Questions asked on the cost implications of RSA replacing SecurID
The replacement of 40 million RSA SecurID tokens will create huge cost issues for the vendor.
Andrew Kemshall, co-founder at SecurEnvoy, claimed that deployment costs for RSA's clients will cost around £4 billion, whilst the environmental cost will work at around 4.3 million tonnes of Co2.
He said: “Our observations suggest that the on-costs of deploying a single SecurID token is around £100 per token, this includes the direct and indirect costs for the organisation concerned.
“If it is necessary, then we recommend that businesses should start seriously thinking about switching to a tokenless authentication system, especially given the rising number of corporate hacks in recent months, which indicates that enhanced security should now be a watch word.”
Yesterday, RSA executive chairman Art Coviello said that it was offering to replace SecurID tokens for customers ‘with concentrated user bases typically focused on protecting intellectual property and corporate networks'. He also confirmed that RSA will offer to implement risk-based authentication strategies for consumer-focused customers with a large, dispersed user base, that are typically focused on protecting web-based financial transactions.
Philip Lieberman, president and CEO of Lieberman Software, said that the cost is not just bad news for RSA, but it paints the rest of the IT security industry in a bad light.
He said: “I put the fault squarely on the senior management of EMC for treating the SecurID division as a cash cow that received little to no investment after RSA was acquired by EMC. A quick review of the SecurID products show that the SecurID product line has languished in innovation and development investment since the takeover.”
However Jon Geater, director of technical strategy at Thales e-Security, said that replacing the tokens seemed 'like the right thing in my book', as it represented good PR and a responsible attitude to its customers.
He said: “It is undoubtedly an expensive move which leaves some questions open: do RSA know that all the tokens were breached, or are their systems simply unable to tell them which tokens were compromised? Will they change the seed model in future?
“What assurances can they now offer customers that the system is safe? In the cloud age, where transparency and third-party trust are becoming understood currency, can they keep their security procedures and seed model obscured any longer?
“Why did it take so long to find out? Or for them to admit it? It would be nice to be generous and assume they were simply ramping up production to cope with demand, but people will now surely be suspicious that the Lockheed breach is the real catalyst.
“Whatever the truth of the SecurID breach, the message is clear: the growth of concerted attacks on valuable IP, including Lockheed Martin and Sony, proves the need for defence in-depth and protection of data assets even inside the enterprise. The walls have come crumbling down.”