The mobile device security sector has been gaining visibility in recent months, with a slew of highly publicized incidents in which personally identifiable information was released inadvertently through loss or theft of devices that stored unencrypted data. This month's announcement that the U.S. Department of Commerce lost more than 1,100 laptop computers must be music to Utimaco's ears.
Utimaco's user-transparent encryption software protects enterprise assets: data on laptops, PDAs, cell phones, and the evolving hybrid devices that are becoming increasingly prevalent in business.
Mobile device security comes from Pointsec Mobile Technologies Inc., SafeBoot N.V. (formerly Control Break), PC Guardian Anti-Theft Products Inc., WinMagic Inc., Credant Technologies Inc., Bluefire Security Technologies Inc., PGP Corp. and Trust Digital LLC. Digital Rights GmbH's SafePhone, Snap Defense Systems LLC and Zfone all encrypt cellular voice calls.
The 451 assessment
Utimaco tells a story of a firm expanding aggressively into the U.S. It expects U.S. staff to hit 32 in the coming months and says it has increased its installed base to three million, with four million licenses sold (it says it only counts those installations that have been registered and updated -- a good method of counting, in our opinion). Competitors like Pointsec and Credant have earned varying levels of FIPS certification as well (there are differences in the degree of certification, and in precisely what parts of the software are certified). With new U.S. government initiatives to protect data, FIPS is a must-do -- not undertaken just for competitive advantage. Voice call encryption is a very interesting add-on, but we note that the provisioning process sounds fairly involved.
Oberursel, Germany-based Utimaco was founded in 1983 and has been publicly traded since February 1999. It maintains development offices in Germany, Austria and Belgium, as well as regional headquarters in Foxboro, Mass., and claims 284 employees. The company says it has sold four million SafeGuard Easy licenses, up from "over two million" a year ago, and claims three million installations.
Utimaco's 2005/2006 financial year ended June 30. The company reported a 47% EBITDA increase year-on-year, to €9.7 million ($12.2 million) from €6.6 million. Revenue over that span, though, rose just 19.8%, to €41.7 million from €34.8 million. The company says that the higher margins were partly attributable to changes to International Accounting Standards section 38. The changes, which took effect in March 2004, revised the capitalization process for intangible assets. In Utimaco's case, this applied to software it developed. Essentially, about $5 million was invested in product development, which took that amount off the company's P&L statement.
The SafeGuard product line includes SafeGuard Easy (SGE), software that provides sector-based whole disk encryption of computer hard drives, and SafeGuard PDA (SGP), which encrypts the data on PDAs and other handheld mobile devices. Through a partnership with Berlin-based Gesellschaft für Sichere Mobile Kommunikation (GSMK, 'the company for secure mobile communication'), Utimaco licenses GSMK's CryptoPhone and bundles it with SGP to add voice encryption. We note that all CryptoPhone products come with their full source code. SGP pricing on 1,000 seats starts at $63/seat and scales down; SGE starts at $85/seat.
SGE is sector-based whole disk encryption that works on Windows computers and encrypts the entire disk as opposed to various files. A pre-boot authentication can be supplemented with multifactor authentication, such as a one-time password from smartcards, USB sticks or mobile phones with one-time password capabilities. SGE integrates with Windows authentication, allowing pre-boot authentication to be controlled by the Windows login as opposed to a separate screen. Its FIPS 140-2 certificate joins certifications for Common Criteria (level EAL3) and several international standard certifications. FIPS and Common Criteria are measures of compliance with rule sets, not endorsements.
SGP works on Windows Mobile 2003 and 2005/WM5. The PDA voice encryption deployment is a bit tricky – typically, an enterprise sends in one of each type of PDA device on which it wishes to install the CryptoPhone. GSMK returns the phone and a ROM installation image with which the customer must re-flash all devices to be encrypted with the new image – that includes both a hardened OS and the CryptoPhone software. All user data (such as calendars, address books and the like) is clobbered during the ROM flashing process, and must be backed up using third-party provisioning or over-the-air provisioning software tools. There is a less secure method of installation, software only, which can be installed without reprovisioning. However, this could be destroyed with a hard reset of the device, and is only available on special arrangement with GSMK.
Utimaco SGP also provides fingerprint recognition (based on libraries provided by Hewlett-Packard Co.) for the HP27xx, HP555x and HP545x model PDAs, implementing another factor of authentication whose settings may be centrally enforced and adjusted. Biometric reference data is stored in Utimaco's encrypted internal database, and verification is via an HP API. Biometric signatures are encrypted using code from Utimaco's partner, WonderNet.
Utimaco's main competitor is probably Pointsec, another European company. Pointsec is nominally Swedish, but as the wholly owned subsidiary of a publicly traded Swedish company, Pointsec isn't strictly European anymore -- it spends an awful lot of time in North America and Asia these days. Other competition for mobile device security includes SafeBoot (formerly Control Break), PC Guardian, PGP Corp. and WinMagic. For handheld security, competitors include Credant, Bluefire and Trust Digital.
While Pointsec and other security vendors offer remote wipe capabilities with their PDA protection software, Utimaco does not -- though Utimaco says this is on the product roadmap. Utimaco points to third-party software deployment tools and Exchange Server to accomplish this. SafePhone from Digital Rights GmbH, Snap Defense Systems' products and Zfone encrypt cellular voice calls.
Utimaco is publicly traded, and it has great brand awareness in Europe and especially in Germany. CryptoPhone is a bold effort to push mainstream encryption of cellular voice calls into the enterprise.
Deployment of CryptoPhone is a bit of a drama at the moment, and the tool lacks central management to deal with provisioning headaches, requiring third-party software. The voice encryption technology is widely available and competitors will surely add it if Utimaco is successful.
Right now we don't know of any other major mobile device encryption vendor doing voice encryption.
Rival Pointsec is increasing its market share and presence in Asia and North America. While there's not much transparency into its financials, Pointsec says it's ready to make acquisitions and continue expansion.
Nick Selby is a Boston-based analyst covering enterprise security for The 451 Group.