Comeback for PGP?
The popular encryption format gets a new lease on life, but can it finally reach critical mass in the enterprise?
The recent announcement of PGP 8.0 raises an important question. Does the popular encryption scheme have what it takes to wow enterprise IT?
After Network Associates Inc. bought PGP—short for Pretty Good Privacy, one of the pillars of e-mail and hard disk encryption—from its founder in 1997, it tried and failed to make PGP pay. Blame it on feature set, perhaps, or security apathy. In October 2001, Network Associates put the PGP business unit up for sale and dropped the product into “maintenance mode,” limiting upgrades.
Getting a new version of PGP looked out of the question until June 2002, when a group of backers, including former PGP executives and developers, banded together as PGP Corp. and bought the assets, vowing to continue the PGP legacy. Will that be enough, however, for PGP to finally reach the kind of mainstream adoption necessary to become must-have software and pave the way for ubiquitous key transfer and secure messaging?
For now, PGP Corp. (www.pgp.com) is making all the right moves. In August 2002, the company formed a technical advisory board, signing up security guru Bruce Schneier. Also on board is Phillip Zimmerman, the encryption and data security expert who created PGP in 1991. The company also quickly updated PGP version 7, which wasn’t completely compatible with Windows XP.
Still, PGP faces some big hurdles. One of its central concepts is that users create a private key to encrypt their e-mails, then swap public keys so others can decrypt those e-mails. Later versions incorporated more automated public key infrastructures to make it easier to find and use keys, as well as a web-of-trust approach that let someone vouch for you.
Given a small group of security-conscious people who want to e-mail each other, that’s fine. But given a large company filled with workers power-opening the “I Love You” virus, that approach breaks down.
“The challenge has been moving from desktop-user-managed software to enterprise, centrally administered software. That's a fairly tall order, but the new corporation seems to be very, very focused on this,” suggests Raymond Wagner, the research director for Information Security Strategies at Stamford, Conn.-based Gartner Group. “They have very good name recognition and a lot of seats out there and a fairly good revenue stream.”
PGP also reemerges in a time of heightened security concerns, and in some industries, mandates. Industry regulations such as HIPAA and Gramm-Leach-Bliley dictate that companies safeguard consumer and patient privacy information. PGP will have to especially target those companies that say, “We have HIPAA requirements, European privacy directives, Gramm-Leach-Bliley, we need to have secure communications, and we want a secure piece to do that without user intervention, so we can control whether something is secure or not,” notes Wagner. As many companies are still grappling with regulations, a “just secure everything” approach is becoming a popular way to maintain privacy compliance.
PGP probably has at least one million installed seats, as well as “great name recognition,” Wagner says. One issue, however, is that companies using PGP tend to have a small installed base. “A lot of enterprises buy it for the 25 or 50 people who need to communicate with a number of outside companies,” he says, adding that PGP needs to “make it 10,000 seats” in those companies.
To court the enterprise market, the company released several PGP 8.0 products in December 2002. PGP Enterprise begins at $125 per seat and includes a range of enterprise-administrator-friendly features such as automatic key setup and generation, and policy integration—essential for administering PGP for thousands of users—as well as PGP Mail and hard disk encryption tool PGP Disk.
Aimed at small-enterprise groups, PGP Desktop has fewer administration tools but includes PGP Disk and PGP Mail and costs $80. Macintosh OS 10.2+ or Windows versions are available. Both PGP Enterprise and Desktop integrate with Microsoft Exchange, Lotus Notes, Novell GroupWise servers, as well as some versions of the Novell GroupWise messaging client, and ICQ Instant Messenger.
PGP Personal is designed for the consumer market; pricing starts at $50. For all products, customers with previous versions of PGP may qualify for upgrade prices. A free version of PGP Mail is available for personal use only.
Phillip Zimmerman, founder of PGP, is something of a folk hero in privacy circles ever since he released the first PGP in 1991. In 1993, when the FBI was still arguing for back doors in all strong encryption, the U.S. government targeted PGP by filing suit against Zimmerman for export violation. Geeks everywhere rallied to his cause.
That sort of grass roots popularity will be crucial for making PGP really take off. In fact, it will be crucial for making any kind of secure messaging take off. “You have to develop this kind of community that PGP develops among the people you need to message with in order to do it. It's not something that's going to be offered in Sendmail or Exchange, it's something you have to add,” says Wagner. Like it or not, secure e-mail is likely to be an add-on for the foreseeable future until there’s some kind of critical mass. On the PGP Web site, CEO Phillip Dunkelberger says, “PGP is the only vendor to provide a solution that spans the areas of key infrastructure, enterprise admin tools, and desktop messaging and storage solutions.” In fact, PGP is uniquely poised to cross over between both the individual and enterprise markets; they already have a foot in both camps. Of course, notes Wagner, Entrust and RSA are moving in the same direction—toward spurring mass adoption of applications that would work with PKI. Both will inevitably compete with PGP, but for the moment their cost prohibits average users from adopting them.
If PGP can’t take the enterprise market by storm, it won’t be for want of trying. “These guys have made all the right moves. They've identified that their biggest issue is enterprise security,” and set up a savvy technical advisory board, notes Wagner. “They have to do those things to become successful, and if they don't, it will be because the market isn't there. For a small company, it's very positive.”
Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.