Updated January 3, 2013

National Credit-reporting System, Inc. (NCS), a full-service consumer reporting agency specializing in income, identity, and credit intelligence, announced today that it has partnered with eSignSystems, a division of Wave Systems Corp. (WAVX), to provide a full suite of eSigning, eDelivery, and eVaulting solutions.

The move by NCS anticipates the IRS' January 7 acceptance of electronic signatures on 4506-T forms, which are used by lenders, insurers, and healthcare firms to obtain tax transcripts for consumer and business income verification. In addition to allowing lending customers who use the company’s TRV (R) Services to move the signing and management of their loan origination documents online, the solution will open the door for NCS to serve customers in other sectors, such as insurance and healthcare. For complete details about these announcements:

Updated December 2012

eSignSystems, a division of Wave Systems Corp., recently announced that CoreLogic® has launched AuthoSign™, a comprehensive electronic document management and signing capability built upon eSignSystems technology. AuthoSign is a custom deployment of eSignSystems' SmartSAFE electronic signing and management software that has been integrated directly into IntelliMods™, a complete loan modification decisioning solution from CoreLogic. CoreLogic is a leader in providing comprehensive data, analytics and services to financial services and real estate professionals.

CoreLogic provides tremendous time and cost savings through its automated and customizable loan modification decisioning and delivery solution. IntelliMods from CoreLogic can upload a single loan or an entire loan portfolio within minutes to qualify loan modifications, output documents, and send them to the borrower. This presents significant cost savings for the mortgage banking industry, which has completed more than 5.82 million permanent loan modifications since 2007 as reported by HOPE NOW.

The AuthoSign integration with IntelliMods shortens the loan modification process by several days, and even weeks, for significant time and cost savings over traditional paper-based loan modification decisioning systems. Additionally, AuthoSign tracks and creates action alerts for each individual participating in the mortgage process and hosts the entire signing ceremony online. Every transaction is logged for retrieval by IntelliMods, ensuring comprehensive tracking of every user and signer's activity within AuthoSign. Additionally, management of the entire process is even easier with the detailed tracking, compliance and alerts. This simplifies and speeds up the loan modification process, and keeps all stakeholders informed on the status of the loan modification decisioning and signings.

"CoreLogic is committed to increasing quality and reducing cost and turnaround time for our clients," said Sapan Bafna, Senior Director at CoreLogic. "By including the eSignSystems' technology as part of CoreLogic IntelliMods, we can offer our customers an easy to use and secure electronic SigningRoom. Plus, AuthoSign tracks electronic documents throughout their lifecycle, and creates an enforceable, legally-binding electronic record."

Maintaining an electronically signed record is essential to the integrity of a legally binding transaction. With AuthoSign, all records are verified and authenticated from eDelivery through eSignature and eRetention. This ensures that the access or signing credential (i.e., digital certificate, username or password) is verified and that the records remain free from tampering. Additionally, AuthoSign continuously updates the status of the loan modification's execution for real-time reporting.

AuthoSign also supports signer access to electronically signed documents as required by the ESIGN act. To meet the ESIGN act's legal and compliance requirements, users may access and print certified copies, while the actual archived, eSigned document is left untouched. Authorized individuals can manage, search, transfer and share electronic files, signed or unsigned, via the Web. All records are available to all interested parties in a secure and compliant environment.

"With the Treasury Department requiring a Single Point of Contact for all loan modifications, AuthoSign provides IntelliMods with a secure and compliant tool to manage, track and execute every aspect of the loan modification process, with audit trails from the beginning to the end of the transaction," said Kelly Purcell, EVP of eSignSystems. "CoreLogic even broke new ground as the first integrator to utilize a powerful new PDF text tagging feature of the SigningRoom, which expands their customers' ability to effectively identify and sign within PDF documents."

By integrating eSignSystems SmartSAFE technology into the IntelliMods loan modification decisioning solution, CoreLogic is providing better security and privacy for all parties involved in the transaction. In addition, traditional document transportation and storage costs are reduced dramatically, and the cycle time of loan modification is reduced by days or even weeks.

Wave Systems also recently announced that Scrambls for Enterprise ( ) was launched, giving organizations a means for their employees to safely collaborate over social media sites like Twitter® ( and Facebook ( ), and share files with cloud services like Dropbox™ ( and® ( Scrambls protects data that is often overlooked in corporate security initiatives – information shared online via social media, files stored in the cloud and data in motion.

Employees are free to leverage existing social media infrastructures to enter status updates, Tweets, blog posts, files and more, without jeopardizing security or pr

ivacy. Scrambls for Enterprise encrypts data before it ever leaves a user’s computer or smartphone. Posts and files can only be viewed by those the enterprise grants permission to—everyone else sees scrambled text.

“Social media and cloud services are expanding the way business is done, but enterprises need greater control of the information they share across the public web,” commented Steven Sprague, scrambls co-creator and CEO of Wave Systems. “These services are often self-discovered by employees who use them to share critical information. Enterprises need to take responsibility for this new flow of data, and scrambls provides the privacy, security and audit controls similar to what you’d see with corporate email accounts.”

The power of scrambls lies in the permissions granted to group members. To read a post or descramble a file, the service automatically applies the permission to make it readable again for only those individuals granted access. Business administrators set the policy and manage the groups. Add or remove people from the groups at any time to change who can read messages and files, even after they’ve been published on the web.

“Scrambls can open up new business opportunities with use cases for every type of vertical market,” continued Sprague. “In healthcare, a private and protected channel for communication leads to better care and service. It’s easy for doctors, social workers and caregivers to have sensitive discussions about the care of a family member in real time using popular tools like Twitter or Facebook. Those conversations remain private with scrambls.”

For complete details about these announcements:

For Wave Webcasts and Presentations:

For the Wave Blog:

For Wave Solutions:

For Wave Products:

For our exclusive interview with Mr. Steven Sprague, CEO and President of Wave Systems:

See Wave’s “White Paper" Network Security: How to Defend an Infinitely Expanding Frontier:

For more information: NASDAQ: WAVX

Updated October 25, 2012

Wave Systems Corp. ( NASDAQ: WAVX ) is delivering secured, verified access to networks leveraging Microsoft DirectAccess by protecting credentials in hardware. This functionality allows organizations running Windows 7 (and soon Windows 8) to enable Microsoft's DirectAccess in place of a conventional virtual private network -- and to do so without fear of credential theft. DirectAccess eliminates the need for users to input their name and password to connect to the network -- so it becomes much harder to steal them.

Microsoft is making modern access control one of the key pillars in its soon-to-be-released Windows 8 operating system, with provisions that allow for machine and user ID hardware-protected certificates for user authentication for remote access and strong machine network authentication.

But enterprises don't have to wait for Windows 8 deployment -- Wave is delivering modern access control today on Windows 7 as well, playing a central role in providing a better user experience and authenticated access to networks that identify devices issued by the organization.

"DirectAccess and securing credentials within the TPM lay the groundwork for a new enterprise security model based on device identity," said Wave CEO Steven Sprague. "One of the biggest advantages from a security standpoint is that the user can only access the network from a device authorized by the company, because now IT can control which machines are allowed network access."

Corporate security that makes device ID the cornerstone of its policy puts the responsibility for security out of the hands of the user and into the hands of the enterprise.

"The user has no knowledge of device authentication credentials, and that effectively eliminates the problem of phishing or social engineering hacks that trick the user into inputting access information," Mr. Sprague continued. "With Wave, customers have the full support for machines running Windows 7, and soon Windows 8, to modernize their network architecture to one based on device identity."

Through the use of Wave's ERAS, IT can deploy domain credentials to the Trusted Platform Module (TPM), a security chip on the motherboard of most PCs. This step simplifies the deployment process, and adds security for the credential, as TPM-secured credentials are immune to many well-known attacks.

In addition to offering greater security for DirectAcces, ERAS help protect credentials for networks running Cisco or Juniper network remote access solutions.

The latest version of ERAS (2.9) is set for release later this quarter. ERAS 2.9 supports Windows 7 and will support Windows 8.

For complete details about this announcement:

For Wave Webcasts and Presentations:

For the Wave Blog:

For our exclusive interview with Mr. Steven Sprague, CEO and President of Wave Systems:

See Wave’s “White Paper" Network Security: How to Defend an Infinitely Expanding Frontier:

For more information: NASDAQ:WAVX

Updated September 11, 2012

Wave Systems Corp. announced the general availability of Wave Endpoint Monitor (WEM), the only solution that detects malware by leveraging capabilities of an industry standard security chip onboard the PC. WEM provides increased visibility into endpoint health to help protect enterprise resources and minimize the potential cost of advanced persistent threats such as rootkits.

Rootkit attacks are particularly harmful in their ability to hide in host systems, evade current mainstream detection methods (such as anti-virus programs or whitelisting at the operating system level) and their capacity to replace legitimate IT system firmware. Such attacks occur before the operating system (OS) loads, targeting the system BIOS and Master Boot Record (MBR), and can persistently infect higher-level system functions including operating systems and applications.

"APTs facing enterprises today are more complex, nefarious and sophisticated than ever before," said Richard Stiennon, Chief Research Analyst at IT-Harvest and author of Surviving Cyberwar. "Malware hiding in a device's BIOS will go undetected by traditional anti-virus programs operating at the OS level, creating a strong need for a solution that can identify an attack as it happens. Because Wave's approach is rooted in hardware-based technologies, rootkits and other malware can be spotted before the OS even starts." More .

Updated August 15, 2012

Wave Launches Cloud-Based Management for Self-Encrypting Drives. For complete information: .

Updated July 31 by Michael Sprague

When we introduced scrambls to Security Matters readers, we discussed the need for greater control over what we post online, and to social networks in particular. Social networks have become a primary communication channel for today’s social as well as business conversations, and Wave believes no one should have to sacrifice control over the information we post online—we need a better alternative to protect our data, and a stronger means to achieve social media privacy and security.

Read More

Updated July 25, 2012

Wave Systems Corp. announced today that it has signed a Basic Ordering Agreement (BOA) with the NATO Communications and Information Agency (NCI Agency). The BOA provides the framework for all 28 member countries (which includes the United States European Command (EUCOM) United ) to access Wave’s complete portfolio of trusted computing security solutions. Under the agreement, Wave is entitled to compete on bids pertaining to the company’s areas of expertise.

A BOA is the primary part in a two-stage contracting procedure, whereby the contract is negotiated and placed with a supplier for specific types of products. It serves as a written instrument of understanding, negotiated between the NCI Agency and Wave, that includes terms and clauses applicable to future task order awards, a description of supplies or services to be provided and methodology for pricing, issuing and delivering future task orders.

“Cyberspace is the arena for 21st century warfare. Hackers are intent on infiltrating networks and stealing sensitive data, and no country within NATO is immune to these threats,” commented Steven Sprague, Wave’s CEO. “Trusted computing offers the best and most cost-effective defense against data theft and can help detect and mitigate threats posed by a new class of advanced persistent threats. Signing this agreement makes it easier for the entire NATO community to directly access Wave’s trusted computing solutions, while giving Wave an opportunity to respond to RFPs related to our area of expertise in a timely and efficient manner.” For complete details about this announcement:

Updated July 23, 2012

Wave Systems Corp. announced that it has signed a worldwide distribution agreement with Lenovo, the world's second-largest PC company, under which Lenovo will offer Wave's security solutions on a resale basis and through its channel partners.

"Wave is honored to continue and expand its relationship with Lenovo, one of the pre-eminent PC manufacturers in the world," said Steven Sprague, CEO of Wave Systems. "While Lenovo has long been one of our supporting OEMs -- for years procuring Wave software through our distribution partners -- this agreement gives Lenovo direct access to the Wave portfolio."

The increased emphasis on trusted computing is driving the security industry toward hardware-based security technologies that offer improved access control, encryption, and the early detection of malware. In particular, solid state Self-Encrypting Drives (SEDs) and Trusted Platform Module (TPM) security chips deliver stronger security for end-users and better protection for their critical data. With Wave's industry-leading solutions, Lenovo customers are empowered to secure endpoint data, protect data-in-motion and ensure that only trusted devices gain access to the enterprise network.
For more information:

Updated May 10, 2012

Wave CEO Discusses Scrambls on KLIV Radio Show

Steven Sprague talks with Silicon Valley’s KLIV CEO Show about the new scrambls service, the evolution of hardware security, and innovation in the Silicon Valley and beyond. The full interview is available below.

Read More

Updated May 3, 2012

Why “Delete” is a False Choice for Social Media Users

The EU is currently developing a solution to the problem of personal privacy on social networks. Legislation proposed in January would give individuals the “right to be forgotten”—in other words, to demand that a site delete their personal data, permanently. But although this is a critical control to have, I would argue that it is not the best available model for the consumer.

Read More

Updated April 23, 2012

IT Harvest Interview Part III: Windows 8 and the Link to Trusted Computing Security

In February, Microsoft announced its Windows 8 consumer preview. The enterprise release, rumored to be ready in October, will feature strong authentication, eDrive (Encrypted Drive) support, and UEFI for secure boot —all central concepts of Trusted Computing.

In this third installment from Steven Sprague’s interview with analyst Richard Stiennon, the conversation turns to the Windows 8 launch: what it indicates about Microsoft’s involvement in the security industry, what it means for enterprises using Windows, and how to ease the transition to the new platform.

Read More

Updated April 2, 2012 by Joseph Souren, Vice President & General Manager – EMEA

Cyber-Defence Goes on the Offense in Europe

The European Commission announced plans last week to launch a European Cybercrime Centre, set to open its doors sometime next year. The agency will address several strategic goals for the EU’s member states. Among them, it will act as a correlation engine to extract patterns from Europe’s cybercrime Big Data, highlight potential weaknesses in cyber-defences, provide early warnings for emerging threats and identify organised attacks and prominent offenders. Most notably, however, the Centre’s launch signals that cyber-defence has become a matter of national policy in the EU. Read More

Updated March 16, 2012 by Steven Sprague, President and CEO

Moving Internet Passwords to the Science Museum

Dark Reading recently published an interesting perspective from the esteemed Dr. Taher Elgamal on silent authentication services, which offer us the potential for single-password access to our multiple online user accounts. Elgamal, who invented the Secure Sockets Layer (SSL) cryptographic protocol that provided early security over the Internet, recalls the “old days” of just a few decades ago when we simply logged onto the Internet once and accessed its many resources. Today, by contrast, we must instead remember multiple credentials in order to access different accounts with Amazon or Netflix, as well as our banking, investment or bill pay services. This inconvenience has spawned several online services that allow users to access participating websites through a single log in. Elgamal improves on this by suggesting that the Internet “remember” a user’s login. That way, sites can embed an interface to an Internet service that confirms a user on a particular device is the same user who always signs on from that device. Read More

Updated February 15, 2012 by Steven Sprague, President and CEO

What’s in Your Wallet? Hackers Can Find Out with a Simple Brute Force Attack

Last week, web security firm zvelo disclosed that it applied a fairly simple brute-force attack to hack the PIN protection of Google Wallet, an application that stores payment card numbers and other sensitive data on your mobile phone. To its credit, Google acknowledged zvelo’s discovery, and moved quickly to develop a fix. But the episode offers a cautionary tale to vendors who, in their rush to market, ignore the vital role that consumer trust plays in adoption of virtual wallet technology. Read More

Updated January 17, 2012 by Steven Sprague, President and CEO

Zappos Breach of 24 Million Customer Accounts Underscores Weak Safeguards Protecting Customer Data

Another major breach is in the headlines. Zappos, an online shoe and apparel retailer owned by Amazon, disclosed Sunday night that more than 24 million of its customer accounts had been compromised. Hackers accessed customer names, email addresses, phone numbers, the last four digits of credit card numbers, and cryptographically scrambled passwords. Read More

Updated December 2011

Wave Systems recently announced an agreement to provide Samsung Electronics with engineering services, consulting, validation and a customized version of Wave's local management software for Samsung's Trusted Platform Module (TPM) security chips designed for OEM distribution.

"As businesses worldwide are seeking better security for their critical information and network access, the importance of a fundamental new approach to securing a powerful management infrastructure that ensures only authorized users on known devices are granted access or can execute critical functions has been crucial," said Dojun Rhee, Vice President of System LSI marketing, Device Solutions, Samsung Electronics. "By combining Wave's broad expertise/know-how, and strong OEM and enterprise customer relationships in trusted computing with Samsung's world-leading chip design and manufacturing capabilities, Samsung will provide reliable, competitive trusted computing security chips for our customers."

We look forward to providing Samsung's OEM customers the ability to turn on, manage and leverage the Trusted Platform Module with Wave's software, to deliver stronger security for end-users and better protection for their critical data," said Brian Berger, Wave's Executive Vice President of Marketing and Sales. "Samsung recognizes the power of trusted computing, and this move will empower partners and customers with new, silicon-based means to provide trusted hardware on numerous platform types in the coming years."

Trusted computing enables organizations to establish a more secure computing environment without compromising functional integrity, privacy or individual rights. The Trusted Computing Group is a not-for-profit organization formed to develop, define and promote open vendor neutral standards for trusted computing building blocks and software interfaces across multiple platforms.

"With billions of handhelds, tablets and slates in the hands of today's workforce, ensuring that these devices are known and trusted within the organization is paramount," said Eric Ouellet, Research Vice President at Gartner. "To date, the percentage of attacks against this class of device is relatively small, yet this is likely to change as these kinds of devices are increasingly becoming the primary computing platforms in today's enterprise environment. Implementing embedded security on these devices is a major step in the right direction and will provide the foundation for preventing tomorrow's threats and the loss of valuable corporate, employee and customer sensitive data."

Samsung is a global leader in advanced semiconductor solutions, combining cutting-edge designs, advanced manufacturing processes and quality, and innovative packaging technology to deliver a broad portfolio of semiconductor solutions including security chips for smart cards and NFC-enabled mobile devices. For more information

Updated September 22, 2011

Wave Systems said it has completed the acquisition of Safend a leading provider of endpoint data loss protection solutions, including port and device control, encryption for removable media, content inspection and discovery, for approximately $12.8 million.

The addition of Safend's complementary product suite creates strong cross-selling opportunities into the healthcare, financial and government verticals where data loss protection is a high priority. Safend's reseller channel, combined with its direct sales force and strong presence in EMEA, gives Wave new sales resources with access to new market opportunities. Headquartered in Tel Aviv, Israel, with offices in Philadelphia, Safend has approximately 70 employees. Prior to the acquisition, Safend was backed by prominent technology venture capital investors including Elron Electronics Industries Ltd.(TelAviv:ELRN.TA), Intel Capital and Walden Israel Venture Capital.

"With the escalation of cyber threats and an increasingly mobile workforce, many customers are looking for an integrated and cohesive security solution across the data lifecycle -- from data-at-rest to data-in-motion and, ultimately, to archiving," said Steven Sprague, Wave CEO and President. "Safend's award-winning suite of DLP, port control and removable media encryption software strengthens our existing portfolio of data encryption and device authentication solutions. The acquisition will enable Wave to deliver a holistic trusted computing management platform that roots software security to trusted computing hardware and provides the enterprise with interoperability across all platforms. More

Updated September 2011

Wave Systems Corp. (NASDAQ:WAVX) announced that it will join industry experts, government authorities and academics presenting at the National Security Agency's 2nd Annual Trusted Computing Conference , September 20th - 22nd at the Caribe Royal Hotel in Orlando, FL. The conference provides a unique forum for those interested in how trusted computing technologies can improve the security of sensitive data, enterprise networks and critical applications. Wave Systems' customer PricewaterhouseCoopers will also present a session on leveraging Trusted Platform Modules (TPMs) for authentication and key security.

"Wave is honored to participate in this one-of-a-kind event for the second year in a row," said Wave CEO Steven Sprague. "This event demonstrates NSA's commitment to cybersecurity, especially in a time of rapidly-changing threats that demand innovation and collaboration from all players. Wave is pleased to contribute to this discussion and looks forward to working with other participants to help advance NSA's mission."

Defending sensitive networks and information from unauthorized access presents a key challenge in the face of these growing threats. But as recent high-profile breaches have shown, user credentials and tokens alone aren't enough to secure the network. In his Wednesday session, "Mitigating Today's Most Pervasive Cyber Threats with Device Identification," Sprague will outline how the TPM, a security chip attached to a computer's motherboard, can establish automatic and transparent authentication of known network devices and users. Because the TPM chip is physically part of the device, it is uniquely suited for creating and verifying strong device identities and ensuring only authorized access to networks.

Updated August 2011

New "White Paper" Network Security:
How to Defend an Infinitely Expanding Frontier

"The increasing use of home offices and laptops has put an ever-expanding number of users, data, devices and applications beyond the security of the traditional enterprise network firewall. At the same time, organizations – and their IT administrators – are held to increasingly higher standards of accountability for breaches in data and network security. Unfortunately, the traditional tools for network security have not adapted well to the rapid decentralization of the enterprise network. Conventional security methodologies based on passwords and software fail to effectively authenticate users and machines on the network or secure data on lost or stolen laptops, or ensure compliance with laws that require disclosure of lost personal data.

This paper will outline perhaps the most powerful, cost-effective and simple solution for bringing the scattered end-points of today’s mobile networks back under the umbrella of a strong centralized network security architecture. It is built on three widely available, proven – but poorly understood – technologies: Trusted Platform Modules, Self-Encrypting Hard Drives and centralized (or remote) security management. This paper will not only help readers distinguish myth from fact about these technologies but will also build a strong case for how their combined application can re-establish network security as an enforceable corporate policy, rather than a strategy." More


Updated August 2011

"Throughout Q2, there were a number of high-profile network and data breaches on the global stage. The most significant of these was the compromise of a leading security token solution relied upon by a large number of Fortune 500 enterprises," commented Steven Sprague. "As these kinds of events continue to occur and receive broad media attention, we have seen an increase in interest and activity in trusted computing solutions.

"On the financial side, I'm pleased to report that we once again extended our track record of year-over-year and sequential quarterly growth in the second quarter. Given the new global focus on cyber security and related concerns over the efficacy of proprietary, software-only solutions, we've chosen to expand our investments in maintaining our leadership position in the trusted computing space at a time when we believe that many governments and enterprises are re-examining their network and data security protocols. We believe that there will continue to be receptivity to new approaches to security, such as those offered by Wave.

"But there remains much work to be done in communicating the security and ROI benefits of 'off the shelf' trusted computing solutions. We are deploying substantial resources in sales and marketing to help promote this message internationally, with a particular focus on North America and on expanding our presence in the EMEA regions. In addition, Wave will participate in the 2nd Annual NSA Trusted Computing Conference and Exposition NSA Trusted Computing Conference and Exposition September 20-22 in Orlando, FL, a forum sponsored by the NSA to educate public and private sector IT professionals on trusted computing solutions and how they are being used with success." More

Mr. Steven K. Sprague
President and CEO
WAVE Systems Corp.
Nasdaq: WAVX

Steven Sprague Thank you for joining us today, Steven. Much has happened with WAVX during the past year: revenues are up, the stock is up and the list of impressive partners working with you keeps growing. Please give us an overview of Wave Systems’ solutions and provide us with some background on the company.

Steven K. Sprague : Wave Systems is the leading provider of client and server software for hardware-based security on personal computers. We’re traded on the NASDAQ Capital Market Exchange under the symbol WAVX, and today we have about 165 employees worldwide.

Our business is based on providing the tools for the world to leverage the new hardware-based security solutions shipping on most PCs. Hardware security can mean different things, but in our world it revolves around a security chip called the Trusted Platform Module or TPM. The PC industry has spent ten years developing this hardware security chip to address the obvious security problems inherent in software products.

TPMs ship with virtually every business-class laptop and most enterprise desktops. These chips change the PC security paradigm, acting as a strongly protected system for securely generating and storing encryption keys. Since the TPM provides advanced security for keys and is invulnerable to both network and software attacks, the TPM chip can authenticate hardware devices. Therefore, an organization that turns on the TPM chips on its laptops can restrict all but “known” PCs to its network. That’s a simple, yet very powerful step to increase network security. The TPM can perform a host of other functions, too, from encrypting individual files to storing passwords, digital certificates and cryptographic keys. These chips can also perform a function called “remote attestation,” creating an unalterable summary of the hardware, boot and operating system’s configuration so that a third party can verify the state of the software to determine if it can be ‘trusted’ and that it has not been tampered with. Because information and functions occur within the security chip, it is far more secure from external software attacks and physical theft than other methods.

TPM chips have been shipping from major PC OEMs for several years, but today we’re fast approaching a “tipping point” for their adoption. Now that almost 500 million PCs with TPMs have shipped—and the number grows each day—a substantial market opportunity has been formed, and Wave is in a leadership position to take advantage of it. With embedded TPM chips and Wave’s EMBASSY® software, organizations of any size have the ability to easily deploy, manage and initialize these chips, establishing both policy and key management. Doing so will dramatically improve security today on a very cost-effective basis. Thank you, Steven, for that comprehensive overview. How else does Wave support hardware security?

Steven K. Sprague : Full disk encryption, or FDE, is the preferred mechanism for protecting sensitive data on a PC. This technology lets IT encrypt the entire hard drive so that sensitive data is always protected, no matter where it resides. In this way, it’s a more foolproof solution than encrypting only an individual folder on an employee’s laptop. Until only fairly recently, the sole option on the market was software-based FDE.  Software FDE certainly has its role, but it’s not without problems. It can be expensive to deploy and it slows down processing speeds.  It also involves additional licensing fees and ongoing support from IT. Perhaps more concerning is that it has been shown to be vulnerable to the highly publicized “cold boot” memory attacks.  Using this attack, a determined hacker can steal encryption keys stored in the system’s memory in “sleep mode,” even though software FDE was operating.

A more secure solution is new hardware-based FDE deployed in what are known as self-encrypting drives. Seagate was the first to offer these drives in early 2007. Today, most of the major drive vendors offer self-encrypting drives (SED), including Hitachi, Toshiba, Fujitsu and Samsung.  The Seagate and Samsung drives are available through Dell today, with the other vendors making their SEDs commercially available in the coming months. Bringing even more functional benefits is a new line of solid-state self-encrypting drives – using flash memory - that deliver substantial performance, size and weight improvements over conventional SEDs. 

Here’s a little insight into how the drives work. Essentially, the encryption takes place inside the disk itself. Every single “bit” that the user “sends down the wire” is encrypted before it’s written to the “platters.” As a result, if you were to take apart one of these drives, the data would be encrypted at all times. Further, the encryption keys are always protected in hardware and therefore aren’t vulnerable to the “cold boot” memory attacks as is software FDE. This is truly “game changing” technology that can allow enterprises and consumers to know that their data and applications are constantly protected.

So where does Wave fit in? Our EMBASSY software—yes, the same software that deploys and manages TPM chips—also supports the function of these self-encrypting drives, including providing “pre-boot” authentication to the PC, setting up security policies or centrally managing all the drives in the enterprise. We teamed up early on with the leading drive vendors and were vocal advocates behind the new Opal secure storage standard published by the Trusted Computing Group. Opal specifications provided a single framework for the design and function of self-encrypting drives. As the only vendor that supports all the drives on the market, and those soon to be made available, we feel Wave has a significant advantage. Also, I would reinforce our strong partnership with Dell as it relates to these drives. Today, when you buy a Seagate or Samsung FDE drive as an option on Latitude or Precision models, Dell bundles our client software with every drive, with Wave receiving an attractive per-unit bundling fee. Moving forward, encryption will just become a factory-integrated solution from the PC OEMs, not an aftermarket software add-on.

With all the reports of data breaches, there’s never been a stronger demand for encryption. Our figures show that self-encrypting drive volume is growing almost 100 percent per quarter in unit volume. With only 1 to 2 percent of the new laptops being supplied with SED drives, there is plenty of room for growth.In fact, the Gartner Group recommends that every laptop should include full disk encryption as a standard feature. I’m proud of our position as a market leader in this category with the best software solution out there for SED drives. Information Week, one of the most widely read media outlets for IT security, published an article in September on the evolution of hardware FDE. It is a good read for those trying to understand this space and Wave’s position. It’s available at

We feel that our broad compatibility and “first mover” presence are significant advantages for us as the value of FDE drives is reinforced on an almost daily basis with the growing number of data protection regulations. And because our software was designed from “day one” to work with hardware, we don’t have to worry about any of the vulnerabilities that others have who adapted software applications to work with hardware.


Mr. Lark Allen
Executive Vice President
WAVE Systems Corp.
Nasdaq: WAVX

Lark Allen Lark, please give us an overview of your background and role at Wave.

Lark Allen: My primary IT industry background came from 28 years at IBM where I held a wide range of positions in sales and marketing, development and consulting. I joined Wave in 1998 after retiring from IBM having seen firsthand the dramatic impact that personal computers and distributed technologies had on highly centralized IT infrastructures, including mainframes.   Wave was a vocal proponent for establishing “trust” in end user devices even back then. I fully realized the great potential that this strategic design represented to again revolutionize IT architectures, and I still believe that embedding “trust” in user devices is the future for all networks. 

For the past 13 years at Wave, I have been involved in the business and corporate development activities associated with this vision.  My focus has been on developing a wide range of relationships with technology providers, distribution chains and developing partnerships. Work in this arena has focused on the development of trusted applications in such areas as identity and access management, data protection, secure transactions and content distribution.  I’ve also been fairly active on the company’s behalf helping form, and serving on, a number of industry standards groups, including the Trusted Computing Group, OpenID and Information Card Foundations, International Security, Trust and Privacy Alliance (ISTPA) and the Liberty Alliance.

Most recently, I’ve been involved in the industry initiative to move data encryption and platform authentication out of software and into the trusted hardware of storage devices. That work culminated in the publishing of the first open industry specifications around encryption and access control by the "Trusted Computing Group Storage Work Group" in January, 2009, and announcements of self-encrypting drives by at least six major drive OEMs. Wave has taken a leadership role in this effort, working with most of the major storage vendors to develop the most robust management and control infrastructure for self-encrypting drives based on these standards. Could you comment on the fundamental difference between software FDE and hardware FDE? Do you foresee self-encrypting drives taking up a larger share of the data protection market? What factors would you point to for this to happen?

Lark Allen: Performing sensitive operations which rely on protecting “secrets”— like encrypting data and authenticating  users—in software such as Windows is very difficult, if not impossible, to do securely. That’s based on the open nature of software where all the other processes are sharing the system at the same time. Software is also vulnerable to incessant and pervasive attacks on the systems.

With self-encrypting drives or SEDS, both the encryption and decryption of the data and authentication of the users is removed completely from the operating system and is performed in the highly secure and trusted environment of the drive controller. This provides a dramatically more secure environment in which to protect all the secrets such as encryption keys and user passwords.

Self-encrypting drives are a relatively new technology, but SEDs are available from virtually all major drive manufacturers now and are offered as options by the major PC OEMs such as Dell, HP and Lenovo. The growth rate of SED deployment is very high and many enterprises have standardized on this technology. The overall growth of SEDs is tied heavily to the refresh cycles of new machines. Since SEDs are new hardware, the enterprises must make the decision to order new laptop and PCs with these drives.

While data protection is a high priority for almost every enterprise, the primary driving factor for full disk encryption has been the worldwide proliferation of data protection laws and regulations.  As high profile data breaches have sky rocketed in the past few years, many countries have passed stringent data protection laws calling for the encryption of all sensitive data on customers, users, transactions, health records, etc. New laws such as the HITECH regulation, which is part of the new healthcare legislation, have significantly increased the penalties and consequences associated with data breaches.  Complying with data protection laws is clearly a top driver of the market for self-encrypting drives. Could you give us a brief overview of the contributions each of the drive vendors are making in the development of SEDs?

Lark Allen: Seagate Technology has been the industry leader in the development of self-encrypting drives and the company is now shipping its fourth generation of these drives. They are the clear volume leader in shipments.  Wave has worked with Seagate for over six years in the development of this technology and the software infrastructure to manage and control self-encrypting drives, both locally in the PC and centrally from the data center.   Seagate was the chair of the Trusted Computing Group Storage Work Group in the development of the storage specifications.

At the same time, Hitachi, Samsung, Fujitsu, Toshiba, Western Digital and other drive vendors all participated actively in the standards development. Hitachi and Fujitsu first shipped encrypting drive hardware and, subsequently, added support for the TCG standards along with Toshiba.  Samsung introduced the first solid state self-encrypting drive based on the Opal specifications.