Alex van Someren, along with his brother Nicko, founded nCipher in 1996 as an SSL acceleration company. Since then, nCipher has grown into a $34 million hardware encryption and key management firm, with products that span identity management as well as database encryption. In a rare interview, Dark Reading spoke with Alex van Someren about his thoughts on encryption's renaissance, why PKI flopped, and the risks -- yes, the risks -- of losing an encrypted laptop.
Dark Reading: Why has it taken so long for encryption to gain mainstream acceptance?
van Someren: Encryption is now starting to become a component with a trusted platform module (TPM) chip being built into laptops and motherboards by all major vendors, and it's going to be supported in Windows Vista and in BitLocker disk encryption. It will exist in billions of endpoints.
PKI never really went mainstream because it didn't have much of an application -- it didn't solve a problem for people. And PKI is big and clunky to deploy.
The real problem today is that users leave their laptops in the backseat of a taxicab. That suddenly opens a real market. That's the difference between letting technologists lead and letting customers lead [market demand]. Ten years ago, we were solving a problem that was only for the top 100 big customers with dotcom sites.
Dark Reading: What's the best strategy for an enterprise deciding what to encrypt and what not to bother encrypting?
van Someren: I would strongly discourage people from deploying a lot of encryption arbitrarily, despite the fact that doing so might cause us to sell more products. That's the wrong thing to do because encryption is a very powerful tool in quite scary ways.
When you encrypt data, one of the benefits you get [comes] from a confidentiality point of view -- and may also [deliver] an integrity benefit as well. But now what you've done is resolved your data down to a point of risk which is the key. However many gigabytes of data you have protected is now highly dependent on that key.
If you manage that key carefully, you have control over that data. If you lose the key, and it gets into the wrong hands, they now have access to the data, too. So you've shredded 10 gigabytes by simply losing that key.
Encryption deserves to be deployed very selectively because it's a powerful thing. And it doesn't actually solve the problem completely -- it just turns into a different problem, carefully looking after your keys.
The reason you shouldn't apply encryption to all data in your firm is that it just doesn't all need encrypting. Figure out first what's the important data; it will turn out that lots of the data is incredibly mundane and doesn't need to be encrypted or worth the aggravation of having to deal with a key management problem... It will be a little piece that really deserves to be protected in that way.
Otherwise you're not only wasting money, but are putting yourself at risk of creating some very scary problems to do with losing control of your data, which actually makes the situation worse, not better.
Dark Reading: Does built-in encryption on laptops pose problems of its own?
van Someren: Any second now, the first NASDAQ company's CFO won't be able to report their 10-Q because they lost their BitLocker key and Windows Vista won't let them start up their laptop. And that's what it's supposed to do, so you can leave it in back of a taxi and lose the data and no one else can read it.
But if they lose the key, they won't be able to read it either.
This is a very serious issue. We are providing a very powerful tool for users. You need to think very carefully about how you're going to deal with implications of people turning that feature on.
If I fall under a bus, my firm needs to be able to get to my files, so I need an escrow copy of the key, and if I leave the company, they need to be confident that the data is not accessible to me [anymore], post my departure. So there's a whole series of issues about which keys need to be managed and who's allowed to have access to them.
The big "switch" that says "goody, I can encrypt my whole laptop" shouldn't be thrown unless you've carefully thought about the deployment implications... We've been developing software tools for helping people with highly scalable key management problems because we had foreseen this becoming a widespread issue.
Dark Reading: nCipher is about to celebrate its 10th anniversary. What changes in the encryption market have you witnessed since you founded the company in 1996?
van Someren: When we first started, there were onerous regulations around export control, and a great deal of political maneuvering, and bizarre incompatibilities [of encryption technology] between one country and another.
There's been a complete shift since then. Cryptography has been wrestled away from spooks and the military, who felt they were the exclusive proponents of it 10 years ago, and it's become a more mainstream activity. It influences everybody who's a user of the Internet.
I used to say I have a taxi driver test. Ten years ago, when I would get into a cab and the driver asked me "What do you do?" and I would say "I run an Internet security business," or I'd use the "C" word, cryptography, they would go, "What?" Nowadays when I get into a cab and say I run an Internet security business, they usually say, "Wow, I bet that's a good business to be in."
Dark Reading: How has nCipher's evolution followed the evolution of encryption?
van Someren: Addressing the performance of SSL got us started.
It was difficult [for businesses] to build successful ecommerce sites when they would leave everyone staring at an hourglass, trying to get on. nCipher built a hardware co-processor product that's bolted onto the server and speeds it [PKI] up dramatically. Our first generation of that product, nFast, sped up SSL encryption by a factor of 30.
Now performance has almost become a given. You always have to have hardware acceleration for SSL in your network infrastructure, and we're frequently now an OEM to the network, with vendors like Juniper and F5 Networks using our SSL product to speed up their network apparatus.
So once you've sped up someone's server, and you're now getting 10,000 transactions per second of it, the value of what's being transacted has risen hugely. And your server becomes a bigger financial risk and the value is increased for an attacker getting access to those transactions to subvert, steal credit card numbers. You have to take better care of the keys that are making that cryptography work.
So we evolved our product line with the idea of enterprise key management, looking after all the keys needed in increasingly widespread use of cryptography. And providing safe places for those keys to reside. These modules bolt onto Web services software, PKI software, edge products like Microsoft ISA Server, Exchange and protect those keys.
Matched with that is the software that lets you deal with backup, movement of keys, replicating keys across locations, and reconciling what is quite a hard problem: Crypto keys are supposed to be a secret you're keeping in as few places as possible, but inevitably in a highly scalable Internet environment, they need to be in multiple places at once.
Kelly Jackson Higgins, Senior Editor, Dark Reading