Wednesday, July 12, 2006

A chronological take on the EMC/RSA Deal


A lot is floating around on the Internet about this $2.1Bn acquisition. Some are for it and some are against it. EMC stock has taken a hammering and the management of both companies are having to answer a lot of tricky questions. See EMC/RSA acquisition draws mixed reviews.

The main drivers for storage companies wanting to get into security (such as this acquisition) or security companies wanting to get into storage (Symantec/Veritas) are compliance and the spate of highly publicised data security breaches (as opposed to network breaches) over the last 12 months. It's that simple.

Most security efforts have traditionally focused on securing the perimeter and the network using tools such as firewalls, antivirus software and intrusion-detection systems. In future, expect to see more attention devoted to securing the data residing in storage networks, databases, servers, laptops and desktops. Why? Because hackers and insiders have started going after the "data-at-rest" and because traditional network perimeters have begun fading away as companies tie their networks with those of partners, suppliers and customers.

"Data at rest" is sitting there like a big duck waiting to get shot. And get shot it has been - and well publicised too - leading to lawsuits, stock price collapses, management getting fired, legal fines and even companies going bankrupt as a result of the fallout.

Observers of this acquisition seem to have short memories. I cannot fathom what all the fuss is about. This deal makes perfect logical sense to me - in fact I am surprised it has taken so long to happen. To justify my statement, let us take a chronological walk through the events of the last 12 months leading up to this.

We reported on this blog on 5th May 2005 that Storage managers cite security as top concern. In fact, the conjunction of information security and storage was one of the driving factors behind the previous year's acquisition of Veritas Software Corp. by Symantec Corp.

On 20th June 2005, after many high-profile data security incidents in the financial services industry started filtering through the presses, we penned a story, Storage security market is born, when NetApp acquired startup Decru for $272M. The article noted that "The move by NetApp trumps the industry in what will likely be a rush by other vendors to either buy or create their own storage security technology, an area that has been neglected up to now." Another interesting snippet was "within two years, you won't be able to have a conversation with a client about storage without talking about security." Well, that was one year ago.

On 29th July 2005 we penned an interesting story, storage security creates resurgence in mainframe technology, when IBM announced new mainframe technology to handle increasing demands in data encryption. Gartner even gave this a thumbs-up, noting that "Organizations seeking to allay security concerns should look to the IBM mainframe as one significant piece of a comprehensive approach to safeguarding corporate data."

On 12th July 2005 some 50 million US identities had been exposed to data breaches and we declared 2005: The year of the Data Breach and advised Encrypt or invite disaster.

On 10th August 2005, we blogged Publicized data security breaches rocket after revealing data from the Privacy Rights Clearing House that 61 U.S. organizations had reported exposures of personal information of more than 50 million individuals in the past 180 days. The majority of these breaches were a result of lack of encryption or proper data-at-rest protection.

We followed this up on 11th August 2005 with Cryptography enters mainstream, and it is this article that, for me, makes the most sense of the EMC/RSA deal. The expanded use of data encryption and resultant cryptography will result in an explosion in the number of cryptographic keys, and equally there will be a wider array of policies under which these keys are governed. In order to enforce security policies consistently, manage risk and comply with regulatory requirements, enterprises will need a robust, automated and centralized key management system. And this is exactly where RSA plays.

On 17th August 2005 we posted Security spending shifts, where we noted that authentication and encryption had jumped from 7 to 25% of all security projects over the last 12 months.

On 11th October I summed up the main issues of some of Dimension Data's biggest global clients at a 3-day round-table held at Sun City in South Africa (Top infosec issues for 2006). Privacy and Legislation was flagged as the #1 infosec issue likely to impact their infosec programs in 2006, and authentication and encryption as the most likely technologies deployed to address those issues.

On 1st November the encryption problem had extended to mobile devices such as phones and laptops in a very popular article we wrote called Laptops pose massive security risk.

After a few dramatic hurricanes in the US in Sept/Oct 2005, interruption of service and disaster recovery became big storage topics, leading to data replication, data backup and data transport challenges. And with these challenges came security issues associated with moving masses of data from one place to the next. This was highlighted on 28th October 2005 when we penned a posting, Data security, encryption tops user concerns.

On 15th December 2005 Databreach wrap-up reveals more shock figures showed that the data breach trend was accelerating with data taken from stolen laptops accounting for 50% of the breaches and the other 50% coming from data-at-rest breaches. Also at this time we penned Survivors guide to 2006 with Data Protection sitting at top spot.

On 3rd January, in ComputerWorld 2006 security predictions, "Securing Data" landed up at #4 spot. This also appeared in Dimension Data's Predictions for 2006. On 11th January 2006 EU data security failings highlighted that only 25% of companies listed corporate data as an asset on their balance sheets and most EU organisations were erroneously focussing their efforts on the network as opposed to the data.

So what do EMC get? They get the RSA brand, which is very strong in security circles. They get authentication technology. They get Public Key encryption libraries. And finally they get key management technology. The first fruits of this deal have already been announced today in EMC plans native encryption on storage arrays.

So there you have it. It all makes perfect logical sense why EMC would want to buy RSA. In fact I will bet that Symantec was in the bidding war for RSA too. But we will never find that out, will we?

Scott Crawford sums it up nicely in his July 2006 Network/Systems Management Newsletter from ComputerWorld titled: The "experts" don't get the EMC/RSA union: "As it was, the ill-informed reaction of the market made its shortsighted disappointment look more like we still haven't learned anything from the day-trader mentality of the late '90s - and even less from the information security breaches of the past several months."

I couldn't agree more!

CATEGORIES: 1opinion, 1encryption, 1storage, 1aquisition