Full-disk encryption was a niche technology not long ago. Until spectacular data breaches like the Veterans Administration debacle, the Payment Card Industry Data Security Standard (PCI DSS), and a wave of state data breach disclosure laws, a lost or stolen laptop was just a lost or stolen laptop.
Corporate laptop encryption efforts went ahead only where overriding security concerns justified taking on the cost, the performance degradation and the overhead of managing keys, user support and policy.
That's all changed. In addition to software sales, VARs can profit from laptops with hardware-encrypted drives.
While disk encryption software has matured and become more manageable, most organizations lack the resources and the expertise to deploy and manage it. A tech-savvy VAR can bring a lot to the table for customers.
"10 years ago, customers only wanted to talk to the vendor directly; it was very difficult to sell through the channel," said Jeff Ciraulo, vice president of marketing for Gilbert, Ariz.-based Envoy Data Systems, a Credant Technologies Inc. partner. He said companies are leery about the complexity and the fear of lost data or downtime while data is recovered and PCs are reimaged. A VAR with knowledgeable engineers and support staff can be the go-to company for full-disk encryption.
"You need to have the expertise in-house and the confidence to talk to customers about the technology," Ciraulo said. "Now, they want a partner who knows the product very well and can support it."
Breach notifications laws spur full-disk encryption
"Full-disk encryption has become incredibly hot," said Andrew Jaquith, senior analyst for Cambridge, Mass.-based Forrester Research Inc. It's becoming a must-have security technology, now that companies are often charged with protecting sensitive customer data.
Small wonder, particularly given California's SB-1386 data breach disclosure law, and 40-plus similar state laws. Most of these laws indicate that if non-encrypted data is exposed or stolen, such an incident must be disclosed. If encrypted data is lost, an organization is exempt from any disclosure obligation. For that reason, some companies now see encryption as an extra insurance policy in the event of a data breach.
"The strongest driver for full-disk encryption for the average company is avoidance of a disclosure exercise if a laptop is lost," said Mark Nicolett, vice president and distinguished analyst for Stamford, Conn.-based Gartner Inc.
PCI DSS is also a full-disk encryption driver
The PCI DSS mandates that any company holding credit card data must encrypt it. To that end, the first place companies often implement encryption is on back end file servers and databases; good policy dictates that credit card data shouldn't be on laptops or other mobile devices, which are all too often lost or stolen. Still, too many companies find out the hard way that a couple hundred thousand customer numbers were on an unencrypted laptop that was snatched at the airport or left in the back seat of a taxi.
Ciraulo said PCI is still the No. 1 reason companies ask Envoy Data Systems about full-disk encryption.
"Failing PCI audits is causing companies to worry about losing credit card privileges," he said. "They're trying to get up to speed before the next audit."
With those kinds of incentives, the numbers are impressive in what Forrester noted is a $1 billion-plus market for encryption technology. The research firm's survey of 500 large enterprises, conducted in Q2 of 2008, showed 35% already use full-disk encryption products and another 19% plan to deploy it this year. Forrester predicts that laptop encryption will be standard for three-quarters of large enterprises by 2011.
Jaquith said the numbers for smaller businesses are lower, around 23%, but still strong.
That kind of interest has produced considerable consolidation: Sophos Inc. acquired Utimaco Safeware Inc. in 2008; McAfee Inc. acquired SafeBoot Corp. in 2007, and Check Point Software Technologies bought Pointsec Mobile Technologies Inc. in 2006.
Independent mobile data security and encryption vendors include Credant Technologies Inc., Safend, GuardianEdge Technologies Inc., PGP Corp., Voltage Security Inc., WinMagic Inc., Secuware Inc. and BeCrypt Inc.
Companies will sometimes limit encryption to laptops, including increasingly popular Macintosh devices, Ciraulo said, because of budget restrictions. However, the ability to copy data from desktops to smartphones and removable storage often mandates that all PCs are encrypted.
In addition to software, encryption resellers can also push PCs with encrypted hard drives, which will become more of a commodity as costs go down.
Disk encryption is often bundled with portable device encryption and control capabilities. This includes enforcing corporate policy over the copying of data to USB drives, CDs and DVDs, digital music players and other similar devices.
Portable device control was a separate market early on, but encryption vendors have long since either acquired or developed mobile device encryption capabilities, and the few remaining device-control vendors, such as Safend Inc., have added encryption.
Granular device control is not as popular as some vendors thought it would be, varying with industry verticals based on regulatory mandates, Nicolett said. It's strong in the Department of Defense and some federal agencies, he said, but less so in the private sector because of employee resistance.
Only the most restrictive environments will prohibit the use of portable storage entirely (some organizations have been known to physically plug USB ports). So, in addition to help with the disk encryption piece, VARs can offer additional services to help determine and implement policy, typically through Active Directory.
"The consensus is that complete lockdown doesn't work in the majority of cases, but complete anarchy is also unacceptable," Nicolett said. "Companies are looking for a middle ground where they can exert control in a way that gives the end user as much freedom as possible."