PKWARE Looks to Ease the Pain of Application Encryption with Smartcrypt
Total Page:16
File Type:pdf, Size:1020Kb
451 RESEARCH REPRINT REPORT REPRINT PKWARE looks to ease the pain of application encryption with Smartcrypt GARRETT BEKKER 05 FEB 2016 The company’s new Smartcrypt attempts to provide the best of both worlds, with application-level encryption that eliminates the usual complexity of doing encryption and key management higher up the stack – or ‘PKI minus the headache.’ THIS REPORT, LICENSED EXCLUSIVELY TO PKWARE, DEVELOPED AND AS PROVIDED BY 451 RESEARCH, LLC, SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELY INTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR REPOSTED, IN WHOLE OR IN PART, BY THE RECIPIENT, WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH. ©2016 451 Research, LLC | WWW.451RESEARCH.COM 451 RESEARCH REPRINT You would have to be living under a rock to have not noticed the dramatic rise in data breaches over the past few years. As a result, we have seen growing interest in products and services focused specifically on securing data, including data classification, data loss prevention (DLP), encryption and tokenization. However, as with most areas of security, there is an implicit tradeoff – as you move up the scale toward greater security, the complexity and cost of implementing that level of security increase accordingly. With respect to encryption specifically, at the disk or storage layer it is fairly straightforward, but pro- vides little protection against modern threats such as insider attacks, hijacked privileged credentials or vulnerabilities in applications. Performing encryption at the application layer can help secure against a wider range of threats, but may also require extensive changes to applications and workflows. PKWARE is attempting to provide the best of both worlds with its new Smartcrypt offering, which is intended to provide application-level encryption that eliminates the usual complexity, or what can be thought of as ‘PKI (public key infrastructure) minus the headache.’ THE 451 TAKE Despite the growing need for approaches that go beyond traditional network- and endpoint-based defenses, complexity has remained a significant barrier to more widespread adoption of data secu- rity, particularly encryption. In that spirit, we applaud PKWARE’s efforts to help reduce some of the traditional friction associated with broader use of encryption, specifically with respect to key manage- ment and exchanging data securely with external parties. Still, Smartcrypt is not fully transparent, and some integration work may be required, although PKWARE is hoping Smartcrypt will help minimize the unavoidable challenges of doing application-level encryption. And to the extent that Smartcrypt can serve as an alternative to tokenization, we also see the potential to address data sovereignty use cases in light of the attention being paid to the expiration of Safe Harbor agreements between the US and EU, and other data-privacy regulations across the globe. CONTEXT PKWARE offers a full suite of file-compression and -encryption products that span a variety of devices and deploy- ment models, including desktops, mobile devices, servers and mainframes. The company was founded in 1986 by the late Phil Katz, the inventor of PKZIP compression (and the ‘PK’ of PKWARE). CEO Miller Newton joined the company in 2009 after serving as CEO of Netkey, Lavastorm Analytics and Monster.com (now Monster World- wide). PKWARE is headquartered in Milwaukee, with offices in New York, London and Ohio, and approximately 70 employees. PKWARE claims to have more than 35,000 customers globally, including more than 200 government entities. Although the company doesn’t disclose financial information, we estimate revenue to be comfortably in the eight-digit range. PKWARE has raised an undisclosed amount of private equity funding from Montreal-based Novacap and Chicago-based Maranon Capital. PRODUCTS PKWARE’s initial reputation was forged largely by its flagship PKZIP compression software for the consumer market. In the early 2000s, the company introduced its SecureZIP strong encryption product for enterprise cus- tomers, and in 2013 launched Viivo, an encryption offering for cloud resources (initially Dropbox) targeting the consumer/’prosumer’/SMB markets with heavily cloud-focused features. Viivo was significant in that, unlike SecureZIP, which achieved separation of duties by having key management handled by external third parties (including X.509-based certificate authorities like Symantec’s PGP offering), -Vi ivo was a test case for combining key management and encryption in a single offering. The newest member of the PKWARE family, Smartcrypt, is an agent-based application-layer encryption offering for both structured and 451 RESEARCH REPRINT unstructured data that blends the features of SecureZIP Enterprise with Viivo, particularly with respect to key man- agement. Smartcrypt has three main components: a Smartcrypt app that must be installed on the protected de- vice (database, file server, etc.) for client-side encryption; a management console that handles policy creation and management, as well as key management; and an SDK that allows developers to integrate Smartcrypt’s encryption and key management directly into existing enterprise applications for use with unstructured data. The Smartcrypt agent supports a variety of operating systems: Solaris, HP-UX, RHEL, AIX and Windows Server. Since the Smartcrypt app is installed at the application layer and not the file-system layer, the encryption is persistent – each file is encrypted individually, and protection travels with the file, regardless of its location, and can only be de- crypted by users on authorized devices. PKWARE also claims the data is less likely to be corrupted by OS upgrades and patches. However, since encryption is done higher up the application stack, it’s no longer transparent to ap- plications – enterprise customers will still have some work to do integrating Smartcrypt with existing applications, although without having to create separate crypto libraries or key-escrow systems. One interesting feature is what PKWARE calls ‘Smartkeys,’ which are unique keys generated by the Smartcrypt app for each specific asset – a file, file share or entire folder. The Smartcrypt app is also responsible for exchanging the necessary keys with authorized parties, rather than relying on lists of authorized recipients that require re- encryption of the data every time the list changes, and that have served as a barrier to more widespread adoption of application-level encryption. If the access list changes, Smartcrypt can just re-encrypt the key material rather than the data itself, which helps improve performance, but also provides the ability to easily revoke access to a data set if someone leaves the company, or if data is accidentally leaked outside the company. The Smartcrypt key management server is typically deployed on-premises, and handles exchanging keys among authenticated devices and collaborators. Smartcrypt can also enable auditors and IT teams to decrypt data for compliance efforts, as well as allow other security devices – such as DLP scanners – to decrypt and inspect traffic. For sharing data with external parties, however, PKWARE has a cloud-based component that will serve as a ren- dezvous point for exchanging public keys with external identity repositories. PKWARE’s key management server runs on AWS in the US, so customers with AWS accounts also have the option of standing up the key management server in other regions. STRATEGY At a high level, one of the overall goals with Smartcrypt was to allow companies to make more extensive use of data protection – particularly further up the application stack, where most vulnerabilities and attacks occur – while minimizing the usual impact to both users and business processes that comes with application-layer security. One of the primary use cases for Smartcrypt is to enable the secure exchange of data with external parties without the usual headaches of managing public and private keys in a PKI-based system, which frequently results in users de- faulting to simple passwords out of sheer frustration. An added benefit is the ability to search, classify and inspect encrypted data, as well as allow for inspection by DLP and other security tools. Smartcrypt can also leverage PKZIP to compress traffic prior to encryption, to help offset potential performance impacts and speed up file transfers. In terms of go-to-market strategy, while there are some greenfield opportunities for cloud migrations and encrypt- ing data in cloud resources – Smartcrypt can integrate with Microsoft Office and Outlook, as well as file-sharing services like Microsoft OneDrive and Dropbox – we suspect much of the opportunity will be with existing custom- ers. PKWARE has therefore designed Smartcrypt to be both length- and format-preserving, to help customers with legacy data such as driver’s licenses, credit card numbers and Social Security numbers that need to be secured without breaking referential integrity – or the application itself. Smartcrypt can also be viewed as an alternative to tokenization, and with interest in the latter rising thanks to data- sovereignty concerns and the expiration of Safe Harbor agreements between the US and EU, emphasizing Smart- crypt’s utility for data-sovereignty use cases would be a logical move. Tokenization has its drawbacks, particularly with respect to the latency that can be introduced by performing lookups in a token database (a challenge that some newer forms of tokenization, such