Australian banks holding sensitive Australian data onshore while outsourcing token management offshore is hypocritical, according to SafeNet regional manager Vince Lee. However, IBRS advisor James Turner disagreed, saying companies should be more concerned about token vendor lock-in.
Following RSA's recent security breach, which caused it to reissue tokens for customers including several Australian banks, Lee has called organisations that store their encrypted data onshore and outsource the keys offshore hypocrites.
Lee wrote on SafeNet's The Art of Data Protection blog that some governments take the view that data may be stored offshore and still be treated as held locally, provided it is encrypted and the keys remain onshore. However, he stated that some Australian banks and government agencies are effectively doing the reverse: storing the information onshore while outsourcing key or token management offshore.
Westpac is one example of an organisation that moved its data to a private cloud in collaboration with EMC, the parent company of RSA. Westpac said that it couldn't let its data go offshore, limiting its choices to smaller Australian cloud providers. However, Westpac uses RSA tokens.
"That some Australian banks and government agencies [do this] is particularly ironic in the context of the data sovereignty debate about the security of cloud computing infrastructure and whether sensitive data should remain onshore," Lee wrote.
"In relying on RSA tokens, local customers find themselves in a similar position to organisations that host unencrypted information with an offshore cloud infrastructure provider. It has become clear that control over who accesses sensitive information protected by these tokens has, to a significant extent, been moved offshore."
However, Turner said that it doesn't matter where the keys are stored, just as long as organisations aren't locked to a single provider and can change if the vendor is compromised.
"Why on earth should we be so separatist as to pretend that there's something inherently unsafe about an overseas vendor — just because they're overseas?" he said.
"It doesn't matter where the vendor is from: if that vendor has a catastrophic incident, the more tightly an organisation depends on that vendor's product, the more significant the impact will be."
While many organisations might benefit from committed relationships with vendors, Turner suggested avoiding vendor lock-in where possible.
"We saw an example of this recently where a local hosting provider was unable to support its clients. As long as the clients were locked in to that vendor, then they were suffering," he said.
"If the clients had been able to quickly swap to another vendor then the impact could have been lessened."
With so many vendors running their own proprietary systems for two-factor authentication, the problem of vendor lock-in is more pronounced, he said, adding that customers would have problems whenever any one vendor is hacked, until authentication products are completely standardised and interchangeable.
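As an added illustration of Lee's point that whoever holds the token material holds control over access, and of why Turner's call for interchangeable products matters, here is a worked example that is not part of the original article. It uses the open TOTP standard (RFC 6238, built on HOTP from RFC 4226) rather than RSA's proprietary SecurID algorithm, which is not public; the vendor seed database, the token serial and the helper names are constructed for the example, and the seed itself is the published RFC 4226 test key. What it shows: a party holding a copy of the vendor's seed record computes exactly the code the physical token displays, so the seed file is the access-control key wherever it is stored, and the only remedy after it leaks is to reissue seeds.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"), base32-encoded.
# Used here as the constructed seed of one hypothetical token.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed stand-in for a vendor-side seed database: serial -> base32 seed.
# The serial is hypothetical and not tied to any real product.
VENDOR_SEED_RECORDS = {"TOKEN-0001": RFC_TEST_SEED_B32}

TIME_STEP = 30  # seconds per TOTP interval


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(seed_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(seed_b32, unix_time // TIME_STEP, digits)


def verify_totp(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.
    Constant-time comparison so the check does not leak matching digits."""
    for drift in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def code_from_leaked_seed_record(records: dict, serial: str, unix_time: int) -> str:
    """What a party holding a copy of the vendor's seed file can do: compute the
    currently valid code for any serial in it, without touching the physical token."""
    return totp(records[serial], unix_time)


def token_and_leak_agree(records: dict, serial: str, unix_time: int) -> bool:
    """The token (holding the seed) and an attacker (holding the leaked record)
    derive the same code, and the server accepts it: possession of the seed
    is possession of the second factor."""
    token_display = totp(records[serial], unix_time)
    attacker_code = code_from_leaked_seed_record(records, serial, unix_time)
    accepted = verify_totp(records[serial], attacker_code, unix_time, window=0)
    return accepted and token_display == attacker_code


def reissue_token(records: dict, serial: str, new_seed_b32: str) -> None:
    """Vendor response after a seed-file compromise: replace the seed so that
    codes derived from the leaked record stop verifying. The old token is now
    useless, which is why affected customers had to be sent new ones."""
    records[serial] = new_seed_b32


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; falls in time step 1
    print(totp(RFC_TEST_SEED_B32, t))  # 287082, the RFC 4226 value for counter 1
    print(token_and_leak_agree(VENDOR_SEED_RECORDS, "TOKEN-0001", t))
```

Because TOTP is an open standard, the same seed can be loaded into any compliant token or app, which is the interchangeability Turner describes; a proprietary scheme ties the customer to whichever vendor holds both the algorithm and the seeds.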