Magic Quadrant for Mobile Data Protection
Mobile data protection products protect access to secure data on storage systems in notebooks, removable media, desktops and servers. Buyers want common protection policies across multiple platforms, minimal support costs and proof of protection.
In the mobile data protection (MDP) market, Gartner tracks software security utilities that enforce confidentiality policies by encrypting data, and then managing access to that encrypted data on the primary and secondary storage systems of end-user devices. The market primarily serves laptops, although the technologies and use cases originated in the desktop workstation area. Storage systems include the primary boot drive of a workstation and removable devices used for portability. Storage technologies affected by MDP products include magnetic hard-disk drives (HDDs), solid-state drives (SSDs), self-encrypting drives (SEDs), flash drives and optical media. Some vendors may be able to set policies for network storage, but that is not core to the current definition.
MDP products qualified for inclusion in this report consist of central and local (device) components. A central console controls client installations and activations, pushes data protection policies, interfaces with the help desk, acts as a key management facility, and generates alerts and compliance reports. A local endpoint agent manages encryption on the target workstation/device. Data copied to removable media may be encrypted and accompanied by a portable software security agent to manage password access. These agents can respond to central server directives, or can take local actions to lock, wipe and recover a device that falls out of compliance. To qualify for ranking, Gartner requires U.S. Federal Information Processing Standard (FIPS) 140-2 certification as a proof of strong commitment to data protection. Participation is expected in multinational guidelines such as Common Criteria (CC). Additional compatibility features noted in the evaluations include support for the Trusted Platform Module (TPM), SEDs based on the Trusted Computing Group (TCG) Opal standard, Intel Advanced Encryption Standard New Instructions (AES-NI), Intel Anti-Theft (AT), OS-embedded encryption such as Windows BitLocker and Mac FileVault, and so on.
MDP functions integrate with the OS and basic input/output system (BIOS), Extensible Firmware Interface (EFI) and Unified Extensible Firmware Interface (UEFI) services of their host platforms, so they can control primary storage input/output and insert themselves in the primary steps of user authentication. With few exceptions, MDP vendors are capable of providing all encryption/decryption processes as software services to the OS. New developments have allowed MDP products to offload part or all of this work to hardware elements, including the CPU and drive controller and to native capabilities in the OS. However, MDP cannot simply be replaced or made obsolete by the presence of encryption engines. A central MDP management framework will always be the focal point for encryption policy management, key access and storage, system recovery, and audit reports.
MDP-managed encryption may be invoked at the level of individual files or at the folder, partition or full drive/volume, depending on the use case. The latter method is typically called full-disk encryption (FDE). Users must satisfy a login event and perhaps other conditions to gain access to data. The challenge may range from a simple PIN to a complex password, token or smart card, and may also use biometrics, geolocation, LAN identity, and so on. Competitive differences derive from various approaches to management, key recovery, user authentication, policy management and value-added features, such as the protection of information on removable media and breadth of platforms supported.
The market is called "mobile data protection" because the primary buying decision has always centered on portable devices that cannot rely on traditional physical and locked-down security. However, the technology works well and has value on nonmobile systems, such as desktops and servers, and most vendors obtain a portion of income from stationary workstations.
About three-quarters of MDP revenue is generated from sales to support computers based on the Windows OS, but buyers frequently request Mac OS X support. Therefore, additional consideration will go to vendors that cross multiple platforms and OSs. Configuration management support for smartphones and tablets running nonworkstation OSs is satisfied by a different market called mobile device management (MDM). Several vendors in this report have MDM products and services. MDM is generally not integrated with MDP, and buyers give feedback to Gartner that they treat the purchases separately.
Source: Gartner (September 2013)
CenterTools has offered DriveLock encryption in European markets since 2003. Platform support is provided for Windows XP through 8 except RT, and for Mac OS X. CenterTools licenses the SafeNet cryptographic module for FDE, which is FIPS 140-2 certified to Level 2 in software and uses FIPS-certified OpenSSL for file and folder encryption. CenterTools does more than 90% of its current business in Europe, making it a geographical niche choice for midsize enterprise European buyers. Additional support is provided for Intel AES-NI.
- Buyers who prefer the personal attention of a Niche Player should note that CenterTools has been self-funding and cash-positive since its incorporation. Product penetration is relatively small, but the year-over-year growth rate is strong, and FIPS certification engages a larger buying audience.
- An optional encrypted file viewer is provided for iOS devices accessing files synchronized over popular cloud services.
- Simple integrated utilities are included for storing encrypted files in the cloud or on shared servers.
- OS X is supported, but only for file and folder encryption.
- DriveLock is unable to automatically lock a system that has failed to sync with a management server after a threshold has passed — for example, a system out of contact for 14 days.
- UEFI support is not planned until 2014.
Check Point Software Technologies
Check Point Software Technologies has offered MDP since 2007, through the acquisition of Pointsec. Platform support is provided for Windows XP through 8 except RT, and for Mac OS X and Linux. A policy-compatible encrypted container with VPN is available for consumer smartphones and tablets. Check Point is FIPS 140-2 certified to Level 1 in software, and was awarded CC EAL4. Additional support is provided for TCG Opal SEDs and TPM.
- Check Point has a legacy position in remote access for workstations and smaller devices, and sells MDP successfully into its customer base. Seat shares contribute substantially to the overall MDP market size.
- UEFI is fully supported for Windows 8, and retroactive support is being added to accommodate enterprise buyers who intend to downgrade to Windows 7.
- Check Point provides comprehensive guidance, alternate encryption and local partner assistance in foreign countries with prohibitive crypto regulations, such as China and Russia.
- Several long-term forensic partnerships provide extensive choices for recovery and investigative analysis, even on locked or wiped systems.
- Removable media encryption can enforce password retry limits, provides a business/personal dual-persona experience, and integrates with the optional Check Point UserCheck to enable data loss prevention (DLP) filtering rules.
- Example product pricing, accounting for quantity discounts, is relatively high among endpoint protection platform (EPP) vendors. Buyers of Check Point's larger product suites will be able to negotiate discounts. Many buyers have moved to annual/no-exit penalty contracts at a lower cost with included tech support.
- Evidence of sales is verified, but Check Point is not strongly competitively visible in the MDP market, whether through Gartner client interaction or from third-party sources.
- Software encryption on USB flash drives requires initial activation (a one-time step) on a Windows system. Buyers should account for this as a possible operational compatibility issue for Mac OS X users.
Dell acquired Credant during the evaluation period following a successful reseller partnership. Platform support is provided for Windows XP through Windows 8 except RT, and for Mac OS X. Dell is certified to FIPS 140-2 Level 1 in software and Level 3 in Dell hardware, and was awarded CC EAL3. Additional support is provided for Seagate Technology and TCG Opal SEDs, and TPM.
- The Credant acquisition and the Level 3 hardware certification demonstrate that Dell has an earnest commitment to strong data protection, including on its PC platforms. The product is available for non-Dell platforms.
- Credant's file-oriented technology continues to attract buyers that don't want a preboot authentication process, and prefer minimal interference with normal OS operations and conventional help desk procedures. This method is appropriate for multiuser and "bring your own device" (BYOD) systems, roaming profiles and unattended wake-on-LAN updates.
- Dell provides FIPS 140-2-compliant management for BitLocker to harden the default configuration and to enhance key management and user recovery, as well as to stop users from turning off encryption.
- Seat sales dropped between calendar year 2011 and calendar year 2012. Numbers are within the inclusion criteria but unimpressive for a company of Dell's size and global reach. Execution will be re-evaluated for the next full year, taking into account an improved start for 2013.
- Neither Credant nor Dell has made significant efforts to attract buyers to the value of file-oriented encryption in a BYOD or contractor use case, or for the BitLocker management use case.
- Dell has not yet released a health and configuration scanner to detect and resolve installation issues — for example, involving SED retrofits. Buyers should ask for guidance on how to scan systems via Microsoft's software change and configuration management (SCCM), and ask for a road map for installer enhancements.
McAfee's integration of SafeBoot MDP into its Total Protection suites and McAfee ePolicy Orchestrator (ePO) management architecture is among the most successful by an EPP vendor. Platform support is provided for Windows XP through Windows 8 except RT, and for Mac OS X. Support for consumer smartphones and tablets is offered in a separate product, McAfee Enterprise Mobility Management. McAfee is certified to FIPS 140-2 Level 1 in software and was awarded CC EAL4. Additional support is provided for Intel AES-NI and AT, UEFI and TCG Opal SEDs.
- Gartner client inquiries strongly associate McAfee's well-integrated MDP products and EPP products. Seat penetrations for McAfee's MDP are the highest in the survey, combined with the highest attributed revenue. McAfee received the highest competitive threat rating from its peer group in this year's MDP survey.
- The Endpoint Encryption Go (EEGO) utility performs a thorough analysis on systems to determine which encryption technologies will be used, and will predict and prevent installation failures as well as future problems. EEGO will monitor status of BitLocker-enabled PCs.
- Standard maintenance support, automated Windows platform migration and online training are included at no extra charge.
- McAfee's full-volume secure vault for USB flash drives presents an Explorer-like interface but doesn't fully support Windows drag-and-drop file operations. Users may be confused about how to open and save files.
- Software encryption for USB flash drives requires initial activation (a one-time step) on a Windows system. Buyers should account for this as a possible operational compatibility issue for Mac OS X users.
- MDP seat pricing is relatively high on scheduled lists. Buyers of McAfee's larger product suites will be able to negotiate considerable discounts, but stand-alone buyers of MDP will have no leverage.
- McAfee does not provide a method for escrow-quality data protection.
Microsoft BitLocker Administration and Monitoring (MBAM) provides central administrative functions to manage Microsoft's embedded encryption engines known as BitLocker and BitLocker To Go. Considered together, these qualify as an MDP solution. Supported platforms are Windows 7 (Enterprise and Ultimate editions) and Windows 8 (Pro and Enterprise editions). Additional support includes TPM, UEFI and next-generation TCG Opal SEDs.
- MBAM provides provisioning, reporting, help desk and recovery options, and links easily with BitLocker, which is included with the OS.
- Gartner client interest in BitLocker continues to grow, and BitLocker is perceived as a low-cost or "free" option. However, MBAM must be purchased separately and accounted for as part of the Microsoft Desktop Optimization Pack (MDOP).
- Microsoft tied for second place among peers ranking each other for competitive threat.
- As an embedded OS process, BitLocker's setup is straightforward, and users experience minimal performance effects.
- Enterprises migrating to Windows 7 will miss out on new features exclusive to Windows 8, such as secure boot with UEFI. Companies that allow editions of Windows 7 or 8 that do not support BitLocker, as well as other platforms such as Mac and legacy XP, will need to maintain additional MDP products and services.
- MBAM doesn't manage BitLocker in FIPS mode. Also, users with administrative privileges can deactivate BitLocker even in FIPS mode.
- Other MDP vendors in this market increasingly view BitLocker as a low-level encryption engine that can be leveraged through their own third-party management.
- Best practices include use of a startup PIN at preboot on devices with enabled DMA ports or removable system memory. However, users are resistant to PINs. The Windows logon cannot be used at preboot to substitute for the PIN.
Novell, part of the Attachmate Group, offers file-based and full-disk encryption for workstations through Novell Endpoint Protection Suite (NEPS). Platform support is provided for Windows XP through 8 except RT. Novell is certified to FIPS 140-2 Level 1 in software and Level 2 with Seagate SEDs. Additional support is provided for Intel AES-NI.
- NEPS can be deployed stand-alone or through a common configuration management console shared with ZENworks.
- Location awareness capabilities enable dynamic adjustments to the encryption system for roaming users. For international travelers, this could include changes to encryption key length and type based on country rules and compliance requirements.
- NEPS shares Java and Visual Basic scripting support with ZENworks that enables real-time data protection decisions to be tied to event-driven changes in a client workstation.
- Novell's cooperation with this report was inconsistent. Novell declined to provide competitive revenue and seat data for 2012 and 1H13, and also did not provide customer references.
- A lack of Gartner client feedback in the past year, a scarcity of publication references or reviews, and a lack of peer vendor reaction continue to signal a lowered standing in competitive market presence. The main source of buyers appears to be the existing customer base.
Sophos SafeGuard Encryption, built from Utimaco Safeware, interoperates with the company's Endpoint Security Antivirus EPP. Sophos has developed improved messages to combine strategies for mobile devices and BYOD. Platform support is provided for Windows XP through Windows 8 except RT, and for Mac OS X. Sophos Mobile Control and Sophos Mobile Encryption are separate products supporting consumer smartphones and tablets. Sophos is certified to FIPS 140-2 Level 1 on PCs, and was awarded CC EAL3+ and CC EAL4. Additional support is provided for Mac FileVault, BitLocker, TPM, TCG Opal SEDs, Intel AES-NI and vPro, and UEFI.
- Seat sales and revenue were strong and show growth from 2012. The improved competitive awareness of Sophos evidenced in inquiries and RFP reviews is significant, since unlike its main EPP competitors, Sophos does not have a consumer market public presence to help drive visibility.
- FIPS level support for BitLocker with recovery features that support TPMs and PINs is included in the main MDP product or can be purchased stand-alone for a price point comparable to a calculated share of MDOP fees.
- Sophos guarantees that backed-up and recovered files from FDE, as well as file-based protected systems, will not be converted to clear text, nor will they have their keys exposed when the operation is performed with supported backup and recovery vendors.
- Sophos MDP integrates content-aware DLP to filter data written to external devices at no extra charge.
- Potential buyers with long memories of SafeGuard Easy and the pre-GUI versions are often unaware of more recent improvements and road maps. This is an ongoing visibility challenge for Sophos, and indicates that more work is needed to maintain and grow competitive execution.
- Sophos does not provide policy adjustments for geographic location, network identity or off-network conditions.
- Sophos is not currently FIPS certified on Mac OS X; however, it can use FileVault 2 on OS X, which was certified to FIPS 140-2 Level 1 at the close of this report's evaluation period.
Symantec acquired two MDP companies in 1H10: PGP and GuardianEdge. PGP Whole Disk Encryption (PGP WDE) has been rebranded as Symantec Drive Encryption (SDE) while the latter continues as Symantec Endpoint Encryption Full Disk (SEE-FD) edition. Platform support is provided via Symantec Drive Encryption, for Windows XP through 8 except RT, and for Mac OS X and Linux. Symantec Mobile Management is a separate product supporting consumer smartphones and tablets. Additional support is provided for Intel AES-NI and vPro, TPM and TCG Opal SEDs. Symantec is certified to FIPS 140-2 Level 1 in software, and was awarded CC EAL2 and CC EAL4+.
- Symantec's reputation, global reach and installed base continue to push sales forward. Sales were healthy for 2012 but not the highest among established EPP players.
- Symantec tied for second place among peer rankings as a competitive threat.
- The optional Symantec Mobile Encryption for iOS facilitates the sending and receiving of PGP-encrypted email on iPhones and iPads.
- Policy-compatible encryption can be enforced on files sent to email using Symantec DLP, and on files sent to external shared storage, such as cloud systems, using Symantec File Share Encryption for additional fees.
- Three years after announcing a road map, Symantec was unable to complete the merging of products and technologies from the acquisitions of GuardianEdge and PGP with SEE, Symantec's OEM of GuardianEdge. The separate offerings confuse existing and new customers and drive interest to migrate to alternate third-party solutions, including BitLocker.
- MDP seat pricing is the highest reported on scheduled lists. Buyers of Symantec's larger product suites will be able to negotiate considerable discounts, but stand-alone buyers may be discouraged.
- Symantec declared end of life for PGP Remote Disable and Destroy with Intel AT in 2Q12, and for PGP Portable media encryption in 4Q11. Media encryption customers under maintenance could migrate to a different product family, Symantec Endpoint Encryption Removable Storage Edition.
Trend Micro offers MDP based on the acquisition of Mobile Armor in 2011. Platform support is provided for Windows XP through 8 except RT. MDM for consumer smartphones and tablets is available in separate products, but manageable under a common console. Trend Micro is certified to FIPS 140-2 Level 2 and was awarded CC EAL4+. Additional support is provided for Seagate and TCG Opal SEDs, TPM, Intel AES-NI and AT, and UEFI.
- Removable media access policy can be set to require remote authentication (to a company server). It can also set a policy to require remote authentication after a number of failed offline logins, or after a specific date.
- Trend Micro's Installation Advisor automatically performs disk and OS health checks before installation to prevent installation failure, and evaluates application compatibility.
- In the Magic Quadrant survey, Trend Micro offered especially helpful advice about international travel. It has a blanket license to sell products in multiple countries and can sell to U.S. companies and their subsidiaries, without modification, in any country not banned by the U.S. Department of State.
- After two years in the market, Trend Micro has yet to establish strong competitive visibility, as evidenced by the lack of Gartner client inquiries or feedback from peers about the company being a competitive threat. Prior to its acquisition by Trend Micro, Mobile Armor had a strong technical reputation but weak market presence.
- Line-of-business revenue is below the qualifying threshold for this report. The company remains in the Magic Quadrant based on its prior inclusion and because its product functions meet or exceed the current inclusion requirements.
- Trend Micro offers optional managed secure sync and file share tools but cannot detect and force encryption if the user writes files to an unauthorized network or cloud storage system.
Verdasys is a longtime content-aware player with premium tools focused on encrypting and protecting intellectual property in a DLP framework. Platform support is provided for Windows XP through Windows 8 except RT, and for Mac OS X and Linux. A fully compatible Digital Guardian app is offered for iOS. Verdasys is certified to FIPS 140-2 Level 1 and was awarded CC EAL2+.
- Verdasys' understanding and integration of content-aware DLP is extensive and mature. Its client base does not typically overlap with the EPP, MDP or MDM markets for buyer leverage. However, performance in MDP improved, and all criteria were met.
- Because of the way the DLP and encryption features are implemented, Verdasys provides one of the strongest sets of capabilities for the support of mobile-sensitive data protection across multiple media form factors.
- Verdasys typically does not appear in MDP-only shortlists, and MDP is not a major line of business. Buyers consider Verdasys if they are already customers of Verdasys DLP, which limits its ability to communicate its MDP vision.
- Verdasys has not pursued any of the advanced and/or embedded encryption technologies, such as SEDs, BitLocker, FileVault, Intel AES-NI, TPM and so on.
Wave Systems pioneered the use of Seagate SEDs and was the first to offer support for TCG Opal SEDs. The 2011 Safend acquisition brought DLP, file protection and removable media encryption in-house. Platform support is provided for Windows XP through Windows 8 except RT, and for Mac OS X. Through the Safend acquisition, Wave is certified to FIPS 140-2 Level 1 and has CC certifications for file and removable media protection. Additional support is provided for Intel vPro, TPM and UEFI.
- Schedule pricing is competitive, and the platform contains all major features, including DLP policies. FIPS-level support for BitLocker is provided to existing customers for a price point comparable to a calculated share of MDOP fees.
- A dedicated TPM key management server helps companies back up TPM keys to an existing platform and migrate keys to new platforms for recovery or migration. Help desk recovery information is stored in Microsoft Application Directory but is strongly defended.
- Wave has developed a highly scalable mass installation utility that will verify users and unlock systems upon receipt, even if the company LAN is not reachable. Trusted administrative connections may be set up directly over the Internet. Trusted drives can be moved and reauthorized remotely — for example, if a motherboard fails — without the need for special software.
- Wave Systems operated at a loss for parts of 2012 and sold stock to finance operations. Gartner clients have raised questions. This situation has been characterized by the company as a means to finance long-term vision. Otherwise, seat sales are more than satisfactory for inclusion in the Magic Quadrant.
- Gartner client feedback, a relatively low incidence of publication references or reviews, and lack of peer vendor reaction continue to signal a lowered standing in competitive execution.
WinMagic has sold complete workstation encryption solutions since 1997. SecureDoc is geared toward companies with high-security needs and strong authentication requirements. Platform support is provided for Windows XP through 8 except RT, and for all major Linux distributions. Fully managed and compatible SecureDoc agents have also been released for consumer smartphones and tablets. Additional support includes Seagate and TCG Opal SEDs, TPM, Intel AES-NI and AT, and UEFI. WinMagic is certified to FIPS 140-2 Level 1 and was awarded CC EAL4.
- WinMagic is highly responsive to change requests and maintains a customer advisory board with long-standing clients. Buyer loyalty has resulted in very long contract relationships — that is, those of more than 10 years.
- The company experienced revenue growth in the past year and has healthy overall seat sales.
- WinMagic has a native UEFI PBA and custom UEFI GUI signed by Microsoft that supports Secure Boot. The company works closely with the PC OEMs and BIOS companies to develop deeper compatibility to be able to support advanced features such as Windows 8 encrypted PC Refresh and full-touch UI support.
- In addition to last year's reseller agreement with Lenovo, WinMagic has garnered a preinstalled, preferred solution provider agreement with HP, which went public in May 2013.
- WinMagic's primary buyers continue to be organizations with high security requirements. However, WinMagic's historically government-oriented high-security reputation interferes with usability perception in buyers' minds and can cause SecureDoc to be overlooked.
- Scheduled prices are on the high side, but buyers can negotiate competitive discounts.
- The bulk of WinMagic's sales are made in North America, but this is the market where growth is most challenged because of heavy competition. WinMagic is investing in sales relationships for far-flung markets in EMEA, which currently represent only a tiny fraction of revenue, but must rely heavily on partners to make or break the opportunity.
We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
- CenterTools, based in Germany, recently obtained FIPS 140-2-certified crypto for FDE, under license.
- Secude is no longer reporting information about revenue or seat sales that can be used to compare it with other vendors in the market, and has insufficient visibility for a sizing estimate by indirect means. Secude was "grandfathered" in the 2012 report, but without sufficient sales to meet ongoing inclusion. A lack of Gartner client feedback or market presence data, a scarcity of publication references or reviews, and a lack of peer vendor reaction collectively indicate insufficient competitive market presence.
- Kaspersky Lab released an MDP product in 1Q13, which was too short a time in market to meet inclusion criteria for this year's report. Its standing will be evaluated for next year's Magic Quadrant.
Sixteen data protection vendors with MDP capabilities were notified of the annual survey. Twelve companies satisfied the inclusion/exclusion criteria and appear in the Magic Quadrant, according to the evaluation of these attributes:
- The vendor must have products that meet the market definition and were generally available in 2012 and in 1H13 for a sufficient length of time to attract market attention. The products must meet all aspects of the definition of products in the market, as set forth in this Magic Quadrant. The vendor must offer products for use on Windows-based PCs, because these workstations represent most of the revenue for the market. However, to qualify for a strong Completeness of Vision ranking, a vendor must support other platforms. Vendors that sell and/or source third-party encryption products are allowed. Several vendors in this market license parts of their solutions, ranging from cryptographic modules to larger program components.
- The vendor must be generally recognized as a participant in the market, as evidenced by Gartner client interest and inquiries, presence at tradeshows and conferences, and other forms of public and media mention that establish competitive presence. Our analysts must receive feedback from clients and case study reference organizations indicating that they are using the products. The vendor should appear regularly on Gartner clients' shortlists for final selection and should appear regularly in other sources (such as publications and support forums) as a product that's competitive with companies that are already qualified for this market.
- Companies that sell port controls and external/removable media protections as their only or main features, without meeting other core aspects of the MDP definition, did not qualify for inclusion in this Magic Quadrant.
- The vendor must own or license FIPS 140-2 certified encryption for the MDP product. Gartner considers this certification to be a minimum standard of commitment to the encryption market. Valid certifications may be acquired and, therefore, exist under several names. A vendor will be considered if its FIPS 140 application is processing during the study year.
- Seat sales in 2012 needed to total more than 125,000 seats, and 2012 revenue in the market must have been greater than $3 million. Exceptions may be granted if other inclusion factors merit consideration. These thresholds were continued from the prior report.
- The vendor must provide centrally managed access controls, lockouts, and key management/recovery and system recovery methods that operate in FIPS mode.
- The product must be commercially supported.
- Seats sold by licensees, partners and others can only be counted once if they are reported. They will be attributed only to the original vendor if the licensee is not already included in this Magic Quadrant. OEM seats that are shipped without revenue may be attributed at a reduced percentage.
Vendors are asked to participate in an annual survey that is used to collect competitive and historical data within requested deadlines. If data is not provided, we estimate a vendor's status from prior-year surveys, if available, and independent sources. Vendors that decline to report for several years in a row, and cannot otherwise be verified, may be excluded from or reduced in ranking consideration. Essential information that falls under this rule includes:
- Count of client companies under contract
- Count of seat sales (actual and estimated) over a three-year period
- Line of business (LOB) revenue, and other basic financial and organizational metrics
Technologies Not Qualified for the Magic Quadrant
- Hardware encryption subsystems offered in CPUs or storage drives are enabling technologies that may be utilized by MDP products, rather than complete solutions. Examples include Intel AES-NI and TCG Opal SEDs.
- Embedded software encryption subsystems typically used without a full enterprise management framework. An example is Microsoft's Encrypting File System (EFS).
- Open-source projects that lack commercial support. An example is TrueCrypt. Gartner monitors open-source projects and will consider future project distributions when we see evidence of commercial support.
- Companies that otherwise did not meet inclusion criteria and, in most cases, have not responded to requests for several years were not pursued and are no longer mentioned here.
This market is well-established, and global pressure for data protection means that incumbent vendors can sell enough seats to keep their doors open. The recent economic slowdown has reduced the appearance of new companies.
New products, new features and estimated sales in 1H12 were also considered in the final ranking. Unofficial road maps, pending contracts, future sales agreements, future promises for recent acquisitions, and vague strategies do not significantly contribute to a vendor ranking or to inclusion in this Magic Quadrant; however, vendors that have official and public road maps, and make consistent progress, are recognized.
Execution weightings are considered standard because, within the research review, the relative merit of each ranking factor can be adequately expressed for the general case without additional adjustments. Weightings are contextual. Readers who conduct their own RFIs may choose to change weightings to suit the needs of their business and their industry:
- Product/Service compares the completeness and appropriateness of core data protection technology. This factor is critical in demonstrating that the vendor can generate market awareness.
- Overall Viability considers company history and demonstrated commitment in the market, as well as the difference between a company's stated goals for the evaluation period and the company's actual performance, compared with the rest of the market. Growth of the customer base and revenue are considered.
- Sales Execution/Pricing compares the strength of a vendor's sales and distribution operations, as well as the discounted list pricing for investments in seats ranging from fewer than 100 to more than 10,000. Pricing is compared in terms of first-year cost per concurrent active license seat, including the cost of the management console, and all hardware and support. Buyers want demonstrable peace of mind more than they want bargains, and they will respond to sales techniques led by case studies and ROI projections.
- Market Responsiveness/Record and Marketing Execution are rated together as Marketing Execution. This criterion rates competitive visibility as a key factor, including which vendors are most commonly considered to be top competitive threats by each other, and which vendors respond most effectively during buyer RFPs.
- Customer Experience is rated from client feedback to analysts; from opinions of Gartner analysts in security, network and platform research groups; and from vendor-supplied references, where needed.
- Operations considers the ability of a vendor to pursue its goals in a manner that enhances and grows its influence in all execution categories. Operations is already considered in the other execution ranking categories.
One of the interesting interpretive elements of the survey is an execution question in which vendors are asked to name three peers that constitute their greatest competitive threat. The result of this survey question is a good barometer for understanding the potential of vendors to maintain high performance in this market.
Source: Gartner (September 2013)
Vision is ranked according to a vendor's ability to show a broad commitment to technology developments in anticipation of user wants and needs that turn out to be on target with the market.
Companies that lead in vision typically own, license or partner on products in other security and configuration management markets. They must also demonstrate management features that make their products easy to integrate with enterprise directories, and to interoperate with other enterprise security and management systems.
Vision weightings are considered standard because, within the research review, the relative merit of each ranking factor can be adequately expressed for the general case without additional adjustments. Weightings are contextual. Readers who conduct their own RFIs may choose to change weightings to suit the needs of their business and their industry:
- Market Understanding and Marketing Strategy are ranked together as Marketing Strategy, and are assessed through direct observation of the degree to which a vendor's products, road maps and missions anticipate leading-edge thinking about buyers' wants and needs. Gartner makes this assessment by several means, including interactions with vendors in briefings and by reading planning documents, marketing and sales literature, and press releases. Incumbent vendor market performance is reviewed year by year against specific recommendations that have been made to each vendor, and against future trends identified in Gartner research. A vendor cannot merely state an aggressive future goal. It must put plans in place, show that it is following the plans, and modify plans as market directions change. Also considered are the vendor's partnerships with other vendors in related endpoint security markets, including antivirus, anti-spyware, configuration management, authentication, device identification, VPNs, data encryption, gateway firewalls and others.
- Sales Strategy examines the vendor's strategy for selling products, including sales messages, techniques, marketing, distribution and channels. In this report, sales strategy is considered to be a matter of execution. It does not apply to product vision, which is ranked in terms of investment in functionality.
- Offering (Product) Strategy is ranked through an examination of the breadth of functions, platform and OS support for the MDP client. R&D investments are credited in this category. Mergers that bring EPP vendors into the market have a strong impact on vision rankings for all vendors, because these vendors are driving the types of integration that Gartner considers to be strategic and competitive. Supported platforms are listed in the vendor comments.
- Business Model takes into account a vendor's underlying business objectives for its products, and its ongoing ability to pursue R&D goals in a manner that enhances all vision categories.
- Vertical/Industry Strategy considers a vendor's ability to communicate a vision that appeals to specific industries and vertical markets. However, this Magic Quadrant doesn't consider vertical markets as a distinctive ranking factor, so this category is irrelevant and not rated.
- Innovation takes into consideration the degree to which a vendor invests in core requirements for the successful use of its products.
- Geographic Strategy takes into account a vendor's strategy to direct resources, skills, products and services globally. All vendors are ranked in the Magic Quadrant for their performance as a whole, and within the frame of reference of Gartner clients. Therefore, detailed examination and ranking of this category are irrelevant. In 2010, North America was estimated to account for more than 63% of MDP revenue potential (on average) and, for many years, success in the North American geography has been the primary indicator of viability. Buyers in other geographies tend to react to vendors based on their competitiveness in North America and, to a lesser extent, in Europe.
Leaders have products that work well for Gartner clients in small and large deployments. They have long-term road maps that follow and/or influence Gartner's vision of the developing needs of buyers in the market. Leaders make their competitors' sales staffs nervous and force competitors' technical staffs to follow their lead. Their MDP products are well-known to clients and are frequently found on RFP shortlists.
Challengers have competitive visibility, market share, and financial and channel strengths that are better-developed than Niche Players, but not as broad as Leaders or Visionaries. They also have greater success in sales and mind share than similar Niche Players. Challengers offer all the core features of MDP, but typically their vision, road maps or product delivery are narrower than those of Leaders. Challengers may have difficulty communicating or delivering their vision in a competitive way, but they can be very disruptive to the sales of other vendors, particularly Leaders. For example, if a vendor has implemented features ahead of the demand curve that do not attract buyers, do not trigger new competitive responses from other vendors and do not change the developmental course of the market, then its vision is not improved by those features. The Magic Quadrant for MDP historically reports little or no activity in this quadrant. In general, companies that execute strongly become Leaders.
Visionaries make investments in broad functionality and platform support, but their competitive clout, visibility and market share don't reach the level of Leaders. Visionaries make planning choices that will meet future buyer demands, and they assume some risk in the bargain, because ROI timing may not be certain. Companies that pursue Visionary activities will not be fully credited if their actions are not generating noticeable competitive clout and are not influencing other vendors. The difference between Visionaries and Niche Players amounts to the risks that the company takes in terms of strategic R&D and the ability to realize competitive clout from those risks.
Niche Players offer products that suit many enterprises' needs and often are the best choice to get a stable product, combined with more-personalized service. A Niche Player ranking is assigned when the product is not widely visible in competition, and/or when it is judged to be relatively narrow or specialized in breadth of functions and platforms — or, for other reasons, the vendor's ability to communicate and deliver vision and features does not meet Gartner's prevailing view of broad competitive trends. MDP Niche Players include stable, reliable and long-term players. Market share may be limited or not easily measured. Some Niche Players work from close, long-term relationships with their buyers, in which customer feedback sets the primary agenda for new features and enhancements. This approach can generate a high degree of customer satisfaction, but also results in a narrower focus in the market (which would be expected of a Visionary).
MDP systems and procedures are needed to protect business data privacy, meet regulatory and contractual requirements, and comply with audits. This Magic Quadrant is a market snapshot that ranks vendors according to competitive buying criteria. Vendors in any sector of the Magic Quadrant, as well as those not ranked on the Magic Quadrant, may be appropriate for your enterprise's needs and budget. Every company must include MDP in its IT operations plan.
MDP is an established market with two primary purposes — first and foremost, to safeguard user device data by means of encryption and access control; and second, to provide evidence that the protection is working. Most companies, even if not in sensitive or regulated industries, recognize that encrypting business data is a best practice. Common motivations for protecting data are to comply with government or industry regulations, maintain privacy, and shield intellectual property. Legislation across the world mandates increasingly tough penalties, as well as requirements for public disclosure in the event of a real or suspected mishandling of personally identifiable information. Even if information is not misused, the public relations costs to quell negative public reaction are expensive. Gartner believes that the costs of a data breach are higher than the cost to invest in preventive measures, such as MDP (see "Pay for Mobile Data Encryption Upfront, or Pay More Later").
Press notifications of breach disclosures, mitigations and fines drive MDP deployments, and there is evidence that a significant number of systems are still unprotected. Most companies that invest in MDP conduct only partial installations for notebook/laptop computers, so there is still considerable room to upgrade and upsell to desktop and server platforms, including PCs, Macs and Linux-based systems, and to tie in with protection policies via MDM. Gartner recommends that all companies make efforts to install encryption across their endpoint platforms.
Public focus and most sales dwell on notebook (laptop) computers running versions of the Windows OS, because they are the most common business workstation platforms to be cited in stories of loss, theft and penalties. They also represent the most predictable sources of revenue. However, vendors cannot achieve higher vision scores unless they have broad support for multiple platforms, especially OS X, and a commitment to fully support older platforms still in migration, such as Windows XP.
The influence of EPP vendors that have acquired MDP products is significant. EPP vendors already aggregate MDP with the most common security needs, including enterprise antivirus, anti-spyware, personal firewall and desktop host intrusion prevention systems. For most organizations, selecting an MDP system from their incumbent EPP vendors will meet their requirements and will result in lower pricing.
LOB revenue is useful to gauge a company's health and Ability to Execute, and many companies ranked in this Magic Quadrant cannot otherwise separate the MDP revenue from the LOB containing MDP. According to information derived from the 2013 Magic Quadrant survey results, 2012 worldwide revenue within the LOB containing MDP for vendors in the scope of the report was estimated at $652 million, down from $683 million in 2012 and $715 million in 2011, as estimated in the past two reports. Decreases reflect discounted pricing from EPP vendors, some uptake of Microsoft BitLocker and increasing challenges for stand-alone vendors to differentiate their offerings. Slowdowns in laptop demand also have indirect but strong effects, which are counteracted to some degree as enterprises migrate from Windows XP.
MDP seat sales estimates are slightly higher than in the 2012 report, in part because of better disclosure reporting by a large vendor, but for practical purposes, they should be regarded as flat at about 45 million, compared to 43 million in last year's report. Three-year cumulative seats sold (2010, 2011 and 2012 combined) are estimated at 119 million.
All vendors and all products tracked in this Magic Quadrant offer similar basic functions, comparable encryption algorithms and management functions. Differences in the Ability to Execute are based largely on financial and sales performance, but are strongly influenced by client feedback, and anecdotal research into matters of satisfaction and usability, favorable recognition in public settings and appearance in RFPs. Differences in Completeness of Vision are scaled according to the breadth of the platform and the ability of a company not only to offer the features that buyers want, but to also competitively communicate the vision.
National Institute of Standards and Technology's "FIPS 140-1 and FIPS 140-2 Vendor List"
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.