Utimaco strives for ultimate mobile encryption

With new U.S. government initiatives to protect data, data encryption on mobile devices is becoming a must-have for many firms. As The 451 Group's Nick Selby writes, German vendor Utimaco Safeware is rapidly expanding its presence in the U.S. using a compelling combination of data- and voice-encryption offerings, but it's facing plenty of competitors.


The 451 Group
Utimaco Safeware AG, a publicly traded German whole-disk encryption vendor, has announced FIPS-140-2 certification for its flagship SafeGuard Easy computer encryption software, as well as the availability of an upgrade to its PDA and mobile device handset product, SafeGuard PDA, which also encrypts voice calls. Utimaco has been expanding in the U.S., and says the current staffing level at its Foxboro, Mass. headquarters is now at 22 and will rise to 32 in the near future.

The mobile device security sector has been gaining visibility in recent months, with a slew of highly publicized incidents in which personally identifiable information was released inadvertently through loss or theft of devices that stored unencrypted data. This month's announcement that the U.S. Department of Commerce lost more than 1,100 laptop computers must be music to Utimaco's ears.

Impact assessment

The message
Utimaco's user-transparent encryption software protects enterprise assets: data on laptops, PDAs, cell phones, and the evolving hybrid devices that are becoming increasingly prevalent in business.
Competitive landscape
Mobile device security comes from Pointsec Mobile Technologies Inc., SafeBoot N.V. (formerly Control Break), PC Guardian Anti-Theft Products Inc., WinMagic Inc., Credant Technologies Inc., Bluefire Security Technologies Inc., PGP Corp. and Trust Digital LLC. Digital Rights GmbH's SafePhone, Snap Defense Systems LLC and Zfone all encrypt cellular voice calls.
The 451 assessment
Utimaco tells a story of a firm expanding aggressively into the U.S. It expects U.S. staff to hit 32 in the coming months and says it has increased its installed base to three million, with four million licenses sold (it says it only counts those installations that have been registered and updated -- a good method of counting, in our opinion). Competitors like Pointsec and Credant have earned varying levels of FIPS certification as well (there are differences in the degree of certification, and in precisely what parts of the software are certified). With new U.S. government initiatives to protect data, FIPS is a must-do -- not undertaken just for competitive advantage. Voice call encryption is a very interesting add-on, but we note that the provisioning process sounds fairly involved.

Context
Oberursel, Germany-based Utimaco was founded in 1983 and has been publicly traded since February 1999. It maintains development offices in Germany, Austria and Belgium, as well as regional headquarters in Foxboro, Mass., and claims 284 employees. The company says it has sold four million SafeGuard Easy licenses, up from "over two million" a year ago, and claims three million installations.

Utimaco's 2005/2006 financial year ended June 30. The company reported a 47% EBITDA increase year-on-year, to €9.7 million ($12.2 million) from €6.6 million. Revenue over that span, though, rose just 19.8%, to €41.7 million from €34.8 million. The company says that the higher margins were partly attributable to changes to International Accounting Standards section 38. The changes, which took effect in March 2004, revised the capitalization process for intangible assets. In Utimaco's case, this applied to software it developed. Essentially, about $5 million was invested in product development, which took that amount off the company's P&L statement.

Products
The SafeGuard product line includes SafeGuard Easy (SGE), software that provides sector-based whole disk encryption of computer hard drives, and SafeGuard PDA (SGP), which encrypts the data on PDAs and other handheld mobile devices. Through a partnership with Berlin-based Gesellschaft für Sichere Mobile Kommunikation (GSMK, 'the company for secure mobile communication'), Utimaco licenses GSMK's CryptoPhone and bundles it with SGP to add voice encryption. We note that all CryptoPhone products come with their full source code. SGP pricing on 1,000 seats starts at $63/seat and scales down; SGE starts at $85/seat.

Technology
SGE is sector-based whole disk encryption that works on Windows computers and encrypts the entire disk as opposed to individual files. Pre-boot authentication can be supplemented with multifactor authentication, such as a one-time password from smartcards, USB sticks or mobile phones with one-time password capabilities. SGE integrates with Windows authentication, allowing pre-boot authentication to be controlled by the Windows login as opposed to a separate screen. Its FIPS 140-2 certificate joins certifications for Common Criteria (level EAL3) and several international standard certifications. FIPS and Common Criteria are measures of compliance with rule sets, not endorsements.

SGP works on Windows Mobile 2003 and 2005/WM5. The PDA voice encryption deployment is a bit tricky – typically, an enterprise sends in one of each type of PDA device on which it wishes to install the CryptoPhone. GSMK returns the phone and a ROM installation image with which the customer must re-flash all devices to be encrypted with the new image – that includes both a hardened OS and the CryptoPhone software. All user data (such as calendars, address books and the like) is clobbered during the ROM flashing process, and must be backed up using third-party provisioning or over-the-air provisioning software tools. There is a less secure method of installation, software only, which can be installed without reprovisioning. However, this could be destroyed with a hard reset of the device, and is only available on special arrangement with GSMK.

GSMK's technology encrypts voice calls with Advanced Encryption Standard (AES) and Twofish as counter-mode stream ciphers. GSMK says that counter mode minimizes the effect of bit errors on the audio and makes synchronization and recovery from problems easier than other methods. Every time a call is made, the software performs a 4096-bit Diffie-Hellman shared secret exchange, then hashes the result with SHA-256 to create a 256-bit session key. Avoidance of man-in-the-middle attacks is charming: using the 4096-bit Diffie-Hellman result, the software generates a six-letter hash that is displayed to the user. Each user then reads three letters over the encrypted line to the person they're speaking with, to provide bidirectional authentication. (We'll be speaking with GSMK separately; it provides its software for other devices, as well as free Windows software to create PC-based secure calls.)
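The key agreement just described, modelled as an added example (not Utimaco's or GSMK's code): a Diffie-Hellman result is hashed with SHA-256 into a 256-bit session key and into six letters, and each party reads three of them back so a relay in the middle shows up as mismatched letters. The 127-bit toy group, the letter encoding and the caller-reads-first-three convention are this example's assumptions; the article only states a 4096-bit exchange and a six-letter hash.

```python
import hashlib
import string

# Constructed toy Diffie-Hellman group (a 127-bit Mersenne prime) to keep the
# numbers short. The article says CryptoPhone uses a 4096-bit group; this toy
# group offers no real security.
P = (1 << 127) - 1
G = 3
SECRET_LEN = (P.bit_length() + 7) // 8

def dh_public(private):
    return pow(G, private, P)  # g^x mod p

def dh_shared(private, peer_public):
    return pow(peer_public, private, P)  # (g^y)^x mod p

def session_key(shared):
    # 256-bit session key: SHA-256 over the big-endian DH result
    return hashlib.sha256(shared.to_bytes(SECRET_LEN, "big")).digest()

def short_auth_string(shared, length=6):
    # Six letters for the spoken comparison. A separately labelled SHA-256
    # mapped to A-Z is this example's choice, not CryptoPhone's known encoding.
    digest = hashlib.sha256(b"SAS" + shared.to_bytes(SECRET_LEN, "big")).digest()
    return "".join(string.ascii_uppercase[b % 26] for b in digest[:length])

def verify_peer_half(own_sas, heard, peer_is_caller):
    # Assumed convention: the caller reads letters 1-3, the callee letters 4-6,
    # and each side checks what it hears against its own display.
    return heard == (own_sas[:3] if peer_is_caller else own_sas[3:])

def handshake(a_priv, b_priv, mitm_priv=None):
    # Alice calls Bob. With mitm_priv set, a relay substitutes its own public
    # value toward both sides; the handsets then hold different keys and the
    # spoken letters no longer agree, which is what the read-back exposes.
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if mitm_priv is None:
        a_recv, b_recv = b_pub, a_pub            # genuine exchange
    else:
        a_recv = b_recv = dh_public(mitm_priv)   # relay's value to both
    a_shared, b_shared = dh_shared(a_priv, a_recv), dh_shared(b_priv, b_recv)
    a_sas, b_sas = short_auth_string(a_shared), short_auth_string(b_shared)
    return {
        "keys_match": session_key(a_shared) == session_key(b_shared),
        "alice_accepts": verify_peer_half(a_sas, b_sas[3:], False),
        "bob_accepts": verify_peer_half(b_sas, a_sas[:3], True),
    }
```

Note that the check only helps if the letters are compared by voice over the encrypted line itself, which is why the article describes each user reading their half aloud.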

Utimaco SGP also provides fingerprint recognition (based on libraries provided by Hewlett-Packard Co.) for the HP27xx, HP555x and HP545x model PDAs, implementing another factor of authentication whose settings may be centrally enforced and adjusted. Biometric reference data is stored in Utimaco's encrypted internal database, and verification is via an HP API. Biometric signatures are encrypted using code from Utimaco's partner, WonderNet.

Competition
Utimaco's main competitor is probably Pointsec, another European company. Pointsec is nominally Swedish, but as the wholly owned subsidiary of a publicly traded Swedish company, Pointsec isn't strictly European anymore -- it spends an awful lot of time in North America and Asia these days. Other competition for mobile device security includes SafeBoot (formerly Control Break), PC Guardian, PGP Corp and WinMagic. For handheld security, competitors include Credant, Bluefire and Trust Digital.

While Pointsec and other security vendors offer remote wipe capabilities with their PDA protection software, Utimaco does not -- though Utimaco says this is on the product roadmap. Utimaco points to third-party software deployment tools and Exchange Server to accomplish this. SafePhone from Digital Rights GmbH, Snap Defense Systems' products and Zfone encrypt cellular voice calls.

SWOT analysis

Strengths
Utimaco is publicly traded, and it has great brand awareness in Europe and especially in Germany. CryptoPhone is a bold effort to push mainstream encryption of cellular voice calls into the enterprise.
Weaknesses
Deployment of CryptoPhone is a bit of a drama at the moment, and the tool lacks central management to deal with provisioning headaches, requiring third-party software. The voice encryption technology is widely available and competitors will surely add it if Utimaco is successful.
Opportunities
Right now we don't know of any other major mobile device encryption vendor doing voice encryption.
Threats
Rival Pointsec is increasing its market share and presence in Asia and North America. While there's not much transparency into its financials, Pointsec says it's ready to make acquisitions and continue expansion.

Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.
