Today, RSA once again becomes an independent company, after being owned by EMC and then Dell Technologies for the past several years. I’m commemorating this milestone by looking at a few of my favorite products from the RSA portfolio and set some context for the longevity of this iconic company.
Ironically, for those of you that might not recall the early days of RSA, you may not realize that the actual “RSA” name almost disappeared altogether. This was as a result of an early acquisition by Security Dynamics in July 1996 – fortunately the RSA name was adopted after the acquisition. Speaking of longevity, the company’s initials of course stand for its three founders:
It has been almost 40 years and RSA is still a significant player in the information security marketplace. Formed back when mainframes walked the earth, it has thrived during the Internet era and continues to innovate with new products and new ways to deliver security.
While RSA offers a range of products – from SIEM to integrated risk management – it’s their authentication and fraud prevention products that have frequently caught my attention. At a time when cybercrime is increasing and organizations need solutions to help them secure the future dynamic workforce, these three products will play a significant role in the future of many businesses:
The iconic, one-time-password generator RSA SecurID Access hardware or software token has been around for decades and can be found in the hands (or on the devices) of millions of workers globally. Over the years, the fob form factor has been tweaked, augmented by an added USB port, and other minor changes. This fob can be used in a variety of authentication circumstances, and is a significant multi-factor method. One of the most significant recent developments is something announced last year and involves the Vulcan mind-meld with Yubico’s Yubikey.
What I like about this partnership is that you never have to type another series of PINs ever again. All you need to do is to press the gold-colored button on the Yubikey to acknowledge that you have it in your possession, and the PIN stored within the device will make its way into the RSA SecurID infrastructure and authenticate you.
I like to think of this offering as a marriage between RSA’s longest running and most famous product and the latest authentication standards. It’s worth taking a closer look, especially if you are an existing RSA SecurID Access customer and want to step up your authentication game. As more passwords find their way to various security leak lists, having a hardware key is still the most secure method to protect all of your logins.
If you are using any kind of authentication system, you need to be using adaptive authentication (AA) and the RSA version is a solid product. The issue is that we all have to stop thinking about authentication as a binary event. In the past, you were either authenticated or you were not. What AA does is operate more continuously, checking your actions (defined variously) against trustworthy norms to evaluate whether you are who you should be as you go about your computing daily life. As the criminals get better about compromising our accounts with various phishing lures, AA is going to become an essential defense mechanism.
As I mentioned in a October 2018 blog post, AA can be combined with various RSA multi-factor authentication and biometric tools to beef up your identity and access management strategy and help improve your login security.
As an example of its use, the British credit company New Day has deployed AA to help reduce fraudulent credit card usage. The AA routines pre-screen questionable transactions and determine whether they should be allowed or escalate them to human examiners, thus creating fewer challenges for their customers. These screens include looking for geolocation conflicts (a consumer who is making withdrawals in two different places that aren’t physically near each other) or an odd purchase (someone who hasn’t recently bought a suit such as what happened to me once, which was mildly embarrassing), or making a large cash withdrawal at a new ATM location.
Speaking of fighting fraud, one of the more interesting RSA offerings is a service called RSA FraudAction. This is not a consumer offering but geared towards defending the consumer’s endpoints which are fraud and phishing targets. It is based on having two operations and command centers that provide fraud intelligence and defense. One of them is outside Tel Aviv (where I visited in 2018 and wrote this report for CSOonline) and another located on the Purdue University campus. The centers proactively monitor (typically) a bank’s transactions and block suspect ones, using the AA products mentioned above to provide the risk scores. The goal is to flag something suspicious before the transaction clears, so that both the consumer and the bank are protected. The team also produces regular intelligence reports (such as this sample report) for customers on the various, real-time threats on the Dark Web.
My point in highlighting these three products or services is that they all work together in an interesting way to help you harden your authentication and reduce potential compromises. It’s also a testament for a company that has helped pave the way for the rest of the information security industry and developed a portfolio of solutions that can work together to help you manage digital risk.
Nearly 40 years after its inception at the MIT campus, RSA remains at the forefront of this market and well positioned to help businesses both large and small addresses security, risk and fraud concerns in a world that’s increasingly complex.