Encryption Blog

"The Report of My Death Is An Exaggeration"

Created: 12 Oct 2009 • Updated: 05 Nov 2012

Doug McLean - Blogmeister

Since Mark Twain uttered the title of this blog in 1897, hundreds if not thousands of technologies have been declared "dead." Some technology obituaries, vacuum tube computers spring to mind, were completely accurate. However, I've been in the computer industry long enough to know that successful computing technologies rarely ever "die"; they just get repurposed to work in new environments or to solve new problems. The best examples I can think of are SGML (Simple Graphic Markup Language) and ODA (Office Document Architecture). Both of these technologies were hot in the early '80s when the industry was looking to standardize the way computers told printers how to render a page (and coincidentally creating massive markets for document and content management). It turns out that both of these technologies lost the imaging battle to the PDF standard, but that doesn't mean they died. In fact, HTML can trace its roots and even some of its syntax directly to SGML, and CSS (Cascading Style Sheets) can trace its architectural genealogy to ODA.

A more recent example debunks the myth that "the mainframe is dead." Now if any computing technology should be dead by now, the mainframe computer certainly qualifies. But, as Jon Oltsik points out in this excellent piece in Network World, the IBM Z-Series has found a key role in the deployment of cloud-based computing services, as hot a trend in enterprise IT as currently exists.

So, I've been amused this summer listening to a number of industry analysts (most of whom I greatly respect) claim that the advent of Self Encrypting Drives (SEDs) means the "death of encryption software." SEDs are these new drives that come from the factory pre-encrypted and prevent any data written to them from being read by unauthorized parties during their lifecycle and even after they've been retired. This is accomplished in most cases by putting the well-known and trusted AES encryption algorithm in firmware on the drive.

Putting encryption inside the drive itself is a neat idea, but I assure you it doesn't mean the death of "encryption software." I should note at this point that Jon Oltsik is one of the analysts who declared encryption software "dead" earlier this year. But Jon's a smart guy, and I'm assuming by this he meant that it will now morph to operate in a world where almost all drives have some limited encryption technology built in. I also feel compelled to observe that, in the IT sector, any time hardware is standardized (and consequently commoditized) it has caused market expansion, not contraction, as it allows vendors to deliver new functionality at lower price points with which to tap new markets.

One of the core issues we need to resolve in the debate about whether encryption software is on life support is just what the term "encryption software" means. Once upon a time it referred to the core cryptographic algorithms used to scramble the bits on a disk or in a message. Algorithms such as TwoFish, Blowfish, DES, Triple DES and AES have all been used in the past to turn plain text into ciphertext and back again. However, the technology frontier in encryption software has expanded dramatically beyond the core crypto in the last ten years and is now more focused on how these algorithms are used and managed. There is still very important work going on to keep the core crypto algorithms secure and to fix some things we know are liabilities in the associated hash functions. Currently though, most of the investment in "encryption software" development is at the broader system level rather than at the algorithm level.

In fact, if all of the manufacturers of disk drives, computers, smart phones and everything else we need to secure were to guarantee that they would have current crypto libraries on board every device they ship starting tomorrow, it would save PGP Corporation...not a dime.  The reason for this is that our R&D investments are focused on the issues that drive our business and that our customers really care about. These days that means focusing on integrating policy management and key management functionality into existing enterprise data management infrastructure.

It also means focusing on providing the right management functionality for each kind of storage device. The policy and key management issues associated with managing encrypted drives on laptops are very different from the issues associated with managing encrypted shared storage devices. Take the simple example of complying with the legal discovery requirements under which most financial institutions operate. If they've encrypted their storage server farm (and most do), they have to have very powerful search, index, and retrieval functionality that knows what to do with keys and encrypted data. Compare that with a diversified manufacturer that just wants to encrypt all of its engineers' laptops and impose some modest policy requirements on their use. These are very different problems for which no one approach is the correct solution. You may source the solutions from a single vendor with a sufficiently broad product line, but you'd never deploy the same solution to address both issues.

So, from our perspective, "encryption software" is a long way from dead and, in many ways, is in the middle of its adolescence. It's no longer a child trying to find its way in the world, but neither is it a completely mature technology that can be assumed to be available and usable on a predictable basis without significant planning, implementation and reporting.