As frustration builds among customers fed up with RSA's
handling of the SecurID breach, and with the deployment costs of replacing compromised tokens staring them
in the face, many formerly loyal to the brand are considering the once
unthinkable: casting aside RSA's authentication products in favor of multi-factor
alternatives. According to the experts, smart channel partners should be boning
up on their authentication know-how to answer customer questions and help them
decide whether to stick with RSA through the SecurID recall or search for
greener pastures.
"From a technical view, you can say if you’ve got tokens
that were issued after the breach, you might be OK to stay, but then you still
have the relationship trust issue," says Rick Moy, CEO of NSS Labs, a
security analyst and testing firm. "Is RSA really going to stand by you?
Can you trust that the vendor will do right by you? As a partner and as an
enterprise, it’s hard to give them the benefit of the doubt after the series of
events."
After many months of silence and little direction from RSA,
beyond briefings on some basic mitigating best practices meant to shore up
potentially weakened SecurID deployments, this is the worst-case scenario
that partners dreaded.
"When the incident first became public, we would talk
with RSA and they had kind of given us the story they gave everyone else: that
there was no evidence any of the seed data had been compromised," says
Don Gray, chief security officer for managed security service provider
Solutionary, who went to customers at that time to offer up those mitigating
practices. "And we said ‘Oh, by the way, we think you should prepare for
the worst.’ That we thought it was a good idea to explore alternative
technologies, look at what it would cost to replace the SecurID tokens, understand
likely cost and timeframe to implement that solution and communicate it to
their management. Just to prepare for any potential worst case scenarios."
Bobby Kuzma, owner of managed security service provider
Central Florida Technology Solutions, has been steering his customers away from
SecurID since March. Monday’s announcement of a recall that he says RSA should
have done long ago is a confirmation of his advice doled out to customers.
"As of (that) morning, four of my customers have
accelerated their plans to get off SecurID and get onto CryptoCard as an
alternate two-factor authentication form," he says.
Partners whose customers are looking to jump ship would be
well advised to stay on the lookout for incentive programs offered by
competing vendors circling in as swiftly as vultures over fresh carrion. For
example, CA Technologies wasted no time reminding customers that ever since
March it has been offering a program that replaces hardware tokens with its
CA ArcotID software token product line. CA is one of several vendors saying
that this breach should signal the end of an era for the inconvenience of
hardware tokens.
"Hardware tokens are a security mechanism whose time has
expired," says Mike Denning, general manager of security for CA
Technologies. "The inconvenience of carrying an additional key fob or
device for today’s increasingly mobile workforce is not practical, and the
difficulty of remediation in case of a hardware token breach can be
overwhelming."
Incentives offered by the competition and the costs of a
recall may make a switch to an alternative an easy sell for many partners.
According to Gray, regardless of RSA's decision to give new tokens away for
free, customers will still have to pay a pretty penny to make the switch happen. Many SecurID
deployments have been built up over years of provisioning; a rip-and-replace
program, even done in waves, will be a logistical nightmare for many.
"It’s kind of this incremental thing that you don’t
necessarily notice because it’s part of your provisioning process, but now it’s
this big bang. The reality is that (the recall) doesn’t eliminate any cost for
the organization," Gray says. "So if they’re inclined at all to look
at an alternative solution because they’re ‘irritated’ with RSA, now is the
time to do it because they’re going to incur almost the same cost."
At the same time, Gray says there is a ‘flip side’ to the
decision matrix as to whether a customer should stay with RSA or go. Much like
a restaurant is never so clean as right after it fails a health department
inspection, RSA will inevitably clamp down harder than ever on its security in
this incident’s aftermath.
"I would say that it has been my experience that
organizations that experience a publicly acknowledged significant breach have a
much, much increased security posture after that point," he says. "So
if you have the RSA SecurID, you're comfortable with what it did up to the
point of this breach happening and didn't have big issues with it, I wouldn't
make any rash decisions. I would consider the fact that the RSA controls around the SecurID fobs going
forward are likely to be one of the most secure installations in the
world."