RSA have finally broken their silence over the extent of the SecurID breach and the implications are not good.
When I last wrote about this breach, RSA were understandably coy about the details and were looking into the size of their exposure. As time went on without further comment, the only logical conclusion had to be that the breach was big. Really big.
So finally, and a little too late, RSA have announced that they will replace practically ALL SecurID devices in the field. To be honest, once the story broke there didn't seem to be another option for the company. It was only a matter of when.
This seems like the right thing in my book - good PR, responsible attitude to their customers - but it is undoubtedly an expensive move which leaves some questions open:
- Do RSA know that all the tokens were breached, or are their systems simply unable to tell them which tokens were compromised?
- Will they change the seed model in future?
- What assurances can they now offer customers that the system is safe? In the cloud age, where transparency and third-party trust are becoming understood currency, can they keep their security procedures and seed model obscured any longer?
- Why did it take so long to find out? Or for them to admit it? It would be nice to be generous and assume they were simply ramping up production to cope with demand, but people will now surely be suspicious that the Lockheed breach is the real catalyst.
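To make the "seed model" question concrete, here is an added illustration that is not part of the original post. SecurID's own algorithm is proprietary and not described here, so this uses the open HOTP/TOTP standards (RFC 4226 / RFC 6238) as a stand-in for any seed-based one-time-password token; the seed values are constructed test data, not real token seeds. The point it shows is that the seed is the whole secret: whoever holds a copy of the seed database can compute every future code for that token offline, so no server-side patch closes the hole and the only remedy is a fresh seed, which for a hardware token means a new token.

```python
import hashlib
import hmac
import struct

# Added example, not RSA's algorithm: RFC 4226 HOTP / RFC 6238 TOTP stand in for a
# generic seed-based OTP token. SecurID is proprietary; the seed-secrecy argument is the same.

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a fixed-length decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // step, digits)

def verify(seed: bytes, candidate: str, unix_time: int, step: int = 30,
           digits: int = 6, window: int = 1) -> bool:
    """Server-side check tolerating +/- `window` steps of clock drift.
    Constant-time comparison so the check itself does not leak the code."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(seed, base + d, digits), candidate)
               for d in range(-window, window + 1))

def attacker_can_log_in(leaked_seed: bytes, server_seed: bytes, unix_time: int) -> bool:
    """An attacker holding a copy of the seed computes the code offline,
    never touching the physical token, and submits it to the server."""
    forged = totp(leaked_seed, unix_time)
    return verify(server_seed, forged, unix_time)

# Constructed sample data: the RFC 4226 / RFC 6238 reference seed plus a made-up
# replacement seed standing in for what a reissued token would carry.
LEAKED_SEED = b"12345678901234567890"
REPLACEMENT_SEED = b"constructed-new-seed!"

def breach_walkthrough(unix_time: int = 59) -> dict:
    """Compare the outcome before and after the token (i.e. the seed) is replaced."""
    return {
        "token_code": totp(LEAKED_SEED, unix_time),
        "attacker_code": totp(LEAKED_SEED, unix_time),
        "attacker_accepted_before_reissue": attacker_can_log_in(LEAKED_SEED, LEAKED_SEED, unix_time),
        "attacker_accepted_after_reissue": attacker_can_log_in(LEAKED_SEED, REPLACEMENT_SEED, unix_time),
    }

if __name__ == "__main__":
    for key, value in breach_walkthrough().items():
        print(f"{key}: {value}")
```

Note that the server's drift window, which every real deployment needs, widens the attacker's target rather than narrowing it: a leaked seed yields three acceptable codes per time step here, not one. Nothing in the verifier can tell a code computed from a stolen seed from one read off the token, which is why "which tokens were compromised" is the only question that matters and why re-seeding, not re-configuration, is the fix.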
Art Coviello's open letter is appropriately warm and reassuring, but the absence of detail will surely worry risk practitioners.
Whatever the truth of the SecurID breach, the message is clear: the growth of concerted attacks on valuable IP, including those on Lockheed Martin and Sony, underlines the need for defence in depth and protection of data assets even inside the enterprise. The walls have come crumbling down.