Lockheed attack scares away RSA partners

UK security VARs gravitate towards tokenless alternatives and express fears that vendor's reputation has been damaged beyond repair

Some of RSA's top partners are turning away from the vendor amid growing fears over the security of its two-factor authentication tokens.

RSA chairman Art Coviello admitted in an open letter earlier this week that the attack on RSA customer Lockheed Martin's network could "reduce some customers' overall risk tolerance".

Lockheed is the first known victim of the March hack on RSA's systems and, as a result, the EMC-owned vendor has offered to replace SecurID tokens for customers concerned with protecting corporate networks and intellectual property. This could potentially impact all 40 million SecurID users globally.

Steven Malone, technical director at RSA Affiliate partner Infosec Technologies, said he had not received any communication on how the replacement process might work, other than being directed to the open letter.

The whole episode had "irrevocably damaged" the RSA SecurID brand, he added.

"We take a high profile breach involving one of our vendors extremely seriously and in light of the seriousness of the RSA hack, have taken the decision to focus 100 per cent on our other 2FA vendor SecurEnvoy," Malone said.

Mark Szubert, business development manager at RSA Affiliate partner IDsec, agreed that the trust that had built up between RSA and SecurID users had become "strained".

"I suspect some major users of SecurID that are nearing end of life will go another route unless RSA really does come up with a blinding deal to replace existing deployments of SecurID with tokenless, risk-based authentication," he said.

Simon Aron, joint managing director of Eurodata, added: "RSA has been very difficult to deal with since March and this plays into the hands of tokenless alternatives like Swivel."

Martin Hellawell, managing director of RSA Affiliate partner Softcat, admitted there was some customer concern but was among those to back the vendor.

"It's all moving in the right direction," he said. "The replacement strategy is a positive move and we will help facilitate it in any way. Obviously this will give us extra work but that's what we are here for."

Some of RSA's other larger UK partners, including Armadillo, are also known to be steadfast in their loyalty to RSA.

In a statement sent to CRN, an RSA spokesperson said: "RSA is absolutely meeting with our partners and considers them key allies in the remediation process with SecurID customers."

Rivals have also been quick to seize on RSA's latest announcement, particularly those offering tokenless 2FA alternatives that would not be susceptible to such attacks.

Andy Kemshall, co-founder of tokenless 2FA vendor SecurEnvoy, claimed it would be RSA customers and partners, and not the vendor itself, that would have to foot the majority of the bill as new tokens are deployed.

"The fact Lockheed was compromised demonstrates that all of RSA's tokens are not as effective as they should be.

"These customers turned to two-factor authentication as they felt the risk had justified more than just a simple password and now they are in an untenable situation where there is nothing more than a PIN protecting them. It is fair to say there are millions of tokens that need replacing."

However, RSA added in a statement that it would not make its channel partners bear the cost of redeployment for customers who choose to replace their RSA SecurID tokens.