Trustwave customers will benefit from its purchase of data encryption provider BitArmor, but the deal will have a limited effect on the mobile data protection market, which established vendors will continue to dominate.
On 12 January 2010, Trustwave, a provider of payment card industry (PCI) compliance management solutions and services, acquired BitArmor. BitArmor's DataControl provides encryption for files, full drives, removable media and e-mail attachments. The foundation of BitArmor's intellectual property is a technology called "Smart Tags" which contain encryption and protection policies that stay with data as it travels from device to device. The terms of the deal are confidential.
This deal continues Trustwave's strategy of acquiring complementary technologies to enhance its PCI-oriented managed services. Trustwave, which provides PCI security assessments to midsize merchants and offers managed services to meet PCI requirements, acquired data loss prevention vendor Vericept in September 2009 and sees the acquisition of BitArmor as the next logical extension.
The acquisition forms part of Trustwave’s plan to start penetrating the endpoint protection platform (EPP) and mobile data protection (MDP) markets, but will have little impact on either market for several reasons. Trustwave’s market strength concentrates on services for midsize and smaller merchants focused on complying with PCI mandates, and BitArmor's presence in the MDP market was limited in terms of client numbers. BitArmor provides data control software that secures, tracks and controls sensitive data by attaching tags to the data to facilitate policy management decisions on laptops, removable media, servers and e-mail attachments. The tagged data approach provides a granular control to data protection, because every file can directly assert its access policy, but will often be more than PCI mandates require.
Although this acquisition should bring financial stability to BitArmor's operations and increase its sales through Trustwave's direct sales force and strong channels, Gartner believes that the deal will have less impact on the encryption market than previous acquisitions, such as McAfee acquiring Safeboot. Previous Trustwave acquisitions have validated our opinion that Trustwave's core business is in PCI-related services, not in being an enterprise software product vendor.
Merchants looking for a managed encryption solution to meet PCI requirements: Evaluate Trustwave, but still be wary of using the same firm for qualified security assessor (QSA) and remediation services.
BitArmor customers that do not fit the profile for Trustwave's PCI services: Evaluate Trustwave's product road map against your incumbent encryption vendors that are focused on user workstations in Gartner's "Magic Quadrant for Mobile Data Protection" .
"Vericept Deal Will Bolster Trustwave PCI Managed Services" — Trustwave customers will benefit from its acquisition of Vericept, but the deal will have a limited effect on the data loss prevention market and will likely not result in Vericept's resurgence in the market. By Paul Proctor, John Pescatore and Eric Ouellet
"Limiting the Scope of Payment Card Industry Audits and Liability" — Proper network segmentation and outsourcing of as much card data processing and storage as possible can help enterprises limit PCI compliance efforts. By John Pescatore and Avivah Litan
(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)