
ViTM - The Vendor in the Middle

Enterprise security architects are traditionally very wary of systems that rely on third parties for access, uptime or security. Ironically, many of these same architects deployed RSA SecurID systems without considering (or while heavily discounting) the fact that RSA kept copies of the token seeds for licensing purposes.

My intention here is not to pile on RSA, but rather to clarify the root cause, because as organizations evaluate alternatives to SecurID they are often making the same mistake: relying on a security vendor's infrastructure, or worse, using a system like SMS, where the provider is not even a security vendor! That's not to say that some organizations might not be better off using a service, but they should be aware of the risks, just as some organizations will be better off "in the cloud" while others will not.

I dislike all the confusion around two-factor authentication. Security people seem to ignore the difference between shared secrets and asymmetric cryptography, between services and software, and so on. I don't know why two-factor authentication is such an emotional issue. Pundits like to say things like "too little, too late" about it. Excessive negativity does nothing to increase security.
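As an added illustration (not part of the original post) of the shared-secret versus asymmetric distinction, and of why an escrowed seed matters, the Go program below puts an RFC 4226 HOTP implementation, where every party holding a copy of the seed computes the same code, beside an Ed25519 challenge-response, where the verifier holds only the device's public key. The seed is the RFC 4226 test-vector seed, the challenge string is constructed for the example, and the function names are my own, not any vendor's API.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes a 6-digit RFC 4226 one-time code from a shared seed and
// counter. The seed is the only secret: the user's token, the enterprise
// verifier and any vendor that escrowed a copy all produce identical codes.
func HOTP(seed []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): low nibble of the last
	// byte selects a 4-byte window; the top bit is masked off.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// CheckHOTP is the verifier side: it needs its own copy of the seed, which
// is exactly the copy a third party could also hold.
func CheckHOTP(seed []byte, counter uint64, submitted string) bool {
	return hmac.Equal([]byte(HOTP(seed, counter)), []byte(submitted))
}

// NewDeviceKey generates an Ed25519 pair. The private key stays on the
// device; only the public key is enrolled with the verifier.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignChallenge is the device's response to a fresh verifier challenge.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// VerifyChallenge needs only the public key, so a verifier (or a vendor
// holding a copy of the enrolment data) cannot produce responses itself.
func VerifyChallenge(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	seed := []byte("12345678901234567890") // RFC 4226 test-vector seed
	vendorCopy := append([]byte(nil), seed...) // an escrowed copy of the seed
	fmt.Println("user code:  ", HOTP(seed, 0))
	fmt.Println("vendor code:", HOTP(vendorCopy, 0)) // identical

	pub, priv := NewDeviceKey()
	challenge := []byte("constructed-challenge-0001") // constructed nonce
	sig := SignChallenge(priv, challenge)
	fmt.Println("device response verifies:", VerifyChallenge(pub, challenge, sig))
	_, otherPriv := NewDeviceKey() // any party without the device's private key
	fmt.Println("forged response verifies:", VerifyChallenge(pub, challenge, SignChallenge(otherPriv, challenge)))
}
```

The point the two halves make side by side: with HOTP the verifier's stored seed is a second authenticator, so wherever a copy of it lives is part of the attack surface, whereas with the signature scheme compromising the verifier's (or a vendor's) stored public keys yields nothing that can answer a challenge.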

There are two big trends occurring now: an increase in adoption of two-factor authentication, driven by cloud-based services and by compliance requirements such as PCI, and a re-evaluation of the price/benefit of expensive hardware tokens (which started well before the RSA attack). It is my hope that organizations will make intelligent decisions about the products they choose based on their risk profile and capabilities. It is my concern that we are not giving the matter any clear thought.
