Can RSA repair the broken trust?
Despite Art Coviello's open letter offering to replace tokens for customers, we are still none the wiser as to what assets within RSA were compromised during the breach they suffered in March.
Reading the letter, I see no admission from RSA that its tokens were compromised. Instead, we have an offer to increase certain customers' confidence in the RSA infrastructure they have already invested in. Some are seeing this as an admission from RSA that its database linking tokens to users has been breached. However, RSA still has not confirmed what was breached or what information was accessed, so we are still in the realm of speculation.
This could also be a marketing ploy to rebuild customer confidence regarding the product. Careful reading of the letter shows that RSA is only offering to "replace SecurID tokens for customers with concentrated user bases typically focused on protecting intellectual property and corporate networks", which does not necessarily mean replacing every single token issued.
To me, this lack of clarity and information about what was compromised is the worst part of the RSA breach. Without knowing exactly what was compromised and what impact it has on those using RSA products, it is difficult for customers to know how to ensure their systems are safe. It should be noted that this incident is also a prime example of why companies should take a layered, defence-in-depth approach to securing their networks and information assets. Relying on one technology or solution alone will cause your security to fail should that technology or solution itself become compromised, and let us not forget that RSA is not the first security company to have security issues or concerns with its products.