IDC has posted a set of essential guidance following the disclosure by EMC/RSA of a breach of their core SecurID system. You can find the guidance at the following URL.
We wanted to put something into the market for our readers to use to assess the potential impact on their operations as a result of the RSA break-in. In addition, with all the speculation and hysteria already in the blogosphere, it was important to point to only the facts and provide practical advice to users. Immediately following our post we were invited to a call with Sam Curry, CTO Marketing for EMC/RSA, who appreciated our balanced perspective and provided more background on the event.
In our discussions with Sam, and with a series of senior IT risk and security executives from US banks and investment firms over the weekend, it's pretty clear that RSA is being as proactive as it can, given the sensitivity of the event, in informing customers about the breach, the risks, the implications, and the options. RSA is quick to point out that while critical operational information on the SecurID system leaked out of RSA, additional leaks at customer sites would need to occur for the system to be completely compromised. The bankers and investment firms we've spoken with thus far reported a heightened sense of operational security at their firms, particularly those with significant SecurID deployments. These firms have stated that RSA has been responsive to their inquiries and helpful in determining risk mitigation strategies. Still, more has yet to be learned.
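To make the "additional leaks at customer sites" point concrete, here is an added example, not from the original post, IDC, or RSA, that models a seed-based token and its customer-side verifier. The tokencode derivation is an HMAC-SHA256 stand-in, and the 60-second step, the PIN-plus-tokencode passcode layout, the one-step drift window and the three-strike lockout are assumptions for the model, not a description of RSA's actual algorithm or product behaviour. It shows that an attacker holding every seed record still needs the customer-held serial-to-user assignment and PIN to log in, that lockout bounds how far guessing the missing pieces gets, and that reissuing a seed cuts off the stolen copy.

```python
import hashlib
import hmac
import struct

# Model parameters. The 60-second step, PIN-plus-tokencode passcodes and the
# three-strike lockout are assumptions for this model, not RSA product facts.
TIME_STEP = 60
MAX_FAILURES = 3


def tokencode(seed: bytes, t: int, digits: int = 6) -> str:
    """Code the token displays at unix time t. HMAC-SHA256 over the time step
    is a stand-in for the vendor's proprietary algorithm (assumption); what
    matters here is that the code is a function of the secret seed and time."""
    counter = struct.pack(">Q", t // TIME_STEP)
    mac = hmac.new(seed, counter, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class AuthServer:
    """Customer-side verifier. Of the three things it holds, only the seeds
    also exist at the vendor; the serial-to-user assignment and the PINs
    live only at the customer site."""

    def __init__(self) -> None:
        self.seeds = {}        # token serial -> seed (a vendor-held copy exists)
        self.assignments = {}  # username -> token serial (customer-held)
        self.pins = {}         # username -> PIN (customer-held)
        self.failures = {}     # username -> consecutive failed attempts
        self.used = set()      # (username, time step) already accepted

    def enroll(self, username: str, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.assignments[username] = serial
        self.pins[username] = pin
        self.failures[username] = 0

    def reissue(self, username: str, new_seed: bytes) -> None:
        """Mitigation: bind the user to a fresh seed so a stolen copy of the
        old seed record no longer produces valid codes for this user."""
        self.seeds[self.assignments[username]] = new_seed
        self.failures[username] = 0

    def verify(self, username: str, passcode: str, t: int) -> bool:
        """Accept PIN + tokencode within one step of clock drift, refuse a
        replayed step, and lock the account after MAX_FAILURES misses."""
        serial = self.assignments.get(username)
        if serial is None or self.failures[username] >= MAX_FAILURES:
            return False
        pin, seed = self.pins[username], self.seeds[serial]
        for delta in (-TIME_STEP, 0, TIME_STEP):
            step = (t + delta) // TIME_STEP
            expected = pin + tokencode(seed, t + delta)
            if (username, step) not in self.used and hmac.compare_digest(passcode, expected):
                self.used.add((username, step))
                self.failures[username] = 0
                return True
        self.failures[username] += 1
        return False


def attacker_attempts(server, stolen_seeds, username, serial_guesses, pin_guesses, t):
    """An attacker holding the vendor's seed records tries to log in as
    `username`. Whatever they lack (which serial the user carries, the PIN)
    they must guess; returns (logged_in, attempts) so lockout's effect shows."""
    attempts = 0
    for serial in serial_guesses:
        seed = stolen_seeds.get(serial)
        if seed is None:
            continue
        code = tokencode(seed, t)
        for pin in pin_guesses:
            attempts += 1
            if server.verify(username, pin + code, t):
                return True, attempts
    return False, attempts


# Constructed sample data: two seed records and one user carrying token "A1"
# with PIN 4826, at a time in March 2011. Hypothetical values.
STOLEN_SEEDS = {"A1": b"seed-a1-secret", "B2": b"seed-b2-secret"}
T0 = 1_300_000_000


def make_server() -> AuthServer:
    server = AuthServer()
    server.seeds.update(STOLEN_SEEDS)
    server.enroll("alice", "A1", STOLEN_SEEDS["A1"], "4826")
    return server


if __name__ == "__main__":
    pins = ["0000", "1234", "1111", "4826"]
    print("seeds + serial + PIN:", attacker_attempts(make_server(), STOLEN_SEEDS, "alice", ["A1"], ["4826"], T0))
    print("seeds + serial, guessing PIN:", attacker_attempts(make_server(), STOLEN_SEEDS, "alice", ["A1"], pins, T0))
    print("seeds + PIN, guessing serial:", attacker_attempts(make_server(), STOLEN_SEEDS, "alice", ["B2", "A1"], ["4826"], T0))
    srv = make_server()
    srv.reissue("alice", b"fresh-seed")
    print("after reissue:", attacker_attempts(srv, STOLEN_SEEDS, "alice", ["A1"], ["4826"], T0))
```

The scenario that matters for a SecurID customer is the second and third ones: the seed records by themselves only become a working credential once they are joined to the serial-to-user assignment and the PIN, both of which the customer controls, and a lockout threshold plus monitoring of failed second-factor attempts is what keeps an attacker from guessing those pieces. Reissuing seeds for the most exposed users is the option that removes the stolen material from the equation altogether.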
Beyond this specific event, what has transpired over the past 5 days suggests that we re-open the can of worms surrounding global risk and the requirements for strong authentication systems. In 2005, the FFIEC advised banks that "effective authentication methods should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans". All well and good, in my opinion. But what about resistance to persistent threats or the ability to minimize systemic risks in the event of a failure in technology or a breach in one part of the system?
With the various types of authentication solutions in the market (see image below), which are best for a given risk profile, and what are the trade-offs?
- Credibility of the authentication approach - at a technical, operational, and policy level, is the financial institution (FI) using an authentication approach that protects the user, the institution, and most broadly the industry?
- Convenience to the consumer - Is it hard to use? Does it require the user to adopt something completely new? Does it interfere with the convenience of doing business online?
- Deployment cost and complexity - how difficult is it to deploy and make operational?
- Operational complexity and support cost - How hard is it to operate this solution? Does it scale? What are the support costs, and who bears them?
- Opportunity - Does this solution enable new business opportunities? Does it strengthen or dilute my relationship with my customer?
- Recovery - if the system fails, how do I contain the risk? What are my options?
Personally I believe now is the time to re-open the authentication discussion, given recent events and the escalating cyber threats, leaving all the NIH (not invented here) rhetoric behind.