SecurID Breach: Customers Weigh Dumping RSA

By Ericka Chickowski

After months of silence and little direction from RSA beyond the release of basic mitigating best practices, RSA's new recall of SecurID tokens is the worst-case scenario that partners dreaded, and it is leading them to consider alternative vendors.

As frustration builds among customers fed up with RSA's handling of the SecurID breach, and with the deployment cost of replacing tokens the breach may have rendered ineffective staring them in the face, many formerly loyal to the brand are considering the once unthinkable: casting off RSA's authentication products in favor of multifactor alternatives. According to the experts, smart channel partners should be boning up on their authentication know-how to answer customer questions and help them decide whether to stick with RSA through the SecurID recall or search for greener pastures.

"From a technical view, you can say if you've got tokens that were issued after the breach, you might be OK to stay, but then you still have the relationship trust issue," says Rick Moy, CEO of NSS Labs, a security analyst and testing firm. "Is RSA really going to stand by you? Can you trust that the vendor will do right by you? As a partner and as an enterprise, it’s hard to give them the benefit of the doubt after the series of events."
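The technical claim behind the "tokens issued after the breach" remark is worth making concrete. A seed-based hardware token is a deterministic function of its seed and the clock, so whoever holds a copy of the seed record can produce the same codes without ever touching the fob, and only a new seed (which in practice means a replacement token) cuts that copy off. The following is an added example written for this page, not RSA's code or RSA's algorithm: it uses RFC 6238 TOTP (HMAC-SHA1, 30-second step) as a stand-in, since SecurID's token algorithm is proprietary, and the seed (the RFC 6238 test key), the serial number and the server logic are constructed for illustration.

```python
"""Why a leaked seed makes a hardware OTP token worthless: the code the fob
shows is a deterministic function of (seed, time), so a copy of the seed
record reproduces it exactly.

Stand-in algorithm: RFC 6238 TOTP (HMAC-SHA1, 30 s step). RSA SecurID's
algorithm is proprietary and is NOT reproduced here. The seed, serial number
and server are constructed test data (the seed is the RFC 6238 test key)."""
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per token code


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(seed, unix_time // TIME_STEP, digits)


class TokenServer:
    """Authentication server holding per-token seed records (serial -> seed).

    Accepts codes from the current step and one step either side (clock
    drift) and refuses to accept the same (serial, step) twice (replay)."""

    def __init__(self, seeds: dict):
        self.seeds = dict(seeds)
        self.last_accepted = {}  # serial -> highest counter already consumed

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """Replace a token's seed: what swapping the physical token achieves."""
        self.seeds[serial] = new_seed
        self.last_accepted.pop(serial, None)

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        step = unix_time // TIME_STEP
        for candidate in (step - 1, step, step + 1):
            if candidate <= self.last_accepted.get(serial, -1):
                continue  # this step was already consumed: replay attempt
            if hmac.compare_digest(hotp(seed, candidate), code):
                self.last_accepted[serial] = candidate
                return True
        return False


# Constructed scenario: one token whose seed record has leaked.
ISSUED_SEED = b"12345678901234567890"  # RFC 6238 test key, plays the leaked seed
REPLACEMENT_SEED = hashlib.sha256(b"fresh seed from a new token batch").digest()[:20]
SERIAL = "000123456789"  # constructed serial number


def demo(now: int = 59) -> dict:
    """Run the scenario at a fixed clock value and report each outcome."""
    server = TokenServer({SERIAL: ISSUED_SEED})
    user_code = totp(ISSUED_SEED, now)      # what the legitimate fob displays
    attacker_code = totp(ISSUED_SEED, now)  # same seed -> same code, no fob needed
    results = {
        "codes_match": user_code == attacker_code,
        "attacker_accepted_before_reseed": server.verify(SERIAL, attacker_code, now),
        "replay_accepted": server.verify(SERIAL, user_code, now),  # same step again
    }
    server.reseed(SERIAL, REPLACEMENT_SEED)  # the equivalent of a token swap
    results["attacker_accepted_after_reseed"] = server.verify(
        SERIAL, totp(ISSUED_SEED, now), now)
    results["new_token_accepted"] = server.verify(
        SERIAL, totp(REPLACEMENT_SEED, now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two points for a practitioner follow from the run. First, nothing on the server side distinguishes the fob from a copy of its seed, which is why "tokens issued after the breach" is the only technically meaningful dividing line. Second, the server's replay check and narrow time window limit what a single intercepted code is worth, but they do nothing against an adversary who holds the seed, because that adversary simply generates the next code.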

After many months of silence and little direction from RSA beyond some basic briefings on mitigating best practices, intended to shore up SecurID deployments whose security might have been weakened, this is the worst-case scenario that partners dreaded.

"When the incident first became public, we would talk with RSA and they had kind of given us the story they gave everyone else: that there was no evidence any of the seed data had been compromised," says Don Gray, chief security officer for managed security service provider Solutionary, who went to customers at that time to offer up those mitigating practices. "And we said 'Oh, by the way, we think you should prepare for the worst.' That we thought it was a good idea to explore alternative technologies, look at what it would cost to replace the SecurID tokens, understand likely cost and timeframe to implement that solution and communicate it to their management. Just to prepare for any potential worst case scenarios."

Bobby Kuzma, owner of managed security service provider Central Florida Technology Solutions, has been steering his customers away from SecurID since March. Monday's announcement of a recall, which he says RSA should have made long ago, confirms the advice he has been giving customers.

"As of (that) morning, four of my customers have accelerated their plans to get off SecurID and get onto CryptoCard as an alternate two-factor authentication form," he says.

Partners whose customers are looking to jump ship would be well advised to stay on the lookout for incentive programs from competing vendors, who are circling as swiftly as vultures over fresh carrion. For example, CA Technologies wasted no time in reminding customers that ever since March it has offered a program to replace hardware tokens with its CA ArcotID software token product line. CA is one of several vendors saying that this breach should signal the end of an era for the inconvenience of hardware tokens.

"Hardware tokens are a security mechanism whose time has expired," says Mike Denning, general manager of security for CA Technologies. "The inconvenience of carrying an additional key fob or device for today’s increasingly mobile workforce is not practical, and the difficulty of remediation in case of a hardware token breach can be overwhelming."

Incentives offered by the competition and the costs of a recall may make a switch to an alternative an easy sell for many partners. According to Gray, regardless of RSA's decision to give new tokens away for free, customers will still have to pay a pretty penny to make the switch happen. Many SecurID deployments have been built up over years of routine provisioning; a rip-and-replace program, even one done in waves, will be a logistical nightmare for many.

"It's kind of this incremental thing that you don't necessarily notice because it's part of your provisioning process, but now it's this big bang. The reality is that (the recall) doesn't eliminate any cost for the organization," Gray says. "So if they're inclined at all to look at an alternative solution because they're 'irritated' with RSA, now is the time to do it because they're going to incur almost the same cost."

At the same time, Gray says there is a 'flip side' to the decision matrix as to whether a customer should stay with RSA or go. Much like a restaurant is never so clean as right after it fails a health department inspection, RSA will inevitably clamp down harder than ever on its security in this incident's aftermath.

"I would say that it has been my experience that organizations that experience a publicly acknowledged significant breach have a much, much increased security posture after that point," he says. "So if you have the RSA SecurID, you're comfortable with what it did up to the point of this breach happening and didn't have big issues with it, I wouldn't make any rash decisions. I would consider the fact that the RSA controls around the SecurID fobs going forward are likely to be one of the most secure installations in the world."