Recent data security breaches like the loss of backup tapes at Bank of America and Ameritrade are boosting the fortunes of storage security vendors such as NeoScale Systems, Decru, Vormetric and Kasten Chase.
"These public events of private data being compromised have increased the number of inquiries," says Tom Grubb, vice president of marketing at Santa Clara, Calif.-based Vormetric. "In particular, we're seeing a lot of interest from financial institutions."
"The recent breaches have been a point of crystallization for many organizations to escalate or speed approval for security projects," agrees Michele Borovac, director of marketing at Redwood City, Calif.-based Decru.
But it's not just outraged consumers and politicians driving storage security interest, vendors and analysts say. The need to secure storage under regulations such as HIPAA are also boosting sales.
"Over the past six months, we've seen a surge of interest in storage security solutions driven by the need for regulatory compliance," says Barbara Nelson, chairman and CEO of Milpitas, Calif.-based NeoScale.
Jon Oltsik, senior analyst at Enterprise Strategy Group, concurs that storage security vendors are gaining momentum. He believes the Bank of America tape loss in February gave the vendors a high-profile breach that will bolster sales and marketing efforts. Oltsik hopes that the recent attention to storage security will finally give IT users the chance to obtain much-needed funding for security products.
"I can assure you that security professionals have been screaming about these kind of vulnerabilities for years, and already recognize the value that these vendors bring," says Oltsik. "Companies need to stop talking about security and start dedicating budget dollars to address this business risk."
How Big Is The Market?
Getting an idea of the size of the storage security market and the scope of the recent upsurge is difficult, however. None of the vendors would disclose exact sales figures.
Vormetric talks about consistent quarter-over-quarter growth as measured by volume and scale of the sale. Decru cites a significant increase in the number of inbound calls, shorter sales cycles, and 70 percent to 100 percent quarter-over-quarter growth. NeoScale reports that it is about 20 percent ahead on inquiries and has a median sales cycle that is 20 percent shorter this quarter. Sales growth overall is said to be greater than 100 percent for the last three quarters.
What does this mean in dollar figures and market size? Unfortunately, no analyst firm tracks the storage security sector with the same degree of exactitude as, say, storage systems sales. Oltsik's best guest is that the entire storage security market is no more than $50 million. But that could be about to change, with many of the vendors now making bullish predictions. Prompted by recent data privacy scares, NeoScale projects the 2005 market will be at least ten times the size of the 2004 market. Now that's growth.
It seems then, that the early days of storage security evangelism may be over. By all indications, customers get it now, and many are seriously looking at how to adopt encryption and other technologies to safeguard their data.
"Customers now view encrypting sensitive data as inevitable," says Borovac. "They know they need to do it, either for internal best practices, or because the regulations are moving strongly in that direction. Breaches like ChoicePoint and B of A provide justification for doing it more quickly."
But there is still a gap between talking about storage security or testing products and companies actually purchasing the software or appliances in volume. Enterprise Strategy Group surveyed 388 storage professionals last year and found a surprisingly low number of people were securing their stored data. Only seven percent always encrypt backup tapes, and 60 percent don't encrypt backup tapes at all. Data encryption on disks, file systems, or databases is even rarer.
"While there are early adopters, most of the large financial services organizations are in RFP or pilot mode," says Borovac. "Most of these organizations have started pilot projects for encryption so they can better understand how and where to deploy this technology."
NeoScale's Nelson agrees that the finance sector has not yet taken the plunge. "From our conversations with financial institutions, we believe that the percentage is very low today but rising," she says. "Many of these customers are piloting storage security solutions, so we expect dramatic increases over the next year."
Legislation Looms Large
Predictions of dramatic growth may be hastened by legislative efforts. The California Database Breach Act (SB 1386) may be the only reason the public hears about security lapses. The law states that California residents must be notified if there is reason to believe that the security of their personal information has been breached. While SB 1386 doesn't require anyone to encrypt data, if the Bank of America tapes had been encrypted, the loss of backup tapes would not have had to be disclosed.
"There will almost certainly be further regulations on data privacy and identity theft," predictions Oltsik. "No legislative body will mandate data encryption, but this will be a more likely solution if companies must disclose security breaches more often."
Given the impact of California's SB1386, there appears to be growing support to make this a national mandate. If that happens, the likes of Decru, Kasten Chase, NeoScale and Vormetric could be in for a flood of inquires.
"All the evidence suggests that it's a question of when, not if, we'll see more legislation," says Vormetric's Grubb.
"SB 1386 gives the companies a 'get out of jail free' card if there is a data breach but the information is encrypted," says Decru's Borovac. "If the data is encrypted, the organization does not need to disclose the breach, thus preventing significant brand damage and loss of customer trust."
Nelson thinks that Congress is likely to extend the California SB 1386 legislation nationwide. And indeed, the analyst community seems to concur. Gartner, for example, has predicted that by year-end 2006, failure to encrypt credit card numbers stored in a database will be considered legal negligence in civil cases of unauthorized disclosures. Gartner has also gone on record with a prediction that by the end of 2007, 80 percent of Fortune 1000 enterprises will encrypt their most critical data.
But guessing what laws the government will enact is a little like forecasting the weather — a lot can change in a short period. Perhaps a nationwide mandate is coming, perhaps not. Nonetheless, financial institutions need not wait for a national mandate before acting.
"Given the insecurity of the entire off-site tape rotation process, tape encryption should be a minimum requirement for all financial institutions," concludes Oltsik.
For more storage features, visit Enterprise Storage Forum Special Reports