Soft Tokens: More of the Same Problems with Information Assurance?
Unfortunately for those concerned with protecting important data - whether financial, healthcare, national security, intellectual property, or the like - the whole brouhaha over the recent break of RSA tokens seems to be fading, replaced by other news, by spin doctors' assurances that "no damage was done", and by the token providers' assurances that a temporary "soft" token approach, followed by the issuing of new hardware tokens, will fix the problem.
Excuse us, but isn't this just asking for more of the same? Why are we in security wedded to a mentality of fixing the problem AFTER it's discovered, then applying the same band-aid, over and over? What does it take for us to learn that the old ways of doing business in IT and security are NOT working?
Perhaps we should step back and consider the reality. Yes, it's true that millions of users are issued tokens, and not all of them have been broken. And it's true that it's sometimes costly and a bit disruptive to change the way we do business, or the way we ask our customers to handle access to their data. But isn't protecting data before it leaks out and causes potentially irreparable harm really what we are supposed to do? We seem to have lapsed into the mindset of staying a half-step ahead of the bad guys, followed by a scramble to fix the problem - rather like the little boy with his finger in the dike, really. When a new hole appears - and it inevitably does - we scramble to fix that one.
No doubt, as recent coverage of the many big data breaches, such as those at Epsilon and Citibank, has made clear, attackers are more clever, persistent and motivated than ever. And the IT security industry, no matter how smart, will never achieve a crime-free nirvana. But what is really frustrating to many companies offering real solutions, like the proven, widely available and very inexpensive Trusted Platform Module, is that such solutions are NOT being implemented, simply because they're a bit different.
There are 500 MILLION PCs, and many more embedded devices, with a TPM already on board. Software to set up and manage that TPM has been available, tested, vetted and improved. The TPM supports multi-factor authentication and offers a hack-free approach, based on proven hardware security techniques, to protecting data and systems. And it can protect against malware, detect system changes and protect networks.
What are you waiting for? See you in the headlines!