Safeboot kicks tires on data encyption as a service

With HM Revenue's lost discs still top of mind, UK security provider Safeboot claims its data encryption service will prevent this kind of disaster.

The UK arm of Safeboot, one of the world's largest security vendors, has just signed off plans to sell its data encryption software as a service via sales channel partners.

Though the new business model has been some time in preparation (Safeboot has just finished its first six-month trial), the timing couldn't have been better. Security software vendors are quietly expecting a bonanza amid the furore over HM Revenue & Customs' 25 million misplaced child benefit records.

Yet the extent of data security laxity in the UK appears to be so great that one has to wonder, should the UK's public sector collectively pull its socks up?

A data encryption service would "take away the heartache" of managing data security.
Erik Churet
Sales Director, Safeboot
The software service model is supposed to help solve this problem by concentrating scarce security resources among service providers. Indeed, part of the pitch being forwarded by Erik Churet, Safeboot sales director, is that its data encryption service would "take away the heartache" of managing data security.

Even so, this will not have Britain's data security problems fixed over night. Safeboot's service cannot grow too quickly without eating its own babies.

"You can't have that [service model roll-out] when you've got resellers because of the way the licence gets paid," says Churet.

Resellers get paid a margin on the sale of capital deals, while a software service is rented. A change in the sales model might require a change in the constituency of Safeboot's sales channel and that is not something that can be rushed.

Accordingly, Safeboot is implementing only modest plans for expansion. It has approved the model after completing a trial with 2E2, a systems integrator and provider of other software services. Churet says he'll sign another four or five software service partners and handle about 15 per cent of its licence sales through them in 2008.

Ironically, the aspect of the model that makes it difficult to implement is the one that should make it most attractive to customers. Renting the software also hands responsibility for hardware and maintenance to the supplier and allows the customer to avoid paying huge amounts from its capital budget on data security.

This has been the pitch used to sell the software service model since it was first posited in the late 90s (then known as the ASP - application service provider model). The big opportunities were always thought to be in the mid-market, among firms that could not afford to hire the specialists to handle data security internally.

Eldar Turvey, CEO of ScanSafe, which claims in 2004 to have been the first firm to supply Web traffic scanning as a service, says he started out intending to supply the mid-market, but found larger companies more open to the idea. Customers were not ready to trust outsiders to manage their software and the networks supplying mid-sized firms were not good enough.

Now the model is proven, it is growing quickly. Scansafe boasts a 180 per cent revenue increase on last year. "A record", apparently, but Turvey refuses to divulge the numbers with the explanation that his company is registered in the tax haven of Delaware.

Yet the benefits of transparency may yet become apparent to firms like ScanSafe. Tariq Saied, managing director of Redstone Managed Solutions, which has agreed to launch Safeboot's second software service trial, says that while the mid-market is now ready for the software service model, the public sector has quite suddenly become the most interesting market. It's adherence to the principle of transparency forces it to deal more forcefully with problems that the private sector prefer to keep hush-hush.

As, Saied says: "The other big area is in government - especially with what's going on recently with lost records."

Even before the HMRC gaff, things were already looking up for security software vendors. Safeboot had seen the trend like everyone else when it launched the trial of its software service last year. Likewise, Redstone launched an email scanning service in November. Security behemoth Checkpoint, meanwhile, resurrected the same mid-market sales pitch in the summer with the launch of a software service for its sales channel partners.

People high up in government departments are asking what they need to do so they aren't the next ones.
Mike Howse
Managing Director, Protegrity, UK encryption firm 
This was all done during a year-long spate of high-profile laptop thefts and losses. Encryption vendors in particular have become a good investment. Last year the Financial Services Authority (FSA) fined The Nationwide Building Society £980,000 for losing a laptop that held the confidential records of 11 million customers.

The HMRC, meanwhile, confessed to at least six other serious data losses before the House of Commons Treasury Select Committee in December. Richard Thomas, the information commissioner, told the same committee that several government departments had admitted privately to similar blunders.

The year ended with the government promising to give the information commissioner the power to make data security spot checks on public sector (but not private sector) organisations, while the commissioner is demanding more power to prosecute firms that don't do enough to protect their data. The FSA has been rattling its sabre over data security as well.

Yet the expectation that someone can wave a magic wand and solve the UK's data security must be tempered.

"People high up in government departments are asking what they need to do so they aren't the next ones," says Mike Howse, managing director of Protegrity, a UK database encryption firm. "But government is huge. Until a proper audit is done then they are not in a position to put a proper [data security] solution in place. Not enough attention has been paid to this. They need to smarten their act up."

Read more on Identity and access management products