When Baylor University set out to evaluate whole disk encryption software in 2004, the technology was somewhat
separate and isolated from other security tools. The school was deploying encryption on its staff laptops to protect sensitive student data in the wake of new data breach notification rules that were to take effect in Texas in 2005.
Baylor chose PGP Universal Server, which edged out several other vendors for its centralized management console and ease of use, says Jon Allen, information security officer at the Waco, Texas-based university. With more than 1,300 devices now encrypted, PGP's recovery system has been crucial in letting IT easily access and reset locked computers if a staff member forgets their passphrase.
Today however, Allen sees the technology in a different light. No matter if its whole disk encryption, email encryption or transaction encryption, security vendors are integrating the technology as a feature in larger security suites. So when Symantec announced its intention to acquire PGP and GuardianEdge, arguably the most widely recognized encryption vendors in the market, Allen says he didn't bat an eye.
"The biggest advantage with any commoditization of security products is going to be cost and then hopefully more unified management," Allen says. "[The acquisition] is an acknowledgement of where security is headed and the value of encryption as something that if you don't have it in your portfolio, you're going to be behind."
Symantec paid $370 million for the two companies. The deal would integrate both platforms with Symantec's endpoint protection suite. GuardianEdge has already long been used in the Symantec suite under an OEM relationship and the PGP encryption technology is already part of Symantec's Data Loss Prevention products.
Baylor is a Symantec customer, putting the university even more strategically aligned with the security giant, Allen says. Security components that can be centrally managed could be a key benefit by the new relationship, he says.
"Any time you have a company that falls outside of the big five or so security companies out there you know there's potential for this," Allen says. "I would hope that we would be able to see them leverage the best part of PGP in conjunction with the Symantec platform."
Michael Osterman, principal of Osterman Research Inc., says encryption has been a growth market, fostered by increasingly stringent regulations from data breach notification laws, now in more than 40 states, and tougher Health Insurance Portability and Accountability Act (HIPAA) rules, to the Payment Card Industry Data Security Standards (PCIDSS).
"When people think of endpoint security of any kind they're going to be looking at encryption as a key component," Osterman says.
Integrated encryption features in DLP products could enable content inspection at the endpoint to include some form of manual or automated encryption if sensitive data is discovered leaving the company network, Osterman says. The technology is being similarly used in email gateways. But even more compelling are cloud-based encryption platforms, he says. Zix Corp. and Approver offer email encryption services and there's no reason why the technology couldn't be extended to other areas, he says.
"Further down the road we'll see encryption out of the hands of end users and part of a policy management system that allows the IT administrators or senior business mangers to say what should and shouldn't be encrypted," Osterman says.
Encryption has been making its way into larger endpoint security suites for several years, says Mike Rothman, analyst and president of Phoenix-based Securosis LLC.
Symantec rival, McAfee Inc. has been on a similar track with encryption. It acquired SafeBoot in 2007 and uses the encryption technology in its endpoint protection suite. Rothman says he expects Symantec to move in a similar direction as McAfee by creating a centralized management console in which all policies can be created and maintained across the product line. With the acquisition, Symantec also has an opportunity to inject encryption into its Veritas line of storage products.
"I don't treat encryption as a standalone thing," Rothman says. "There's database encryption, disk encryption, email encryption and encryption infrastructure and application level encryption all generally built into other specific systems."