Cashing In on Cyber Crime
Sunday, 23 October 2005
Hike in high-profile cyber breaches means big bucks for database encryption firms.
It’s been a good year for cyberthugs. Some of the United States’ largest financial and retailing giants have had sensitive data swiped from their supposedly secure databases.
In March, hackers broke into CardSystems, a credit card processing company, exposing the details of 40 million credit cards. The resulting $1 billion in losses nearly put the company out of business. That same month, more than 1.5 million consumer records were stolen from databases at DSW Shoe Warehouse. And in May, Time Warner said that it had lost the personal information of 600,000 current and former employees. One month later, Citigroup said it had lost the personal information of 3.9 million customers.
These recent security breaches have made headlines alongside past incidents at ChoicePoint, Bank of America, and LexisNexis. Naturally, customers are demanding stronger security, which in turn has driven storage and database companies to scurry for solutions. At the top of the list of remedies is database encryption technology, a wrapper-like layer that surrounds and encrypts databases, making it difficult to read the information in them without access to the right keys.
Despite promising breakthroughs made in the new field by young companies like Ingrian and nCipher, experts warn that database encryption is no guarantee against wily hackers.
Still, that extra layer of security makes for a ripe market opportunity. Forrester Research estimates that the database encryption market is worth $100 million currently and could reach as high as $400 million in three years. While that may be just a fraction of an $11-billion security market, it is a significant niche that has yet to be fully exploited.
As big companies wield their clout to drive adoption of the technology, the market will only grow. Payment processing giants like Visa and Mastercard have made database encryption mandatory for merchants seeking to do business with them.
Now, enterprises are coming around to the idea of encrypting their databases. Citigroup, which lost hard copies of its records while shipping them to a credit bureau, says that it will encrypt all data in the future and send it electronically. Time Warner has made similar promises.
Such vows may give some comfort to consumers worried about identity theft, but database encryption can only do so much. Most databases store data in clear text, which means someone with access to it can read it. Database encryption tries to fix that problem by protecting data before it reaches storage systems. Think of it as a vault. Database encryption locks the data into a secure compartment and makes it impossible for anyone without the keys to open it, protecting the contents inside even if the vault is stolen. “You can try to encrypt the data in a lot of different places,” says Richard Moulds, vice president of marketing for nCipher. “The question is, where do you get the biggest bang for the buck?”
Dawn of Disclosure
It’s not just nifty new technology fueling the growth of database encryption. Regulatory and legislative factors are also driving the trend. California Senate Bill 1386, known as the Database Breach Notification Act, was signed into law in 2003. The bill requires all businesses in the state to disclose any breach of security. Fourteen other states, as well as the U.S. government, are considering similar legislation.
Collectively, these measures have forced companies to drop their veil of silence. Previously, companies could suppress any incidents of data loss; now they are required to report every case, inviting media attention and an uproar from their customers.
“Security breaches have been going on for a long time, but now new laws are forcing their disclosure,” says Karim Toubba, vice president of product management and marketing at Ingrian Networks. “The surge in the database encryption business now is because companies are looking to stay out of the headlines.”
Redwood City, California-based Ingrian is one of the many fast-growing startups vying for leadership in database encryption. In addition to other startups like nCipher in Cambridge, Massachusetts, and Protegrity in Stamford, Connecticut, the six-year-old company competes against established database giants like Oracle and Sybase and storage companies like Network Appliance. Ingrian declines to disclose its revenues, but says that it averaged quarter-on-quarter growth of 64 percent for the last four quarters.
There is a good reason for the healthy growth. Encryption itself is a commonplace technology and is available with all the off-the-shelf databases sold by Oracle and its rivals. The database encryption startups offer an add-on product that promises to lock the keys to the encrypted database away from the database itself. The advantage is that even if the database is hacked, there is no way to obtain the keys that decrypt the system. “Third-party vendors have an edge because they have their encryption keys outside the database, which offers greater security,” says Joe McKendrick, an analyst with Evans Data.
Independent database encryption solutions also offer greater flexibility in terms of who can access the data. Traditionally, database administrators have had complete authority over access to data. This single point of contact makes them a weak link in the chain, says nCipher’s Mr. Moulds. Revenues of nCipher, which is listed on the London Stock Exchange, are up 23 percent to £3.9 million ($7.2 million) for the quarter ended March 31.
“There has to be a separation of duty between those who manage the databases and those who handle the encryption of the data,” says Mr. Moulds. “Companies don’t want to put themselves in a situation anymore where one person has complete access to all information.”
Database giant Oracle says it can compete with upstarts like Ingrian and nCipher but admits that third-party solutions do score in the way their products store the keys to a database: in a separate hardware box that can self-destruct if tampered with. A pure-play software solutions provider like Oracle cannot do that. The keys in Oracle’s encryption solution are locked away in a separate software application, the Oracle Wallet.
That’s a problem that Oracle Director of Database Security Product Paul Needham says the company is considering solving through its partners. While this may be a feature that Oracle can quickly catch up with, what it cannot do is provide a product that will work in a heterogeneous network where databases from multiple vendors coexist, say analysts.
“Database vendors like Oracle have excellent encryption solutions, but the problem is that most organizations do not use just one type of database,” says Mr. McKendrick. “You need to have an encryption solution built into the middleware to work with a Sybase, an Oracle, and an SQL product, all in one system.”
While middleware may help solve one problem, it also poses another. Middleware adds to the complexity of the network and thus the task of girding it against attack. But this is something that customers will have no choice but to deal with, at least in the short term until a comprehensive solution is developed. “There is really no end-to-end solution available today that offers all the functionality that enterprises need,” says Noel Yuhanna, a senior analyst with Forrester Research. “In the next two to three years we will see a solution more focused on application and database encryption integration.”
There’s a good chance that end-to-end solutions will come from the bigger players in the segment. After all, Oracle, IBM, and Microsoft have been selling comprehensive software packages for decades. This is what they do best. Microsoft has already made a start with the upcoming release of its SQL Server 2005, which promises to have database encryption and separate the keys from the administrator.
Microsoft likes to build in-house, but other data management companies or security services providers like Computer Associates, BMC Software, and Symantec could be hunting around for acquisitions.
“You have some big public companies that have excelled in data management but don’t have much in the form of database encryption solutions,” says Mr. Yuhanna. “We see a trend of consolidation in this segment over the next few months as the market matures and grows bigger.”
For startups involved in database encryption, that spells good news. At least the string of data thefts has left a few companies with reason to cheer.