Is your security vendor in bed with the NSA?

This article is sponsored by Good Technology.

Enterprise security is a serious subject to both the employer and the employee, especially in today’s world of mobility and BYOD. Corporate VPN is the most popular access method offered to mobile workers, allowing them to log into the corporate network from anywhere. Typically the worker is issued an RSA SecureID keyfob that generates a six digit random number periodically to be entered as part of a PIN. Workers are told to keep this keyfob safe and immediately alert IT if it is lost.

Never mind all that. It’s all but a facade, as the latest bombshell revelation from the Snowden leaks tied RSA to the snoops at NSA.

It’s also a story about how the reputation of an industry leader can quickly dissipate.

RSA was a company founded in 1982 by cryptographers and also the namesake of their famous public key cryptography algorithm. It was sold to EMC Corp. in 2006 and is a market leader in enterprise security.

But apparently RSA placed a dollar value on security, and in turn, its reputation: $10 million.

That’s how much money the company received from the NSA to incorporate a flawed random number generator by default in its products. Dual_EC was a poor random number generator, and this was discovered all the way back in 2006! Yet for 10 big ones from the government spy agency RSA baked it into its products as the default, with a wink and a smile.

Initially it was thought that the NSA had only breached the trust of American allies, but the RSA case is evidence that the agency has tentacles much far reaching in domestic industry. How can anyone trust such security vendors again?

That is now the pervasive, troubling question that nobody has the answer to. As a customer, you can only demand so much transparency from a vendor, shy of asking to disclose source code or trade secrets. Plus, that’s the reason to find a vendor in the first place – to save the trouble of scrutinizing the technical details in a security solution.

The new reality for a company selecting a security vendor? Here are some of my own thoughts:

  • Stay open-minded about open source. What better software transparency than being able to see every line of code and having a community that constantly scrutinizes?
  • Ask the vendor uncomfortable questions. You know, like “Has your firm ever worked with the NSA in any capacity?”
  • Research outside of the comfort zone. Forget product data sheets, marketing PowerPoints, and analyst commentaries – hope that the Snowden files eventually get dumped on public ground for anyone to go through.

This article is sponsored by Good Technology.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s