent internal breaches that is causing IT security officers globally to order the deployment of current-generation security solutions. Most enterprises have awakened to the realization that the world is a dangerous place and that only by taking proactive steps to secure confidential information can they completely protect their shareholders, customers, and partners.

The question is how you can distinguish a vendor with a great point solution from one that can offer a “future-proof” infrastructure on which you can build the security applications you’ll need in the next 3 to 5 years plus the unknown solutions that tend to obsolete non-extensible systems. All IT professionals have their favorite list of questions. Here’s my short list:

  1. How does your product handle integration of the small pockets of legacy PKI and X.509 certificates we have in the corporation? (Yes, I know the world has moved beyond these systems, but they are so deeply embedded in the applications they serve, we’ll never be able to take them out.)
  2. Can your product use the same key store and key management system to deploy across email, disk, storage, and telephony applications?
  3. How does your product require I alter my existing email and directory infrastructure? (This is really a trick question because the only correct answer is, “It doesn’t”.)

- Phil

This blog represents the personal opinions of certain employees of PGP Corporation and does not necessarily reflect the positions or opinions of PGP Corporation. As such, these personal opinions are not endorsed by PGP Corporation and you should conduct independent assessments before basing any decision upon the statements made in this blog.
