On January 30, the New York Times acknowledged that it had been a victim of a security breach. The Times claims this was the result of a long, targeted attack allegedly committed by attackers located in China to gain access to corporate email and data. Now it's coming out that the Wall Street Journal and Washington Post were also compromised in similar attacks for similar reasons.
We’ve all heard of Personally Identifiable Information or PII (social security number, driver's license number, birth dates) and Protected Health Information or PHI (medical diagnosis codes, medical history), but have you heard of Personal Password Information or PPI? No?
Advanced Threats are deeply impacting the way we develop secure products by fundamentally changing our working assumptions. We used to design and develop products to be attack resistant assuming that the environment where they will be deployed may be compromised. We now have to develop and design products assuming that every system in the customer environment, in the development environment and in the supply chain may be compromised.
We can reinforce them with other form factors and can use multi-factor authentication in many places, but we have passwords all over the place and that is basically not going to change for the foreseeable future. Something must be done to beef up the security of passwords in general (and of other credentials) to force the bad guys to ever greater costs and difficulty (and lower likelihood of success), and that is the spirit behind RSA’s announcement today of RSA Distributed Credential Protection. But before diving into that, let’s talk about the landscape and the problem scope.
RSA Distributed Credential Protection (DCP) offers the industry a transformative approach to one of its most pressing security problems: massive breaches of sensitive information, such as password databases. DCP distributes secrets across two servers or even two organizations and periodically rotates them through re-randomization. An attacker that breaches one server, or even both of them at different times, learns nothing.
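The split-and-re-randomize property described above can be illustrated with two-party XOR secret sharing. This is an added example, not RSA's code or the DCP protocol itself; the function names and the sample secret are constructed for illustration, and the shares are recombined here only to check the property.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split(secret: bytes) -> tuple[bytes, bytes]:
    """Split a secret into two shares, one per server.

    share_a is uniformly random, so either share on its own is
    statistically independent of the secret.
    """
    share_a = secrets.token_bytes(len(secret))
    return share_a, xor(secret, share_a)


def rerandomize(share_a: bytes, share_b: bytes) -> tuple[bytes, bytes]:
    """Refresh both shares with one fresh mask.

    The XOR of the shares (the secret) is unchanged, but a share stolen
    before the refresh no longer pairs with a share stolen after it.
    Assumption: the two servers agree on the mask over a protected channel.
    """
    mask = secrets.token_bytes(len(share_a))
    return xor(share_a, mask), xor(share_b, mask)


def demo() -> dict:
    # Constructed sample standing in for a stored credential verifier.
    secret = b"constructed-credential-verifier-0001"
    a0, b0 = split(secret)          # epoch 0
    a1, b1 = rerandomize(a0, b0)    # epoch 1
    return {
        "epoch0_pair_recovers": xor(a0, b0) == secret,
        "epoch1_pair_recovers": xor(a1, b1) == secret,
        # Server A breached in epoch 0, server B breached in epoch 1:
        "mixed_epoch_recovers": xor(a0, b1) == secret,
        "single_share_is_secret": a0 == secret or b0 == secret,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
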