RSA SecurID Replacement: VARs Respond

By Ericka Chickowski  |  Print this article Print

IT solution providers may forgive security giant RSA for the security breach that led to the compromise of RSA SecurID tokens. What may be unforgivable has been RSA's silence when it came to telling VARs about the severity of the breach in a timely manner.

RSA's confirmation of the severity of its March data breach this week and announcement that it will replace 40 million SecurID authentication tokens as a result has left partners scrambling with many questioning the reputation of the vaunted security vendor.

"Trust is the currency of business in information security," says Rick Moy, CEO of NSS Labs, a security analyst and testing firm. "Because people buy products from people they trust and they trust those products to do what they say they do and in this case the trust in RSA is technology and the corporate response to the customers is severely shaken."

It's a situation channel partners security partners should keep a close eye on, whether they're RSA partners or not.

"As a channel partner you should care about this because it's going to bring increased visibility to the pitfalls of remote access and how to secure it," says Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions, which isn't a direct partner of RSA but has many customers with SecurID deployments ."It's going to stir up a lot of discontent with the existing solutions, especially if RSA is the incumbent in the environment. Having plans to be able to migrate those end users to other solutions with minimum disruption is going to be a key thing."

It still remains to be seen how many customers will want to migrate away from RSA as a result of RSA's breach and its handling of disclosure in the months after it. Existing RSA partners are currently on edge, even if they aren't necessarily lining up to dump a security vendor with a strong legacy in the industry.

"Is my confidence shaken? You know, it casts doubt. You can't help but say you have doubt," says Don Gray, chief security officer for managed security service provider Solutionary. "But does it cast enough doubt that I'm going to say we're not going to be an RSA Partner? No.  Some of these attacks are very difficult to detect. Ten years ago, if this would have happened, everyone would have dropped them like a hot potato. In the book world they got breached, they're out of here. But you have to live in the real world."

Nevertheless, RSA has certainly done a lot to erode partner confidence. Communication beyond what has been publicly available about the recall has been spotty, as RSA has been "firmly entrenched in PR mode," Gray said.

In fact, communication about breach details has been an obstacle ever since the breach, says Moy, who believes that RSA's handling of the problem is actually the real issue in all of this.

"This is really a self-inflicted wound," Moy says. "I don't begrudge anyone getting hacked. It happens. The bigger problem is in the response to the hack and the impact on their customers."

For example, Moy says 'it doesn't wash' that RSA isn't releasing details about the information breached because they are afraid that it would help the bad guys in perpetrating attacks. In the end he believes that hurts customers more than it would help attackers who are already sophisticated enough to find the information in the first place.

"The ninjas that just crept into your castle and stole your gold -- is there anything they don't know that you might tell them at this point?" he says. "Seriously, I mean, the masters of the dark arts, you're going to potentially enlighten them by your disclosure?"

Even after RSA's announcement on Monday and its interview with big media players, the company has been mostly mum about the details around its planned recall. Partners and customers have been left to guess when and how tokens are going to be replaced. Regardless of the answer, it is clear that the offer for replacement is hardly going to be a magic wand to fix everything. Even with a free giveaway of tokens his is going to cost RSA and customers a lot of money.

"It's a real problem to switch out these tokens; it's not something that's easily done," Gray says. "In most cases when the tokens were implemented there was probably a big effort a long time ago but since then it's been incremental--now it is just a part of customers' provisioning process. It's a big enough of a disruption that RSA doesn't want to lose their customers, so they're giving these tokens away. But the reality is that that doesn't eliminate any cost for the organization."