Part of my role as senior director of marketing here at Vormetric is to handle analyst relations. In this role, I try to be an effective conduit between the analyst community and our customer and prospect base. This includes sharing analysts’ findings with our customers. Toward that end, I’m very pleased to share some of the key findings from a report recently written by Garrett Bekker, a senior analyst with 451 Research.
The report offers a current analysis of our recent product releases, including the solutions offering tokenization with dynamic data masking, Teradata support, and, most recently, cloud encryption gateway capabilities. The report also offers analysis of the Vormetric Data Security Platform strategy. Before you read this blog further, I’d encourage you to download and review the report, which is titled “Vormetric enters encryption gateway fray with latest extension to its platform strategy.”
The report provides an accurate, current look at our platform and vision. It is also objective, which means there’s a candid look at both the positives and negatives. The report includes a SWOT (strengths, weaknesses, opportunities, threats) analysis, and I thought it would be good to feature each of these findings and comment on them.
In assessing our strengths, here’s what Bekker wrote: “With its platform strategy, Vormetric has quietly assembled one of the broadest data-protection portfolios on the market, and now can address most use cases across on-premises, cloud and big-data environments.” (Source: 451 Research, “Vormetric enters encryption gateway fray with latest extension to its platform strategy,” Garrett Bekker, April 13, 2015, page 5)
We’re extremely pleased to get this kind of recognition from an industry expert. This commentary represents a strong validation of both our strategy and our execution over the past couple of years.
After evaluating our solutions, here’s how Bekker described our weaknesses: “Though its platform strategy has come a long way in the past year, the company's portfolio still lacks some advanced features such as FPE, encryption for more complex SaaS apps, stateless tokenization, and static data masking, some of which we expect it to address in future releases.” (Source: 451 Research, “Vormetric enters encryption gateway fray with latest extension to its platform strategy,” Garrett Bekker, April 13, 2015, page 5)
Bekker accurately lists some specific capabilities that are not currently available through the Vormetric Data Security Platform, and I’d like to discuss each in a little detail.
Format Preserving Encryption (FPE)
While it is technically feasible for our platform to support FPE, we have yet to make this capability a priority for a few reasons:
- Strong alternatives. FPE is effectively a way to retain a field’s formatting characteristics, while removing the original value. As a result, this approach offers benefits in cases in which it isn’t possible, or it is too costly or complex, to change the format of a database field. Tokenization is another approach that offers this same benefit. Like tokenization, FPE is often of interest to security teams looking to safeguard fields like credit card numbers and Social Security numbers. However, unlike tokenization, FPE still represents the actual value, and theoretically, FPE could be reversed if the database is stolen. Therefore, while employing tokenization can remove a database from audit scope, FPE may not. Consequently, delivering support for tokenization, which we announced in February, looked to be the stronger approach.
- Lacking support of standards bodies. FPE isn’t a broadly accepted standard in the industry at this point. NIST is currently evaluating FPE, but the organization has yet to issue an approved standard.
- Limited customer demand. Thus far, the customers and prospects we’ve been working with haven’t listed this as a priority. Many say they’re hesitant to deploy a non-standard approach, but that can change depending on what the NIST committee has to say.
Support for “Complex” SaaS Applications
I recently published a post announcing the Vormetric Cloud Encryption Gateway. The initial release of this offering was focused on cloud storage solutions, namely Amazon S3 and Box, but, as Bekker explains, it doesn’t support such SaaS applications as Salesforce.com.
We opted to focus on cloud storage with this initial release for some very good reasons. Most importantly, over 1,500 customers currently rely on Vormetric to secure their data—much of it unstructured. Increasingly, it is this unstructured data that is moving into cloud storage environments, and our customers want to retain control over this data after it leaves their premises. The Vormetric Cloud Encryption Gateway represents a natural extension to our platform that enables customers to do just that.
While several other vendors offer bolt-on gateway encryption products, what we’re hearing from customers is that they aren’t working out all that well. Further, when customers leverage these point-solution approaches, they’re finding these tools represent another security silo that adds even more work and complexity to their jobs.
It is worth mentioning, the Vormetric Cloud Encryption Gateway has been designed to be highly extensible. The solution features Vormetric Security Blades that will enable support of additional cloud services. Our engineers are working hard on adding new services and we are in discussions with a number of SaaS providers to explore how we can provide support for additional cloud offerings. We’re convinced that there are better approaches than the current bolt-on approaches and we will continue to focus on enabling our customers to address security and compliance objectives in the cloud—and to do so in the most efficient, scalable, and operationally sound way.
As Bekker points out, stateless tokenization is also a capability we don’t currently support. There are different ways of enabling stateless tokenization; one approach is to use FPE, and we are exploring this and other options. Stateless approaches don’t require a token vault, which can offer some scaling advantages. However, like FPE, these solutions may not remove data from audit scope because they are reversible, so they are limited in their use case support.
Static Data Masking
Data masking is another way to de-identify sensitive records. Our tokenization solution features dynamic data masking, which is the process of applying a mask to a portion of a field before it is furnished to a user, according to an organization’s access policies. Static data masking, as the name implies is more persistent, and it is typically done to a set of columns in an entire database, for example, before it is copied and saved into a testing environment. At this time, static data masking is an offering that we are seriously evaluating.
Here’s Bekker’s take on our opportunities: “As cloud and big data make further inroads into the enterprise, the need to protect data wherever it lives will increase accordingly. We view Vormetric as being the most competitive with mid- to large-sized enterprises with heterogeneous environments that need to protect data across a wide variety of architectures and use cases.” (Source: 451 Research, “Vormetric enters encryption gateway fray with latest extension to its platform strategy,” Garrett Bekker, April 13, 2015, page 6)
Here again, we’re heartened by the analyst’s findings. We’ve set out to deliver a central platform that can help customers address data-at-rest security requirements across a range of environments. We’re encouraged that this approach is helping us gain distinction and recognition in the market.
Here’s how Bekker assessed the competitive landscape we face: “One of the biggest threats faced by all providers of third-party data protection may come from cloud and big-data vendors that have or may elect to provide their own native encryption and key management. While native offerings may be a useful starting point for customers beginning their cloud journey, we believe that organizations with heterogeneous infrastructure will be better served over the long term by third parties that can provide centralized management of encryption keys and security policy administration.” (Source: 451 Research, “Vormetric enters encryption gateway fray with latest extension to its platform strategy,” Garrett Bekker, April 13, 2015, page 6)
I find this analysis spot on. We’ve been hearing a common theme from our customers that echoes this point: Using limited point security tools for each specific technology or service won’t be sustainable in the long term. Sensitive data simply resides in too many places and across too many technologies. That’s why having a unified platform that enables protection of sensitive data in a broad range of environments, while also enabling central key and policy management, is becoming such an imperative—and it’s one we uniquely address.
Conclusion: Your Input Welcome
Again, be sure to download the report, entitled “Vormetric enters encryption gateway fray with latest extension to its platform strategy,”
In addition, if you have any input on the commentary above, particularly around the weaknesses Bekker noted, please let us know. As our roadmap for product development have been, and will continue to be made, based on our customers’ input, we are always interested in hearing more from our customers. If you’re interested in employing encryption in additional SaaS environments, or you’d like to see us deliver capabilities for FPE, stateless tokenization, or static data masking, please do let us know by emailing us at firstname.lastname@example.org.