Re: the delisting notice, you commented:
Was this a "goal" of the upper management?
A "rhetorical question" and a sarcastic one at that lol.
To help you better understand this space, think of a SIM (a container) as an authentication solution for the MNO ie. it authenticates the device to the MNO's network. A smart card, physical or virtual, is no less a self-contained authentication solution than is an RSA SecurID and they all use AD, LDAP etc. In any case, MS VSC requires ERAS-type centralized management, without it it's as useless for enterprise-scale deployments as an RSA SecurID is without RSA centralized management.
I suggest you consider user/device ID vs. user only. RSA is user only and once hacked an intruder can use an unauthorized device to gain access to the network. Think it over. I'm pretty sure the lightbulb will go on ie. hardware-rooted device ID eliminates an attack vector user ID by itself can't.
Again, TPMs and SEDs deployed by adversaries don't directly curtail our ability to perform surveillance on them. Much of our surveillance involves intercepting communication data-in-transit, an area TC doesn't directly address other than hindering our ability to deploy rootkits on the PCs of our adversaries in order to gain a physical presence on their devices. Even if an adversary has secured the pre-boot environment of their devices by using TPMs there are other ways to gain physical presence on their devices using other malware installation methods. That is why new anti-malware technology being developed by firms such as FireEye, Bromium and others is necessary to identify and mitigate OS-level malware attacks. TPMs don't eliminate every attack vector, only a significant class of them. Solms didn't state as much in his letter to the President but his point about multi-factor authentication rooted in hardware is valid ie. it eliminates a significant attack vector. Actually our adversaries are free to deploy the same protections.
Please understand the technology before making bold claims about the gov't impeding the deployment of TC. In any case how can they stop it? TPMs ship standard and SEDs can be procured. Our adversaries are free to deploy them. At least we can secure our devices against pre-boot level malware attacks and our networks against intrusion from unauthorized users operating from unauthorized devices before our adversaries do the same. Game is on.
Imo NSA is not undermining TC deployment. For one thing, how can they? It's open standards-based and some of the hardware (TPMs) ship standard with SEDs projected to ship standard as well. Obviously they are helpless to impede implementation by whomever including adversaries.
Any perceived reluctance of the NSA to implement TC within their own networks is basically the lack of their IT people to seize the initiative imo. They already have a PKI-based CAC infrastructure. It will take an initiative on the part of IT or a mandate from above to integrate their CAC with TPMs, pretty much what Wave's gov't VSC 2.0 customer has done.
orda, surveillance matters relating to encryption in large part involve data-in-motion vs. data-at-rest (SEDs). It's true if adversaries deploy TC for both data-at-rest (ie. SED-encrypted hard drives e.g. Osama bin Laden's captured PCs) and network access (TPMs) it becomes both harder to hack their networks (ie. gain entry with an unauthorized device) and recover data from SEDs, but to say the NSA doesn't want TC to be deployed doesn't cover the entire spectrum ie. NSA/CIA/other can still intercept data-in-motion and decrypt it.
Imo NSA will ultimately deploy TC for all the right reasons and will have to deal with adversaries who do the same. Adversaries can deploy TPMs and SEDs right now along with everybody else and they can't be stopped so what's the point to the NSA inhibiting TC's proliferation?
Remember. Wave does not sell an authentication solution. They sell an alternative to a physical smartcard.
Apparently a physical smart card isn't an authentication solution either.
In any case if VSC to you isn't an authentication solution, OK.
http://www.wave.com/products/wave-virtual-smart-card
Authentication tokens and physical smart cards (for logical access and the card readers they require) are legacy technologies waiting for a superior approach, and hardware-based root of trust is one possibility. Smart cards perform physical access functions, so a logical access alternative such as centrally-managed VSC doesn't supplant them, only the readers they require for logical access.
If you don't imagine it's possible Wave has large customers using external hardware tokens (or their software version) who are interested in Wave's solution or that it qualifies as an authentication solution in the first place, that can be your opinion.
We already debated your claim that Win10 will subsume ERAS and other Wave capabilities.
I concur that TPMs are primarily Windows although Wave probably supports TPMs on Linux or it's on the roadmap. You didn't mention Wave support of mobile devices but it's coming.
There must be something compelling about Wave solutions vs. tokens otherwise the CEO wouldn't reference large customers needing Wave and the mention of vendor risk management implying some have advanced to procurement. Also, Wave's marketing is all around VSC vs. tokens.
Cumbersome imo to have to use an SDK for every app for tokens, when issuing a certificate here or there will suffice, besides, hardware root of trust can lead to multiple capabilities beyond the functional range of external token authenticators which basically do user authentication and nothing else. User and not device authentication has been and remains one of the Achilles heels of enterprise networks. One reason hardware root of trust is beginning to resonate with IT is they can credential devices in hardware the way MNOs do, eliminating unauthorized users. Many of these cyber breaches involve unauthorized users gaining entry from unauthorized devices.
Magic Quadrant provides a view of competition. Competition isn't either a supply side or a demand side measure.
That's like saying the leaders in the space whose solutions are selling the most product doesn't supply the demand that customers provide, or that defining or describing the competition in the marketplace doesn't reflect customer demand that supply from vendors feeds.
Perhaps you dispute it's RSA, Vasco, CA Technologies, SafeNet, Gemalto and Technology Nexus, the Gartner "Leaders" in the user authentication market, who sell the most enterprise user authentication product (primarily tokens and smart cards) in the marketplace, or possibly if you agree they do, it doesn't help define customer demand for user authentication solutions and the vendor supply that feeds it.
I agree btw that numbers from sales will ultimately be the measure of Wave's success and that as of now they don't appear to be increasing, but that is not the issue I posted on. I was simply suggesting to look directly inside the space VSC 2.0 competes in. Why look for "a unicorn" anywhere else e.g President Obama, at least not re: VSC 2.0. RSA and Vasco alone have something like 40,000 customers. Demand for enterprise authentication is there and Wave finally has a scalable easy to manage solution that shows early signs of resonating in the marketplace. The launch was less than 2 q's ago. Not saying it's going to launch the company but why look elsewhere when the market is right in front of us?
It's not a theory, I know for a fact that Magic Quadrant for User Authentication depicts the space Wave is competing in today. If they win VSC 2.0 business there, basically displacing incumbent seats, sales go up, if they don't then they don't.
Some might view "supply side" or "potential supply side" as the $2b worth of user authentication product currently sold in the space (a large part is enterprise networks), with the "demand side" being when enterprises switch from incumbent solutions e.g. tokens to another solution such as VSC. If one wants to buy WAVX before significant "demand" ie. indication of product sold fully emerges, they have to take risk early for a higher return vs. later when the stock is priced higher. I would agree buying early has not served WAVX investors well to date.
To me, it looks as if Obama has not released the unicorn. Solms will have to look for one somewhere else.
If you want to better understand the space within which Solms and team are directly competing, I suggest you google "2013 Gartner Magic Quadrant for User Authentication" and in addition to perusing through the report (in pdf), note the "Leaders" in the Magic Quadrant. There you will find the vendors who sell the most product in this space, the products VSC 2.0 competes directly against, in this case RSA The Security Division of EMC, SafeNet, Gemalto, CA Technologies, Vasco Data Security and Technology Nexus. Say what one might about Gartner Magic Quadrants but their "Leaders" do tend to be the ones who sell the most product.
ROT: You wrote: "Wave has a number of options to accommodate a potential customer's concerns over finances "
The most obvious one is to do a placement after an order or orders are announced. Of course the SP will skyrocket above a 1.00 even from prices lower than today on news of a contract or contracts and the offering (possibly at post-news prices) would put additional cash on the books to satisfy the customer's or customers' concern or concerns should the immediate additional cash resulting from the order or orders not suffice to alleviate any concerns.
Perhaps it has not occurred to you that Wave is not the first small company in history of enterprise IT to be in the position of having prospective new sales against a low cash position. You really think Solms, Shepard, the attorneys and others can't work a solution under such circumstances? That it's never been done before? Get creative BF, I'm not going to lay out all the options I may be aware of.
I am confident Wave has significant large customer interest in their solution and that it's advanced and continues to advance to the procurement stage. Your position more or less seems predicated on the basis that that is not the case. Perhaps we should continue our discussion down the road some instead of rather uselessly going back and forth now unless you are willing to concede there is some merit to my position. As far as your position, I'd be a fool not to admit I have zero concerns myself pending news of significant new sales.
If I were in competition with Wave Systems on a commercial opportunity, even if the PO had already been signed, I would bring a notice such as that into the buyer's office and make sure the CEO gets a copy.
I have seen commercial deals rescinded due to items such as that.
I would be surprised if any company considering doing business with Wave would not already have become aware of the SP and a potential delisting notice well in advance of the present. For one thing if the potential business reaches the procurement approval phase, vendor risk assessment is engaged and all to do with the stock price and its ramifications would be out in the open. Furthermore, given Wave's relatively low cash position at the end of Q3 I would expect Solms, Shepard or whomever from Wave fields vendor risk assessment concerns would put Wave's finances and the SP out front to the customer.
Wave has a number of options to accommodate a potential customer's concerns over finances beyond how the company's cash flow and cash position would immediately improve upon booking significant business.
I assume the more customers who advance to the procurement/vendor risk assessment phase the stronger Wave's position to alleviate concerns over finances becomes, although I don't know the degree to which potential business from collective prospects can be shared by Wave among them.
Good thoughts New Wave. Of course SEDs need to be made standard at least on enterprise devices so the customer doesn't have to pay an upgrade or refresh just to get them. And the items you mention could be drivers for that. Again if Wave can get a significant installed base of ERAS-managed VSC/device ID (becomes user/device ID by default with ERAS) I like Wave's chances for seeing an increase in SED management. I also know something is up with the SED patent being monetized. I'm not sure what but we can't exclude the Micron partnership.
BF, given the number of shares outstanding don't you think your market cap point is redundant? Ie. as in, minimum bid requirement will also satisfy minimum market cap requirement.
As if the SP de-listing warning notification wasn't bad enough, Wave must also contend with a looming market cap deficiency warning. If prospective buyers are sold on Wave's tech, but then look at Wave's financial stability, one can see why nervous buyers might go in another direction.
It may be even more disconcerting to those in mgt watching the market cap decline rather rapidly below the listing min. of about $35M and seeing the shaky financial footings with all the threats and failed goals out front in the showroom for all to see.
Blue Fin, I was able to confirm in talking with Wave personnel earlier this week that although WEM is an official product and has been deployed by a special group of customers, it's being re-engineered to make it more scalable and easy to deploy. I believe its continued development is also related to the Micron/Wave/Lenovo/AMI initiative, the technical nitty gritty of which is not public information.
http://www.wave.com/products/wave-endpoint-monitor
WEM data sheet updated 7/22/14 the day of the VSC 2.0 launch
http://www.wave.com/data-sheet-wave-endpoint-monitor-wem
checkinin, there is growing interest in Wave VSC 2.0 in the $2b enterprise authentication solutions marketplace today. Wave has finally created a product that resonates in the marketplace, is deployable without a lot of integration and does not require the purchase of additional hardware. It competes directly against external token devices such as RSA SecurID sold by RSA a Division of EMC and similar products sold by vendors such as SafeNet, Vasco, CA Technologies and Trust Nexus (these five vendors are the "Leaders" in Gartner's Magic Quadrant for User Authentication ie. they sell the most product) and Wave has a real and growing pipeline of prospects evaluating VSC 2.0 some of whom have moved into the procurement phase. Unlike Wave's SED management solution which requires customers to buy new PCs/pads with the SED upgrade, TPMs are already 100% present in the customer's environment permitting them to deploy VSC 2.0 without buying additional hardware. One ROI on the solution vs. external tokens is the cost associated with distributing lost, stolen or worn-out tokens to the employee end user, costs not associated with a TPM-based solution. And once TPMs are deployed for VSCs they can potentially be extended to solutions unrelated to user authentication for a versatility and breadth of functionality external hardware (or their embedded and less secure software version) authentication tokens don't offer.
It took eight months, beginning when Solms took over, to re-engineer the original Wave VSC into v2.0, a solution that is easy to deploy and manage across enterprises of all sizes. ERAS itself is now undergoing a major revision. As I stated in my last two posts, SED adoption appears to be dragging because SEDs are an option, not standard, and few customers are procuring them, choosing instead to stay with software FDE or use BitLocker (the Windows version of software FDE). Wave may see an expanding opportunity once SEDs ship standard just as TPMs do. ERAS manages both TPMs and SEDs within one console.
We are not yet two quarters into the July 22 launch of VSC 2.0. Stay tuned.
The main issue with SED management, as I said in my last post, is that SEDs are for the most part still an upgrade, that is as far as I know no major PC OEM ships them standard or if they do it's only on few select models. Once they become standard like TPMs there will be more adoption. It's an attractive technology that's inherently superior to software FDE.
I'm not sure how you claim that Lenovo is a sponsor of WinMagic's when it comes to SEDs. Lenovo does I believe pre-install some part of SecureDoc software FDE on some or many of their PCs and the customer has to choose a WinMagic option to buy an enterprise version. I don't know that WinMagic even receives a bundling fee...maybe but in any event it would be for FDE not SEDs.
Wave can sell SED management through HP, Lenovo and Dell channels, probably as much of a shot at Lenovo customers as WinMagic imo. For both WinMagic and Wave it's about finding their own customers to deploy SEDs as the PC OEMs aren't pushing them on their's. WinMagic claims to have 5m active SecureDoc licenses, so they have a lot more FDE seats to sell SEDs to than Wave. The impression though I got in speaking with the WinMagic guy is that WinMagic customers aren't migrating to SEDs in droves.
As I said, Wave's time for SED management is not ripe yet. It could come when ERAS for TPM management gains an installed base and SEDs ship standard on enterprise devices. Meanwhile I happen to know Wave is in the process of monetizing their SED patent.
Oh, and Wave does have this. Not much sales but probably the closest any SED management vendor comes to an OEM bundle.
http://www.wave.com/buzz/pr/wave-unveils-management-sandisk-x300s-solid-state-drive-encryption-secure-enterprise-data
The SanDisk X300s SSD will include a link to a fully functional download of Wave's EMBASSY® Security Center (ESC), a client application for SED management, as part of the SanDisk administration dashboard. For enterprise-wide deployments, Wave offers its EMBASSY Remote Administration Server, and Wave Cloud 2014, the first and only cloud service that manages SEDs from a single console. The combined offering delivers maximum data protection and performance to help address IT decision makers top data management and security challenges.
I talked to the WinMagic guy at the TCG booth at Storage Visions. WinMagic customers aren't doing much with SEDs, nobody is for now. WinMagic's bread and butter remains SecureDoc FDE.
I still consider Wave the leader in SED management and my prediction is their SED management sales will accelerate into an expanding ERAS-managed VSC 2.0 installed base once SEDs become default hardware on PCs/tabs causing customers to extend their ERAS-managed TPM deployment to SEDs...great solution. ERAS manages both TPM and SED solutions on the same console.
Not having the hardware shipping standard on PCs/tabs like TPMs still remains a major impediment for SEDs. One reason VSC 2.0 is attracting interest in the marketplace is the hardware is already embedded in the device. Not true for SEDs. Any deal still has to be timed with a customer's PC refresh and it's still some extra bucks for the drives.
SEDs are a great technology but still many IT people don't know much about it and it's a hardware upgrade to get them.
Thank you for that clarification New Wave. Nice to get some real facts on the board once in a while. Lots of pontificating and assertions made here but too often without specific knowledge of the products, customers and marketplace.
BF you must have misread my post. If you go back and reread it you'll see the conclusion I offer is that Wave failed to develop an enterprise-grade ROI TPM solution. When Solms developed VSC 2.0 it was a move in the right direction.
The challenges of the early days of TPMs, the clunkiness, I noted were all challenges Wave failed to address early on. The market was there back in 2006 with say 50,000 enterprises that had deployed an authentication solution that Wave should have set out to challenge with TPMs but not until 2014 did finally a Wave enterprise-grade solution worthy to compete enter the market. The 50m machines "tipping point" you mention, even with that Wave still needed years more to develop a competing solution. Classic mismanagement and lack of focus.
I don't believe evolving standards is the defining issue in Wave's history.
TPMs began shipping on enterprise PCs in 2006. It wasn't standards that held back organizations from deploying TPMs solutions. It was a myriad of other factors including initially the lack of TPMs in the customer's installed PC base. As I've postulated for a number of years this would have required Wave or any vendor to offer a certificate-based solution that used both TPM-equipped PCs and non-TPM ones, an approach Wave never sought to develop. There was also a general clunkiness to TCG technology from the enterprise IT perspective, most notably the inability to remotely access the BIOS to activate TPMs. Again neither Wave nor any other prospective TPM solutions vendor was able to address this. Finally beginning in WinVista there is a TPM initialization interface to the BIOS effectively providing remote BIOS access via Active Directory. But even with remote TPM activation becoming feasible using ERAS and AD, Wave still did not until VSC 2.0 in 2014 develop an enterprise-grade solution.
So really to blame Wave's failure on "chasing standards" is to not understand the real issues which was/is building an enterprise-grade solution with ROI attractive for enterprises to deploy.
BF, thanks for digging up those quotes.
"So we're starting to see progress. And as I mentioned before based on that timing and the sales cycle it'll be, you know, the second half of this year before we begin to see that stuff bear fruit. And, you know, that remains – it was true when I said it on previous calls; it remains true now that the good news is we're closer, you know, to what the end of that should be."
It's very possible imo that the second half of 2014 has borne fruit. It hasn't so far manifested in large orders, however as you know there's a growing perception that Wave has a number of large enterprises who have been doing solutions evaluations notably VSC 2.0 and are serious enough about procuring it to pass it along to their financial people for further evaluation and approval. We got an implied indication of that in the Q3 CC.
We legitimately thought that we had a couple deals that were going to close before the end of Q3 that didn’t, and you asked a question of why you thought they didn’t, and I would tell you that there’s a couple things. One is one of the advantages of being a small company is that we’re agile and can react quickly and can do things like you know, churn out a new product like virtual smart card 2.0 in a very small amount of time compared to the amount of time it takes for a large company to pivot to a new product.
One of the disadvantages is that big companies which - and big companies need our stuff, big organizations need our solutions - look at Wave and there’s a disadvantage to being a small company with small revenues, and so several times we’ve had opportunities that have been slowed down a bit that required us to go and talk to the potential customer and explain where Wave stands financially and what our roadmap is going forward and to give them the confidence that we’re a good partner to invest in.
And I would tell you that after those conversations we haven’t had anybody pull out of it, but as large companies do when they do their risk management, you know, they do ask those questions and it requires us to mitigate the downside by partnering with larger companies and as you throw those factors in, it has slowed down the discussions on a number of the opportunities. So I think I addressed the fact that like I’m frustrated that it didn’t occur when we thought it did.
I still can't find any claim put forth by Solms that Wave would be CFBE by the end of 2014. As I indicated, the 6/17/14 $9.9m capital raise put obvious time constraints on management to increase billings by year's end.
Root: I do not blame the Solms team for what went on before he got there. I have criticized him for setting goals with timelines, standing by them when it was clear they were not going to materialize--as a little too similar to what the past administration did. I have wondered why he would have even gotten himself into that position, knowing the history.
Please provide quotes from CC's on timelines set as I don't believe they were ever stated. Implied perhaps as in a $9.9m raise leaving until about the end of 2015 otherwise finances would be running thin. Solms has been careful to not make forward looking predictions. So no I don't agree Solms' posturing "is a little too similar to what the past administration did".
I appreciate and have noted the positives of the Solms regime--the pruning of diseased deadwood, the shuttering of family adventures that sucked out resources without the potential to contribute revenue and his firing of the old sales team and replacing them with eager beavers.
Imo "competent" would be a more appropriate description. Consider as well that selling to large customers requires a different skill set than SMB, and Wave needs both.
You seem to think the "transition" from SMB to large enterprise is simply a matter of time. I think the lack of sales is something far deeper and darker--reflective of a problem with the product itself--as evidenced by the many companies who have tried and rejected Wave, or simply shunned them in the first place.
Not quite. I am able to contemplate failure although knowing what I know of the product and what it competes against I don't believe there is a deep-rooted issue with it (VSC 2.0 and other products) other than ongoing engineering tweaks like other enterprise networking products.
I appreciate the kind words you do offer. I look forward to connecting on a more positive level pending Solms' plan coming to fruition.
Your anger though should be directed at Wave under SKS not under Solms. Your suffering in monetary terms and the frustration that went with it was presumably all from the SKS Wave.
As for the Solms Wave I can understand frustration relating to how long it's taking to transition from SMB to large enterprise (bear in mind if VSC 2.0 sells to large customers it will for all intents and purposes represent the world's first large organization adopters of a solution deploying centrally managed TPMs) but aren't you now out of the stock or in any case weren't badly hurt in the Solms era?
Again, please direct your anger at the past Wave not the Solms one. Let us worry about the new Wave until such time as you buy back in. It's quite tiresome reading your tirades about Wave's history and how it continues in the Solms era, especially when it's obvious how much the company has changed since Solms took over albeit still waiting for additional large enterprise customers. Trust us, we know the recent billings numbers already.
Then Wave contemplated that security in hardware at the edge of the network would need centralized management. Instead, things like “bring your own device” flourish without it.
I concur with your other points, however employee BYO devices still require centralized management by the enterprise. If BYO devices have a hardware root of trust, all Wave enterprise solutions can be applied to them providing IT wields some management control over them including in cloud environments. If IT is to protect their network, including cloud-hosted, they have to control the integrity of their employee BYO devices.
I'm inclined to think if there was a new large order by now they would find a way to let us know. In any case it will be interesting to see what the tone and pattern of your posting becomes if and when they do land some large accounts, to go with the ones they already have that is, including GM, BASF and BP. There are btw a number of, quite a few actually, other notable customers just not on the order of licenses of the BIG THREE.
The answer is yes. A real dollar in sales is worth far more than a dollar in Wave sales.
If any statement ever smacked of bias, it's that one lol.
I guess it can be taken to mean if Wave gets a $1m PO it's worth less than a $1m one Vasco gets.
I guess 50% constitutes swallowing up everybody else.
ISVs have to produce differentiators to keep a piece of the market.
What Windows has done starting in Vista makes it easier for enterprises to deploy TPMs and to potentially engage the services of ISVs. It will be the job of Wave going forward to further differentiate their product capabilities from what Windows provides.
In any case I would say Windows Server being able to remediate corrupted MBRs or for Windows to be able to self-heal them using an SED, to name but one area of capability, is a long ways down the horizon.
Until we see enterprise-level TC fully managed by Windows it's all just talk talk talk.
Something similar was probably claimed for Windows swallowing network resource platforms such as Altiris and LanDesk and it hasn't happened.
obviously it is hard to guess why there are no signs of progress.
No signs of progress? An announced VSC 2.0 high security gov't customer, references to 100 VSC 2.0 prospects under various stages of development referenced nearly two months ago (before the VSC 2.0 video ad) all adds up to "no signs of progress".
You really think the gov't customer is the only one to have deployed VSC 2.0 or the original version? Revealed in a 2013 VSC webinar were references to fully deployed customers for VSC 1.0 dating back to 2012.
Solms' stated strategy is to diversify from SMB and move into the large enterprise customer segment for VSC 2.0 and that success in doing so at a sustained rate will increase the company's cash flow in a meaningful way, and while success to that end has yet to be shown, to state overall "no signs of progress" is not accurate.
the lack of a partner announcement at the launch date was troubling.
Again, not accurate. VSC 2.0 was co-launched with partner DMI.
https://www.wave.com/livestreaming-event-wave-virtual-smart-card
Do you stay current on Wave products by watching webinars, product launch events or reading product data sheets?
Is it not possible if a customer (or customers) moves forward with a significant contract that the SP will rise? I would imagine that scenario is part of any discussion between Wave and the customer ie. the SP will rise both bringing the SP into compliance with the minimum bid rule and lessening dilution should the shelf be used.
It's very clear from a trading history of WAVX that the SP responds to billings-bearing news.
barge, I was referring to the ERAS-managed enterprise TPM solution not the Dell/other OEM-bundled client software.
I agree Dell was an important revenue generator, in fact it took the company to multi-millions, but imo it caused Wave to go to sleep on developing an out-of-the box scalable enterprise solution. It seemed to engender the notion that was up to enterprises that bought Dell PCs with Wave software bundled to upgrade to the enterprise version. I'm sure Wave made many sales pitches vs. leaving it up to the customer to find the solution but in the end it couldn't have had the ease of installation and management capabilities customers required to deploy it, otherwise customers would have gone with it.
Hardware root of trust was and remains the means to take security to another level, but from the beginning Wave's enterprise solution was not attractive to deploy even though the concept had merit. It was a matter of the company needing to be staffed with personnel who understood the challenges of deploying new solutions in existing enterprise network infrastructure and the pro-active demands of designing product to meet those requirements. A customer shouldn't have to and won't innovate to deploy a vendor's solution!
Yeah zen, once an enterprise has deployed a solution across their network it's no easy task for a vendor to come in and unseat the incumbent. It better be damn easy to do and functional ie. remote TPM activations in scale, build ERAS as a plug-in to the Windows Certificate Authority, comprehensive auditing and reporting compliance and more. In retrospect it was as though Wave was saying to the customer "here's the core interfaces it's up to you guys to make it work". To be fair there were challenges in the early days of TPMs such as needing third party tools for remote BIOS access to activate the TPM, partial TPMs in the network and more, but I feel with a more enterprise-solutions savvy staff that Wave could have better addressed the opportunity way ahead of the Solms era.
barge, Steven's comments criticizing lack of innovation in the enterprise were clearly him venting frustration regarding the lack of traction in Wave's efforts to sell their TPM solution. You can interpret it another way if you wish but it's clear now looking back that Wave's TPM solution was not what it needed to be to attract customers to unwind from their incumbent authentication solution and go with Wave. One only has to know that even naming it VSC was recent at the time and after Steven was fired Solms was tasked with re-engineering the solution into one that was marketable (VSC 2.0). The evidence is irrefutable...under SKS Wave failed to develop a saleable TPM solution, one that enterprises could both pilot and conclude from their evaluation that the solution warranted implementation. There were many pilots over the years. If none of them resulted in customers that can only mean the solution didn't warrant deployment, at least not at the time. Don't you think Wave could have taken the appropriate measures to make the changes necessary to make their solution deployable? Comprehensive remote activations of TPMs, comprehensive PKI management, whatever it took.
See barge, one of the problems with Steven's approach to selling a TPM solution to the enterprise is that he expected them to take Wave's CSP and ERAS and build everything to work in their environment. He avoided the challenge of building a scalable off-the-shelf solution that just worked for an average of large enterprise environments. Facilitate issuing certificates from the MS CA, managing them as required....to name just one element of what an enterprise TPM solution has to do. Steven expected the customer to manage the specifics...let them innovate as they need to make the solution work. That's not how a vendor approaches the market. Anyways he was fired about three weeks after the interview.
“What we’ve discovered about the enterprise role in innovation is that it isn’t very good at it,” said Steven Sprague, CEO at Wave Systems,
Steven wasn't that good at building enterprise solutions. Probably if he built a TPM solution enterprises were able to buy and deploy he wouldn't have been so critical of their "inability to innovate". In fact an IT department's inability to innovate creates an opportunity for a vendor to build and sell product to them. Build a product that just works. No innovation by the customer required.
Interesting. I for one favor the NSA having the ability to spy on the wireless communications of terrorists. It saves innocent lives.
TPMs would enable enterprises to prevent unauthorized devices from accessing their networks via e.g. a VPN if all their devices including cellphones have them. So if an organization's network access devices were all TPM-secured such that only devices with authentic (TPM-secured) credentials could gain access to the organization's resources it would be more challenging even for the NSA to gain access. They'd have to put malware in e-mail for example, gain remote control of a desktop and go in that way or go in some other way that didn't involve using an outside device to gain access.
The TCG approach is not a 100% silver bullet but it does eliminate unauthorized devices from directly gaining access to the network which is a significant piece of the puzzle and it makes sense for the NSA to promote TCG technology because a hardware root of trust does eliminate a number of vulnerabilities in gov't networks including the NSA's.
Btw if desktop-controlling malware delivered via e-mail for example is a root kit, TPMs can defeat that.
External (or software) tokens though are far more widely deployed than are smart cards in commercial enterprise, therefore there is more opportunity in the replace-the-incumbent solution scenario, at least in the commercial enterprise sector.
Understand for the commercial enterprise smart card customer VSC is not really an add-on. It replaces the smart card for logical access (eliminating the reader) leaving the card for physical access functions (e.g. building access) and as a wallet ID.
The gov't smart card is more the add-on scenario because CAC is currently designated as the primary user credential, leaving the TPM VSC as the primary device credential which has merit in the gov't. As I pointed out, the CAC user credential could be linked to the TPM making the TPM PIN the primary user authentication method (instead of inserting the card in the reader). Actually in the current scenario the card has to remain inserted in the reader both to authenticate the user to the PC initially but also to maintain the session with the network server. Actually, TPM-based device ID is sufficient to establish and maintain a network session. We'll see how that plays out (whether the need to insert the card is eliminated) but meanwhile other customers could follow Wave's first gov't VSC customer and deploy TPM-based hardware root of trust for the device.
I'm sure Wave had some technology figured out back then but they never did build a TPM solution that was practical for enterprises to deploy until VSC 2.0 came along. As I pointed out there were TPM remote activation issues plus the inability to install and manage certificates on non-TPM devices. Actually even on machines with activated TPMs there were issues to do with making the ERAS solution scalable and manageable including from the certificate management perspective.
Before Solms came along Wave seemed to be willing to let the customer figure out how to scale a TPM solution into their own environment. That's not how an enterprise vendor sells product. You build something that scales and you sell it using personnel who have a track record selling to large enterprises and personnel who sell to SMB. If something needs improvement Sales reports to Management and Management gets on Engineering until the product is saleable. Enterprise security solutions 101.
My point is there's pent-up or latent demand for any viable alternative to enterprises spending up to millions of dollars a year replacing lost or worn out external tokens, in some cases FedEx'ing them around the world.
Of course the replacement solution has to be fully scalable across all users and devices and practical to install in the network. Actually the Wave solution doesn't yet scale to mobile devices, however this may be OK for some customers because with the existing deployment of an MDM solution an IT dept. has already separated its support for mobiles from PCs making it feasible to support mobiles with MDM and PCs with another solution such as VSC.
They already closed a gov't VSC 2.0 sale and in my opinion a number of other non-material size orders. The PR stated dozens of pilots across multiple sectors and the CC mentioned around 100 VSC customers in various stages of development and the TV advertising more than likely helped grow the pipeline faster yet.
Imo it's too early to call VSC 2.0 a failure from a sales perspective or that it doesn't meet the demand enterprises have for better, easier-to-manage security. VSC is also supported and promoted within Windows which provides additional visibility to the solution.
VSC is being marketed as a replacement solution for external tokens. Use it and get rid of the tokens.
In a smart card deployment however, TPM-based VSC can be an "additional layer" scenario, in fact for the gov't customer Solms referred to the solution as a "redundant means of system authentication" presumably meaning the Common Access Card (CAC) remains the customer's designated and primary means of user authentication. We'll see how that plays out. It's possible the customer has already linked a form of derived CAC credentials to the TPM eliminating the need for the user to log into their device using a CAC and card reader.
“This is an important milestone for Wave,” said Bill Solms, CEO of Wave. “Wave Virtual Smart Card 2.0 has been purchased by a government agency with significant security requirements and one that requires redundant means of system authentication due to national security interests. This initial sale is modest compared to the addressable market within the Federal Government sector, but it is important to our strategy for marketing the Virtual Smart Card to address critical government infrastructure defense.”
http://www.wave.com/buzz/pr/wave-systems-announces-first-us-federal-government-customer-wave-virtual-smart-card-2.0
As I've been suggesting for a long time, a TPM solution can replace smart cards for logical access (eliminating the need for card readers...a significant value prop) with the customer maintaining the smart card deployment for physical access functions. On the other hand, the solution can replace external tokens (e.g. OTP tokens) altogether ie. the customer no longer needs them for anything.