Research

Publication Date: 23 September 2008 ID Number: G00161089

Magic Quadrant for Mobile Data Protection

John Girard, Ray Wagner

Mobile data protection products secure data on movable devices that can leave the
office, including notebooks, PDAs and smartphones. Buyers want products that work
equivalently across multiple platforms, need minimal support, provide for common
policies and extend protections to removable media.

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form
without prior written permission is forbidden. The information contained herein has been obtained from sources believed to
be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although
Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal
advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors,
omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein
are subject to change without notice.
WHAT YOU NEED TO KNOW

Mobile data protection (MDP) systems and procedures are needed to protect user privacy and to
comply with audit requirements, and every company must include MDP in its IT operations plan.
The Magic Quadrant is a snapshot of the overall market. The Leaders category denotes a vendor
with a balance of strengths. However, vendors in any category, as well as those not ranked on
the Magic Quadrant (see Figure 1), may support your enterprise's needs.

MAGIC QUADRANT

Figure 1. Magic Quadrant for Mobile Data Protection

Source: Gartner (September 2008)

Market Overview
MDP for notebooks and smaller handheld devices (PDAs and smartphones) is a rapidly growing
market that began with basic data encryption and has expanded beyond hard drives and local
files to encompass external data device controls and rights management. Most vendors in this
market started on desktops, but the clearly defined buying center is mobile. The MDP market has
been led for years by small independent software vendors (ISVs), some of which have been in
the market for up to 25 years. However, mergers and acquisitions are handing the reins over to
broader endpoint protection (EPP) vendors, such as Check Point Software Technologies and
McAfee. Protection schemes embedded in hardware or the operating system (OS) are

Publication Date: 23 September 2008/ID Number: G00161089 Page 2 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
incomplete, and leave plenty of room for ISVs to compete for years to deliver policy management
across platforms.
Interest in data protection is fueled by liability and privacy concerns. Across the U.S., legislation is
increasing to require public disclosure in the event of the real or suspected mishandling of
personally identifiable information. Civil and criminal penalties for data leaks, and pressure to
disclose leaks, are also growing in other countries. Even if information is not misused, negative
public reaction is expensive and embarrassing, and it damages buyer and investor confidence.
Demand for products in this market continues to grow. The following information is derived from
the 2008 Magic Quadrant survey results. Seats sold for 2007 — tallied for 18 vendors (15
reporting, three estimated) — totaled nearly 26 million, approximately 1.8 times higher than the
14 million seats tallied for 15 vendors in 2006. Early reports for 1H08 indicate that the market will
double again. Average sales per vendor are about 1.4 million seats, with a median of
approximately 650,000. Allowing for omissions and estimates, there is no doubt that the MDP
market continues to grow strongly. During the period from 2002 to 2006, the compounded annual
growth on global line of business (LOB) revenue tracked by Gartner in this market was greater
than 55% per year.
Revenue growth in the market remains strong. According to information derived from the 2008
Magic Quadrant survey results, 2007 worldwide revenues in the MDP LOB are estimated at $611
million, compared with $432 million in 2006 and $287 million in 2005. Performance is spread
broadly between a few large vendors and many small vendors, creating a median performance of
$11 million and an average of about $34 million. We expect total LOB revenue for 2008 to exceed
$1 billion.
Software as a service (SaaS) is available through 13 of the vendors in the survey. At this point,
vendors that rely on product sales as their main revenue streams are reporting that SaaS
represents, at most, 1% to 5% of their earnings. The few vendors we track that rely more heavily
on SaaS are facing challenges to grow revenue.
Client inquiry calls steadily continue to request assistance in understanding, choosing and
implementing data encryption. The numbers of calls and the size of pending installations suggest
that data protection is still inadequate across industries. Stories of stolen devices containing
exposed data continue to proliferate, and have not reduced in severity from prior years. Each
year, hundreds of thousands of laptops and potentially millions of smaller devices are estimated
by various sources to go missing through loss or theft, or are upgraded or exchanged without first
having their data removed. Others fall prey to network-borne attacks and data copying. Data loss
and theft are also increasing through removable portable storage devices that impact authorized
users, as well as those who lose their storage media.

Client Concerns for 2008

Hardware subsystems, including the trusted platform module (TPM) and Seagate Technology's
encrypting hard drives, are raising client awareness and interest in the potential for hardware
systems to strengthen data protection and improve performance, but they are not universal
solutions for all applications and all platforms. Buyers are not always able to integrate these
systems into their plans and will be challenged to attempt large adoption across all their
platforms. Additional hardware developments are appearing, which bring more opportunities but
also more fragmentation and procurement challenges. Examples include Intel vPro, a certificate-
based remote management platform that can directly interface with encryption tools; Intel
Danbury, a processor implementation of Advanced Encryption Standard to run in a CPU at
pipeline speeds; and competing hard-drive encryption systems at Fujitsu and Hitachi in line with
the Trusted Computing Group's Trusted Storage Specification. No hardware system is ready to
be a complete solution unto itself. ISVs in the market are increasingly taking advantage of these

Publication Date: 23 September 2008/ID Number: G00161089 Page 3 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
hardware systems when they are present, but at the same time, they can offer strong protection
in software without them.
BitLocker is an important step forward from Windows Encrypting File System (EFS), but Microsoft
has much room for improvement. BitLocker's full-drive encryption (FDE) is limited to a subset of
configurations on a single platform (Windows Vista) and is not suited to plug-and-play device
protection or for secure data sharing across multiple devices. Microsoft needs years to grow a
significant enterprise desktop market share. Buyers should invest now in ISV solutions that cover
all their platforms in use. Several ISVs have released management support for BitLocker, so
clients can find ways to use it.
The availability of multiple-platform support from a single vendor increasingly plays a role in
product selection. Buyers are looking for vendors that can support platforms, large and small, with
a similar look and feel, as well as provide common access and audit policies (see the "Vendor
Strengths and Cautions" section in this research for lists of vendor-supported OSs and platforms).
In 2008, the fruits of mergers between MDP vendors and EPP vendors have raised the value
proposition from simple coexistence and point to a future when configuration management,
encryption, host intrusion prevention system, personal firewalls and anti-malware defenses will be
aligned. Of particular visibility in this regard are Sybase iAnywhere, Check Point Software
Technologies (acquired Pointsec) and McAfee (acquired Safeboot). Sophos has an acquisition in
progress for Utimaco Safeware, and other EPP players, including Symantec and Trend Micro,
can be expected to pay attention. Other opportunities arise when vendors pursue partnerships for
software distribution, asset tracking, backup/restore, inventory and other nonsecurity operations.
These partnerships make it easier for enterprises to prove that user endpoint systems are secure
and up to date, and can reduce the total cost of ownership of supporting multiple endpoint agents.
Multiple-user capability is of growing interest, as companies move beyond knowledge workers
and begin encrypting shared workstations, retail and manufacturing systems.
Key management, storage and destruction methods are frequently on buyers' minds because of
concerns regarding recovery for lost user/system access credentials, as well as for data
destruction. Well-managed key destruction is tantamount to drive wiping and is essential to
defend against data breaches on lost systems. It also provides a low-cost, low-risk, green method
to dispose of old drives.
Removable media protection is a subject raised in every client inquiry. Vendors are responding
with policies based on user certificates, application type, document type and device type. Clients
expect more than simple drive blocking and, increasingly, are seeking solutions to provide
portable viewing of encrypted documents with some means to track access. However, few users
are prepared to deal with the complexity of implementing portable access tracking mechanisms
(see "Trusted Portable Personality Devices Promote Secure Access").
Government security certifications are increasingly important to nongovernmental purchases.
Enterprise buyers want to see that vendors are serious about delivering the best protection, and
they recognize Federal Information Processing Standards (FIPS), Common Criteria (CC) and
other designations as proof of vendor commitment (see the "Vendor Strengths and Cautions"
section in this research for lists of vendor certifications). Readers should note that vendors may
accrue a long list of certifications for algorithms for encryption, key management, quality
management and specific countries. This research primarily considers FIPS 140-2 because it is a
rigorous and internationally recognized certification for cryptographic engines. CC certification is
considered ahead of country-specific and industry-specific certifications, again, because it is, by
design, internationally recognized.
In June 2007, U.S. Federal Blanket Purchase Order Agreements were awarded, in a joint effort
by the Office of Management and Budget, U.S. Department of Defense and U.S. General

Publication Date: 23 September 2008/ID Number: G00161089 Page 4 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Services Administration, to several of the vendors tracked for the Magic Quadrant. These blanket
purchase orders can sometimes be used by other agencies, including state and local
governments, and will stimulate sales opportunities by virtue of expedience.

Market Definition/Description
Products in the MDP market are software tools that use strong encryption algorithms to protect
information on the primary storage system of mobile platforms, including notebooks, PDAs and
phones. Secondary protection for server volumes and removable media are increasingly
common. All the PC products can work on stationary desktops, but the market demand is for
systems that move. Encryption may be invoked at the level of individual files, as is common on
small mobile devices, or at the folder, partition or full disk for larger systems. Users must answer
a login challenge to gain access to data. The challenge may range from a simple PIN to a
complex password, token or smart card, and may combine with biometrics. Competitive
differences derive from different approaches to management, encryption strength, user
authentication, policy management and value-added features, such as protection of information
on removable media. Vendors must provide centrally managed access controls, lockouts and
recovery methods. Small mobile devices represent the largest number of platforms overall, but
the largest profits are still made on Windows laptop/desktop platforms. Products restricted to
Windows PCs may be considered, but the best rankings go to vendors that cross multiple
platforms and OSs.

Inclusion and Exclusion Criteria

Inclusion Criteria
Nineteen data protection vendors with mobile capabilities were contacted for our annual survey,
and seventeen vendors responded. Of those vendors, fourteen passed the inclusion/exclusion
criteria and were included in the Magic Quadrant, according to the evaluation of these attributes:

• The vendor must have had products that were generally available in 2007 and in 1H08
for a sufficient length of time to attract market attention, and the products must meet all
aspects of the functional definition of products in the market. The vendor must offer
products for use on PCs, because workstations represent most of the revenue for the
market. Vendors that sell and/or source third-party encryption products are allowed;
several vendors in this market license parts of their solutions, ranging from
cryptographic modules to larger program components. A synchronization agent running
on a workstation to support a product that only runs on a handheld device does not
qualify for inclusion.

• The vendor must generate client interest and inquiry sufficient to be noticed by Gartner
security analysts. Analysts must also receive feedback from clients indicating they are
using the products.

• The vendor's product must not be limited to a single or proprietary platform by restriction
of an OS or hardware component.

• Gartner analysts have a generally favorable opinion about the company's ability to
compete in the market.

• The company regularly appears on Gartner clients' shortlists for final selection.

• The company demonstrates competitive presence and sales to Gartner analysts.

Publication Date: 23 September 2008/ID Number: G00161089 Page 5 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Gartner analysts consider that aspects of the company's product execution and vision
are important enough to merit inclusion.

• Seat sales in 2007 needed to total more than one-fifth of the median, or 125,000 seats,
slightly less than 10% of the survey average of 1.4 million seats sold. The 2007 revenue
in the market must be more than $3 million, slightly less than 10% of the survey average
of $34 million. Exceptions may be granted if other inclusion factors merit consideration.

• The product must be commercially supported.

Seats sold by licensees, partners and others can only be counted once if reported. They will be
attributed only to the original vendor if the licensee is not already included in this market study.
OEM seats shipped without revenue may be attributed at a reduced percentage.

Exclusion Criteria
Vendors will not be included in the Magic Quadrant if the following conditions are not met:

• Vendors must return an annual RFI that is used to collect competitive and historical
data, within requested deadlines. Under limited circumstances at our discretion, we will
estimate vendor status from a prior year's survey, but vendors who decline to report for
two years in a row will be removed.

• Vendors must report seat sales in a format requested by Gartner to allow comparison.
Under limited circumstances at our discretion, we may estimate unreported seats based
on prior history, but vendors who decline to report for two years in a row may be
removed.

• Vendors must report financial information in a format requested by Gartner to allow

comparison. In a mature market, financial data is desirable to make execution
comparisons, and the majority of vendors report their results to Gartner. Wide variations
in discounting and OEM contract values make estimations problematic. Other factors will
be considered, including client interest, overall industry "mind share" and competitive
behavior. Under limited circumstances at our discretion, we may estimate unreported
financial performance based on prior history, but vendors who decline to report for two
years in a row may be removed.

Vendors Considered but Not Included in the 2008 Magic Quadrant

Aliroo, BeSeQure (now Corisecio), Eruces, infoLock Technologies, SecurStar and Verdasys did
not return the survey in 2007 and were not contacted in 2008. Motorola was invited to respond to
the 2008 survey, but it declined. These vendors do not generate significant Gartner client inquiry
in this market to consider placement by indirect information, nor do they appear to have influence
among the ranked vendors. They are retained on our grand list of market companies.
Apple's FileVault and encryption for disk image volumes are not enterprise-manageable in a
manner comparable to ranked vendors in this market. A lack of presence in the largest target
platform — Windows workstations — further disqualifies inclusion. Several ranked vendors
support the Macintosh and provide for common enterprise policy management, and still more are
developing products for release during the remainder of 2008.
BitArmor Systems provides data control software that secures, tracks and controls sensitive data
by attaching tags to the data to facilitate policy management decisions on laptops, removable
media, servers and backup tapes. This approach presents a powerful, strategic solution to data
protection because every dataset is able to directly assert its access policy. BitArmor's products
are not yet selling in sufficient volume to qualify for ranking, but will be re-evaluated in 2009.

Publication Date: 23 September 2008/ID Number: G00161089 Page 6 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Bluefire and Trust Digital are previously ranked companies that did not return the 2008 survey
and do not generate much client inquiry. They sell exclusively to the handheld market, and do not
meet the current inclusion criteria. Trust Digital's products are sold directly and licensed by
GuardianEdge Technologies, while Bluefire sells directly and is licensed by Symantec.
Microsoft's security products remain fragmented and do not meet the inclusion criteria. Windows
Mobile 6.1 was the first version to integrate core memory encryption but didn't enter the market
until 1Q08. Windows Mobile and Windows XP/Vista have separate management platforms.
Windows EFS has not changed since Windows 2000, so concerns raised in reports in the past
year continue, particularly on XP platforms. Vista has not penetrated the enterprise market to the
point where BitLocker is a competitive platform solution. Microsoft's products resemble niche
solutions. They have had negligible effect in attracting users away from ISVs. Several ranked
vendors do provide common enterprise policy management and/or key management for Windows
Mobile and BitLocker.
Mossec, a Spanish vendor, is pursuing the market to sell a handheld security and management
suite as a software service exclusively to the carrier channel. Lack of a Windows workstation
product and small sales numbers prevent qualification for this year's Magic Quadrant. Mossec will
be re-evaluated in 2009.
Open-source projects, such as AxCrypt (www.axantum.com ) and TrueCrypt (www.truecrypt.org
), offer free data encryption tools, but they are not commercially supported. Gartner monitors
open-source projects and will consider future project distributions that provide commercial
support.
Seagate Technology has created new awareness and demand for hardware-embedded
encryption. Seagate's encrypting drives are enabling technology, rather than a complete solution;
thus, they are not ranked on the Magic Quadrant. Buyers are best served by relying on third-party
vendors in this market to manage keys, recovery and access policies for Seagate's drives.
Vendors that support these drives will help you to use the drive, if it is present, so you get the
performance benefits; however, if you do not have the drive, vendors can use other encryption
facilities. Six vendors in the MDP market had some ability to manage Seagate's drives as of 1H08
(BeCrypt, Credant Technologies, Secude, Utimaco Safeware, Wave Systems and WinMagic),
and several others have Seagate on their road maps.
Secude is an 11-year-old Swiss company that has been developing its Finally Secure product in
stealth mode for the past two years. Sales through 1H08 amounted to approximately 53,000
seats. The company is betting on SaaS and preferred partnerships with Seagate and others to
ramp up sales through the remainder of 2008. Their product will run as stand-alone software
encryption or it can use hardware systems including Seagate encrypting drives, and it runs on
Windows XP and Vista. The current sales record is too low for inclusion; however, Secude will be
monitored and re-evaluated for 2009.
SMobile Systems offers a broad range of mobile security technologies for major handheld
platforms that are licensed by a number of companies, including carriers, such as AT&T and BT,
and some vendors in the MDP market, such as Sybase iAnywhere. Lacking a PC product, it does
not qualify for inclusion. Also, its encryption tool needs to be more visibly marketed. SMobile
Systems will be monitored and re-evaluated for 2009.
TechSec Solutions did not meet sales and revenue thresholds in 2007, did not return the 2008
survey, and does not generate client inquiry.
Venafi characterizes its product as system management for encryption (managing EFS in this
context) and is, therefore, not directly comparable with or competitive to products in this market.

Publication Date: 23 September 2008/ID Number: G00161089 Page 7 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Added
McAfee has entered the Magic Quadrant through its 2007 acquisition of Safeboot.
Mobile Armor has responded to the 2008 survey and met the inclusion criteria.
SafeNet has reported a qualifying market share and will now be tracked.
Wave Systems is becoming visible, with an attractive niche configuration for managing Seagate
drives and trusted platform modules (TPMs), initially on Dell platforms.

Dropped
Entrust sells an OEM version of Check Point Software Technologies' Pointsec product, and its
market contribution is now attributed to Check Point.

Evaluation Criteria
Ability to Execute
This market is well-established, and global pressure for data protection means that almost
anyone can find investment money and may sell enough seats to keep their doors open. Vendors
that learn to sell their products on the merits of ease of use and convergence with device
management processes win the largest sales across markets. Other factors, such as the U.S.
General Services Administration's SmartBUY program (www.gsa.gov/smartbuy ) help stimulate
sales, but are not a substitute for a good business strategy.
New products, new features and estimated sales in 1H08 are also considered in the final ranking.
Unofficial road maps, pending contracts and future sales agreements do not significantly
contribute to a vendor ranking or to inclusion in this research, but vendors that have official road
maps and that make consistent progress are recognized.
Product/Service compares the completeness and appropriateness of core data protection
technology. This factor is critical to demonstrating that the vendor can generate market
awareness.
Overall Viability considers company history and demonstrated commitment in the market, as well
as the difference between a company's stated goals for the evaluation period and the company's
actual performance compared with the rest of the market. Growth of the customer base and
revenue are considered.
Sales Execution/Pricing compares the strength of sales and distribution operations of the
vendors, as well as discounted list pricing for investments in seats ranging from fewer than 100 to
more than 10,000. Pricing was compared in terms of first-year cost-per-concurrent active license
seats, including cost of the management console and all hardware and support. Buyers want
demonstrable peace of mind more than they want bargains, and they respond more strongly to
sales techniques led by case studies and return on investment projections. In past years, that
urgent need for protection meant that vendors in this market could charge up to hundreds of
dollars per seat (obviously, lower prices are frequently negotiated). The arrival of EPP vendors in
the market changes the rules because antivirus (AV) products have been heavily discounted.
MDP buyers will expect deep discounting, and the average seat price can be expected to erode
by as much as a factor of 10 during the next three years. This will stimulate market penetration
but will challenge the survival of stand-alone and specialty vendors.
Market Responsiveness and Track Record, as well as Marketing Execution, rate competitive
visibility as the key factor, including which vendors are most commonly considered top

Publication Date: 23 September 2008/ID Number: G00161089 Page 8 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
competitive threats by each other and which vendors respond most effectively during buyer
RFPs.
Customer Experience is subjectively rated from client feedback to analysts; from opinions of
Gartner analysts in security, network and platform research groups; and from vendor-supplied
references, where needed.
Operations consider the ability of a vendor to pursue its goals in a manner that enhances and
grows its influence in all execution categories. Operations are already considered in the other
execution ranking categories (see Table 1).

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria Weighting
Product/Service standard
Overall Viability (Business Unit, Financial, Strategy, standard
Organization)
Sales Execution/Pricing standard
Market Responsiveness and Track Record standard
Marketing Execution standard
Customer Experience standard
Operations no rating
Source: Gartner

Completeness of Vision
Vision is subjectively ranked according to a vendor's ability to show a broad investment in
technology developments that predict user wants and needs.
Companies that lead in vision typically own, license or partner on products in other security and
configuration management markets. They must also demonstrate management features that
make their products easy to integrate with enterprise directories, and to interoperate with other
enterprise security and management systems.
Market Understanding and Marketing Strategy are ranked together as Marketing Strategy,
assessed through direct observation of the degree to which a vendor's products, road maps and
mission anticipate leading-edge thinking about buyers' wants and needs. Gartner makes this
assessment subjectively by several means, including interaction with vendors in briefings and by
reading planning documents, marketing and sales literature, and press releases. Incumbent
vendor market performance is reviewed year by year against specific recommendations that have
been made to each vendor and against future trends identified in Gartner research. Vendors
cannot merely state an aggressive future goal; they must put plans in place, show that they are
following their plans and modify their plans as market directions change. Also considered are the
vendor's partnerships with vendors in related endpoint security markets, including antivirus, anti-
spyware, configuration management, authentication, device identification, virtual private network
(VPN), data encryption, gateway firewalls and others.
Sales Strategy examines the vendor's strategy for selling products, including sales messages,
techniques, marketing, distribution and channels. This topic is considered in execution; it does not
apply to product vision, which is ranked in terms of investment in functionality.

Publication Date: 23 September 2008/ID Number: G00161089 Page 9 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Offering (Product) Strategy is ranked through an examination of the breadth of functions, platform
and OS support for the MDP client. R&D investments are credited in this category. Mergers that
bring EPP vendors into the market have a strong impact on vision rankings for all vendors,
because these vendors are driving the types of integration that Gartner considers strategic and
competitive. Supported platforms are listed in the vendor comments. References to Windows
refer to currently supported full-end-user versions of the Windows XP and Vista OS. Support may
be available for older versions of Windows end-user platforms (9.x, 2000 and others) and servers.
Vendors cited for support of Windows Mobile are ranked for support of Windows Mobile 6.0 and
6.1. Support may be available for other mobile OSs from Microsoft.
Business Model takes into account a vendor's underlying business objectives for its products and
its ongoing ability to pursue R&D goals in a manner that enhances all vision categories.
Vertical/Industry Strategy considers a vendor's ability to communicate a vision that appeals to
specific industries and vertical markets. The Magic Quadrant doesn't consider vertical markets as
a distinctive ranking factor; therefore, this category is irrelevant.
Innovation takes into consideration the degree to which vendors invest in core requirements for
the successful use of their products.
Geographic Strategy takes into account a vendor's strategy to direct resources, skills, products
and services globally. All vendors are ranked in the Magic Quadrant for their performance as a
whole and in the frame of reference of Gartner clients; therefore, this category is not required
(see Table 2).

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria Weighting
Market Understanding no rating
Marketing Strategy standard
Sales Strategy no rating
Offering (Product) Strategy standard
Business Model standard
Vertical/Industry Strategy no rating
Innovation standard
Geographic Strategy no rating
Source: Gartner

Leaders
Leaders have products that work well for Gartner clients in small and large deployments. They
have long-term road maps that follow and/or influence Gartner's vision of the developing needs of
buyers in the market. Leaders make their competitors' sales staffs nervous and force competitors'
technical staffs to follow their lead. Their MDP products are well-known to clients, and they
encounter little resistance in selling their products.

Challengers
Challengers have competitive visibility, market share, and financial and channel strengths that are
better-developed than similar niche vendors. They have greater success in sales and mind share
than similar niche vendors. Challengers offer all the core features of MDP, but typically their

Publication Date: 23 September 2008/ID Number: G00161089 Page 10 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
vision may not contain forward planning that will drive competitive sales in the overall market for
MDP. Challengers may have difficulty in communicating the effectiveness of their vision. For
example, if a vendor has implemented features ahead of the demand curve that do not attract
buyers, do not trigger new competitive responses and do not change the developmental course of
the market, then their vision is not improved by those features.

Visionaries
Visionaries have made investments in broad functionality and platform support, but their
competitive clout, visibility and market share don't reach the level of those of leaders. Visionaries
tend to be effective in making planning choices that will meet future buyer demands.

Niche Players
Niche players offer products that suit many enterprise needs. A niche ranking is assigned when
the product is not widely visible in competition, and it is judged to be relatively narrow or
specialized in breadth of functions and platforms, or, for other reasons, the vendor's ability to
communicate vision and features is not meeting Gartner's prevailing view of competitive trends.
However, because the MDP market is a niche area in IT security, MDP niche players include
stable, reliable and long-term players. Some niche players work from close, long-term
relationships with their buyers, in which customer feedback sets the primary agenda for new
features and enhancements. This approach can generate a high degree of customer satisfaction,
but also results in a narrower focus on R&D than would be expected of a visionary.

Vendor Strengths and Cautions

BeCrypt
Strengths
• BeCrypt is a respected and mature company selling more than 90% in European
markets, especially in the U.K. Though volumes are small, sales revenue is strong,
showing 50% year-over-year growth and a 100% increase from 2006 to 2007.

• Its European certifications are numerous and indicative of a solid product. For example,
BeCrypt is Communications Electronics Security Group (CESG) Assisted Products
Service (CAPS)-approved to Top-Secret level, and can export this level to major
countries.

• Embedded system support includes ability to manage BitLocker and the TPM, and
BeCrypt can provide key management for Seagate's drives.

• BeCrypt has the following FIPS and CC certifications: FIPS 140-2 (pending); CCTM
(equivalent to CC EAL1).

• Platform support is provided for: Linux (several distributions), Windows Mobile, and
Windows XP and Vista.

Cautions
• Seat sales rates are low for the time in business and compared to the overall market,
but the company has a baseline and market activity sufficient to continue appearance in
the Magic Quadrant.

Publication Date: 23 September 2008/ID Number: G00161089 Page 11 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Strong earnings are indicative of higher per-seat revenue from its classified solutions.
Downward pricing pressure from major new entrants, such as McAfee, are a threat to
BeCrypt's commercial market expansion.

• The company needs to develop aggressive and competitive marketing messages,

combined with increased sales efforts outside Europe, to increase visibility.

Check Point Software Technologies

Strengths
• Check Point Software Technologies acquired Pointsec in 2007, and continues to use the
Pointsec brand name. The company did not provide updated financial or seat sales
information for the 2008 survey. Historical extrapolations suggest that its estimated
growth is above industry average.

• The company tied with Utimaco Safeware as the second most commonly cited
competitive threat named by other vendors in the market (11 out of 16 vendor
responses).

• Check Point Software Technologies has the following FIPS and CC certifications: FIPS
140-2 (all products); CC EAL2 (removable media); CC EAL44 (FDE).

• Platform support is provided for: Linux, Mac OS, Palm OS, Windows Mobile and
previous, Symbian, and Windows 2000, XP and Vista.

Cautions
• The company's successful integration between Pointsec and its EPP suite earns some
vision points, but has not influenced buying decisions reported by Gartner clients.

• Platform instabilities during and after installation were reported by several clients. The
problems were resolvable, and would have been avoidable if buyers had been given
better preparation and direction by Check Point Software Technologies' resellers.

• The key business and product management leader from Pointsec (Bob Egner) has
departed.

• Seat pricing is above average. Buyers expect EPP vendors to offer steep discounts, in
keeping with the trend for AV and firewall products.

Credant Technologies
Strengths
• With four million seats sold cumulatively in years 2005 through 2007, Credant
Technologies continues to demonstrate that data-centric, data-policy-driven encryption
products can compete in a market dominated by FDE vendors.

• Embedded system support includes the ability to manage BitLocker, EFS, Seagate's
encrypting drives and the TPM. Credant had a strong early partnership with Intel for
integration with vPro.

• It was included in the U.S. General Services Administration's SmartBUY award.

• Credant has the following FIPS and CC certifications: FIPS 140-2-1; CC EAL3.

Publication Date: 23 September 2008/ID Number: G00161089 Page 12 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Platform support is provided for: Palm OS, Symbian, Windows Mobile, and Windows XP
and Vista.

Cautions
• Credant invests more effort in sales and education than many of the FDE vendors. In
past years, this has created strong growth potential in a market oriented toward FDE.
Earnings in 2007 were impressive, given the company's alternative market position as a
file encryption vendor, but seat penetration is behind key FDE vendors. Seat sales for
2007 were average and 1H08 has dropped to the market median (about one-third of
average), while many vendors are selling at rates that will exceed 2007. Credant's
performance earned a somewhat lower execution than 2007.

• The company must use more-informative and aggressive sales tactics to dispel industry
beliefs about drive versus file encryption, especially because FDE doesn't apply to the
largest-growing device populations, consisting of removable media and handheld
devices.

GuardianEdge Technologies
Strengths
• Growth continues to be strong, following a surge that began in 2006. Seat sales for 2007
and 1H08 are above average, and appear on track to stay that way.

• GuardianEdge Technologies' OEM relationship with Trust Digital provides commonly

managed products for handheld devices and is protected from loss through acquisition.
The relationship with Symantec has brought a surge in sales and encourages risk-
averse buyers.

• It was included in the U.S. General Services Administration's SmartBUY award, and it
benefited from a large deployment by the U.S. Veterans Administration.

• GuardianEdge Technologies has the following FIPS and CC certifications: FIPS 140-2;
CC EAL1; CC-EAL4 (in evaluation).

• Platform support is provided for: Palm OS, Symbian, Windows Mobile and previous, and
Windows XP and Vista.

Cautions
• The company needs to expand its revenue base outside the U.S.

• A stronger and deeper alliance with a major EPP vendor is recommended to hold its
visionary rating against the major EPP vendors.

Information Security Corporation

Strengths
• Clients have reported that Information Security Corporation is very responsive to its user
community.

• The company was included in the U.S. General Services Administration's SmartBUY
award.

Publication Date: 23 September 2008/ID Number: G00161089 Page 13 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • It is the only ranked vendor besides Credant that specializes in file encryption instead of
FDE.

• Information Security Corporation provides its own certificate authority.

• Support for Apple platforms includes legacy PowerPC processors.

• Information Security Corporation has the following FIPS certification: FIPS 140-2.

• Platform support is provided for: Linux, Mac OS (Intel and PowerPC processors), Unix,
Windows Mobile, and Windows XP and Vista.

Cautions
• The company did not provide updated information for the 2008 survey. Historical
extrapolations suggest that its estimated growth is below industry average.

• Information Security Corporation lacks visibility in the Gartner client base (it is rarely
mentioned), and is not considered a competitive threat by any company that Gartner
tracks in the market.

• It lacks visibility in nongovernment markets. A limited set of buyers, combined with no

competitive sales and marketing, is a risk to growth, given that several of the SmartBUY
award winners have established strong and visible track records.

McAfee
Strengths
• McAfee is the most commonly named competitive threat (12 out of 16 vendor
responses). This is a promotion from 2007, when McAfee was No. 2 and Check Point
Software Technologies and Utimaco Safeware tied for first place.

• Seat sales for 2007 and 1H08 are the best reported by a wide margin.

• McAfee was included in the U.S. General Services Administration's SmartBUY award.

• Client feedback is positive, especially noted on large installations.

• Audit reports are designed to prove that a device was protected when lost or stolen.

• McAfee has the following FIPS and CC certifications: FIPS 140-2; CC EAL4.

• Platform support is provided for: Linux, Palm OS, Windows Mobile, Symbian, and
Windows XP and Vista.

Cautions
• McAfee needs to continue discounting its protection suite to displace other vendors. It
has the resources to undercut average and best-case pricing against most other
vendors on the market.

• The company must release support soon for embedded encryption systems, especially
Seagate's encrypting drives and the TPM, to maintain a strong visionary axis ranking.

Publication Date: 23 September 2008/ID Number: G00161089 Page 14 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Mobile Armor
Strengths
• Mobile Armor is one of the few vendors to offer embedded support for visual passwords.

• Network-aware preboot authentication can process system updates without unlocking

the hard drive or starting the host OS.

• A firewall and VPN are included for handheld devices (using technology licensed from
Certicom).

• The company was included in the U.S. General Services Administration's SmartBUY
award.

• Mobile Armor has the following FIPS and CC certifications: FIPS 140-2-2; CC EAL4+.

• Platform support is provided for: Palm OS, RIM, Linux, Windows Mobile, and Windows
XP and Vista.

Cautions
• The major source of growth for Mobile Armor stems from military agencies and is
developing after the closing date for the survey. Aggressive and competitive sales
techniques are needed to get Mobile Armor recognized by potential buyers outside the
SmartBUY program.

• Seat sales are slightly above the inclusion threshold after three years of selling openly in
the market.

PGP
Strengths
• PGP has relatively high reported worldwide LOB revenue, attributable to the market
definition, although seat sales are average in all categories, suggesting strong earnings
per seat and a base of profitable complementary products, but less than leading
penetration. Clients frequently ask about PGP, which demonstrates that visibility drives
sales opportunities.

• The company offers shared key infrastructure across multiple PGP products, including
e-mail and instant messaging.

• PGP has the following FIPS and CC certifications: FIPS 140-2; CC EAL4+; U.K. CAPS
(in progress).

• Embedded system support includes the ability to manage the TPM and integration with
Intel vPro.

• Platform support is provided for: Linux (several distributions), Mac OS, RIM (e-mail
only), Unix, and Windows XP and Vista.

Cautions
• PGP needs to develop deeper alliances and licenses with EPP vendors to hold up
against McAfee.

Publication Date: 23 September 2008/ID Number: G00161089 Page 15 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Its open-source heritage could be better-leveraged as a sales and marketing concept.

SafeNet
Strengths
• SafeNet is authorized to develop and sell U.S. Government Type 1 (Classified)
encryption products. Approximately 50% of LOB revenue comes from Type 1 products.

• It was included in the U.S. General Services Administration's SmartBUY award.

• SafeNet has the following FIPS and CC certifications: FIPS 140-2-2; CC EAL4.

• Platform support is provided for: Linux, Macintosh, Unix, and Windows XP and Vista.

Cautions
• SafeNet generates few inquiries in the MDP area from Gartner clients — end users and
other vendors — and lacks visibility in nongovernment markets. It is not considered a
competitive threat by any company that Gartner tracks in the market. ProtectDrive was
acquired less than three years ago, and investment in the product has increased in the
past 18 months.

• Platform support for small handheld devices should be expanded. Currently, the mobile
product, ProtectMobile, is deployed on a narrow basis for law enforcement in Europe,
the Middle East and Africa, and is available for OEM use.

• SafeNet cannot coexist with BitLocker; it will not install.

Secuware
Strengths
• Secuware is leveraging a unique position, selling in Spanish and Latin markets.

• The products have low-memory and high-performance characteristics because they are
developed as assembler-level programs.

• Secuware has the following FIPS and CC certifications: FIPS 140-2 (in review); CC
EAL2 (pending); CC EAL4 (certifying). Secuware pursued certification quickly since
2007.

• Embedded system support includes the ability to manage BitLocker and the TPM.
Secuware had a strong, early European partnership with Intel for integration with Intel
vPro, and has an early integration with Intel Danbury. The ability to diagnose and
recover an encrypted disk by remote control is included.

• Secure Virtual System (SVS) shields/encrypts virtual machine RAM so it cannot be read
by the host.

• Platform support is provided for: Windows Mobile (it manages it, rather than replacing it),
and Windows XP and Vista.

Cautions
• Secuware needs an effective multinational sales and marketing plan.

Publication Date: 23 September 2008/ID Number: G00161089 Page 16 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Sales are better than the minimum inclusion threshold, but must increase substantially in
2009 to fight off the effect of EPP vendors entering the market.

Sybase iAnywhere
Strengths
• Sybase iAnywhere offers the most complete set of configuration management and MDP
features owned by a single vendor.

• The company also offers a mobile e-mail platform that is competitive with Microsoft
Exchange and a bundled AV (SMobile Systems) for handheld devices.

• Sybase iAnywhere has the following FIPS certification: FIPS 140-2 (licensed from
Certicom for handheld devices); FIPS 140-2 (pending; licensed from BeCrypt for
Windows workstations).

• Platform support is provided for: iPhone (e-mail now, with full security in development),
Palm OS, RIM, Symbian, Windows Mobile, and Windows XP and Vista.

Cautions
• It has remarkably low sales, given the billion dollar investment power of parent company
Sybase. This is due, in part, to a preferential interest to ignore the PC market in favor of
the handheld market, where sales and revenue are more challenging. Sales have been
below market average for four years of history, including 2007, but are sufficient to
continue placement in the Magic Quadrant as niche execution.

• Unfortunately, the confusing naming and bundling of Sybase's products discourages

buyers. Gartner has recommended changes and simplification for several years.

• The breadth of the management platform is not driving sales, so vision is hampered
when, in fact, Sybase iAnywhere should be competitively challenging to the EPP
vendors that have entered this market.

• The company is behind the average with respect to access policies for data on
removable media.

Utimaco Safeware
Strengths
• Despite weaker name recognition in the U.S. than in Europe, Utimaco Safeware has the
second-highest-reported worldwide LOB revenue attributable to the market definition
after McAfee, and is tied with Check Point Software Technologies as the second most
commonly named competitive threat mentioned by other vendors (11 out of 16 vendor
responses).

• The proposed acquisition by Sophos would create a combined company that can
challenge McAfee. Company missions and management goals are highly compatible. A
successful merger will disruptively recalibrate vision for the 2009 Magic Quadrant.

• It is highly interoperable with other key management systems, and will generate its own
key structure if no certificate authority is present.

Publication Date: 23 September 2008/ID Number: G00161089 Page 17 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • Embedded system support includes the ability to manage BitLocker, Seagate's
encrypting drives and the TPM. It is also integrated with Intel vPro, and has a long-term
relationship with Lenovo, which includes integration with Lenovo Rescue And Recovery.

• Utimaco Safeware has the following FIPS and CC certifications: FIPS 140-2; CC EAL4.

• Platform support is provided for: Linux, Palm OS, Symbian, Windows Mobile, and
Windows XP and Vista.

Cautions
• The U.S. market penetration has been slow.

• Gartner client recognition of Utimaco Safeware on shortlists has improved, but still is not
on a par with its strengths.

Wave Systems
Strengths
• Wave Systems offers a self-contained solution for managing keys, reporting and
recovery for PCs that are equipped with a Seagate encrypting drive and a TPM. The
company supports TPMs from many manufacturers.

• Released in late 2007, its product has gained visibility among Gartner clients.

• A stand-alone version of the product is included on qualified Dell PCs and is upgradable
to an enterprise managed platform. Additional bundling is available with some
motherboards from Intel, NEC (in Europe) and Acer.

Cautions
• Wave Systems must provide managed encryption on removable media as soon as
possible. This is a basic competitive requirement, and an immediate need that can't wait
for the Trusted Computing Group's specification to be adopted on flash drives.

• Primary distribution is by an OEM-embedded stand-alone client on selected PC

platforms. Users can deploy the client without purchasing Wave System's enterprise
management. The company should develop additional sales channels to sell its full
enterprise solution, to increase revenue and the opportunity to add value for customers.

• Wave Systems' solution is a management platform with no security certifications; it relies

on Seagate's encrypting drives and the TPM. Gartner recommends a CC certification for
the company's management framework.

• Wave Systems has shipped many tens of millions of OEM seats, but receives only a
small royalty, which generates revenue that is below the median and far below average
(even if some of those seats become enterprise accounts). The company's market
impact is, therefore, only fractionally considered, because stand-alone OEM seats are
not trackable and do not advance the goals of enterprise managed data protection.

WinMagic
Strengths
• WinMagic had better-than-average seat sales in 2007 and solid earnings, after a sales
lull in 2006.

Publication Date: 23 September 2008/ID Number: G00161089 Page 18 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
 • It was included in the U.S. General Services Administration's SmartBUY award.

• WinMagic has the following FIPS and CC certifications: FIPS 140-2-2; CC EAL4.

• Platform support is provided for: Linux, Windows Mobile, and Windows 2000, XP, and
Vista.

Cautions
• Recognition of WinMagic and the appeal of some of its innovative features is low among
Gartner clients posing inquiries. For example, methods to catalog encryption keys to aid
archival recovery have not generally caused Gartner clients to revise their shortlists to
prioritize WinMagic.

• Sales and emphasis continue to lean toward the high-security specialty markets, earning
a niche player ranking. WinMagic must position the product to appeal to the majority of
users that resist strong security products, and, in anticipation of the changes caused by
EPP vendors in the market, it should seek an alliance with a major EPP vendor.

RECOMMENDED READING

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"
"Windows Vista BitLocker: Good, but Not Great"
"Implementation Advice for Mobile Data Protection"
"Market Overview: Portable Storage Device Control Products, Worldwide, 2006"
"Use Pointsec Acquisition to Gain Incentives From Check Point"

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets
change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or
MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope
one year and not the next does not necessarily indicate that we have changed our opinion of that
vendor. This may be a reflection of a change in the market and, therefore, changed evaluation
criteria, or a change of focus by a vendor.

Evaluation Criteria Definitions

Ability to Execute
Product/Service: Core goods and services offered by the vendor that compete in/serve the
defined market. This includes current product/service capabilities, quality, feature sets, skills, etc.,
whether offered natively or through OEM agreements/partnerships as defined in the market
definition and detailed in the subcriteria.
Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an
assessment of the overall organization's financial health, the financial and practical success of
the business unit, and the likelihood of the individual business unit to continue investing in the

Publication Date: 23 September 2008/ID Number: G00161089 Page 19 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
product, to continue offering the product and to advance the state of the art within the
organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure
that supports them. This includes deal management, pricing and negotiation, pre-sales support
and the overall effectiveness of the sales channel.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible
and achieve competitive success as opportunities develop, competitors act, customer needs
evolve and market dynamics change. This criterion also considers the vendor's history of
responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver
the organization's message in order to influence the market, promote the brand and business,
increase awareness of the products, and establish a positive identification with the product/brand
and organization in the minds of buyers. This "mind share" can be driven by a combination of
publicity, promotional, thought leadership, word-of-mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be
successful with the products evaluated. Specifically, this includes the ways customers receive
technical support or account support. This can also include ancillary tools, customer support
programs (and the quality thereof), availability of user groups, service-level agreements, etc.
Operations: The ability of the organization to meet its goals and commitments. Factors include
the quality of the organizational structure including skills, experiences, programs, systems and
other vehicles that enable the organization to operate effectively and efficiently on an ongoing
basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to
translate those into products and services. Vendors that show the highest degree of vision listen
and understand buyers' wants and needs, and can shape or enhance those with their added
vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated
throughout the organization and externalized through the Web site, advertising, customer
programs and positioning statements.
Sales Strategy: The strategy for selling product that uses the appropriate network of direct and
indirect sales, marketing, service and communication affiliates that extend the scope and depth of
market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that
emphasizes differentiation, functionality, methodology and feature set as they map to current and
future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to
meet the specific needs of individual market segments, including verticals.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or
capital for investment, consolidation, defensive or pre-emptive purposes.

Publication Date: 23 September 2008/ID Number: G00161089 Page 20 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the
specific needs of geographies outside the "home" or native geography, either directly or through
partners, channels and subsidiaries as appropriate for that geography and market.

REGIONAL HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
U.S.A.
+1 203 964 0096

European Headquarters
Tamesis
The Glanty
Egham
Surrey, TW20 9AW
UNITED KINGDOM
+44 1784 431611

Asia/Pacific Headquarters
Gartner Australasia Pty. Ltd.
Level 9, 141 Walker Street
North Sydney
New South Wales 2060
AUSTRALIA
+61 2 9459 4600

Japan Headquarters
Gartner Japan Ltd.
Aobadai Hills, 6F
7-7, Aobadai, 4-chome
Meguro-ku, Tokyo 153-0042
JAPAN
+81 3 3481 3670

Latin America Headquarters

Gartner do Brazil
Av. das Nações Unidas, 12551
9° andar—World Trade Center
04578-903—São Paulo SP
BRAZIL
+55 11 3443 1509

Publication Date: 23 September 2008/ID Number: G00161089 Page 21 of 21

© 2008 Gartner, Inc. and/or its Affiliates. All Rights Reserved.