Systemic Risk, RSA Security Breach, and a Can of Worms

This morning we posted a set of essential guidance following the disclosure by EMC/RSA of a breach to their core SecurID system. You can find the guidance at the following URL

We wanted to put something in to the market for our readers to use to assess the potential impact on their operations as a result of the RSA break-in. In addition, with all the speculation and hysteria already in the blogosphere, it was important to point to only the facts and provide practical advise to users. Immediately following our post we were invited to a call with Sam Curry, CTO Marketing for EMC/RSA who appreciated our balanced perspective and provided more background on the event.

In our discussions with Sam, and a series of senior IT risk and security executives from US banks and investment firms over the weekend, it's pretty clear that RSA is being as proactive as they can given the sensitivity of the event in informing customers about the breach, the risks, the implications, and the options. RSA is quick to point out that while critical operational information on the SecurID system leaked out of RSA, additional leaks at customer sites would need to occur in order for the system to be completely compromised. The bankers and investment firms we've spoken with thus far reported a heightened sense of operational security at their firms, particularly those with significant SecurID deployments. However, these firms have stated that RSA has been responsive to their inquiries and helpful in determining risk mitigation strategies. However, more has yet to be learned.

Beyond this specific event, what has transpired over the past 5 days suggests that we re-open the can of worms surrounding global risk and the requirements for strong authentication systems. In 2005, the FFIEC advised banks that "effective authentication methods should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans". All well and good, in my opinion. But what about resistance to persistent threats or the ability to minimize systemic risks in the event of a failure in technology or a breach in one part of the system?

With the various types of authentication solutions in the market (see image below), which are best for a given risk profile, and what are the trade offs?

Personally I believe now is the time to re-open the authentication discussion, given recent events and the escalating cyber-risk threats, leaving all the NIH (not invented here) rhetoric behind.