CEOCFO-Members Login
Become A Member!
|
This is a printer friendly page!
Wave Systems: Using Hardware to Deliver a
More Secure Computing Environment
Security Software
(WAVX-NASDAQ)
Wave Systems Corp.
480 Pleasant Street
Lee, MA 01238
Phone: 413-243-1600
Steven K. Sprague
President and CEO
Interview conducted by:
Lynn Fosse, Senior Editor
CEOCFOinterviews.com
Published – December 7, 2007
BIO:
Steven Sprague is president and CEO of Wave Systems Corp.
Wave is a leader in delivering trusted
computing applications and services with advanced products, infrastructure
and solutions across multiple trusted platforms from a variety of vendors.
Sprague
was a vice president of Wave from 1992 to 1995. In June 1995 he founded Wave
Interactive Network, a specialized consumer distribution channel of Wave
Systems Corp. Wave Interactive Network was reacquired by Wave in 1996. That
year Sprague was elected president and COO of Wave and in 2000, he took over
responsibilities as CEO.
Sprague
has a B.S. in mechanical engineering from Cornell University.
Company Profile:
Wave provides software to help
solve critical enterprise PC security challenges such as strong
authentication, data protection, network access control and the management
of these enterprise functions. Wave is a pioneer in hardware-based PC
security and a founding member of the Trusted Computing Group (TCG), a
consortium of nearly 140 PC industry leaders that forged open standards for
hardware security. Wave’s EMBASSY® line of client- and server-side software
leverages and manages the security functions of the TCG’s industry standard
hardware security chip, the Trusted Platform Module (TPM). TPMs are included
on tens of millions of PCs and are standard equipment on many
enterprise-class PCs shipping today. Using TPMs and Wave software,
enterprises can substantially and cost-effectively strengthen their current
security solutions.
CEOCFO: Mr.
Sprague, what is your vision for Wave Systems?
Mr. Sprague:
“Wave Systems is building software to support trusted hardware security
within the enterprise. The industry has introduced hardware security on the
motherboard of all new corporate PCs based on a set of open standards. We
are also seeing the introduction of hardware security as part of the disk
drive in the form of Seagate Technology’s new Full Disk Encrypting hard
drives. Wave builds the software to help manage, deploy and maintain those
trusted devices within organizations.”
CEOCFO:
Who is using your software?
Mr. Sprague:
“Today we supply chip makers and PC manufacturers with our software and Dell
is our number one customer. We also supply Intel. In each of these cases,
Wave is providing an OEM version of its client software delivered directly
to the PC manufacturer. We also offer server products through Dell and other
resellers that will help a company manage their trusted devices. Those
server products are also sold directly to the enterprise by Wave.”
CEOCFO:
Please tell us about the hardware security industry in general, and where
Wave System fits?
Mr. Sprague:
“We are at the beginning of a critical transition between a security based
on software—user ID and passwords, for instance—to security based on
hardware. Most of us, as users, already know what it’s like using hardware
security, whether we realize it or not. We have hardware security in our
cell phones and in our TV set boxes. When you change channels from ESPN to
HBO, you don’t log into HBO every time you change the channel to HBO; your
cable box “magically” knows that you are a subscriber to HBO.
"Hardware
security provides the user with the ability to securely store credentials in
the form of cryptographic keys. Without getting extremely technical here, a
cryptographic key is a mathematical value that controls either encryption or
authentication; knowledge of this value, or key, allows for the correct
decryption or validation of a message. Keys can be issued by your company,
or by a service provider like a bank, or a company like eBay or Google or
others. They define that you are someone who has the right to access that
service. Either you paid for it or you are a member of a group with access
rights. The difference in our approach is that these keys are stored in a
hardware chip, rather than in software on the hard drive. This gives you
dramatically greater protection for your keys and personal information.
“Hardware
security ultimately will enable us to move away from the current paradigm of
user ID and password to a much stronger and more secure paradigm akin to
subscriber management on the PC. We really think of subscriber management in
the form of access, not necessarily in the form of payment.”
CEOCFO:
Would that be, for example, when my bank says if you fill this in, we will
remember it is you at this computer. Is that a case of hardware-based
security?
Mr. Sprague:
“Absolutely! There are many cases where it makes sense to verify a specific
PC to a specific user. Let’s use Quicken as an example. Where do you use
Quickbooks? At home, on a specific machine? Most of us don’t use personal
finance programs on a PC located at a friend’s house or at the library.
You’re usually using a specific PC to handle your personal finances, and
it’s easy to identify that specific computer as the one tied to your
account. Now when we think about this scenario, you have all the benefits of
the physical security of your house to protect that computer. You’re bound
to notice if it was stolen and, as a result, you have very strong
authentication that cannot be stolen by someone with the right software.
Someone has to steal your computer to access that program. As a user, you
have a PIN that you type into your computer that releases the use of a key;
that PIN is stored in one of these hardware security chips and no person or
rogue virus or program can gain access to that secret. By following these
simple steps, your computer now can provide a very strong authentication to
the service. Think about how useful this would be when accessing corporate
email, remotely accessing the corporate network, logging into Windows or
logging into different services within your daily business environment.
Ultimately, it will apply to us as consumers, conducting online banking,
etc.”
CEOCFO:
How do you break down between your OEMs and aftermarket products and what is
the growth pattern in each area?
Mr. Sprague:
“This is a business where we have to have the hardware in the customers’
hands before they can use our software. Therefore, it starts as an OEM
business, but ultimately will evolve into a much broader enterprise
business. Today, we supply software to manage a TPM(R)
security chip with Wave’s EMBASSY Trust Suite. We also provide software to
manage Seagate’s Full Disk Encrypting Drives. When customers buy a new
laptop with a Seagate Full Disk Encrypting Drive, it comes with our software
and we make money from that purchase. However, if you really want to take
advantage of the data protection that the Seagate drive offers you, it is
very beneficial to have centralized management, so we then sell the
enterprise a server product, which is typically around $50 or $60 per seat.
The server software allows the enterprise to manage all the trusted drives
within the organization. Today, we are shipping millions of copies of OEM
software on PCs; we are paid a few dimes and nickels per PC that ship and
now we’re seeing the enterprise business begin to engage. Though still in
the early stages, we have seen adoption grow over the course of the last
quarter, and we anticipate strong growth going forward. One barometer for
our company’s prospects is to consider that, since January 2007, more than
10 million copies of our client software have shipped through our OEM
partners. If we were to generate $50 a seat to upgrade each copy, that would
represent $500 million in market potential. Realistically, only a few
enterprises have begun to turn on the hardware security within their
companies because they are just reaching a point where there are enough
devices that it makes sense to turn on this new security capability.”
CEOCFO:
What can Wave Systems do to get companies to realize they should turn it on
faster; how do you generate business?Mr.
Sprague: “We do it at all
levels; we chair the marketing working group at the Trusted Computing Group,
which is the standards body that defines the technology around these
devices. We help carry the industry standard message. We work very closely
with our partners--our OEM partners, our software partners, resellers and
systems integrators to convey that message to the market. For example, we
have done quite a few events recently with Seagate to help educate the
market on the benefits of hardware-based Full Disk Encryption, so while they
are showing their products, in cooperation, we are showcasing our products,
as well. We also do direct sales calls, in most cases now with the Dell and
Intel channels directly to their customers on the advantages of hardware
security. We are pursuing a multi-pronged approach for this emerging market.
Given shipment volumes over the past few years, we estimate that the TPM
chips are now on over 100 million PCs in the marketplace and the shipment
volumes are growing rapidly. We are reaching a point where, if you look
inside your company, you’ll find a very high percentage of the computers
already have a TPM chip. It’s time to start turning them on.”
CEOCFO:
What is the competitive landscape?
Mr. Sprague: “In general, security is a
highly stratified market. There are some big players and small players. We
are now seeing the industry converge around a single standard where, in
essence, ultimately a billion PCs will have the same technology for strong
authentication. If we look back, the PC industry has a history of endorsing
or standardizing on single technologies: Ethernet, CD Rom, USB and different
aspects of multimedia became the industry standard and a common solution. We
believe that same effect will happen here; we are in the right position to
capitalize on that market as the standard gains traction and everyone begins
to take advantage of the fact that every computer you’ll see will contain
the same security mechanism inside it. Within that market dynamic, we see
little competition, particularly in server software enterprises, as they
need to manage their trusted computing deployments.”
CEOCFO:
We know there are hackers that get through software security. What makes
hardware security safe?
Mr. Sprague:
“When a chip is manufactured there are little wires inside that direct
simple processes. In the case of security, the creation, storage and
management of keys all take place inside a little piece of silicon; these
chips are basically resistant to hacking in that only certain functions are
exposed. It’s impossible for software to enter the chip and alter certain
processes.
“In a regular
computer if I take half of your software program and I change it, it is very
hard for you to know that I changed it; that’s how a virus operates. Yet it
is impossible for software to change a hardware configuration. That’s why
hardware brings much greater strength to the security of the PC. I can now
store a secret, I can check a PIN in silicon, which means that when I type a
PIN in, I can actually verify that the right PIN was provided—not in some
software program but in the chip itself.”
CEOCFO:
Would you tell us about your variety of products?
Mr. Sprague:
“Today our software supports two forms of trusted hardware. The first is the
Trusted Platform Module, or TPM, a hardware chip on the motherboard of your
PC. We build a software product called EMBASSY® Trust Suite, which provides
the management of that hardware device locally. We also produce a component
called the Trusted Drive Manager, which is part of that suite, which manages
Seagate’s new Full Disk Encrypting hard drive. The EMBASSY® Trust Suite is
a client side product. We also build a server product we call the EMBASSY(R)
Remote Administration Server (ERAS), which is the server partner to that
client product. It enables an administrator to reach out and manage and
control all the different characteristics for both the TPM chips and Seagate
drives. We also work with PC manufacturers in managing their biometrics. We
have a server we call the EMBASSY® Authentication Server, which plays an
important role in helping to manage biometric templates for an enterprise.
Biometrics are important because this is how I can replace the use of a PIN.
Most people have an ATM card; this is where you have what is often referred
to as two-factor authentication. The first factor is something I have – in
this case the card, and the second factor is a pin number, something I know.
In the case of trusted computing, the TPM chip in my computer is something I
have; and the something I know is the pin number. It’s actually possible to
replace that PIN with a swipe of your fingerprint, so you don’t have to
remember your PIN, you can just swipe your fingerprint and gain access to
your email or Internet.”
CEOCFO:
You have a strong future orientation!
Mr. Sprague:
“There is a very strong adoption of biometric sensors today in new laptop
PCs. If you buy a new PC, especially a laptop, there’s a good chance it will
have a biometric sensor. Think about how annoying it is to try to remember
the 27-gazillion user IDs and passwords you accumulate for every different
service. By authenticating to my PC using biometrics, I can open my Trusted
Platform Module, which, in turn, holds, manages and delivers the keys to
each different service, and the user doesn’t need to remember anything; it’s
all inside the TPM chip. It is a simple, elegant and cost-effective solution
to a very real problem we all encounter.”
CEOCFO:
Do you anticipate being available to consumers?
Mr. Sprague:
“Absolutely! Intel just announced their Integrated TPM, which is part of the
chipset of future Intel platforms. We think this is ultimately how TPM
functionality will be brought to the consumer platform. It will still take a
few years. There are a couple of years of work left to do for all this to
operate as seamlessly as possible for the consumer, but that is the
objective. There’ll soon be a day when I log into my machine and my machine
will “know” where I have the right to go. I’ll access my Facebook account,
my eBay account, my bank accounts—all without a user ID or password.”
CEOCFO:
What is your financial picture like?
Mr. Sprague:
“Wave has been raising money to support this endeavor. We are a publicly
traded company, and we have raised significant resources going down this
path. Today, we have not yet reached the cash flow break-even mark; but we
see strong growth across our enterprise business, which we hope will get us
there. We believe that can happen in 2008. Ultimately, our cash flow and
financial performance depends on the speed at which enterprises elect to
turn on the technology, and we are starting to see the early signs of that
happening. We’re very confident, but it hasn’t happened yet. We have cash
today to carry us through the first quarter. We have funded the company on a
series of equity placements of off-shelf registrations and, if we are in a
position where we need additional capital, then we will go back to the
market. We are not actively seeking funding today.”
CEOCFO:
In closing, why should investors pick you out of the crowd and what should
people know that might not jump off the page?
Mr. Sprague: “We have a firm hold
on an opportunity driven by an industry standard on the PC platform.
Historically, if you’re in that position, it’s a great one in which to be.
Look at the growth of the global market around Ethernet; it was driven
simply because Microsoft and Intel picked an RG45 port on the back of your
laptop as the method to allow networking. Ethernet is now a huge market.
Wave today is the undisputed market leader in supplying software to manage
these new industry standard security components. It is an emerging
market. We have the leading market share in sales, and though the sales
numbers are not yet large, the scope of the market we’re going after is
measured in tens and ultimately hundreds of millions of PCs. The market
opportunity associated with that has no ceiling. Therefore, it is about our
ability to execute in that space. We have continuously demonstrated that, as
new trusted devices appear, such as Seagate’s Full Disk Encrypting drives
and now what is emerging with Intel and their plans for integrated Trusted
Platform Modules, that Wave is part of these discussions. We have the best
available products today in the Trusted Computing space, and we have a
complete enterprise solution. We are seeing a very large emerging market
that will redefine the relationship between users with all Internet
services. Whether they be corporate services or consumer services that today
are user ID and password-centric, we believe they are going to move to being
supported by hardware security on the PC. We are a company that is
positioned to help make that happen.”
disclaimers
Any reproduction or further distribution of this
article without the express written consent of CEOCFOinterviews.com is prohibited.
|
