It’s big news that RSA’s infrastructure around their SecurID solution has been compromised. While information about this attack and its impact on customers is lacking (RSA is citing an ongoing investigation as a reason to limit public disclosure), a couple of lessons about general security management can already be learned.
The first lesson is around vendor management. As a security assessment company, we get to hear a lot of people at organizations around the world describe their state of security. One thing we hear a lot is how secure their vendors are. With little support other than a vendor’s marketing materials, the existence of a SAS-70 report, or the vendor’s sales team’s story about security, it is simply assumed that the vendor is secure. If the recent NASDAQ Directors Desk breach is an example of why a vendor’s big claims about security don’t necessarily imply actual security, then this week’s RSA breach exemplifies that a company isn’t secure just because it is big or sophisticated. In our experience, vendors, big or small, often represent the biggest component of an organization’s security risk, no matter what they claim about their security.
Another lesson to be learned from the RSA breach is around complexity. In our experience, complexity equates to security risk: the more complexity you have in your IT environment, the more inherent security risk you carry. I wouldn’t say it’s time to throw away all of your multi-factor authentication solutions (after all, they are generally an effective way to mitigate the risk of a compromised password), but I do think it’s important to realize that every time a new technology is introduced into your IT environment, you are increasing your overall complexity and thus adding some additional risk. So it’s important to think through any new technology deployment and ask yourself: does the upside of this deployment outweigh the downside of adding complexity to my data center? Security is all about operational discipline, structured process, rigorous testing and smart people, all of which tend to be in short supply; always be aware of how added complexity taxes your finite resources.
So, while it might be too early to get rid of all of your SecurID technology, it’s not too early to be aware that vendors may represent a big piece of your security risk, and that the added complexity of more layers of technology in an IT environment represents additional security risk to your organization. Vendors and technology are not bad in themselves; they are necessary. But it’s important to understand their impact on your risk management strategy.