Netherlands-based digital security firm Gemalto closed its $890 million purchase of SafeNet in January of this year and shortly afterward officially launched a new subsidiary focused on the U.S. federal market — SafeNet Assured Technologies.
Tom Callahan, vice president of sales at SafeNet AT, led SafeNet’s federal sales team as its VP prior to the transaction and is also a 20-year veteran of other federal information technology companies such as CA Technologies and TKSS.
ExecutiveBiz recently caught up with Callahan to discuss what he and SafeNet AT have worked on to stand up the business, his forecast for the cross domain and two-factor authentication markets and how information sharing can go beyond public-to-private sector.
ExecutiveBiz: Describe SafeNet Assured Technologies' relationship with Gemalto.
Tom Callahan: SafeNet Assured Technologies was founded in January 2015 and is a subsidiary of Gemalto. As a U.S.-based company, our core mission is to provide high assurance data security products and technologies to defense, intelligence and civilian agencies. We were formed to better serve our government customers while also investing in the development of future solutions to secure the government's most sensitive information.
Our solutions protect the government's most sensitive information. We develop and offer high-assurance authentication solutions that secure access to sensitive data and networks, cross domain solutions that enable information sharing between agencies and government-specific hardware security modules that protect applications, transactions and information.
We also serve as a provider of Gemalto's SafeNet product line to the federal government.
ExecutiveBiz: What have you focused on since the transaction was completed?
Tom Callahan: SafeNet AT’s relationship with our federal customers is the core of our business. Our first step was to make sure we had the right personnel mix in order to support the needs of our federal customers. This included our sales arm, product engineers, and customer support and operations personnel.
Our first order of business was to create an organization that provides the same level of service we have been giving the federal customer and to have the right mix of personnel to support and continue the sales of SafeNet AT products and SafeNet-Gemalto technologies.
One of the initial priorities in setting up the organization included dotting the I's and crossing the T's on being compliant with our obligations to the federal customer. Our focus has been on ensuring that there is no drop-off in service to our customer base during a transition. We have been very fortunate because we've had fairly little turnover.
In fact, we have had a little bit of growth in personnel so our capacity to maintain our standard of service has prevailed. That was exceedingly important because we deal with technologies that are essential for protecting our government's most sensitive information. Our work is important not only to our company but also to national security.
Our highest priority is making sure that we are able to maintain our standard of care. In addition to that, we make sure that we are maintaining the right level of focus on meeting the needs of different customers as they are emerging throughout the season of fulfilling the requirements and addressing the needs of our customers.
We have been doing business in federal for 30 years and when you have so many people that depend on you, the first order of business and the priority is to maintain that level of service, whenever there is any kind of corporate change at any level.
You don't want anything to stop because we are in the risk business. We are in the business of helping our customers preserve very valuable information, upon which lives and the sanctity of our nation's well-being depend. We've grown past the point of being able to take the day off. We have to be vigilant because our customers have to be vigilant.
We don't have the luxury of being able to go soft for a while. We have to be at our post. It has always been our first priority because we can't be in a situation to abandon our customers.
ExecutiveBiz: What areas of the cross-domain technology market does SafeNet AT emphasize in its portfolio?
Tom Callahan: Cross domain solutions enable mission-critical information to be shared between people, agencies, locations and security domains. They ensure the exchange of authorized data to authorized recipients. Cross domain technology came out from needs and requirements that have merged over decades.
We are different because we take a very product-centric approach. Other established cross domain solutions in the market, which have been around a long time, can be very people-centric. This means you are buying both a product and the people. The product presupposes that you also have the investment personnel to make changes, update and so forth.
We don't take that approach. We approach the market by developing a robust platform, which can enter an environment with flexible policy engines, connectivity and the ability to support a lot of communication protocols so that customers are able to implement and sustain our technology without a very heavy services component.
Most of the other folks in the space are all integrators. We have a differentiated capability, which is very much a product-platform approach so that we can meet the flexible needs and requirements of our customers. We can also take a lot of the cost out of what tends to be a pretty heavy cost-centric discipline. Cross domain solutions are complex.
Companies like SafeNet AT take complicated things and make them easy to consume for the customers. Our competition is selling complexity and the bodies to go with it. We have taken a slightly different approach by making the complex capability manageable by customers so that we can drive out some of the costs that come with the complexity.
ExecutiveBiz: How do you see two-factor authentication evolving over the next year?
Tom Callahan: It went from evolving at a steady rate to an extreme state over the last 30 days because of the Office of Personnel Management situation which impacts the entire federal government and anyone who had been cleared. There appears to be a movement to change the way our administrative users are managed — from usernames and passwords to multi-factor authentication for administrative and privileged users.
Looking at PIV cards in DoD and civilian markets, there has been a long-established process of using multi-factor authentication for end users and in many cases, for administrators. There are many administrator types: network admin, storage admin and desktop admin. The vast majority of the access has been controlled without a second factor. We've had a breach of extreme proportions in terms of the information that was lost.
The information of basically anybody who has ever applied for a clearance, the apparatus of intelligence, defense and the entire government has been exposed because of an insufficient amount of protection that applies to administrative access. The next year or two will be about correcting that problem. Back in the day with laptop encryption, we learned that when the laptop was stolen, you can lose a lot of personally identifiable information.
However, when the system is compromised, there is much more data at risk and the infrastructure itself becomes at risk. If somebody has administrative access to the server and can control the systems, it is not just about loss of data but a catastrophic event. A general support system that gets compromised due to privileged user access could have an impact.
Due to the high level of risk, you will see multi-factor authentication for administrative access being a highly prevalent reality over the coming years or so.
ExecutiveBiz: What needs to happen to help public and private organizations share more data security information?
Tom Callahan: It is not simply a question of public to private; it is also public to public. Information sharing remains a big problem between different government branches. One area of the problem is studying how people can be on the same page in terms of defining risk tolerance. In this scenario, compliance happens when risk analysis has been done.
Somebody looks at the risk, makes a decision on the risk, makes a policy and the policy becomes compliance. With PCI or credit card data, the banks with the federal government made a decision about the definition of a tolerable amount of risk relative to the protection of credit card information. Together, they have established the PCI standard, which is then applied to everybody who is going to use credit cards.
In other words, the risk assessment was done and then a policy was applied. Information sharing is a broad subject and, although plenty of risk analysis has been done, the risk criteria reside at the agency and corporate level. There hasn't been a lot of agreement in terms of risk profiles and acceptable risk of information sharing.
For example, Langley may have a different point of view from the Pentagon, which may have a different point of view from Bank of America. Until there is a shared belief system relative to risk, it is difficult to establish and overcome the information sharing problem.
SafeNet AT is a data protection company so we don't spend time trying to convince people about their risk threshold. We help people understand, remediate and reduce risk in terms of a balance of cost and risk. The government and corporate market should have useful conversations about true risk and establishing criteria by which risk is remediated.