
RSA: Hashing Out Encryption

Vendors at RSA 2008 rolled out tools that make encryption easier to use and manage

Apr 14, 2008 | 09:50 AM

By Kelly Jackson Higgins

SAN FRANCISCO -- RSA 2008 Conference -- The conference that once was just a gathering of a few cryptographers is now a major event that drew more than 17,000 attendees last week. And the technology that started it all -- encryption -- showed it has grown a lot, too.

The big themes among encryption vendors exhibiting and rolling out new products here included managing encryption across the enterprise, making encryption easier to use, and a shifting focus from the nitty-gritty of encryption keys to the data itself. These themes aren't exactly new, but they were more front-burner than in years past, thanks to a busy year of high-profile data breaches, PCI mania, and laptop-theft paranoia.

With the pioneers of encryption chatting it up in the annual Cryptographer's Panel here as a backdrop, encryption vendors on the exhibit floor rolled out next-generation encryption management products and tools that help make encryption less a technology of complicated algorithms and key pairs and more of a mainstream business security strategy. But that doesn’t mean encryption is streamlined -- organizations today typically run a patchwork of separate encryption systems for various elements in their networks, from their files to their laptop hard drives.

Around 21 percent of U.S. enterprises surveyed in a Ponemon Institute and PGP study released this month say they currently have a consistent encryption strategy implemented across their organizations, which is an increase from last year, when only 16 percent did. Nearly 75 percent have an encryption strategy that's based on a type of data or application or is enterprise-wide, according to the study.

The number one reason for adding encryption: data breach prevention, with 71 percent of the vote, up from 66 percent last year, the study said. The most common encryption today is laptop encryption, which 20 percent of respondents use most of the time.

"Separate encryption systems all handle keys differently, and it's a policy" mess, says Gretchen Hellman, senior director of marketing for Vormetric, which specializes in policy-based encryption, access control, and auditing. Hellman is also the daughter of Martin Hellman of Diffie-Hellman algorithm fame.

RSA, the security division of EMC, here released its RSA Key Manager for the Datacenter product, which aims to centralize and integrate the lifecycle management of keys in the enterprise -- including in the database, file servers, and in storage systems.

"Multiple point encryption solutions, each with their own approach to encryption key management, increase management complexity and the risk of lost or stolen keys," said Dennis Hoffman, RSA's chief strategy officer, vice president, and general manager of its data security group, in a prepared statement.

According to the Ponemon-PGP study, organizations plan to spend 34 percent of their overall budget for encryption on key management (which includes key lifecycle, policy, and reporting), and 45 percent expect those systems to save them money on their data security costs.

Vormetric, meanwhile, rolled out what it calls the Key Security Expert, a tool for providing key security and access control for encryption keys across various encryption platforms in an enterprise. "It's a method to immediately address this ability to secure and control access to keys locally," Vormetric’s Hellman says. "Any third-party encryption key or homegrown solution -- we can control access to it."

Venafi, which sells what it calls systems management for encryption, demo'd its upcoming Encryption Manager V system at RSA, which will come with symmetric key support and enhanced auditing. Paul Turner, vice president of product and customer solutions for Venafi, says the new encryption management platform contains more policy-based management. It also integrates with existing key management tools.

"Most people are not key experts. So we had to make the policies simple," Turner says. Venafi doesn't provide encryption, just the systems management tools for it, he says.

BitArmor, meanwhile, upgraded its DataControl encryption software with support for Vista and Windows Server 2008, and plans to add management for Windows BitLocker Drive Encryption in the third quarter. "There are various types of encryption, but they are all separately focused on the device or app," says Patrick McGregor, BitArmor’s Chief Executive Officer. "We are taking an approach at the data level... we protect data at the core, and the keys are in the data itself. It's persistent encryption, a more elegant solution."

Other encryption announcements here included Voltage Security's new software-as-a-service model for its SecureFile encryption for documents and files, as well as increased systems integrator support for its format-preserving encryption technology, which encrypts data without changing the structure of the data. "Our goal is to make encryption usable," says Dan Beck, director of product management for Voltage, best known for its identity-based encryption technology for email encryption. The idea is to encrypt the data without changing the structure of the data, he says.

And Wave Systems demo'd strong authentication using its Embassy software for managing hardware security. "We don’t do encryption. We are protecting the data," says Lark Allen, executive vice president of Wave Systems.

Wave showed tools that support the next-generation Intel Centrino 2 with vPro, with TPM v 1.2. It also demonstrated management of the Seagate Momentus 5400 FDE.2 line of full-disk encryption drives.

So is encryption now considered mainstream? Bruce Schneier, chief security technology officer for BT, says encryption today is "surprisingly mainstream," even though you can't really see it. "People don’t buy encryption, they use it," he says of end users. "It's in their browser, their VPN" connections. "And when it becomes ubiquitous, it disappears" into tools and products, he says.


  • PGP Corp.
  • RSA Security Inc. (Nasdaq: EMC)
  • Vormetric Inc.
  • Voltage Security Inc.


