Senior Editor, Network World

Symantec encryption buyouts raise big questions

Apr 29, 2010
Computers, Computers and Peripherals, Data and Information Security

Symantec's announced acquisitions Thursday of data encryption specialists PGP Corp. and GuardianEdge Technologies have industry watchers wondering which products will stay and go, and how open source PGP will fare in the wake of the buyouts.

Symantec has had analysts puzzling for years about why the company has only licensed rather than bought into encryption technology, but made a bold statement today with the $370 million worth of planned acquisitions in a bid to address customer needs related to regulatory requirements and growing mobile device usage.

The acquisition of both companies, however, raises questions about which products and brands will survive. Symantec simply says at this point it will support products from both vendors into the future.

“There’s definitely overlap with PGP on the desktop,” points out Gartner analyst John Pescatore. “Our bet is GuardianEdge survives in the long run.”

He notes Symantec has cultivated a very close relationship with GuardianEdge, a favorite of the financial and government sectors, through OEM relationships and has integrated its technology into the Symantec Altiris management framework.

One strength of PGP is its server-side encryption and security offerings, which compete with products from vendors such as nuBridges, Voltage, Vormetric and RSA with its BSafe toolkit. Demand is growing for server-side encryption because of the Payment Card Industry data security requirements, Pescatore says.

Symantec says PGP counts 100,000 enterprise customers with more than 1,000 employees, and 1 million small-to-midsized customers with fewer than 1,000 employees.

For its part, Symantec says it sees PGP and its public-key encryption technology as its ticket to innovations making use of key management.

Symantec is a market leader in the data loss prevention (DLP) product arena, and “for complete use of DLP, encryption is an important part,” Symantec CEO Enrique Salem told financial-industry analysts earlier this morning on a conference call to announce the acquisitions.

The PGP platform for key-management will contribute to Symantec’s focus on creating a “policy-based approach” in security, Salem said. In addition, a start-up acquired by PGP, called ChosenSecurity, offers another path into identity management related to establishing trust among users and sites, he noted.

“We will standardize on the PGP key-management platform,” says Francis deSouza, senior vice president, Enterprise Strategy group, Symantec.

PGP’s key-management technology is expected to be used as a way to manage keys for GuardianEdge, as well, deSouza says. Symantec intends to support both the PGP and GuardianEdge product lines, though the reality is there is product overlap. The PGP key-management technology is also expected to play a big role in many Symantec endeavors in cloud computing and storage.

As far as maintaining the GuardianEdge and PGP names, deSouza indicated that PGP seems to have a particularly strong brand.

But will Symantec be a steward for open-source PGP?

“We like open source,” deSouza replied, but also noted the question of PGP open source is being reviewed. “We’re evaluating it.”

Pescatore says that if Symantec continues to support open source, which he’s inclined to think it should, he hopes it does so in the spirit that Sourcefire has shown with open-source intrusion detection, rather than what Tenable has done with the Nessus tool. It would backfire on Symantec “if they try to be heavy-handed or go after people,” he noted.

Although both PGP and GuardianEdge are privately held companies, there are those in the financial community who have had a peek into their numbers. PGP is about a $75 million a year company, says Joel Fishbein, software analyst at Lazard Capital Markets, and GuardianEdge is closer to $20 million.

When it comes to obtaining core encryption technologies, “Symantec is playing a little bit of catch-up here,” says Fishbein, noting that competitors such as McAfee bought SafeBoot years ago, Check Point bought PointSec, and Sophos bought Utimaco. 

However, Jon Oltsik, principal analyst at Enterprise Strategy Group, thinks Symantec has done well with these deals and “Symantec got a lot more for less money.”

While it’s unclear if there was a bidding war over PGP, it is known that IBM is very close to the company.

Fishbein says he hopes Symantec, which has made large-scale acquisitions in the past, will focus on retaining “the intellectual capital of the companies,” such as the core engineering talent, among other personnel. That’s something he thinks has not always gone well for Symantec in the past, he says, and “that’s the question mark.”

For its part, Symantec acknowledges the next step is to make it a smooth transition in bringing GuardianEdge and PGP into Symantec. GuardianEdge has 80 employees, PGP has 400 employees, and there’s the expectation that most will join, though as in most mergers, there could be the types of overlap that mean not all employees end up on board.

Symantec’s deSouza says there’s the strong sense of purpose to make it all work because the acquisitions may “give us a lead position in the fast-growing encryption market.”

For those with a long memory, the bargaining and buying holds some ironies in the go-go software industry.

The PGP Corp. acquisition by Symantec is but the latest chapter in the turbulent history of PGP, started by Phil Zimmermann in the early 1990s to commercialize his groundbreaking open-source encryption software, PGP being the acronym for what he called “Pretty Good Privacy.” In 1997, PGP, Inc. was bought by Network Associates, which eventually lost interest in PGP technology, though ex-PGP people founded the new PGP Corp. in 2002 after buying assets from Network Associates.

Symantec itself, over a decade ago, was in the desktop encryption game, even perhaps the leader, with a product called ForYourEyesOnly, Pescatore says. The company eventually abandoned it, thinking Microsoft was going to take over its target market for encryption, even though that didn’t happen.