PKWARE Looks to Ease the Pain of Application Encryption with Smartcrypt

451 RESEARCH REPRINT

REPORT REPRINT

PKWARE looks to ease the pain of application encryption with Smartcrypt GARRETT BEKKER 05 FEB 2016 The company’s new Smartcrypt attempts to provide the best of both worlds, with application-level encryption that eliminates the usual complexity of doing encryption and key management higher up the stack – or ‘PKI minus the headache.’

THIS REPORT, LICENSED EXCLUSIVELY TO PKWARE, DEVELOPED AND AS PROVIDED BY 451 RESEARCH, LLC, SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELY INTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR REPOSTED, IN WHOLE OR IN PART, BY THE RECIPIENT, WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH.

You would have to be living under a rock to have not noticed the dramatic rise in data breaches over the past few years. As a result, we have seen growing interest in products and services focused specifically on securing data, including data classification, data loss prevention (DLP), encryption and tokenization. However, as with most areas of security, there is an implicit tradeoff – as you move up the scale toward greater security, the complexity and cost of implementing that level of security increase accordingly. With respect to encryption specifically, at the disk or storage layer it is fairly straightforward, but provides little protection against modern threats such as insider attacks, hijacked privileged credentials or vulnerabilities in applications. Performing encryption at the application layer can help secure against a wider range of threats, but may also require extensive changes to applications and workflows. PKWARE is attempting to provide the best of both worlds with its new Smartcrypt offering, which is intended to provide application-level encryption that eliminates the usual complexity, or what can be thought of as ‘PKI (public key infrastructure) minus the headache.’

THE 451 TAKE Despite the growing need for approaches that go beyond traditional network- and endpoint-based defenses, complexity has remained a significant barrier to more widespread adoption of data security, particularly encryption. In that spirit, we applaud PKWARE’s efforts to help reduce some of the traditional friction associated with broader use of encryption, specifically with respect to key management and exchanging data securely with external parties. Still, Smartcrypt is not fully transparent, and some integration work may be required, although PKWARE is hoping Smartcrypt will help minimize the unavoidable challenges of doing application-level encryption. And to the extent that Smartcrypt can serve as an alternative to tokenization, we also see the potential to address data sovereignty use cases in light of the attention being paid to the expiration of Safe Harbor agreements between the US and EU, and other data-privacy regulations across the globe.

CONTEXT PKWARE offers a full suite of file-compression and -encryption products that span a variety of devices and deploy- ment models, including desktops, mobile devices, servers and mainframes. The company was founded in 1986 by the late Phil Katz, the inventor of PKZIP compression (and the ‘PK’ of PKWARE). CEO Miller Newton joined the company in 2009 after serving as CEO of Netkey, Lavastorm Analytics and Monster.com (now Monster World- wide). PKWARE is headquartered in Milwaukee, with offices in New York, London and Ohio, and approximately 70 employees. PKWARE claims to have more than 35,000 customers globally, including more than 200 government entities. Although the company doesn’t disclose financial information, we estimate revenue to be comfortably in the eight-digit range. PKWARE has raised an undisclosed amount of private equity funding from Montreal-based Novacap and Chicago-based Maranon Capital. PRODUCTS PKWARE’s initial reputation was forged largely by its flagship PKZIP compression software for the consumer market. In the early 2000s, the company introduced its SecureZIP strong encryption product for enterprise customers, and in 2013 launched Viivo, an encryption offering for cloud resources (initially Dropbox) targeting the consumer/’prosumer’/SMB markets with heavily cloud-focused features. Viivo was significant in that, unlike SecureZIP, which achieved separation of duties by having key management handled by external third parties (including X.509-based certificate authorities like Symantec’s PGP offering), -Vi ivo was a test case for combining key management and encryption in a single offering. The newest member of the PKWARE family, Smartcrypt, is an agent-based application-layer encryption offering for both structured and 451 RESEARCH REPRINT

unstructured data that blends the features of SecureZIP Enterprise with Viivo, particularly with respect to key management. Smartcrypt has three main components: a Smartcrypt app that must be installed on the protected device (database, file server, etc.) for client-side encryption; a management console that handles policy creation and management, as well as key management; and an SDK that allows developers to integrate Smartcrypt’s encryption and key management directly into existing enterprise applications for use with unstructured data. The Smartcrypt agent supports a variety of operating systems: Solaris, HP-UX, RHEL, AIX and Windows Server. Since the Smartcrypt app is installed at the application layer and not the file-system layer, the encryption is persistent – each file is encrypted individually, and protection travels with the file, regardless of its location, and can only be de- crypted by users on authorized devices. PKWARE also claims the data is less likely to be corrupted by OS upgrades and patches. However, since encryption is done higher up the application stack, it’s no longer transparent to applications – enterprise customers will still have some work to do integrating Smartcrypt with existing applications, although without having to create separate crypto libraries or key-escrow systems. One interesting feature is what PKWARE calls ‘Smartkeys,’ which are unique keys generated by the Smartcrypt app for each specific asset – a file, file share or entire folder. The Smartcrypt app is also responsible for exchanging the necessary keys with authorized parties, rather than relying on lists of authorized recipients that require re- encryption of the data every time the list changes, and that have served as a barrier to more widespread adoption of application-level encryption. If the access list changes, Smartcrypt can just re-encrypt the key material rather than the data itself, which helps improve performance, but also provides the ability to easily revoke access to a data set if someone leaves the company, or if data is accidentally leaked outside the company. The Smartcrypt key management server is typically deployed on-premises, and handles exchanging keys among authenticated devices and collaborators. Smartcrypt can also enable auditors and IT teams to decrypt data for compliance efforts, as well as allow other security devices – such as DLP scanners – to decrypt and inspect traffic. For sharing data with external parties, however, PKWARE has a cloud-based component that will serve as a ren- dezvous point for exchanging public keys with external identity repositories. PKWARE’s key management server runs on AWS in the US, so customers with AWS accounts also have the option of standing up the key management server in other regions. STRATEGY At a high level, one of the overall goals with Smartcrypt was to allow companies to make more extensive use of data protection – particularly further up the application stack, where most vulnerabilities and attacks occur – while minimizing the usual impact to both users and business processes that comes with application-layer security. One of the primary use cases for Smartcrypt is to enable the secure exchange of data with external parties without the usual headaches of managing public and private keys in a PKI-based system, which frequently results in users de- faulting to simple passwords out of sheer frustration. An added benefit is the ability to search, classify and inspect encrypted data, as well as allow for inspection by DLP and other security tools. Smartcrypt can also leverage PKZIP to compress traffic prior to encryption, to help offset potential performance impacts and speed up file transfers. In terms of go-to-market strategy, while there are some greenfield opportunities for cloud migrations and encrypt- ing data in cloud resources – Smartcrypt can integrate with Microsoft Office and Outlook, as well as file-sharing services like Microsoft OneDrive and Dropbox – we suspect much of the opportunity will be with existing customers. PKWARE has therefore designed Smartcrypt to be both length- and format-preserving, to help customers with legacy data such as driver’s licenses, credit card numbers and Social Security numbers that need to be secured without breaking referential integrity – or the application itself. Smartcrypt can also be viewed as an alternative to tokenization, and with interest in the latter rising thanks to data- sovereignty concerns and the expiration of Safe Harbor agreements between the US and EU, emphasizing Smart- crypt’s utility for data-sovereignty use cases would be a logical move. Tokenization has its drawbacks, particularly with respect to the latency that can be introduced by performing lookups in a token database (a challenge that some newer forms of tokenization, such as ‘stateless tokenization,’ are addressing). Still, for certain regional data- privacy regulations outside the US, tokenization is required because it eliminates the deterministic mathematical relationship between ciphertext and the original data that, at least in theory, could be used to reverse-engineer the crypto and restore the original data. While Smartcrypt could be an interesting alternative to tokenization, adding a tokenization offering could help PKWARE address a broader set of use cases. 451 RESEARCH REPRINT

In terms of pricing, customers will have several options for purchasing Smartcrypt, including on a per-user basis, starting at a five-device minimum, at $79 per Mac or Windows desktop and $13 per Android or iOS mobile device. Server pricing will start at $2,500 per instance for up to 25 servers, with volume discounts for higher server counts. COMPETITION While the list of vendors providing some form of encryption is lengthy, the field narrows significantly when con- sidering those that cover a broad range of use cases, such as PKWARE. Smartcrypt is architecturally similar to Microsoft’s Enterprise Data Protect, and Microsoft’s dominant presence at the OS layer – and with Active Directory, as well as its cloud presence with Azure and Office 365 – puts it in a position to solve a lot of data-security prob- lems without the help of third-party partners. Microsoft has also signaled its renewed attention to security with the recent acquisitions of Aorato, Adallom and Secure Islands, and could become a major force in cloud security. Other data-security vendors with a broad range of encryption options include pure plays such as Vormetric (in the process of being acquired by Thales e-Security for $400m) and Gemalto (SafeNet), as well as Sophos, Symantec (PGP) and CloudLink (acquired by EMC).

SWOT ANALYSIS

STRENGTHS WEAKNESSES The ability to limit the friction of securely Recipients will need to install the client app exchanging data with external parties, up- to view protected files. Some customers may date keys and access lists without re-encryp- still prefer a tokenization option for certain tion, and reduce the impact on application compliance/data-sovereignty use cases. It performance and business processes should could use some help on the reporting side, collectively ease the adoption burdens of although PKWARE will likely rely on partners. application-layer encryption.

OPPORTUNITIES THREATS With the expiration of Safe Harbor agree- As IT continues to transition away from leg- ments between the EU and US, data residen- acy on-prem resources, one of the primary cy has become a huge issue. As an alternative threats to third-party security vendors may to tokenization, Smartcrypt could find some come from solutions provided natively by traction with global and non-US customers cloud, big-data and IoT providers such as facing data-sovereignty use cases. AWS, Microsoft, Salesforce or Box.