Archive for the Blogroll Category

Data-at-Rest is HOT

WOW, it has been a very busy quarter for Data at Rest companies in the marketplace. Almost all of the existing players in the market have been purchased by large acquirers, including the recent acquisition of Guardian Edge (once PC Guardian) and PGP by Symantec.

Almost every viable player in the market has now been acquired, and I expect the rest to follow suit in the next quarter. For those of you who have not been following over the years, here are the plays that have been made:

First to go: Pointsec Mobile Technologies (my former employer) was sold to Checkpoint for 586M.

Then Utimaco was purchased by Sophos for 342M.

Then McAfee purchased the former SafeBoot product for 350M.

Now Symantec has taken down both PGP, for 300M, and Guardian Edge, for 70M.

Over my more than a decade in the Data-at-Rest business it has gone from ‘what is encryption?’ to ‘whose security suite with encryption are you buying?’. This technology has firmly moved into the mainstream.

It should not be a surprise: information security regulations have grown to include a number of requirements for the protection of personally identifiable information, across all major commercial verticals and government agencies.

The question for 2010 and 2011 will be one of large-scale implementation of the technology using the tools already on the market, as well as the growth of those products as they are integrated into much larger suites of applications.

I think that we will see a few more acquisition firework shows before it is done, but I’m looking forward to the mainstream products that result.

Data-at-Rest is Dead

I have been involved with Data-at-Rest security for about 15 years now, and I have seen the security ‘Hype Cycle’ (http://en.wikipedia.org/wiki/Hype_cycle) for so many technologies - too many, in fact, and I’m trying to forget them like my many years of Don Johnson look-alike attire in the 80’s (I got rid of all the white linen jackets). Data-at-Rest security has emerged from complete obscurity: I regularly presented in meetings with Fortune 100 executives to discuss protecting information on cell phones, laptops and desktops, and was routinely met with “We have Windows passwords and that’s more than enough security.” In 2002 I coined the term ‘Enterprise Mobile Device Security’ (truthfully, an Easter egg from my previous work in Enterprise Document Management Systems (EDMS) - secret’s out) to try to draw a distinction between Data-at-Rest technologies and systems, but again this has gotten lost in translation in 2009.

I can’t tell you how many conversations I have had recently, in government and business alike, in which organizations have ‘moved on’ to look for the next hot security topic to protect against without completing their policies, procedures and implementation around Data-at-Rest. Some are looking to next-generation hardware that encrypts information in the drive itself, without thinking about the management backend required to do enterprise-scale user and encryption key management.

Security is hard work, and sometimes that ‘stick-to-it-iveness’ doesn’t easily convey from the security team to the board room or executive leadership. Looking into 2010, I have a hope that we can make this the ‘implementation decade’. Can we complete our security implementation in 2010? Sure: through hard work and determination we can use technologies and procedures already in existence to provide at least basic protection for data everywhere it goes. We all need to spend a lot more time thinking about solving problems and implementing the solutions, at least as much as we spend looking for new problems.

So: implement that cryptosystem, change that four-character password, implement two-factor authentication. I know it’s taken 15 years for us all to get here, but maybe if we complete some of these implementations we won’t have to keep hearing about data losses for the next 10 years.
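To make concrete what the “management backend” above actually has to do, and why a four-character password is the weak point of the whole scheme, here is an added example (not code from the original post, and not any vendor’s product) of the minimal key-slot structure an enterprise data-at-rest product wraps around a self-encrypting volume. The volume’s data-encryption key (DEK) is generated once and never stored in the clear; it is wrapped separately under each authorised user’s password-derived key and under an enterprise recovery secret, so a forgotten password, a departed employee or a helpdesk reset never requires re-encrypting the disk. The wrap primitive here (PBKDF2-derived one-time mask plus HMAC-SHA256), the 100,000-iteration work factor and the 12-character policy floor are assumptions for the illustration; a shipping product would use AES Key Wrap or AES-GCM inside a validated module.

```python
"""Minimal key-management backend for a data-at-rest volume.

Added illustration (not any vendor's implementation): the volume's
data-encryption key (DEK) is never stored in the clear. It is wrapped once
per authorised user under a key derived from that user's password, and once
more under an enterprise recovery secret, so password resets, off-boarding
and recovery never require re-encrypting the volume itself.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

ITERATIONS = 100_000    # assumption: PBKDF2 work factor chosen for this example
MIN_SECRET_LEN = 12     # assumption: policy floor; a four-character password is refused


def _derive(secret: bytes, salt: bytes) -> bytes:
    """64 bytes of key material: first 32 mask the DEK, last 32 key the tag."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=64)


def wrap_dek(dek: bytes, secret: bytes) -> Dict[str, bytes]:
    """Wrap a 32-byte DEK under a user password or a recovery secret.

    Illustrative wrap only: the DEK is XORed with a PBKDF2-derived mask that
    is fresh for every wrap (random 16-byte salt, so the mask is a one-time
    pad), then authenticated with HMAC-SHA256. Not AES Key Wrap (RFC 3394);
    the slot structure, not the primitive, is the point of the example.
    """
    if len(dek) != 32:
        raise ValueError("DEK must be 32 bytes")
    salt = secrets.token_bytes(16)
    k = _derive(secret, salt)
    masked = bytes(a ^ b for a, b in zip(dek, k[:32]))
    tag = hmac.new(k[32:], salt + masked, "sha256").digest()
    return {"salt": salt, "masked": masked, "tag": tag}


def unwrap_dek(slot: Dict[str, bytes], secret: bytes) -> Optional[bytes]:
    """Return the DEK, or None if the secret is wrong or the slot was tampered with."""
    k = _derive(secret, slot["salt"])
    tag = hmac.new(k[32:], slot["salt"] + slot["masked"], "sha256").digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(slot["masked"], k[:32]))


class VolumeKeyStore:
    """Key slots for one encrypted volume: the part a bare self-encrypting
    drive does not give you, and the part the enterprise has to manage."""

    RECOVERY = "__recovery__"

    def __init__(self, recovery_secret: bytes) -> None:
        dek = secrets.token_bytes(32)   # generated once, never persisted raw
        self.slots: Dict[str, Dict[str, bytes]] = {
            self.RECOVERY: wrap_dek(dek, recovery_secret)
        }

    def unlock(self, principal: str, secret: bytes) -> Optional[bytes]:
        """Pre-boot authentication: open the caller's slot to recover the DEK."""
        slot = self.slots.get(principal)
        return unwrap_dek(slot, secret) if slot else None

    def add_user(self, user: str, user_secret: bytes,
                 via: str, via_secret: bytes) -> bool:
        """Grant `user` access; `via`/`via_secret` must already open the volume."""
        if len(user_secret) < MIN_SECRET_LEN:
            raise ValueError("password shorter than policy minimum")
        dek = self.unlock(via, via_secret)
        if dek is None:
            return False
        self.slots[user] = wrap_dek(dek, user_secret)
        return True

    def reset_password(self, user: str, new_secret: bytes,
                       recovery_secret: bytes) -> bool:
        """Helpdesk path: the recovery secret re-wraps the same DEK; no re-encryption."""
        return self.add_user(user, new_secret, self.RECOVERY, recovery_secret)

    def revoke_user(self, user: str) -> None:
        """Off-boarding: drop the slot; other users and recovery are unaffected."""
        self.slots.pop(user, None)
```

Two things the structure makes visible. First, every slot is only as strong as the secret that wraps it: the recovery slot in particular is a single credential that opens every volume in the fleet, which is why it belongs in an HSM or a protected key server and not in a spreadsheet. Second, revoking a slot stops future unlocks but does not change the DEK a former user may already have extracted; genuine key rotation means re-encrypting the volume, which is exactly the kind of operational procedure that has to be planned for before the hardware is bought.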

Four-Year-Old Certifications: McAfee claims FIPS compliance when in fact it has NONE that are relevant.

Here comes my soapbox again. It’s always a joke to me how some so-called ‘security’ companies can have a total lack of certification for their cryptography and still call themselves security companies. It’s like saying your grandma is a jet fighter pilot because she saw you playing a flight simulator. It’s an embarrassment.

What about ePO, or HBSS, McAfee’s be-all, end-all management console that communicates with all the clients? ZERO certifications. Zip, zilch, nada. What about certifications that cover anything above Windows XP? Nope.

Do you know McAfee has NEVER done a FIPS certification on its own? Only through the acquisition of SafeBoot do they have ANY certifications. What a joke!

Just so no one says that I’m talking out of school, here is a copy of all of McAfee’s certifications from the NIST website at www.nist.gov/cmvp:

McAfee, Inc.

279 - McAfee Endpoint Encryption for PCs Client (formerly SafeBoot Client)

506 - McAfee Endpoint Encryption for PCs Client (formerly SafeBoot Client)

It’s always funny to me how people can spend millions of dollars on marketing but not on building a quality product.

Comprehensive National Cybersecurity Initiative (CNCI)

  I am a big believer in common sense. It’s amazing how uncommon common sense really is, and how important it is.

One of the guiding principles of information security is independent review. The network administration team and the network security team set the rules and protections and set them up, then you hire someone from the outside to come in and try to break them. This happens all over the place in the world: the CFO makes the budget and documents expenses, then you hire an independent auditor to verify; before you get that life-threatening brain surgery you request a second opinion. Checks and balances, second opinions, peer review - it keeps everyone sharp and protects us all from bad advice, or from being sold a $2000.00 vacuum cleaner when we have hardwood floors.

Currently cooking in the government is the Comprehensive National Cybersecurity Initiative. It’s secret; no one can know what is in it until they decide to release it. The concerning thing about it is who is influencing the choices - is it someone who knows the difference between a hash algorithm and hash browns? Do they know the difference between a rainbow table and the Rainbow Coalition?

My hope is that the government opens the CNCI to industry input, even though the ensuing carnival may be painful. Yes, someone will come in and present why token ring is more secure than Ethernet, wasting everyone’s time, but at least there will be an intelligent discussion.

If the vendor conversations are too loud, perhaps just a good survey of the hacker community, of INFOSEC professionals in the NSA’s own IAM/IEM certification program, or of CISSPs would do. Somehow some intelligent debate needs to enter the cybersecurity realm and move it from lip service to reality.

How about a Cybersecurity Stimulus? You think I’m kidding? While we spend endless hours of debate discussing already-lost manufacturing jobs, we are letting an industry in which the United States has a significant advantage and resource blow in the wind. Every other major world power spends more on cybersecurity than the United States; why don’t we wake up and join the 21st century? The jobs yielded by security applications would pay on average twice that of the manufacturing jobs we spend billions to keep and bail out.
