
RSA SecurID Access


The February release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. See below for this month’s key updates.

 

Monitor Current and Historic Cloud Availability

This month, we are publishing a web page where customers can learn the current status of the Cloud Authentication Service (CAS) and recent history - Monitor Uptime Status for the Cloud Authentication Service 

This page allows you to:

  • Check current service availability
  • View recent uptime percentage
  • View historical uptime percentage

The page displays a list of services. The embedded URL identifies which services belong to your company.

In addition, the RSA SecurID Access Health Check API  enables customers to access this information from their own monitoring applications, to incorporate the cloud authentication service status into their overall enterprise visibility.

 

Improved Availability with Global Disaster Recovery Sites

To help assure the highest availability, RSA maintains a disaster recovery environment for the Cloud Authentication Service across all regions. When the Cloud Authentication Service environment becomes unavailable for any reason, your deployment automatically switches to the disaster recovery environment. Please refer to the release notes below and the setup documentation for directions on how to test your configuration to ensure it can reach the alternate site when needed.


Go here for more details: 
Test Access to Disaster Recovery Environment 

Streamlining mobile application registration using AppConfig

For customers using enterprise mobile management (EMM) tools that support the industry “AppConfig” standard (info here), the RSA SecurID Authenticate app can now interface with those tools during registration. Specifically, information from the EMM can be used to pre-populate the Authenticate application, streamlining and simplifying the device registration process for end users, and also making the process more secure since the registration information used is controlled.

 

Go here for more details:  Deploying the RSA SecurID Authenticate App in EMM Environment 

 

For further details on all the new and updated capabilities of the February release, please refer to the Release Notes here: RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App

 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

It's official - time to get your creative juices flowing as the RSA Charge 2019 'Call for Speakers' (C4S) is now open and awaiting your submissions!

 

As you are aware, the RSA Charge events represent all RSA products and an increasing number of customers across solutions attend this one-of-a-kind event each year. The RSA 2019 Charge promises to be the biggest event in our history of RSA Charge and Summit conferences. 

 

The RSA Charge event is successful in no small part because of the stellar customer submissions we receive each year. We invite you to submit your presentation brief(s) for consideration. (That's right, you may submit more than one submission brief!)

 

This year for the first time the '8' Tracks for RSA Charge 2019 are identical across all products and represent all RSA solutions. We are pleased to present them to you:

 

Transforming Your Cyber Risk Strategy - Cyber-attacks are at the top of the list of risks for many companies today.  Tell us how you are approaching reducing this risk utilizing RSA products.

 

Beyond the Checkbox: Modernizing Your Compliance Program - The regulatory landscape is always shifting.  How are you keeping up and what steps are you taking towards a sustainable, agile compliance program?

 

Aligning Third Party Risk for the Digital Transformation - Inherited risk from your business partners is a top of mind issue.  Third party risk must be attacked from multiple angles.  Share your strategy.

 

Managing Operational Risk for Impact - Enterprise risk, operational risk, all things risk management.  Share your experience and strategy on how you identify, assess and treat risk across your business operations.

 

View from Above: Securing the Cloud - From security visibility to managing organizational mandates, what is your risk and security strategy to answer the "go to cloud" call.

 

Under the RSA Hood: Managing Risk in the Dynamic Workforce - The workforce has become a dynamic variable for many organizations - from remote users to BYOD to contractors and seasonal workers.  How are you addressing this shift?

 

Business Resiliency for the 'Always On' Enterprise - The world expects connectivity.  When the lights are off, the business suffers.  Tell us how you are ensuring your business is 'always on' - business continuity, recovery, crisis management and the resilient infrastructure.

 

Performance Optimization: RSA Product Learning Lab - Share your technical insights of how you use RSA products to meet your business objectives.  Extra points for cool 'insider' tips and tricks.

 

We know you have great stories to share with your peers, best practices, teachings, and how-to's. We hope you consider submitting a brief and thank you in advance for your consideration. More information can be found on the RSA Charge 2019 website (scroll to bottom of page) including the RSA Charge 2019 Call for Speakers Submission Form. Submission should be sent to: rsa.events@rsa.com.

 

Call for Speakers 'closes' April 19. 


 

The January release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. These updates help enterprises provide secure and convenient authentication choices for their users.

Updated Android Push technology - update your app!

Google Android has migrated to new push notification technology - Firebase Cloud Messaging (FCM).  The RSA SecurID Authenticate mobile app for Android now supports the newer, more secure push technology.  As a result, all users of the Android app must update their phones with this latest app version (v2.2.1) by March 31, 2019 to continue using push authentications. Please be sure to notify all your Android users of this important update requirement.

Help Desk your way: Administration APIs to integrate CAS into your application

In November, we announced the release of a series of administration APIs, to support the integration of RSA SecurID® Access with your service desk applications.

 

Using these REST APIs, integrated into your service desk application, allows your Help Desk staff to use familiar user interfaces to perform various user management tasks for RSA SecurID® Access users. 

 

This month, we extend the range of these APIs to include user management functions (enable, disable, sync, delete), and expanded user search capabilities.

 

Using our APIs to integrate SecurID Access administrative functions into your existing service desk application can help accelerate administrators’ learning curve for adopting RSA SecurID® Access and reduce training requirements for your help desk administrators.

 

Related to this, the RSA Professional Services help desk solution “RSA SecurID Access Prime” (formerly known as “AM Prime”) has been updated, using these APIs to provide insight into cloud users. It’s really exciting to see how this great help desk solution, used by many of our largest customers, can now expose a single unified interface for management of both token and mobile (cloud) users.

Updated documentation on high availability configurations

RSA SecurID Access is so critical to the operation of our customers’ applications, that high availability configurations of the identity router are routine.  As such, we have updated our product documentation to better explain how to configure IDR connections for high availability deployment. We hope this will make your SecurID Access set up more straightforward.

Additional Identity Source option

RSA has qualified Microsoft Active Directory 2019 for use as an identity source with the Cloud Authentication Service, expanding your configuration options.  Note that this applies only to the cloud service - Authentication Manager will target the updated support in a future release.

 

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for. (see link below for complete list).

 

Later this week, these new connectors are planned for release: Pacific Timesheet, Illumio, Float, Teem, Keeper Password Vault.

 

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

 

For further details on all the new and updated capabilities of the January release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

During 2018, RSA has made several improvements to better support your ability to protect RADIUS-based resources using RSA SecurID® Access Cloud Authentication Service capabilities.  In this way, RSA SecurID® Access becomes even more pervasive, supporting access across a variety of traditional and cloud use cases.

 

For RADIUS-based applications we delivered the following improvements to customers through our cloud offering:

  • Expanded the choice of authenticators (e.g., SMS, Voice support) to provide more flexibility
  • Helped customers meet the latest PCI 3.2 guidance by supporting multi-method mode for supported VPN clients
  • Enabled Auto-push for mobile MFA to reduce end-user friction during authentication
  • Improved end-user experience for application-specific clientless SSL VPN (e.g., VPN for OWA) when users access VPN through browsers
  • Provided MFA only option to achieve passwordless behavior where primary trust is established through certificates or SSH keys between end-user devices and RADIUS clients

Looking ahead into 2019...you may want to use Active Directory (AD) user attributes in making granular authentication decisions for your RADIUS-based applications, all controlled by RSA SecurID®  Access policies.  We will continue to improve your ability to protect RADIUS based applications and make it more powerful through granular controls and policies.

 

Below is a deep dive into RADIUS specific features that were delivered in 2018.

 

Auto-Push for RADIUS logins 

Auto-push for RADIUS, when configured for a user, can send a push notification on a registered phone, after the user enters User ID and password. The extra step (Fig 1.) of selecting an authentication method at each RADIUS-based login is not required.  (Note:  this Auto-Push capability is available ONLY if passwords are used for primary authentication).  

How and where to configure Auto-Push: Add a RADIUS Client for the Cloud Authentication Service 

RADIUS for the Cloud Authentication Service Overview  

Users always have the flexibility to choose other authentication options if their mobile device is not handy during the time of authentication (e.g., lost, left at home, the RSA Authenticate app not registered).

 

Fig.1 Auto-push for RADIUS (a sample screenshot using Cisco ASA AnyConnect desktop client)

 

Password-less / step-up only RADIUS

If the RADIUS client (e.g., a VPN, a privileged access management solution) is configured to perform primary (e.g., a password) authentication, RSA SecurID Access no longer prompts for the user to enter their password a second (redundant) time thereby improving end-user experience.

 

If certificates or SSH keys are used to establish trust in lieu of passwords (as primary authentication), the step-up only RADIUS becomes more beneficial as the user is only challenged once (for step-up) for proving the user’s identity.  This feature enables customers to have a password-less MFA experience for RADIUS based logins. A classic example could be your Privileged Account Management (PAM) systems where primary trust is established through SSH keys for your admins and RSA SecurID® Access used as secondary authentication.

 

The step-up only feature helps customers comply with the latest PCI DSS 3.2 guidance. Under this configuration (multi-method mode), RSA SecurID®  Access prompts for password and MFA in a single screen and doesn’t act on a second authentication factor sequentially, based on the outcome of the primary authentication. This approach to verification is consistent with the latest Payment Card Industry Data Security Standard (PCI DSS) guidelines. Any VPN application (e.g., Cisco, Palo Alto) that supports the multi-method mode could start using this feature to help be PCI DSS 3.2 compliant. 

 

For more information on these capabilities, refer to:  https://community.rsa.com/docs/DOC-75832#RADIUS5 

 

 

Fig.2 Sample RADIUS Multi-method mode & passwordless end-user screens

 

Improving end-user experience for Cisco Clientless SSL VPN (RADIUS)

This feature enhances the user experience for application-specific VPN access - when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end-users with an improved user experience for Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from RSA SID Access Cloud authentication console and deploy the toolkit in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access or to create captive portals on a wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integrations because of the inherent flexibility and power of configuring security policies, but this comes at the expense of a reduced user experience. With our new web toolkit, customers can continue to use RADIUS-based integration while providing a great user experience for their end users. You can provide a better user experience whether a user is trying to access OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the Auto-Push notification and provide a passwordless experience to RADIUS-based applications using this new web toolkit and elevate your end users' experience.

 

Fig 3. Cisco ASA Clientless SSL VPN step-up authentication end-user experience

 

Adding Flexibility: SMS and Voice authentication comes to RADIUS

Although hardware tokens (and then software tokens) are the classic protection for RADIUS-based resources, RSA now supports a wide variety of additional modern mobile authentication methods. Mobile Push has been available for some time, as has a mobile application (RSA’s Authenticate app) OTP.  The RSA SecurID® Access Cloud Authentication Service added SMS and Voice authentication options for RADIUS in early 2018, so now even users without a token and without the Authenticate app on their mobiles can authenticate to RADIUS based resources via SMS (or voice) delivered OTP. This can be much more convenient for infrequent and external users.

 

 

Fig 4.  SMS used for RADIUS authentication

 

For more information on these capabilities and others, please see the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

Scammers and fraudsters are an unfortunate part of everyday life in the early 21st century.  Companies buy RSA products to keep their networks, their data and their people safe from these bad guys.

 

The RSA SecurID Access community is a place to ask questions of our skilled support staff and share tips and tricks you have learned with other users.  

 

That being said, please be aware that this community, along with others on RSA Link, is open to the public and can be searched via web browser.  This openness allows for your posts to be mined for data you may have posted unintentionally.

 

For this reason, we want you to keep your data as secure on our community as you do in your deployments.

 

Please find our tips below for posting questions and comments on RSA Link:

 

1.  Do not include the FQDN and/or IP addresses in your posts or in screen shots.  

 

Before posting snippets of log data or a screenshot of an error message, be sure to scrub private data such as the FQDN of your Authentication Manager servers and agents, other authentication devices, etc.  This includes references to network devices in a network diagram, etc. 

 

If you need to post log data to RSA Link, it is easy enough to do a quick search and replace, changing authmgr83p.acme.com, authmgr83r1.acme.com and authmgr83r2.acme.com to primary.domain.com, replica1.domain.com and replica2.domain.com.  Be sure to also mask your agents and other devices in the same way. 

 

Replace IP addresses with x.x.x.1, x.x.x.2, etc. 

 

You will find FQDNs and IP addresses in the files contained in the troubleshooting logs generated via the Operations Console and in logs downloaded from your RSA Authentication Agents or other authentication devices, such as your VPN, PAM agents, etc.

 

For screen shots, the example authentication activity monitor shown below has any sensitive information redacted.

 

The logs above are only for two users (one user whose entries are white, the other user whose activity is in red).  If you have an authentication activity report with multiple users showing, you can scope the report to a specific user ID or, if you need to show multiple users in one report, you can color code the entries, as shown here:

 

 

It's not pretty, but it protects your data.

 

2.  Do not include user IDs in your posts.

 

If you give an example of a corporate standard for your user IDs, it is easier to extrapolate out the patterns your company uses, giving a nick in your armor to the bad guys.  Provide an example user ID in a format other than what you use in your environment.  If you format user IDs as smithj25, provide your example as jsmith.

 

3.  Do not include license numbers, token serial numbers or their output in your posts.

 

Providing even one token serial number from a batch that your company purchased allows scammers to know some or all of the token serial number ranges you own. 

 

Redact this information from screen shots or replace the numbers with xxxxxxxxxxxx.  To refer to multiple tokens, say for different users having an issue, try xxxxxxxxxxx1, xxxxxxxxxxx2, xxxxxxxxxxx3, etc.  Never post any token seed media or output from token seed media to RSA Link.  This includes the following files and any content inside them:

 

  • The license xml file,
  • The token seed xml, 
  • A decrypt-codes[xxx-xxx-xxx].zip, 
  • A CT-KIP string, or
  • A Compressed Token Format (CTF) file, also known as an .sdtid file.
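
The search and replace described in tips 1 to 3 can be scripted so that each real value always maps to the same placeholder and entries stay correlatable. This is an added example, not part of the original post or any RSA tool; the log layout, the `Scrubber` class, the 12-digit serial pattern and the `deviceN`/`userN` placeholders are assumptions made for illustration.

```python
import re

# Constructed sample lines (not real Authentication Manager output). Host names
# follow the post's example; IPs, user IDs and serial numbers are made up.
SAMPLE_LOG = """\
2019-02-15 10:02:11 authmgr83p.acme.com auth OK user=smithj25 agent=vpn01.acme.com 10.20.30.40 token=000123456789
2019-02-15 10:02:15 authmgr83r1.acme.com auth FAIL user=doea07 agent=vpn01.acme.com 10.20.30.41 token=000123456790
2019-02-15 10:03:02 authmgr83p.acme.com auth OK user=smithj25 agent=pam02.acme.com 10.20.30.40 token=000123456789
"""

# Real name -> role-based placeholder, as suggested in the post.
HOST_MAP = {
    "authmgr83p.acme.com": "primary.domain.com",
    "authmgr83r1.acme.com": "replica1.domain.com",
    "authmgr83r2.acme.com": "replica2.domain.com",
}

# Dotted quads; this also hits four-part version strings, which errs on the
# side of over-redaction.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Assumption: token serial numbers appear as standalone 12-digit runs.
SERIAL_RE = re.compile(r"(?<!\d)\d{12}(?!\d)")


class Scrubber:
    """Replace private identifiers with stable, numbered placeholders."""

    def __init__(self, private_domain, host_map, user_ids=()):
        self.domain = private_domain.lower()
        self.host_map = {k.lower(): v for k, v in host_map.items()}
        # Any name under the private domain, whether listed in host_map or not,
        # so agents and other devices are masked too.
        self.fqdn_re = re.compile(
            r"\b(?:[a-z0-9_-]+\.)*" + re.escape(self.domain) + r"\b",
            re.IGNORECASE)
        # User IDs cannot be recognised generically; the caller lists them.
        self.user_re = re.compile(
            r"\b(?:" + "|".join(re.escape(u) for u in user_ids) + r")\b",
            re.IGNORECASE) if user_ids else None
        self.devices, self.ips, self.serials, self.users = {}, {}, {}, {}

    @staticmethod
    def _stable(table, key, make):
        # First sighting gets the next number; later sightings reuse it.
        if key not in table:
            table[key] = make(len(table) + 1)
        return table[key]

    def _host(self, match):
        name = match.group(0).lower()
        if name in self.host_map:
            return self.host_map[name]
        if name == self.domain:
            return "domain.com"
        return self._stable(self.devices, name,
                            lambda n: f"device{n}.domain.com")

    def scrub(self, text):
        text = self.fqdn_re.sub(self._host, text)
        text = IPV4_RE.sub(
            lambda m: self._stable(self.ips, m.group(0),
                                   lambda n: f"x.x.x.{n}"), text)
        text = SERIAL_RE.sub(
            lambda m: self._stable(self.serials, m.group(0),
                                   lambda n: str(n).rjust(12, "x")), text)
        if self.user_re:
            text = self.user_re.sub(
                lambda m: self._stable(self.users, m.group(0).lower(),
                                       lambda n: f"user{n}"), text)
        return text


def leftovers(text, secrets):
    """Return the sensitive strings that still appear in text (case-insensitive)."""
    low = text.lower()
    return [s for s in secrets if s.lower() in low]


def scrub_sample():
    scrubber = Scrubber("acme.com", HOST_MAP, user_ids=["smithj25", "doea07"])
    return scrubber.scrub(SAMPLE_LOG)


if __name__ == "__main__":
    print(scrub_sample())
```

Run `leftovers()` over the scrubbed text with your real domain, address prefixes and ID patterns before posting; screenshots still need manual redaction.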

 

4.  Don't attach database exports to your posts.

 

They should be too large to attach anyway, but we just want to spell this out.

 

Best practice guidelines

 

We'd rather you err on the side of caution and have to request more information from you than have you provide too much that may not even be needed.  When posting follow these simple rules:

 

  • Redact all private information in your posts.
  • Be careful about the information you attach to the post.
  • Post your redacted information and wait for a reply from a support engineer who will either answer your concern or suggest you open a case by contacting RSA Customer Support.

 

If you have any questions about what is OK or not OK to post, drop a comment below and we will be happy to answer you.

 

 

The November release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This month, we expand deployment flexibility in a number of different ways to provide even more business agility and operational efficiency, empowering your admins and users to have the flexibility they need to support business needs.

Identity Router in the cloud - Amazon Web Services Deployment

It is now possible to install the Identity Router (IDR) in your private Amazon Web Services (AWS) space, saving time and effort to deploy the IDR in your on-premises environment.

 

No longer does RSA require an on-premises footprint for the IDR.

 

From AWS EC2, the Identity Router connects back to your on-premises Active Directory/LDAP identity source to support a hybrid cloud deployment. Using this hybrid cloud deployment model, you can continue to host your Authentication Manager on-premises and use RSA SecurID hardware/software tokens to protect critical cloud applications. The Identity Router in AWS will connect to your on-premises Authentication Manager via a VPN connection or AWS Direct Connect. Having said that, watch for further cloud deployment developments next month on the Authentication Manager side!

The Identity Source can also be hosted in AWS or other cloud environments (ex: Azure) to support a full multi-cloud deployment.

The download and distribution of IDR AMI image is fully automated. Administrators can launch an AMI image in EC2 by entering your relevant AWS account credentials in RSA’s Cloud Authentication Service console. The AMI image will be shared securely to your private EC2 space based on explicit permissions for those specific AWS accounts.

This now gives you 3 flexible deployment options for the IDR:  VMware, Hyper-V and AWS.

Help Desk your way: Administration APIs to integrate CAS into your application

This month, we are announcing the release of a series of administration APIs, to support the integration of RSA SecurID® Access with your service desk applications.

Using these REST APIs, integrated into your service desk application, allows your Help Desk staff to use familiar user interfaces to search for RSA SecurID® Access users, unlock their devices, delete unused devices and update SMS and Voice option telephone numbers. 

This integration can help reduce the learning curve for adopting RSA SecurID® Access and reduce additional training requirements for your help desk administrators.

Stay tuned here! More APIs to support additional use cases are planned for subsequent releases.

Expanded device self-service to reduce Help Desk calls

This month, the new MyPage self-registration portal adds a capability for a user to delete their device. Using this in conjunction with the previous registration capability means a user can add, delete or change (via delete of old and add of new) a device.  A major step forward to empowering end user self-service and thereby reducing Help Desk traffic!

Expanded RADIUS support - Clientless SSL VPN support

This month, we add a new feature enhancing the user experience for application-specific VPN access - when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end-users with an improved user experience for Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from RSA SID Access Cloud authentication console and deploy the toolkit in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application specific VPN access, creating captive portals on the wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integrations due to the inherent flexibility and power of configuring security policies. But this can come at the expense of diminished user experience. With RSA’s new web toolkit, you can continue to use RADIUS-based integration while still providing a great end user experience. You can provide a better user experience whether an end user is trying to access Microsoft OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the recently introduced RADIUS Auto-Push notification and provide a passwordless experience to users of RADIUS-based applications using this new web toolkit and elevate your end users’ experience.

 

Figure 3.  Cisco Clientless SSL VPN step-up authentication end-user experience

 

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for. (see link below for complete list).

 

Later this week, these new connectors are planned: Barracuda Web Application Firewall, GoAnywhere, ProxyClick, Salsify, Scale FT, Shuffler, SignalFX, Workato.

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

 

For further details on all the new and updated capabilities of the November release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Hackers are eyeing your privileged accounts, so you better be using more than “admin123” to secure them. Multi-factor authentication from RSA SecurID Access provides the strongest security for your most sensitive access points. It uses risk and behavior analytics to ensure the users logging into your privileged accounts are legit, and not malicious insiders or external attackers exploiting weak passwords. Use it to protect privileged access management solutions like CyberArk.

CyberArk Enterprise Password Vault, a component of the CyberArk Privileged Account Security Solution, is designed to automatically secure, rotate and control access to privileged account passwords, based on flexible organizational policies reducing access-based security risks and supporting compliance requirements. RSA SecurID Access secures the CyberArk Enterprise Password Vault with MFA to ensure that only appropriate users access these highly sensitive resources.

Sign up for the webinar on securing privileged access >

Watch a quick demo   

RSA SecurID Access - CyberArk Password Vault Web Access RADIUS Integration

RSA Ready: RSA SecurID Access - CyberArk Password Vault Web Access SAML integration

 For more information visit:  Securing Privileged Access with Multi-Factor Authentication  

 RSA Ready Technical Videos:

The October release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This release focuses on expanding the integration options for protecting SAML-based cloud applications for RSA customers.

SAML application protection - expanding integration options

   You can integrate RSA SecurID® Access into your environment to protect cloud-based applications using the Security Assertion Markup Language (SAML).  RSA supports multiple ways to achieve this, but often the simplest approach is “direct to cloud” using the Cloud Authentication Service Identity Provider (IdP).  Using this approach, these applications can be configured without setting up the Single Sign-on (SSO) Agent on the Identity Router (IDR).

   This month, we are releasing enhancements to the Cloud Authentication Service that will enable some of the most popular Software as a Service (SaaS) applications to support the above simplified configuration. These applications are:  Microsoft Office365, ServiceNow and Workday. These additional applications join VMware and Salesforce in the ability to configure this direct cloud protection. Customers who want to use RSA’s SSO portal for these applications can continue to do so. This new capability is aimed at customers who do not use RSA’s SSO portal and prefer to configure a direct CAS-to-application connection for using RSA SecurID® Access multi-factor authentication.

   Note that although the new SAML cloud IdP integration option removes the necessity of configuring the SSO Agent, the IDR’s Enterprise Connector component is still required for accessing your on-premises identity source(s).

Partner Integration Guides for these updated capabilities are now available. Read on for more on our application connectors and reference locations.

 

 

                Fig.1  Configuring cloud IdP SAML applications

 

Expanding MFA reach: monthly connector updates

   RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see link below for complete list).

   We recently released these new and updated connectors: Bitglass, Dell (Boomi), Domo, Netmotion Mobility, One Identity, Third Light, Watchguard Fireware XTM and Yardi (Voyager 7S). Additionally, later this week, these new connectors are planned: Cisco ISE Portal, Igloo, Inspired eLearning iLMS. We will also be releasing the updates for Workday, ServiceNow and Microsoft Office 365 as mentioned previously.

   Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

   For further details on all the new and updated capabilities of the October release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

 

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

   As a well-informed security professional today, you’ve recognized the need for continuous combat against the increasingly perilous threat landscape, populated by highly skilled and persistent intruders. You’ve known that simple password protection is insufficient to protect “crown jewel” data and want to incorporate multifactor authentication (MFA) for your critical digital assets into your defenses.

So now that you recognize the need to implement multifactor authentication for your organization, where to start?

   Choosing an appropriate set of access policies to fit all your target resources, across all your user populations, can be challenging given all the possible choices available.  Today, there is a wide variety of password alternatives to help deter infiltration, and more are emerging. RSA SecurID Access supports many such methods across hundreds of digital resources from “ground to cloud”, from basic VPN protection to the latest SaaS cloud applications such as Microsoft Office365.

   To help you navigate the process of selecting the most appropriate authentication methods and policies, RSA has developed a white paper which discusses RSA Security’s recommended approach for developing multifactor authentication policies for your organization. The key considerations include:

  • Setting clear business goals, to guide tradeoffs between cost, convenience (usability), protection strength and implementation complexity
  • Taking a phased approach to deployment - think big but start small with a limited pilot
  • Assessing your user population, understanding both the risk profile of their resource access and their tolerance for authentication complexity
  • Evaluating the target resources you need to protect, understanding the risk exposure of your business should they be breached
  • Investigating the array of authentication methods available to you, and considering the tradeoffs between security strength, convenience, cost and administrative complexity
  • Formulating your access policies, taking into account all the above and adding in context-based risk analysis to both security and convenience
  • Remembering to include end user education as part of your rollout plan
  • Formulating your MFA implementation as part of a larger Identity and Access Management (IAM) strategy within your overall Enterprise Security foundation.

   Please see: https://community.rsa.com/docs/DOC-97431

 

   Furthermore, to supplement this guidance, expert assistance is available.  RSA’s highly experienced Professional Services team and certified partners can help you navigate the myriad of access security choices available, following these best practices.

 

   For more on RSA Security’s solutions and services, please visit:  www.rsasecurity.com or consult with your RSA Security representative.

September 2018 Cloud Authentication Service Release Highlights

The September release for the RSA SecurID® Access Cloud Authentication Service is now available. In this release, RSA continues to add capabilities that raise the bar for RSA SecurID Access, helping customers improve their security posture while still supporting convenient access for end users and administrators.

Providing End Users with Device Registration Self-Service

To provide end users with more autonomy during the device registration process and reduce Help Desk call volume, we are introducing this month a new self-service portal, called “My Page”.  RSA understands, however, that while user self-service can dramatically improve the efficiency of your multi-factor authentication program, it cannot become the weak link in your security chain. As such, “My Page” not only provides convenient self-service for your end users, but also provides the security you need to safeguard your digital assets.

 

Using this portal, an end user can begin the registration process by following the step-by-step instructions displayed on screen that guide them to download the RSA SecurID Authenticate App (from the Apple App Store, Google Play or Microsoft Store). Then, using the installed app, the user can capture a displayed single use QR code containing information for easy app registration. Finally, the user can perform a test authentication to make sure that everything is working as expected. Device Registration in My Page also includes this easy-to-follow video guiding users through this process: https://www.youtube.com/watch?v=mx2c_4p7qo4&feature=youtu.be

 

Administrators can further increase the security of device registration by requiring multi-factor authentication for access to My Page. Check out “RSA SecurID Authenticate Device Registration Using RSA SecurID Access My Page” for tips and tricks on how to configure this and other features.

 

Figure 1.  My Page

 

Supporting Broader User Activity Tracking and Governance

In July, we introduced the Log Events API, a REST-based web services interface allowing customers to retrieve administrator activity log events from the Cloud Authentication Service. This month we’ve added the ability to retrieve end user authentication logs.

 

For greater security visibility across your organization, you can leverage these REST APIs to share this authentication information with your security information and event management (SIEM) solution, such as RSA NetWitness.

In this way, RSA provides you with improved visibility into the activities of both privileged, administrative users and end users for forensic security, governance auditing and troubleshooting purposes.

For more information on these capabilities, refer to  Improved Logging for Security and Audit Compliance

 

Improved Protection of Windows Login:  RSA SecurID® Authentication Agent for Windows v7.4

This month, RSA released a new version of the Windows Agent designed to secure Windows machines when online, with our award-winning RSA SecurID® tokens, and when offline, with our industry-leading unique solution that is trusted by many Fortune 500 companies globally. All this ensures security from the start, allowing users and administrators to securely and conveniently access their workstations and servers no matter what the situation calls for.

This new agent framework (architecture)  provides a path so customers can adopt future releases supporting the use of MFA and updated Authentication Manager capabilities for secure and convenient Windows protection.

Specific to this release are new capabilities which:

  • Expose customers to the updated authentication user interface supported by the latest Microsoft Credential Provider framework as seen natively in the latest versions of Windows and Windows Server, that is more intuitive and friendlier for users trying to authenticate to their machines
  • Provide customizable user authentication prompts and help texts so end users can securely authenticate to desktop with minimal friction
  • Provide administrators with several high value agent improvements aimed at boosting overall user productivity during machine login.

 

Faster Time to Value: Expanded Preconfigured Policies

Last month, RSA SecurID® Access introduced predefined access policy templates in all new cloud accounts to help new customers protect their resources faster. Using these policies, new customers need not create custom access policies before configuring their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  This month, we add an additional preconfigured access policy to the initial three delivered in August. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium licensed customers.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414  

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

RSA SecurID® Access Now Locally Hosted for Australia and New Zealand Organizations

 

Good news for Australia and New Zealand organizations that need to keep critical identity information on-shore: RSA SecurID Access is now locally hosted inside Microsoft Azure data centers in Canberra. Local hosting comes as part of the August 2018 product release, opening the way for more organizations – especially in the areas of government, critical infrastructure and financial services, where local hosting is often a requirement – to benefit from RSA SecurID Access authentication capabilities.

 

RSA SecurID Access Cloud Authentication Service delivers secure access to the extended enterprise as an on-shore SaaS service, rather than having it hosted outside the region. Local hosting enables organizations to comply with legislation governing data privacy in the region, including the Australian Privacy Principles (APPs), as well as with related industry or corporate guidelines. The Microsoft Azure “protected”-level data centers that will provide hosting in Canberra are certified to meet federal security standards and accredited to handle classified defense data.

 

Any organization based anywhere in the world that has operations in the region can benefit from this development – not just Australia- or New Zealand-based organizations, and not just companies in critical sectors. Hosting locally not only keeps critical identity data on-shore, but also improves network latency locally for faster access to cloud applications.

Whatever the reason for adopting RSA SecurID Access Cloud Authentication Service – regulatory compliance, local control, faster application access – organizations that do will be using the most widely deployed multi-factor authentication solution in the world. RSA SecurID Access multi-factor authentication improves security by thwarting attempts to use stolen credentials while still keeping access convenient for legitimate users. This implementation brings those authentication advantages specifically to cloud application access.

 

With the addition of local hosting in Canberra, RSA SecurID Access Cloud Authentication Service is now available in three major regions around the globe, having been previously launched in the EU and US.

August 2018 Cloud Authentication Service Release

The August release for the RSA SecurID® Access Cloud Authentication Service is now available. In this release, RSA continues to add capabilities that make RSA SecurID Access convenient for end users and admins; intelligent, to provide powerful authentication and analysis; and pervasive, supporting global access across a variety of traditional and cloud use cases.

Facilitating Privileged User Authentication for the Cloud Administration Console

RSA SecurID® Access administrators in your organization have extensive access privileges. Therefore, access attempts of these privileged users need to be appropriately authenticated. In this release of RSA SecurID® Access, validation of the multifactor authentication policies that govern console access is improved to prevent accidental user lockout, which would require a support call to RSA to resolve.

 

The graphic below  shows how the console prevents you from selecting a policy that locks you out of the console.

 

 

      Fig.1  Warning message to clarify the problems with selected policy

 

Improved Visibility of Cloud Authentication Service User Status

Over the last few months, we have significantly improved the ability of administrators to manage the status of Cloud Authentication Service users.

Past releases delivered capabilities to:

  • Manually enable and disable Cloud Authentication Service users, independent of identity source status for improved local control over user status
  • Automatically disable Cloud Authentication Service users when they become disabled or missing (due to deletion or transfer out of relevant groups) in the identity source directory.
  • Help administrators reverse deletion errors via a two-step delete process. With two-step deletion, deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives administrators the opportunity to “Un-delete” before the users are permanently purged in case of error.
  • Streamline user maintenance with automated deletion of long-disabled users. Busy administrators who prefer more automated user maintenance can select an option to delete long-disabled users. On by default and set to select users disabled 90 days, this option can be configured for a different number of days or turned off completely. In this way, all the automated cleanup processes can work together to remove users from the cloud who no longer need access.

In the August release, we’ve improved reporting of user status.  The previously available users report now provides better visibility into user status information to help organizations better manage user populations.  By exporting the user report file and importing it into a spreadsheet, administrators can quickly identify disabled or deleted (awaiting purge) users for status confirmation and follow-up where needed. In addition, enabled users can be counted for license management purposes.

Below is a sample of the report in spreadsheet format, highlighting the new column.

 

 

      Fig.2  User report

 

For more information on these capabilities, refer to: https://community.rsa.com/docs/DOC-75846

Faster Time to Value: Preconfigured Policies

RSA SecurID® Access now provides predefined access policy templates with all new cloud accounts. Using these policies, new customers need not create custom access policies before they can configure their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  If further customization is desired, these policies can be cloned and modified as desired, while maintaining the original copies to use as templates for future policy definition.

The new policies are shown below.

 

 

      Figure 3.  Preconfigured Policies

Serving a Global Customer Community

The RSA SecurID® Access Cloud Authentication Service is now available in Australia!

Hosted in Microsoft Azure Australia (Canberra), RSA SecurID® Access’s new hosting location enables compliance with Australian and New Zealand Privacy Legislation.  Furthermore, local hosting means faster network performance across the wider Asia-Pacific region.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96078

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

What is Salesforce? It was the 1st Software-as-a-Service (SaaS) Customer Relationship Manager (CRM) product and currently the leader with the most market share. So what is SaaS?  It is a way of delivering centrally hosted applications over the Internet—as a service. SaaS applications are sometimes called web-based software, on-demand software, or hosted software. What type of data does a CRM contain? Customer and prospect contact information, accounts, leads, and sales opportunities in one central location.

 

Since Salesforce stores client personal data it naturally becomes a target for hackers. These hackers want your data and they will stop at nothing to get it.

 

The video showcases me creating a policy that enables a secondary authentication method within the RSA SecurID Access Cloud Authentication Service to protect Salesforce. Thank you for your time in advance!  

 

 

 Here is the link to the RSA SecurID Access Salesforce Implementation Guide: Salesforce - Technology Integrations 

Sly Gittens Website: Lovecybersecurity.com 


In the recent What's New in RSA SecurID® Access?  we are excited to announce the release of the RSA SecurID Access Log Events API to retrieve administrator and user event logs from the RSA SecurID Cloud Authentication Service.  You can use the Log Events REST API to import the log events into your security information and event management (SIEM) solution, such as RSA NetWitness, to ensure security and audit compliance. 

 

For more information on this feature – please check out this additional content.