In The Boardroom With...
Mr. Steven K. Sprague
President and CEO
Wave Systems Corp.
Updated August 2011
"Throughout Q2, there were a number of high-profile network and data
breaches on the global stage. The most significant of these was the compromise
of a leading security token solution relied upon by a large number of
Fortune 500 enterprises," commented Steven Sprague. "As these kinds of
events continue to occur and receive broad media attention, we have seen
an increase in interest and activity in trusted computing solutions.
"On the financial side, I'm pleased to report that we once again
extended our track record of year-over-year and sequential quarterly growth
in the second quarter. Given the new global focus on cyber security and
related concerns over the efficacy of proprietary, software-only solutions,
we've chosen to expand our investments in maintaining our leadership position
in the trusted computing space at a time when we believe that many governments
and enterprises are re-examining their network and data security protocols.
We believe that there will continue to be receptivity to new approaches
to security, such as those offered by Wave.
"But there remains much work to be done in communicating the security
and ROI benefits of 'off the shelf' trusted computing solutions. We are
deploying substantial resources in sales and marketing to help promote
this message internationally, with a particular focus on North America
and on expanding our presence in the EMEA regions. In addition, Wave will
participate in the 2nd Annual NSA Trusted Computing Conference and Exposition
September 20-22 in Orlando, FL,
a forum sponsored by the NSA to educate public and private sector IT professionals
on trusted computing solutions and how they are being used with success."
Updated June 2, 2011
Amidst media reports that the nation's largest defense contractor experienced
a network intrusion last week allegedly involving the use of RSA SecurID®
tokens, organizations using tokens should consider additional measures
for safeguarding their information and securing their network infrastructure.
Incorporating device identification as a second layer of defense can help
to thwart future cyber attacks, according to officials at Wave Systems.
"The Lockheed Martin breach has been a wake-up call for CSOs and
CIOs, as this type of breach is a risk for any organization with the same
vulnerability," commented Steven Sprague, CEO of Wave Systems, a
leading provider of Trusted Computing solutions. "Security in today's
IT infrastructure is more about layers than any single point of defense.
We believe that organizations should add device identity as an independently
managed layer for network access control, where only known devices --
those authorized by the organization -- are granted access to information
and sensitive resources. This is device-based security."
SecurityStockWatch.com: Thank you for joining us today, Steven. Much has happened with WAVX during the past year: revenues are up, the stock is up and the list of impressive partners working with you keeps growing. Please give us an overview of Wave Systems’ solutions and provide us with some background on the company.
Steven K. Sprague: Wave Systems is the leading provider
of client and server software for hardware-based security on personal
computers. We’re traded on the NASDAQ Capital Market Exchange under the
symbol WAVX, and today we have about 165 employees worldwide.
Our business is based on providing the tools for the world to leverage the new hardware-based security solutions shipping on most PCs. Hardware security can mean different things, but in our world it revolves around a security chip called the Trusted Platform Module or TPM. The PC industry has spent ten years developing this hardware security chip to address the obvious security problems inherent in software products.
TPMs ship with virtually every business-class laptop and most enterprise desktops. These chips change the PC security paradigm, acting as a strongly protected system for securely generating and storing encryption keys. Since the TPM provides advanced security for keys and is invulnerable to both network and software attacks, the TPM chip can authenticate hardware devices. Therefore, an organization that turns on the TPM chips on its laptops can restrict all but “known” PCs to its network. That’s a simple, yet very powerful step to increase network security. The TPM can perform a host of other functions, too, from encrypting individual files to storing passwords, digital certificates and cryptographic keys. These chips can also perform a function called “remote attestation,” creating an unalterable summary of the hardware, boot and operating system’s configuration so that a third party can verify the state of the software to determine if it can be ‘trusted’ and that it has not been tampered with. Because information and functions occur within the security chip, it is far more secure from external software attacks and physical theft than other methods.
TPM chips have been shipping from major PC OEMs for several years, but
today we’re fast approaching a “tipping point” for their adoption. Now
that almost 500 million PCs with TPMs have shipped—and the number grows
each day—a substantial market opportunity has been formed, and Wave is
in a leadership position to take advantage of it. With embedded TPM chips
and Wave’s EMBASSY® software, organizations of any size have the ability
to easily deploy, manage and initialize these chips, establishing both
policy and key management. Doing so will dramatically improve security
today on a very cost-effective basis.
SecurityStockWatch.com: Thank you, Steven, for that comprehensive overview. How else does Wave support hardware security?
Steven K. Sprague: Full disk encryption, or FDE, is the preferred mechanism for protecting sensitive data on a PC. This technology lets IT encrypt the entire hard drive so that sensitive data is always protected, no matter where it resides. In this way, it’s a more foolproof solution than encrypting only an individual folder on an employee’s laptop. Until only fairly recently, the sole option on the market was software-based FDE. Software FDE certainly has its role, but it’s not without problems. It can be expensive to deploy and it slows down processing speeds. It also involves additional licensing fees and ongoing support from IT. Perhaps more concerning is that it has been shown to be vulnerable to the highly publicized “cold boot” memory attacks. Using this attack, a determined hacker can steal encryption keys stored in the system’s memory in “sleep mode,” even though software FDE was operating.
A more secure solution is new hardware-based FDE deployed in what are known as self-encrypting drives. Seagate was the first to offer these drives in early 2007. Today, most of the major drive vendors offer self-encrypting drives (SED), including Hitachi, Toshiba, Fujitsu and Samsung. The Seagate and Samsung drives are available through Dell today, with the other vendors making their SEDs commercially available in the coming months. Bringing even more functional benefits is a new line of solid-state self-encrypting drives – using flash memory – that deliver substantial performance, size and weight improvements over conventional SEDs.
Here’s a little insight into how the drives work. Essentially, the encryption takes place inside the disk itself. Every single “bit” that the user “sends down the wire” is encrypted before it’s written to the “platters.” As a result, if you were to take apart one of these drives, the data would be encrypted at all times. Further, the encryption keys are always protected in hardware and therefore aren’t vulnerable to the “cold boot” memory attacks as is software FDE. This is truly “game changing” technology that can allow enterprises and consumers to know that their data and applications are constantly protected.
So where does Wave fit in? Our EMBASSY software—yes, the same software that deploys and manages TPM chips—also supports the function of these self-encrypting drives, including providing “pre-boot” authentication to the PC, setting up security policies or centrally managing all the drives in the enterprise. We teamed up early on with the leading drive vendors and were vocal advocates behind the new Opal secure storage standard published by the Trusted Computing Group. Opal specifications provided a single framework for the design and function of self-encrypting drives. As the only vendor that supports all the drives on the market, and those soon to be made available, we feel Wave has a significant advantage. Also, I would reinforce our strong partnership with Dell as it relates to these drives. Today, when you buy a Seagate or Samsung FDE drive as an option on Latitude or Precision models, Dell bundles our client software with every drive, with Wave receiving an attractive per-unit bundling fee. Moving forward, encryption will just become a factory-integrated solution from the PC OEMs, not an aftermarket software add-on.
With all the reports of data breaches, there’s never been a stronger demand for encryption. Our figures show that self-encrypting drive volume is growing almost 100 percent per quarter in unit volume. With only 1 to 2 percent of the new laptops being supplied with SED drives, there is plenty of room for growth. In fact, the Gartner Group recommends that every laptop should include full disk encryption as a standard feature. I’m proud of our position as a market leader in this category with the best software solution out there for SED drives. Information Week, one of the most widely read media outlets for IT security, published an article in September on the evolution of hardware FDE. It is a good read for those trying to understand this space and Wave’s position. It’s available at http://www.informationweek.com.
We feel that our broad compatibility and “first mover” presence are significant advantages for us as the value of FDE drives is reinforced on an almost daily basis with the growing number of data protection regulations. And because our software was designed from “day one” to work with hardware, we don’t have to worry about any of the vulnerabilities that others have who adapted software applications to work with hardware.
SecurityStockWatch.com: What can you say about your customer base?
Steven K. Sprague: Wave sells our products to both PC OEMs and enterprises. Today, our largest PC OEM customer is Dell. Last year we also partnered with Acer, the world’s third-largest PC vendor, which has elected to bundle our client software on several PC models and helped us greatly expand our penetration into Asia. Even though this has been a tough year for the PC industry, we’ve been able to substantially grow our OEM revenue and our software footprint through the distribution per quarter of four to five million copies of our software.
Wave also sells our products to enterprise organizations. We’re seeing substantial growth in the adoption of our EMBASSY Remote Administration Server or ERAS, across all the major industry verticals: healthcare, financial services, education, manufacturing and government. ERAS is our flagship server software for the remote deployment of both SED drives and TPMs. In addition to selling to the government, we’ve also furnished security consulting services to government agencies.
Across the board, we’ve assembled a strong base of OEM partners who are bundling our software with PCs and drives while we are building a growing base of enterprise customers. These enterprises continue to add to the number of licensed seats for our software and every month new customers are arriving. Enterprise software sales are a long term source of growth for Wave. The industry clearly requires the stronger security that hardware provides. As the world begins to transition to hardware-based security for authentication and data protection, Wave is in a great position to profit from the growth of this emerging market in the coming quarters.