Encrypting laptops is worth the money
For the most part, security technology procurement is a struggle: security budgets have always been low and remain underfunded.
Security executives have to justify purchases in terms of business risk--a daunting task for even the most skilled professionals. As the old saying in the security world goes, organizations don't want good security, they want good-enough security. Paying for anything more is often viewed as a waste.
In general, frugal security strategies remain, but my colleagues and I at Enterprise Strategy Group see one particular area that bucks this trend--full disk encryption (FDE) for laptops. Many large organizations are retroactively adding FDE software to existing systems or requiring FDE on all new laptop purchases. These decisions are almost always being driven by business managers rather than IT. There's no security magic here. CEOs see a pretty simple relationship between problem and solution.
What does this mean for the industry?
Companies like GuardianEdge, PointSec (now Check Point Software), Safeboot, and Utimaco are selling tens of thousands of licenses at a time. Business will continue to be good for another three years or as long as businesses hold on to legacy PCs. Smart vendors in this space are already diversifying into other security areas. The writing is on the wall.
Ultimately, this market will be dominated by hard drive vendors (Seagate, for example) and Microsoft. I took some flak for suggesting in an earlier blog that large organizations fast-track Vista for laptops solely to get BitLocker disk encryption. I'm now finding some firms headed down this path.
PC encryption is the calm before the impending key management storm. Managing all of these keys in a formal and organized way is not a well-understood practice, and many tools are pretty weak. Get ready for headlines about unrecoverable data or malicious key-management administrators.
Infrastructure-based security and encryption is inevitable. FDE is the first chapter in a long book.
Losing a corporate laptop should be a minor inconvenience, not a publicly disclosed security breach leading to millions of dollars in public relations, legal and customer service costs. It appears that CEOs recognize this trade-off and are taking proactive security countermeasures--for once.
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.





The alternate vendors you mention support many, sometimes thousands of users, smart card, biometric, PKI, token login, rich graphical interfaces and of course synchronization of the boot credentials with the user's Windows password, and they support the same feature set across most versions of Windows from one product/management system.
As johntafdn replied on your fast-track post "..with regard to something that's given for free, is that's all it worth.."
future how you encrypt the drive will not be a point of differentiation. It's just not that hard. The hard part, as Jon highlights, is managing the keys. There's another tricky bit associated with ensuring that a consistent set of policies controls the encryption/decryption and data access, but few users or vendors see that issue yet with enough perspective to act on it.
I think the drive manufacturers may end up being a channel through which these products are delivered, but I don't see anything in the core skills of being a world class drive vendor (quick design cycles and ultra low cost manufacturing and distribution) that is naturally leveraged in this space. I think the winners end up being those vendors that crack the code on how to do key and policy management without disrupting the existing infrastructure.