by Jo Rhett, Senior Technical Consultant at Taos
Over the past decade most companies have come to accept ongoing security evaluations as a cost of doing business. Companies take pride in the careful evaluation of vendor products and processes done to limit risk. However, the last two months of revelations have shown us that this straightforward approach is no longer enough.
Revelations in 2012 that Google, Microsoft, and other cloud business vendors were providing customer data to the U.S. government’s PRISM program without a warrant [1] woke many up to the risks inherent in cloud storage. However, the last few months haven’t been easy reading for companies who avoid cloud storage either.
Enterprise businesses were shaken by December’s revelations that RSA helped the NSA promote a flawed random number generator, and shipped it as the default/preferred generator in their BSafe Toolkit [2]. The BSafe product line is intended for application developers, and is used almost exclusively by large enterprises. Given that many freeware alternatives exist, a company chooses the BSafe toolkit to get security expertise from a top-ranked company [3].
This point is important, so let’s spell it out. The NSA gave RSA a significant portion of RSA’s annual revenue to make an insecure random number generator the default in a product sold almost exclusively to large enterprises.
Many people are raising the obvious questions about violations of trust. I think there is another lesson we need to keep in mind: you don’t have to put your data in the cloud to become the product your vendor is selling.
Security products have been cracked before, but until now cracks in encryption software created by industry-leading companies had been a fairly rare experience. Most security failures to date have been due to broken processes, such as when Verisign gave two Microsoft software-signing certificates to a non-employee [4].
Very few businesses can hire the best cryptographers to ensure the safety of each algorithm they depend on. Each business tries to select the best vendor, with the best processes, to provide that security. Without security expertise within the company, most look for market leaders to trust. RSA has demonstrated that this trust cannot be purchased.
The sad truth is that I doubt they are the first to have done this, and I suspect that others who have done or are now doing this have not yet been discovered. The only question is, who are they? We know that the government-run venture capital firm In-Q-Tel [5] seeks out and finances companies who can assist its efforts in intelligence gathering. Are there other investments we don’t know about? Are their choices safe for my business? How can I identify the bad actors? Who can I trust?
I believe the answer lies in a core tenet of cryptographic verification: Trust No One. Or perhaps better, as the Russians like to say: Trust, but Verify. I think that every company needs to choose their vendors carefully, then acquire or hire expertise to examine their choices. You cannot purchase security in a single product. One day you might become the product that vendor is selling.
Security can only be created through vigilance. More than ever before, businesses need competent partners who have no vested interest in any one solution to test and validate their security.
1. Details of the PRISM program were leaked to The Guardian: http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data
2. Reuters’ report on the RSA/NSA deal: http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220
3. For information on why random number generation is so important to cryptography, and how the generator that RSA promoted for the NSA is flawed, see http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115