Magazine Article | September 13, 2006

Data Encryption — The Next Frontier Of VAR Opportunity?

Security experts say VARs must target the correct customer audience to successfully sell data encryption solutions.

Business Solutions, October 2006

Data encryption works. It protects data at rest (data stored on some type of media) and data in flight (data in transit on a network) by scrambling data into a form of recoverable unreadability. That fact is clear. However, a discussion of data encryption often leaves VARs with more questions than answers. For instance: How is this technology implemented? What is key management? Who are the target customers for this technology? We solicited answers from four data protection vendors: CipherOptics, Decru (A NetApp Company), Ingrian Networks, and NeoScale Systems.


Identify Your Customers’ Encryption Needs

“CipherOptics products address the data in flight challenge,” explains Brandon Hoff, chief marketing officer for CipherOptics. “More than 70% of data loss happens over the network, where hackers can easily hide, plant back doors, or divert data from a network connection. Currently, less than 13% of data loss occurs due to lost tapes or lost laptops, and a majority of these are recovered.”

Michele Borovac, director of marketing for Decru, further defines encryption methods for data at rest by where the encryption takes place: at the host or within an application, within the network using a dedicated appliance (Decru’s solution), or at the storage device. Karim Toubba, EVP of product management and corporate strategy for Ingrian Networks, categorizes encryption solutions as either software-based products or hardware-based solutions. James Hanley, SVP of field operations for NeoScale Systems, echoes Borovac’s description of the methods of encryption. The point is to understand where your customer’s data is at risk. An enterprise that performs disk-based backup between locations may need data encryption for both data at rest and data in flight, whereas a customer with an off-site tape archive may need encryption only for data at rest.


Key Management Is Key To Selling Encryption

When data is encrypted, an electronic key is required to decrypt it. That sounds simple enough. However, this process quickly escalates to a management challenge as clients begin to encrypt data on a large-scale basis — especially across heterogeneous storage hardware.

“Key management is the real issue of data encryption — too many keys make encryption unusable because it is too expensive to administer,” says Hoff. “Storing the keys in the wrong location or an unsecured location effectively defeats encryption.” To illustrate Hoff’s point, encrypting data on a notebook computer is not effective if the key is stored on the same computer.

“With an effective key management system, keys are automatically made available to authorized locations, so companies will be able to restore information when and where required,” says Hanley. “Without an effective key management solution, data may become unrecoverable as no backdoor methods exist to decrypt information without the original encryption key.”

“Most enterprises have distributed networks, which makes management of the keys and security policies the most critical component to securing sensitive data,” explains Toubba. “Hardware-based data encryption ensures the highest level of security and having the encryption offloaded to the appliance removes that load from network servers.”

Borovac advises VARs to pay close attention to three factors when considering key management systems:

• Key availability: Data at rest must often be kept for months, years, or even decades. Keys must be accessible to ensure data can be decrypted when and where it is needed.

• Security: It’s critical that keys are stored securely. It’s far easier to steal keys than to crack encryption, especially if these keys are stored in an open operating system.

• Support for heterogeneous environments: Most organizations generate and maintain sensitive data in a range of different applications and storage technologies. Deploying different types of encryption in databases, operating systems, and storage technologies further complicates key management.


Sell Encryption In Vertical And Horizontal Markets

“Our customers range from very large companies to smaller regional hospitals and banks, and Fortune 1000 to Fortune 100 companies,” says CipherOptics’ Hoff. “Our customers tend to be in industries that regularly handle personal information or are regulated by the Health Insurance Portability and Accountability Act of 1996 [HIPAA], Gramm-Leach-Bliley Act [GLBA], Payment Card Industry [PCI] standard, or other privacy regulations.”

“The financial services and government markets have been early adopters of encryption, but data security is a fairly horizontal market,” says Decru’s Borovac. “Everyone has sensitive data. Intellectual property can be as valuable as customer data if it goes missing.”

“The key verticals that have been most responsive to enhancing security policies using encryption have been retail, financial services, and payment processing,” explains Ingrian’s Toubba. “Recent high profile security breaches have driven more movement in the government and higher education sectors. The retail and banking industries have more mature data encryption projects.”

One hot trend in key management is the global key management system: a device that can manage encryption keys from heterogeneous types of key management systems. This is of particular interest to organizations that bought encryption solutions early in the development of data encryption technology. Those customers may be managing many different types of keys across multiple locations. A centralized key management system allows customers to manage all keys — regardless of the specific type — from a single interface.

Global key management systems will also be useful to companies who merge with or acquire other companies. It is highly unlikely that two companies would have identical encryption solutions.

NeoScale’s Hanley concludes that the financial services, healthcare, and government markets have the strongest current demand for encryption solutions.


Sell Encryption To Security Management — Not IT

As with other security technologies, VARs should recognize that an encryption sale is typically consultative, and influencers and decision makers may not be their regular IT contacts. Selling security to the IT storage team probably won’t produce success.

In most cases, the decision to secure data is being made at a much higher level within the customer’s organization. Chief security officers, VPs of operations, and senior auditors may be driving the requirement to encrypt sensitive data. Those individuals are feeling the pressure to comply with federal, state, and internal corporate governance regulations. Their concerns will be different from those of the IT staff.

Yes, data encryption works. But in order to successfully sell this technology, a VAR must understand which customer audience they should be addressing. Avoid price-only comparisons, and emphasize the value of your customer’s data.