Sensitive data hits the road every day, on poorly protected laptops, removable storage media, PDAs and smart phones.
In 2007, businesses long accustomed to protecting information in their data centers turned to new security technologies and products to reduce risk to data on the go.
In addition to the expected repackaging, partnering, acquisitions and marketing spin, the security industry has responded with some genuine innovation. The simple antivirus products of a few years ago are rapidly evolving into comprehensive integrated suites, combining antivirus/antispyware, HIPS, host firewall, removable device control and even NAC in a single centrally managed agent. Data loss prevention has shifted from the gateway to the endpoint, targeting data that can simply walk out the door.
Nowhere is the shifting focus on mobile endpoints more pronounced than disk encryption. Businesses that shunned the cost and key management headaches of encrypting laptops have scrambled to deploy it for a perceived quick fix to protect data and satisfy regulatory auditors.
Even so, it's cutting-edge technology that will complete the rapid evolution of full disk encryption from selective to near ubiquitous deployment. Hardware-based encryption is just making its way into the mobile device market, but it's coming on fast. Earlier this year, Seagate announced the Momentus 5400 FDE 2 hard drive, at first available only through clone laptop company ASI, but now available on select Dell models. Intel has announced its chip-based hardware encryption, code-named Danbury, will ship with vPro processors in the second half of 2008.
"By the end of 2008, we'll see a fair amount of variety of offerings," said Jon Oltsik, senior information security analyst for the Milford, Mass.-based Enterprise Strategy Group. "By mid-2009, there will be more widespread combinations. By the end of next year, if you are replacing laptops, you'll have several options--not just from Dell. It will be pretty much universal."
Hardware-based encryption, whether disk- or chip-based, solves the performance problem that limited adoption. Moving keys into hardware makes encryption easier to implement and manage. Most important, perhaps, for a little more money, it comes with the laptop you already planned to buy.
"If the requirement is to encrypt laptops, the easiest way is to buy laptops that can already encrypt," said Oltsik.
He said that it's not clear which technology--disk- or chip-based--might prevail, but that's in the hands of the laptop makers. It depends on who is most successful in channel distribution and gets into production lines. Users don't really care.
Where does this leave software encryption companies like Credant, Utimaco, PGP, Safeboot (recently acquired by McAfee) and Check Point (which acquired Pointsec)? Recognizing that their boom will last only as long as it takes hardware-based encryption to take hold, they are partnering with Seagate and Intel to offer integrated solutions. While the hardware companies handle the encryption processing, software vendors will focus on what they do best--policy creation and enforcement, key management and the like.
Malte Pollman, Utimaco vice president of products, said, "In five years, we probably won't sell encryption software," but rather key and other management services for Intel, Seagate and any other hardware encryption companies.
But while hardware processing is making laptop encryption more attractive, it's by no means a complete data security solution. It should be part of a multilayered defense, including data loss prevention and endpoint security tools.
"Encrypting hard drives is a security of last resort, if a PC is stolen from you or me at the airport," said Oltsik. "We're seeing so much buying because it's getting easier to implement and protects you against the most common incidents. There are a lot of other kinds of attacks we have to pay attention to."