“There is no ‘overkill.’ There is only ‘open fire’ and ‘reload’.”
“An injured friend is the bitterest of foes.”
“…Others have no right to do things to you without your consent, or take the things you value without your consent.”
F. Paul Wilson, attributed to the fictional “Second Book of Kyfho, Easter Sect Edition” in An Enemy of the State.
RSA has announced the availability of RSA Authentication Manager Express, a strong-authentication offering for SMBs built around simplicity, affordability and efficiency: get the result with an optimal use of resources and little to no overkill*.
There are many definitions of security (such as the confidentiality-integrity-availability triad I’ve mentioned in the past), and much of the focus is on risk (or at least risk mitigation) as the ultimate function of security personnel and programs. The best single measure of security I can think of, though, is cost to break: what it costs an attacker, in money, time and skill, to defeat a control.
In the case of financially motivated cyber-criminals, it’s all about ROI (see Understanding the Crowd Part 1 and Part 2). The items they care about are revenue, cost, risk and, ultimately, profit. The “cost” term is the one defenders control, and as I mentioned in my bear post, keeping the bad guys re-investing and high on the cost curve for their attack vectors is almost as important as the brute arithmetic of maintaining a high cost to break.
In the case of non-financially motivated cyber-activities (i.e. when money isn’t the primary motivator), there is still a cost function. Whether the actor is a national espionage program, a lab, terrorist sympathizers or hacktivists, the cost side of the equation and all its components (cost to host, cost to develop, time to develop, tool cost, staging and operations costs and so on) are major factors in feasibility and success. Even with near-infinite funds, cost still slows the attacker down and adds complexity, and both limit the effectiveness of the bad guy.
Risk is a little different: it’s about probabilities and likelihood. With an intelligent opponent and a complex system there is always some chance of something bad happening and of the bad guy profiting. The victim can suffer even when the bad guy never cashes out, since regulatory fines and penalties pile up on operations with poor procedures, training or automation.
In my previous post, “The Continued and Future Growth of Authentication,” I described the evolution of RSA’s authentication options and portfolio. The stages and milestones in that advancement have led to more options, more flexibility and more ways to optimize the investment in defense so as to minimize an organization’s risk from fraud, identity theft and impersonation.
Optimization is the key word here: apply the right amount of resource (before you hit diminishing returns) to achieve your result, and no more. It’s hard to get this right in general, but for SMBs in particular it’s important to bring the right tools to bear in a way that larger enterprises, with their relatively massive resources, sometimes have trouble appreciating.
So what do we get with the new offering? First, simplicity: the solution must be simple. For RSA Authentication Manager Express we borrowed from the power of the RSA SecurID authentication infrastructure in RSA Authentication Manager and, with some additional work, created a lightweight yet solid back-end. That in itself wasn’t the hard part; the hard part was making it an easy-to-use, install-and-go appliance.
Next, efficiency: the solidity and flexibility of RSA Authentication Manager is combined with the risk-based tools pioneered in RSA Adaptive Authentication and a simple form factor, so that the solution impedes productivity as little as possible. The result is strong authentication applied when it’s needed and to the right degree, raising the cost to break where it counts.
RSA Authentication Manager Express does not rely on the more common enterprise strong-authentication form factors (SecurID tokens or digital certificates). Those have an inherently high cost to break, but they also carry higher management costs and add some friction for users. Instead, it uses behavior profiling and a risk engine to learn what normal and abnormal use look like for each user and, most importantly, to flag the high-risk situations that require strong authentication, based on the activity patterns that over time have proven indicative of fraud and theft. In other words, it challenges and interrupts the user’s flow only when the risk is most likely to be elevated.
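To make the step-up idea concrete, here is an added example of the pattern described above; it is illustration code written for this post, not RSA Authentication Manager Express or any RSA risk engine. The profile fields (known devices, usual countries, usual login hours), the signal weights and the two thresholds are all assumptions chosen to show the mechanics: a low-risk login passes silently, an anomalous one is interrupted with a step-up challenge, and a badly anomalous one is refused. The login attempts are constructed sample data.

```python
"""Minimal behaviour-profiling risk engine for step-up authentication.

Illustration only (not the product's engine): scores a login attempt against
what the engine has learned is "normal" for the account, then decides whether
to allow it, interrupt it with a step-up challenge, or deny it.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """Learned normal behaviour for one account (assumed shape)."""
    known_devices: set[str] = field(default_factory=set)    # device fingerprints seen before
    usual_countries: set[str] = field(default_factory=set)  # ISO country codes seen before
    usual_hours: set[int] = field(default_factory=set)      # hours (0-23) the user normally logs in


@dataclass
class LoginAttempt:
    """One authentication attempt, as the engine would see it."""
    device_id: str
    country: str
    hour: int             # hour of day of the attempt
    failures_before: int  # failed password attempts immediately preceding this one


# Signal weights are assumptions for illustration; a real engine tunes or learns them.
WEIGHTS = {
    "new_device": 50,    # device never seen for this account
    "new_country": 40,   # login from a country never seen for this account
    "odd_hour": 10,      # outside the user's usual login hours
    "failures": 10,      # per preceding failed attempt, capped at 3
}

STEP_UP_THRESHOLD = 40   # at or above this score, demand strong authentication
DENY_THRESHOLD = 110     # at or above this score, refuse the attempt outright


def score_attempt(profile: UserProfile, attempt: LoginAttempt) -> tuple[int, list[str]]:
    """Return (risk score, list of signals that fired) for the attempt."""
    score = 0
    reasons: list[str] = []
    if attempt.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]
        reasons.append("new_country")
    # Cold start: with no hour history yet there is no baseline, so the hour signal stays off.
    if profile.usual_hours and attempt.hour not in profile.usual_hours:
        score += WEIGHTS["odd_hour"]
        reasons.append("odd_hour")
    if attempt.failures_before > 0:
        score += WEIGHTS["failures"] * min(attempt.failures_before, 3)
        reasons.append("failures")
    return score, reasons


def decide(profile: UserProfile, attempt: LoginAttempt) -> tuple[str, int, list[str]]:
    """Map the score to an action: 'allow', 'step_up' or 'deny'."""
    score, reasons = score_attempt(profile, attempt)
    if score >= DENY_THRESHOLD:
        return "deny", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def learn(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Fold a login that succeeded (directly or after step-up) into the profile.

    Only successful logins are learned, so a flood of failed attempts cannot
    teach the engine that an attacker's device or location is 'normal'.
    """
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)
    profile.usual_hours.add(attempt.hour)


if __name__ == "__main__":
    # Constructed sample data: a user who normally logs in from one laptop in the US, 08:00-18:00.
    alice = UserProfile(known_devices={"laptop-1"}, usual_countries={"US"}, usual_hours=set(range(8, 19)))
    samples = [
        LoginAttempt("laptop-1", "US", 10, 0),   # routine login
        LoginAttempt("phone-9", "US", 10, 0),    # new device, otherwise normal
        LoginAttempt("laptop-1", "RO", 3, 3),    # known device, new country, 03:00, after 3 failures
        LoginAttempt("phone-9", "RO", 3, 1),     # everything anomalous at once
    ]
    for a in samples:
        print(a, "->", decide(alice, a))
```

The interesting property is the one the paragraph above argues for: a user who logs in from the device, place and hours they always use is never asked for a second factor, so the everyday cost of the control is near zero, while an attacker who has only a stolen password must also match the victim’s device and location before the step-up challenge goes away. The `learn` step should be called only after a successful login so failed guesses cannot poison the baseline, and the thresholds are the knob an SMB would tune between “too many challenges” and “too few”.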
Why the SMB focus? That one is simple: the typical SMB has lower adoption of strong authentication, less IT staff and even less security expertise to draw on; witness how heavily SMB infrastructure has been exploited as botnet infection fodder. As financially motivated criminals assess their target choices, the SMB is arguably a target-rich, high-volume environment. Beefing up security here (in several ways) may be the best way to raise the overall, average cost to break of Internet systems and make a dent in cyber-criminal activity.
The demands on SMBs are no less onerous than on large organizations, either. They have the same constantly changing environments to deal with, and the same expectation that IT will “not get in the way” while still “achieving results,” demands that pull against each other and can paralyze staff and weaken a company’s defensive posture.
There’s more coming in the future, but I’m excited to see tools that are simple, efficient and affordable move down-market to meet real-world security needs and to shore up those who need it most: organizations facing enterprise-caliber external attacks, organizations under pressure to support new collaboration and productivity tools, organizations that have to demonstrate compliance, and organizations that need to be fast, strong and good out of the gate. So let’s raise the cost to break and give SMBs the tools they need to keep the bad guys out of their business too.
* “Overkill” is an amusing notion in itself – things that are “overkilled” are pretty much still dead.