nCipher re-emerged from Thales as a separate stand-alone company manufacturing and marketing hardware security modules (HSMs) on January 7, 2019, and was officially launched on January 26, 2019. It had been acquired by Thales for just over $100 million in July 2008, after being founded by Alex and Nicko van Someren in 1996.
Its divestiture by Thales was a competition condition imposed by the European Union for the acquisition of Gemalto by Thales. Gemalto and Thales were the two major providers of HSMs. European Commissioner Margrethe Vestager explained that the condition “allows the creation of a strong European player in this market, while still ensuring that the merger will not prevent customers from continuing to enjoy fair prices and innovative products.”
Sacrificing nCipher for Gemalto carries the implication that Thales considers Gemalto to be more important to its future than its own HSMs (nCipher operated as nShield within Thales). This is not something that concerns the new nCipher. Peter Galvin, chief strategy and marketing officer at nCipher Security, told SecurityWeek, “It’s not like we are a new start-up with no customers. We have a strong and loyal customer base.”
Cindy Proven, CEO, believes that nCipher Security will do better outside of Thales. Agility is one reason. “Being part of a very large organization like Thales can have a lot of distractions,” she told SecurityWeek, “with its processes and procedures designed to fit multiple types of operation, from defense entities to smaller entities — such as HSM operations. We believe that we will be able to innovate and move faster in order to meet the requirements of the marketplace.” Lower overheads as a stand-alone company are another advantage.
Galvin stressed that the current marketplace is very different to the last time nCipher stood alone more than 20 years ago. He sees four separate new drivers. The first is a combination of increasing breaches and expanding compliance requirements. “Twenty years ago it was the hacker in his bedroom looking for kudos; today it’s organized and well-resourced criminal gangs and nation-state groups looking for information, monetary gain, political advantage, IP and so on.” This is compounded by the rapidly growing compliance sanctions imposed by Europe’s GDPR and the U.S. Federal Trade Commission.
A major solution to compliance requirements is the protection of personal data by encryption — but encryption alone is not adequate if the keys are at risk; and they are best protected by HSMs.
“A second area that has really grown,” he said, “is in digital payments. If you look at the way that you take a payment card on a digital device you essentially tokenize the data; so, you need to protect the underlying keys and infrastructure around that token.”
The cloud is also new. “Many organizations are making the move to the cloud, which simply increases the complexity they already have in securing both their on-prem environment and their cloud environment — so our new developments over the next 12 months will be to continue to add new capabilities around the cloud to make our products even easier to use in cloud environments.”
Finally, he added, there is new growth in PKI (public key infrastructure) based on the expanding IoT. “PKI has been around for years,” he said, “but companies are now beginning to install systems, and there are new opportunities with IoT. If you start to think about the 20 billion devices that are going to be installed over the next few years, you can protect the authenticity of the devices with a key or certificate associated with them, and you protect communication with and from them with encryption.”
One interesting element is that the new company has no intention of abandoning the UK despite the current economic uncertainties surrounding Brexit. One reason is that it cannot. About 18 months ago it opened a new R&D center in Cambridge, with a close relationship to the university and to Ross Anderson’s security engineering department there. It also recruits crypto experts from the university.
This doesn’t mean it has made no plans. It currently outsources manufacturing to Plexus in Scotland. To mitigate any potential negative effects of Brexit, nCipher is taking advantage of the international nature of Plexus. “Plexus also has a large manufacturing facility in the U.S.,” Proven said, “so we are standing up dual supply. We don’t intend to turn off Scotland, unless Brexit starts to negatively affect us. Then we will be able to manufacture and ship from the U.S.”
For now, nCipher Security is a separate stand-alone business within Thales and held separate from the rest of the Thales Group pending its divestiture to a third party buyer (as per the EC’s conditions for the acquisition of Gemalto). Bids are already in, and Proven is confident of the new company’s future.