RSA has started providing more detail into the mid-March attack on its SecurID token-based authentication system, but to get a fuller story you have to be an RSA customer willing to sign a nondisclosure agreement (NDA).
An NDA means that you agree to keep secret what RSA would be willing to tell you. Sources say RSA is reaching out to its largest customers, especially those in sensitive industries, to get IT executives to sign such NDAs.
[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
ANALYSIS: Should you stop using SecurID tokens?
However, some RSA customers say they aren't willing to do that.
"RSA was asking that I sign an NDA," says Ron Gula, CEO at Tenable Network Security, which uses SecurID tokens for authentication. "I'm suspicious. Why hide it?"
Gula said he doesn't want to feel his hands are tied by agreeing to an NDA, though he hopes in the end it's "all a non-issue" about something that RSA will speak about soon anyway. But it's making him uneasy and he's looking at using other authentication products.
Jon Oltsik, senior principal analyst at Enterprise Strategy Group, says he did sign an NDA. "Let me put it this way, I learned a little more," he says, adding that as an analyst, he doesn't know whether he heard the same discussion RSA is sharing with its customers. He notes RSA is starting to discuss the topic of the break-in more. "We're in uncharted waters. They're trying to be cautious."
"I didn't want to sign an NDA. I think I need to be independent," says Bill Nelson, president of the Financial Services - Information Sharing and Analysis Center (FS-ISAC), the industry forum for collaboration against critical security threats, which interacts with government agencies such as Department of Homeland Security. IT-ISAC uses SecurID, and there's nothing known publicly related to the RSA data breach and SecurID so far to alter the decision to use it, Nelson says.
RSA itself says it has "executed a massive outreach program" that has reached more than 60,000 customers with its security notes about the painful topic, and there have been discussions with more than 15,000 customers by phone, more than 5,000 customers via conference calls and "hundreds of face-to-face meetings." RSA declines to say how many customers have been offered or declined an NDA briefing.
Nelson said he decided to decline to sign an NDA to get yet more information that would be secret. He notes many IT-ISAC members, however, some of whom were angry at first, have signed an NDA, and are now sworn to secrecy.
Nelson says he doesn't know what's in the NDA briefing from RSA. But much of the discussion from RSA in the wake of the March breach disclosure has been about best-practices deployments of the RSA SecurID token system.
Tales have been told over the years about poor implementation of SecurID, where lax security practices were followed, Nelson notes. "They're addressing poor implementations of their products," he says.
Sources close to RSA say not all RSA SecurID customers are being approached to sign an NDA, which means they would not be offered privileged information.