Uh Oh.

According to this article in CRN, encryption vendor Neoscale is insolvent and no longer selling maintenance contracts.

NeoScale has stopped selling maintenance contracts for its data encryption appliance, effectively killing the line, while exploring “strategic alternatives” in the wake of the bankruptcy of storage VAR MTI, one of its largest solution providers. That “strategic alternative” could be an acquisition of all or part of the company by storage and security giant EMC (NYSE:EMC), or even Hewlett-Packard (NYSE:HPQ), according to former employees.

While the encryption market isn’t nearly as big as most of the world wants you to believe, there should be plenty of business to support a company like Neoscale. My only conclusion is that there were serious execution errors, especially an apparently misplaced reliance on a single channel partner.

I’ve heard nothing but good things about the Neoscale product line, but upcoming challenges would have forced them to sell to a larger platform vendor within 2 years. Most users I’ve talked with want their tape encryption integrated into their backup infrastructure (preferably at the drive level). The tape vendors have been quite vocal about their future plans, even if current implementations are extremely limited and harder to implement than Neoscale or Decru. Many mid-sized organizations also have difficulty in justifying the cost of an inline appliance.

On the SAN/NAS front, where they also have products, there’s basically no market for inline encryption. The security benefits of encrypting a SAN are minimal; it’s only something you want to do if you’re worried about physical loss of the drives (a real risk, but not one all organizations face).

That leaves key management: the mystical market all sorts of pundits and vendors are betting on as the next big thing, yet no one is, you know, actually buying. Neoscale’s key management appliance looks extremely interesting, but it’s not something most organizations are interested in today. I’m very skeptical that there will ever be a stand-alone market for uber-key management to rule over everything from backup tape encryption to email encryption.

I do, however, strongly believe that there are great opportunities for key management, just not as a stand-alone product. We’ll need key management for all that tape encryption, email encryption, database encryption, and even the occasional SAN or NAS encryption, but it needs to be integrated into that product line. Each kind of encryption solves a different business and security problem, and the key management needs to melt into the infrastructure and be tuned for that specific infrastructure. You’ll use one box to manage your storage encryption, another to manage database encryption, and another for email (or whatever). Some larger organizations might have another box hanging out on the back end for key archiving, but that’s about it.

No one wants to manage keys, they just want it built into whatever encryption they’re doing at the time.

The best opportunities for external key management will be in areas like database encryption, where the encryption engine is built into the various database products but there are no provisions for central management in a heterogeneous environment. In those cases the external product will manage both the keys and the encryption implementation, leaving only the raw encryption to the native engine.

But back to Neoscale.

The Decru acquisition by NetApp hurt Neoscale badly, since large organizations prefer to work with a more established vendor when product functionality is close enough (which it is). Neoscale needed to sell, but either asked for too much or couldn’t find an interested partner. I’ve heard it was a combination of both.

As moderate as the storage encryption market is today, Neoscale clearly screwed up execution so significantly that they are effectively out of business, if CRN is accurate. I’m not sure how they could do that, and it raises material questions for any acquirer.

EMC, HP, and a few others could clearly benefit from the Neoscale technology and integrate the key management across their product lines. It’s better than RSA’s key management (unless RSA has updated it) and well suited for integrating with their current offerings. EMC gains the added benefit of off-the-shelf datacenter encryption. I’d also consider Cisco, Seagate, IBM, and a few others as potential buyers.

But the real question isn’t the technology, it’s the company. Neoscale’s prospects for rescue now depend entirely on the books; such a sudden demise raises very serious concerns for any buyer. If the financial side makes sense, I think EMC could do well to buy Neoscale, and their recent acquisition string shows they have a strong interest in data security.

I hope the technology survives; it’s good stuff, but it’s up to the accountants and Neoscale’s Board now…

(Rob Newby alerted me to this development, but since he’s a nice guy and a competitor he didn’t feel it appropriate to comment himself).