RSA’s confirmation of the severity of its March data breach
this week and announcement that it will replace 40 million SecurID authentication
tokens as a result has left partners scrambling with many
questioning the reputation of the vaunted security vendor.
"Trust is the currency of business in information
security," says Rick Moy, CEO of NSS Labs, a security analyst and testing
firm. "Because people buy products from people they trust and they trust
those products to do what they say they do and in this case the trust in RSA is
technology and the corporate response to the customers is severely
shaken."
It’s a situation channel partners security partners should
keep a close eye on, whether they’re RSA partners or not.
"As a channel partner you should care about this
because it’s going to bring increased visibility to the pitfalls of remote
access and how to secure it," says Bobby Kuzma, owner of managed security
service provider Central Florida Technology Solutions, which isn’t a direct
partner of RSA but has many customers with SecurID deployments ."It’s
going to stir up a lot of discontent with the existing solutions, especially if
RSA is the incumbent in the environment. Having plans to be able to migrate
those end users to other solutions with minimum disruption is going to be a key
thing."
It still remains to be seen how many customers will want to
migrate away from RSA as a result of RSA’s breach and its handling of disclosure
in the months after it. Existing RSA partners are currently on edge, even if
they aren’t necessarily lining up to dump a security vendor with a strong
legacy in the industry.
"Is my confidence shaken? You know, it casts doubt. You
can’t help but say you have doubt," says Don Gray, chief security officer
for managed security service provider Solutionary. "But does it cast
enough doubt that I’m going to say we’re not going to be an RSA Partner?
No. Some of these attacks are very
difficult to detect. Ten years ago, if this would have happened, everyone would
have dropped them like a hot potato. In the book world they got breached,
they’re out of here. But you have to live in the real world."
Nevertheless, RSA has certainly done a lot to erode partner
confidence. Communication beyond what has been publicly available about the
recall has been spotty, as RSA has been "firmly entrenched in PR
mode," Gray said.
In fact, communication about breach details has been an
obstacle ever since the breach, says Moy, who believes that RSA’s handling of
the problem is actually the real issue in all of this.
"This is really a self-inflicted wound," Moy says.
"I don’t begrudge anyone getting hacked. It happens. The bigger problem is
in the response to the hack and the impact on their customers."
For example, Moy says ‘it doesn’t wash’ that RSA isn’t
releasing details about the information breached because they are afraid that
it would help the bad guys in perpetrating attacks. In the end he believes that
hurts customers more than it would help attackers who are already sophisticated
enough to find the information in the first place.
"The ninjas that just crept into your castle and stole
your gold — is there anything they don’t know that you might tell them at this
point?" he says. "Seriously, I mean, the masters of the dark arts, you’re
going to potentially enlighten them by your disclosure?"
Even after RSA’s announcement on Monday and its interview
with big media players, the company has been mostly mum about the details
around its planned recall. Partners and customers have been left to guess when
and how tokens are going to be replaced. Regardless of the answer, it is clear
that the offer for replacement is hardly going to be a magic wand to fix
everything. Even with a free giveaway of tokens his is going to cost RSA and
customers a lot of money.
"It’s a real problem to switch out these tokens; it’s
not something that’s easily done," Gray says. "In most cases when the
tokens were implemented there was probably a big effort a long time ago but
since then it’s been incremental–now it is just a part of customers’
provisioning process. It’s a big enough of a disruption that RSA doesn’t want
to lose their customers, so they’re giving these tokens away. But the reality
is that that doesn’t eliminate any cost for the organization."