
RSA SecurID Access


During 2018, RSA has made several improvements to better support your ability to protect RADIUS-based resources using RSA SecurID® Access Cloud Authentication Service capabilities.  In this way, RSA SecurID® Access becomes even more pervasive, supporting access across a variety of traditional and cloud use cases.

 

For RADIUS-based applications we delivered the following improvements to customers through our cloud offering:

  • Expanded the choice of authenticators (e.g., SMS and Voice) to provide more flexibility
  • Helped customers meet the PCI DSS 3.2 multi-factor authentication guidance by supporting multi-method mode for supported VPN clients
  • Enabled Auto-Push for mobile MFA to reduce end-user friction during authentication
  • Improved the end-user experience for application-specific clientless SSL VPN (e.g., VPN for OWA) when users access the VPN through a browser
  • Provided an MFA-only option for passwordless behavior where primary trust is established through certificates or SSH keys between end-user devices and RADIUS clients

Looking ahead into 2019, you may want to use Active Directory (AD) user attributes to make granular authentication decisions for your RADIUS-based applications, all controlled by RSA SecurID® Access policies. We will continue to improve your ability to protect RADIUS-based applications and make that protection more powerful through granular controls and policies.

 

Below is a deep dive into RADIUS specific features that were delivered in 2018.

 

Auto-Push for RADIUS logins 

Auto-push for RADIUS, when configured for a user, can send a push notification on a registered phone, after the user enters User ID and password. The extra step (Fig 1.) of selecting an authentication method at each RADIUS-based login is not required.  (Note:  this Auto-Push capability is available ONLY if passwords are used for primary authentication).  

How and where to configure Auto-Push: Add a RADIUS Client for the Cloud Authentication Service 

RADIUS for the Cloud Authentication Service Overview  

Users always have the flexibility to choose other authentication options if their mobile device is not handy during the time of authentication (e.g., lost, left at home, the RSA Authenticate app not registered).

 

Fig.1 Auto-push for RADIUS (a sample screenshot using Cisco ASA AnyConnect desktop client)

 

Password-less / step-up only RADIUS

If the RADIUS client (e.g., a VPN, a privileged access management solution) is configured to perform primary (e.g., a password) authentication, RSA SecurID Access no longer prompts for the user to enter their password a second (redundant) time thereby improving end-user experience.

 

If certificates or SSH keys are used to establish trust in lieu of passwords (as primary authentication), step-up only RADIUS is even more useful, since the user is challenged only once (for step-up) to prove their identity. This feature gives customers a password-less MFA experience for RADIUS-based logins. A classic example is a Privileged Account Management (PAM) system where primary trust for your admins is established through SSH keys and RSA SecurID® Access is used as the secondary authentication.

 

The step-up only feature also helps customers comply with the PCI DSS 3.2 guidance on multi-factor authentication. In multi-method mode, RSA SecurID® Access prompts for the password and the second factor on a single screen and evaluates them together, rather than acting on the second factor sequentially based on the outcome of the primary authentication. The security point is that neither the user nor the RADIUS client learns whether the password was correct until all factors have been presented, which is what the PCI SSC multi-factor authentication guidance calls for: a sequential flow that rejects a bad password before asking for the token lets an attacker guess passwords without holding the second factor. Any VPN application (e.g., Cisco, Palo Alto) that supports multi-method mode can use this feature to help meet PCI DSS 3.2.
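To make that difference concrete, here is a small Python model of a sequential verifier beside a multi-method one. It is added here as an illustration and is not code from RSA SecurID Access or from any RADIUS client; the user record, PBKDF2 salt, HOTP seed and counter are constructed for the example, and RFC 4226 HOTP stands in for the SecurID tokencode.

```python
import hashlib
import hmac
import struct

# Constructed credentials for the example. Never hard-code a real seed or salt.
SALT = b"example-salt"
HOTP_SEED = b"0123456789abcdef0123"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the constructed salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, PBKDF2_ROUNDS)


# Constructed user record (the user ID deliberately uses a made-up format).
USER = {
    "user_id": "jsmith",
    "pw_hash": hash_password("correct horse"),
    "hotp_counter": 7,
}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_sequential(user: dict, password: str, otp: str) -> tuple:
    """The pattern the PCI guidance warns against: stop at the first failing
    factor and say which one failed. An attacker can confirm passwords
    without ever holding the token and only needs the second factor once."""
    if not hmac.compare_digest(user["pw_hash"], hash_password(password)):
        return (False, "invalid password")
    if not hmac.compare_digest(hotp(HOTP_SEED, user["hotp_counter"]), otp):
        return (False, "invalid passcode")
    return (True, "ok")


def verify_multi_method(user: dict, password: str, otp: str) -> tuple:
    """Multi-method pattern: both factors are collected together, both are
    always evaluated, and a single verdict is returned. Neither the message
    nor an early return reveals which factor was wrong."""
    pw_ok = hmac.compare_digest(user["pw_hash"], hash_password(password))
    otp_ok = hmac.compare_digest(hotp(HOTP_SEED, user["hotp_counter"]), otp)
    ok = pw_ok and otp_ok  # both checks have already run; nothing was skipped
    return (bool(ok), "ok" if ok else "authentication failed")


if __name__ == "__main__":
    code = hotp(HOTP_SEED, USER["hotp_counter"])
    print(verify_sequential(USER, "wrong", code))      # leaks "invalid password"
    print(verify_multi_method(USER, "wrong", code))    # uniform failure
    print(verify_multi_method(USER, "correct horse", code))
```

A real deployment also counts every failed attempt against the account and increments the HOTP counter on success; the model leaves those out to keep the factor-evaluation difference visible.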

 

For more information on these capabilities, refer to:  https://community.rsa.com/docs/DOC-75832#RADIUS5 

 

 

Fig.2 Sample RADIUS Multi-method mode & passwordless end-user screens

 

Improving end-user experience for Cisco Clientless SSL VPN (RADIUS)

This feature enhances the user experience for application-specific VPN access when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end users with an improved experience for Cisco's clientless SSL VPN portals. Administrators can download the new web toolkit from the RSA SecurID Access Cloud Authentication Service console and deploy it in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access or to create captive portals on a wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integration because of the flexibility and power of its security policy configuration, but this has come at the expense of a reduced user experience. With the new web toolkit, customers can keep their RADIUS-based integration while providing a good user experience for their end users, whether a user is trying to access OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the Auto-Push notification and provide a passwordless experience to RADIUS-based applications using this new web toolkit and elevate your end-users experience.

 

Fig 3. Cisco ASA Clientless SSL VPN step-up authentication end-user experience

 

Adding Flexibility: SMS and Voice authentication comes to RADIUS

Although hardware tokens (and later software tokens) are the classic protection for RADIUS-based resources, RSA now supports a wide variety of additional mobile authentication methods. Mobile Push has been available for some time, as has the OTP generated by the RSA SecurID Authenticate app. The RSA SecurID® Access Cloud Authentication Service added SMS and Voice authentication options for RADIUS in early 2018, so now even users without a token and without the Authenticate app on their phone can authenticate to RADIUS-based resources with an OTP delivered by SMS or voice call. This is much more convenient for infrequent and external users. Keep in mind that an OTP delivered over the phone network is weaker than an app-generated or push-based factor (NIST SP 800-63B classifies PSTN delivery as a restricted authenticator), so access policy should reserve SMS and Voice for lower-risk resources and user populations.

 

 

Fig 4.  SMS used for RADIUS authentication

 

For more information on these capabilities and others, please see the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

Scammers and fraudsters are an unfortunate part of every day life in the early 21st century.  Companies buy RSA products to keep their networks, their data and their people safe from these bad guys.

 

The RSA SecurID Access community is a place to ask questions of our skilled support staff and share tips and tricks you have learned with other users.  

 

That being said, please be aware that this community, along with others on RSA Link, are open to the public and can be searched via web browser.  This openness allows for your posts to be mined for data you may have posted unintentionally.

 

For this reason, we want you to keep your data as secure on our community as you do in your deployments.

 

Please find our tips below for posting questions and comments on RSA Link:

 

1.  Do not include the FQDN and/or IP addresses in your posts or in screen shots.  

 

Before posting snippets of log data or a screenshot of an error message, be sure to scrub private data such as the FQDN of your Authentication Manager servers and agents, other authentication devices, etc.  This includes references to network devices in a network diagram, etc. 

 

If you need to post log data to RSA Link, it is easy enough to do a quick search and replace, changing authmgr83p.acme.com, authmgr83r1.acme.com and authmgr83r2.acme.com to primary.domain.com, replica1.domain.com and replica2.domain.com.  Be sure to also mask your agents and other devices in the same way. 

 

Replace IP addresses with x.x.x.1, x.x.x.2, etc. 

 

You will find FQDNs and IP addresses in the files contained in the troubleshooting logs generated via the Operations Console and in logs downloaded from your RSA Authentication Agents or other authentication devices, such as your VPN, PAM agents, etc.

 

For screen shots, the example authentication activity monitor shown below has any sensitive information redacted.

 

The logs above are only for two users (one user whose entries are white, the other user whose activity is in red).  If you have an authentication activity report with multiple users showing, you can scope the report to a specific user ID or, if you need to show multiple users in one report, you can color code the entries, as shown here:

 

 

It's not pretty, but it protects your data.

 

2.  Do not include user IDs in your posts.

 

If you give an example of a corporate standard for your user IDs, it is easy to extrapolate the patterns your company uses, giving the bad guys a chink in your armor. Provide an example user ID in a format other than the one you use in your environment. If you format user IDs as smithj25, provide your example as jsmith.

 

3.  Do not include license numbers, token serial numbers or their output in your posts.

 

Providing even one token serial number from a batch that your company purchased allows scammers to know some or all of the token serial number ranges you own. 

 

Redact this information from screen shots or replace the numbers with xxxxxxxxxxxx. To refer to multiple tokens, say for different users having an issue, try xxxxxxxxxxx1, xxxxxxxxxxx2, xxxxxxxxxxx3, etc. Never post any token seed media or output from token seed media to RSA Link. This includes the following files and any content inside them:

 

  • The license XML file,
  • The token seed XML file,
  • A decrypt-codes[xxx-xxx-xxx].zip,
  • A CT-KIP string, or
  • A Compressed Token Format (CTF) string or an .sdtid token file.

 

4.  Don't attach database exports to your posts.

 

They should be too large to attach anyway, but we just want to spell this out.
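One way to apply tips 1 through 3 consistently across a whole log excerpt, rather than by hand, is a small scrubbing script. The following Python is an added example, not an RSA tool; the sample log lines, host names, user IDs, IP addresses and 12-digit serial numbers in it are constructed, and the regular expressions are assumptions you will need to adapt to the exact layout of your own Authentication Manager or agent logs.

```python
import re

# FQDN-like token whose last label is alphabetic, so IPs and x.x.x.N placeholders never match.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SERIAL_RE = re.compile(r"\b\d{12}\b")  # SecurID token serial numbers are 12 digits
# Assumed log layouts: "User ID: smithj25", "user=smithj25", "username: smithj25"
USER_RE = re.compile(r"\buser(?:\s?id|name)?\s*[=:]\s*([A-Za-z0-9._-]+)", re.IGNORECASE)


def make_scrubber(known_hosts=None):
    """Return scrub(line), which maps every distinct host, IP, serial and user ID
    to a stable placeholder so one server or user keeps the same name across the
    excerpt. known_hosts fixes the placeholder for servers you want to name, as
    the post suggests, e.g. {"authmgr83p.acme.com": "primary.domain.com"}."""
    host_map = {k.lower(): v for k, v in (known_hosts or {}).items()}
    ip_map, serial_map, user_map = {}, {}, {}

    def placeholder(mapping, key, fmt):
        if key not in mapping:
            mapping[key] = fmt.format(n=len(mapping) + 1)
        return mapping[key]

    def scrub(line):
        # Keep the "User ID:" prefix, replace only the captured ID.
        line = USER_RE.sub(lambda m: m.group(0)[: m.start(1) - m.start(0)]
                           + placeholder(user_map, m.group(1), "user{n}"), line)
        line = IP_RE.sub(lambda m: placeholder(ip_map, m.group(0), "x.x.x.{n}"), line)
        line = SERIAL_RE.sub(lambda m: placeholder(serial_map, m.group(0), "xxxxxxxxxxx{n}"), line)
        line = HOST_RE.sub(lambda m: placeholder(host_map, m.group(0).lower(), "host{n}.domain.com"), line)
        return line

    return scrub


def scrub_lines(lines, known_hosts=None):
    scrub = make_scrubber(known_hosts)
    return [scrub(line) for line in lines]


def residual_findings(line):
    """Check before posting: anything that still looks like an IP, a serial
    number or a real FQDN (placeholders under .domain.com are ignored)."""
    found = [("ip", m) for m in IP_RE.findall(line)]
    found += [("serial", m) for m in SERIAL_RE.findall(line)]
    found += [("host", m) for m in HOST_RE.findall(line) if not m.lower().endswith(".domain.com")]
    return found


# Constructed sample lines; not real Authentication Manager output.
SAMPLE_LOG = [
    "2018-11-02 09:14:07 authmgr83p.acme.com 10.20.30.11 User ID: smithj25 token 000123456789 PASSCODE ACCEPTED",
    "2018-11-02 09:14:09 authmgr83r1.acme.com 10.20.30.12 User ID: doej07 token 000123456790 PASSCODE REJECTED",
    "2018-11-02 09:14:20 vpn01.acme.com 10.20.30.11 User ID: smithj25 token 000123456789 PASSCODE ACCEPTED",
]
KNOWN_HOSTS = {"authmgr83p.acme.com": "primary.domain.com", "authmgr83r1.acme.com": "replica1.domain.com"}

if __name__ == "__main__":
    for scrubbed in scrub_lines(SAMPLE_LOG, KNOWN_HOSTS):
        print(scrubbed, residual_findings(scrubbed))
```

Run residual_findings on every scrubbed line and only post when it comes back empty; extend the patterns if your logs carry other identifiers (agent names, AD distinguished names, license numbers) that the page's tips also cover.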

 

Best practice guidelines

 

We'd rather you err on the side of caution and have to request more information from you than have you provide too much that may not even be needed.  When posting follow these simple rules:

 

  • Redact all private information in your posts.
  • Be careful about the information you attach to the post.
  • Post your redacted information and wait for a reply from a support engineer, who will either answer your concern or suggest you open a case by contacting RSA Customer Support.

 

If you have any questions about what is OK or not OK to post, drop a comment below and we will be happy to answer you.

 

 

The November release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This month, we expand deployment flexibility in a number of different ways to provide even more business agility and operational efficiency, empowering your admins and users to have the flexibility they need to support business needs.

Identity Router in the cloud - Amazon Web Services Deployment

It is now possible to install the Identity Router (IDR) in your private Amazon Web Services (AWS) space, saving time and effort to deploy the IDR in your on-premises environment.

 

No longer does RSA require an on-premises footprint for the IDR.

 

From AWS EC2, the Identity Router connects back to your on premise Active Directory/LDAP identity source to support a hybrid cloud deployment. Using this hybrid cloud deployment model, you can continue to host your Authentication Manager on-premises and use RSA SecurID hardware/software tokens to protect critical cloud applications. The Identity Router in AWS will connect to your on-premises Authentication Manager via VPN connection or AWS Direct connect. Having said that, watch for further cloud deployment developments next month on the Authentication Manager side!

The Identity Source can also be hosted in AWS or other cloud environments (ex: Azure) to support a full multi-cloud deployment.

The download and distribution of the IDR AMI is fully automated. Administrators launch the AMI in EC2 by entering the relevant AWS account credentials in the RSA Cloud Authentication Service console; the AMI is shared securely into your private EC2 space based on explicit permissions for those specific AWS accounts.

This gives you three deployment options for the IDR: VMware, Hyper-V and AWS.

Help Desk your way: Administration APIs to integrate CAS into your application

This month, we are announcing the release of a series of administration APIs, to support the integration of RSA SecurID® Access with your service desk applications.

Using these REST APIs, integrated into your service desk application, allows your Help Desk staff to use familiar user interfaces to search for RSA SecurID® Access users, unlock their devices, delete unused devices and update SMS and Voice option telephone numbers. 

This integration can help reduce the learning curve for adopting RSA SecurID® Access and reduce additional training requirements for your help desk administrators.

Stay tuned here! More APIs to support additional use cases are planned for subsequent releases.

Expanded device self-service to reduce Help Desk calls

This month, the new MyPage self-registration portal, adds a capability for a user to delete their device. Using this in conjunction with the previous registration capability means a user can add, delete or change (via delete of old and add of new) a device.  A major step forward to empowering end user self-service and thereby reducing Help Desk traffic!

Expanded RADIUS support - Clientless SSL VPN support

This month, we add a new feature enhancing the user experience for application-specific VPN access when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end users with an improved experience for Cisco's clientless SSL VPN portals. Administrators can download the new web toolkit from the RSA SecurID Access Cloud Authentication Service console and deploy it in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access or to create captive portals on a wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integration because of the flexibility and power of its security policy configuration, but this can come at the expense of a diminished user experience. With RSA's new web toolkit, you can keep your RADIUS-based integration while still providing a good end-user experience, whether an end user is trying to access Microsoft OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the recently introduced RADIUS Auto-Push notification and provide a passwordless experience to users of RADIUS-based applications using this new web toolkit and elevate your end users’ experience.

 

Figure 3.  Cisco Clientless SSL VPN step-up authentication end-user experience

 

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for. (see link below for complete list).

 

Later this week, these new connectors are planned: Barracuda Web Application Firewall, GoAnywhere, ProxyClick, Salsify, Scale FT, Shuffler, SignalFX, Workato.

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

 

For further details on all the new and updated capabilities of the November release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Hackers are eyeing your privileged accounts, so you better be using more than “admin123” to secure them. Multi-factor authentication from RSA SecurID Access provides the strongest security for your most sensitive access points. It uses risk and behavior analytics to ensure the users logging into your privileged accounts are legit, and not malicious insiders or external attackers exploiting weak passwords. Use it to protect privileged access management solutions like CyberArk.

CyberArk Enterprise Password Vault, a component of the CyberArk Privileged Account Security Solution, is designed to automatically secure, rotate and control access to privileged account passwords, based on flexible organizational policies reducing access-based security risks and supporting compliance requirements. RSA SecurID Access secures the CyberArk Enterprise Password Vault with MFA to ensure that only appropriate users access these highly sensitive resources.

Sign up for the webinar on securing privileged access >

Watch a quick demo   

RSA SecurID Access - CyberArk Password Vault Web Access RADIUS Integration

RSA Ready: RSA SecurID Access - CyberArk Password Vault Web Access SAML integration

 For more information visit:  Securing Privileged Access with Multi-Factor Authentication  

 RSA Ready Technical Videos:

The October release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This release focuses on expanding the integration options for protecting SAML-based cloud applications for RSA customers.

SAML application protection - expanding integration options

   You can integrate RSA SecurID® Access into your environment to protect cloud-based applications using the Security Assertion Markup Language (SAML).  RSA supports multiple ways to achieve this, but often the simplest approach is “direct to cloud” using the Cloud Authentication Service Identity Provider (IdP).  Using this approach, these applications can be configured without setting up the Single Sign-on (SSO) Agent on the Identity Router (IDR).

   This month, we are releasing enhancements to the Cloud Authentication Service that enable some of the most popular Software as a Service (SaaS) applications to use the simplified configuration above. These applications are Microsoft Office 365, ServiceNow and Workday; they join VMware and Salesforce in supporting direct cloud protection. Customers who want to use RSA's SSO portal for these applications can continue to do so. The new capability is aimed at customers who do not use RSA's SSO portal and prefer a direct CAS-to-application connection for RSA SecurID® Access multi-factor authentication.

   Note that although the new SAML cloud IdP integration option removes the necessity of configuring the SSO Agent, the IDR’s Enterprise Connector component is still required for accessing your on-premises identity source(s).

Partner Integration Guides for these updated capabilities are now available. Read on for more on our application connectors and reference locations.

 

 

                Fig.1  Configuring cloud IdP SAML applications

 

Expanding MFA reach: monthly connector updates

   RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for. (see link below for complete list).

   We recently released these new and updated connectors: Bitglass, Dell (Boomi) , Domo, Netmotion Mobility, One Identity, Third Light, Watchguard Fireware XTM and Yardi (Voyager 7S). Additionally, later this week, these new connectors are planned: Cisco ISE Portal, Igloo, Inspired eLearning iLMS. We will also be releasing the updates for Workday, Service Now and Microsoft Office 365 as mentioned previously.

   Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

   For further details on all the new and updated capabilities of the October release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

 

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

   As a well-informed security professional today, you’ve recognized the need for continuous combat against the increasingly perilous threat landscape, populated by highly skilled and persistent intruders. You’ve known that simple password protection is insufficient to protect “crown jewel” data and want to incorporate multifactor authentication (MFA) for your critical digital assets into your defenses.

So now that you recognize the need to implement multifactor authentication for your organization, where to start?

   Choosing an appropriate set of access policies to fit all your target resources, across all your user populations, can be challenging given all the possible choices available.  Today, there is a wide variety of password alternatives to help deter infiltration, and more are emerging. RSA SecurID Access supports many such methods across hundreds of digital resources from “ground to cloud” - basic VPN protection to latest SaaS cloud applications such as Microsoft Office365.

   To help you navigate the process of selecting the most appropriate authentication methods and policies for your organization, RSA has developed a white paper which discusses RSA Security’s recommended approach for developing multifactor authentication policies for your organization. The key considerations include:

  • Set clear business goals to guide tradeoffs between cost, convenience (usability), protection strength and implementation complexity
  • Take a phased approach to deployment: think big but start small with a limited pilot
  • Assess your user population, understanding both the risk profile of their resource access and their tolerance for authentication complexity
  • Evaluate the target resources you need to protect, understanding the risk exposure of your business should they be breached
  • Investigate the array of authentication methods available to you, and consider the tradeoffs between security strength, convenience, cost and administrative complexity
  • Taking all of the above into account, formulate your access policies, adding context-based risk analysis for both security and convenience
  • Include end-user education in your rollout plan
  • Formulate your MFA implementation as part of a larger Identity and Access Management (IAM) strategy within your overall enterprise security foundation

   Please see: https://community.rsa.com/docs/DOC-97431

 

   Furthermore, to supplement this guidance, expert assistance is available.  RSA’s highly experienced Professional Services team and certified partners can help you navigate the myriad of access security choices available, following these best practices.

 

   For more on RSA Security’s solutions and services, please visit:  www.rsasecurity.com or consult with your RSA Security representative.

September 2018 Cloud Authentication Service Release Highlights

The September release for the RSA SecurID®  Access Cloud Authentication Service is now available. In this release RSA continues to add capabilities to further enhance RSA SecurID Access to raise the bar to help customers improve their security posture while still supporting convenient access for end users and administrators.

Providing End Users with Device Registration Self-Service

To provide end users with more autonomy during the device registration process and reduce Help Desk call volume, we are introducing this month a new self-service portal, called “My Page”.  RSA understands, however, that while user self-service can dramatically improve the efficiency of your multi-factor authentication program, it cannot become the weak link in your security chain. As such, “My Page” not only provides convenient self-service for your end users, but also provides the security you need to safeguard your digital assets.

 

Using this portal, an end user can begin the registration process by following the step-by-step instructions displayed on screen that guide them to download the RSA SecurID Authenticate App (from the Apple App Store, Google Play or Microsoft Store). Then, using the installed app, the user can capture a displayed single use QR code containing information for easy app registration. Finally, the user can perform a test authentication to make sure that everything is working as expected. Device Registration in My Page also includes this easy-to-follow video guiding users through this process: https://www.youtube.com/watch?v=mx2c_4p7qo4&feature=youtu.be

 

Administrators can further increase the security of device registration by requiring multi-factor authentication for access to My Page. Check out the short guide RSA SecurID Authenticate Device Registration Using RSA SecurID Access My Page for tips and tricks on how to configure this and other features.

 

Figure 1.  My Page

 

Supporting Broader User Activity Tracking and Governance

In July, we introduced the Log Events API, a REST-based web services interface allowing customers to retrieve administrator activity log events from the Cloud Authentication Service. This month we’ve added the ability to retrieve end user authentication logs.

 

For greater security visibility across your organization, you can leverage these REST APIs to share this authentication information with your security information and event management (SIEM) solution, such as RSA NetWitness.

In this way, RSA provides you with improved visibility into the activities of both privileged, administrative users and end users for forensic security, governance auditing and troubleshooting purposes.

For more information on these capabilities, refer to  Improved Logging for Security and Audit Compliance

 

Improved Protection of Windows Login:  RSA SecurID® Authentication Agent for Windows v7.4

This month, RSA released a new version of the Windows Agent, designed to secure Windows machines when online with our award-winning RSA SecurID® tokens and, when offline, with our unique offline authentication that is trusted by many Fortune 500 companies globally. All this ensures security from the start, allowing users and administrators to securely and conveniently access their workstations and servers no matter what the situation calls for.

This new agent framework (architecture)  provides a path so customers can adopt future releases supporting the use of MFA and updated Authentication Manager capabilities for secure and convenient Windows protection.

Specific to this release are new capabilities which:

  • Expose customers to the updated authentication user interface supported by the latest Microsoft Credential Provider framework as seen natively in the latest versions of Windows and Windows Server, that is more intuitive and friendlier for users trying to authenticate to their machines
  • Provide customizable user authentication prompts and help texts so end users can securely authenticate to desktop with minimal friction
  • Provide administrators with several high value agent improvements aimed at boosting overall user productivity during machine login.

 

Faster Time to Value: Expanded Preconfigured Policies

Last month, RSA SecurID® Access introduced predefined access policy templates in all new cloud accounts to help new customers protect their resources faster. Using these policies, new customers need not create custom access policies before configuring their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  This month, we add an additional preconfigured access policy to the initial three delivered in August. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium licensed customers.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414  

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

RSA SecurID® Access Now Locally Hosted for Australia and New Zealand Organizations

 

Good news for Australia and New Zealand organizations that need to keep critical identity information on-shore: RSA SecurID Access is now locally hosted inside Microsoft Azure data centers in Canberra. Local hosting comes as part of the August 2018 product release, opening the way for more organizations – especially in the areas of government, critical infrastructure and financial services, where local hosting is often a requirement – to benefit from RSA SecurID Access authentication capabilities.

 

RSA SecurID Access Cloud Authentication Service delivers secure access to the extended enterprise as an on-shore SaaS service, rather than having it hosted outside the region. Local hosting enables organizations to comply with legislation governing data privacy in the region, including the Australian Privacy Principles (APPs), as well as with related industry or corporate guidelines. The Microsoft Azure “protected”-level data centers that will provide hosting in Canberra are certified to meet federal security standards and accredited to handle classified defense data.

 

Any organization based anywhere in the world that has operations in the region can benefit from this development – not just Australia- or New Zealand-based organizations, and not just companies in critical sectors. Hosting locally not only keeps critical identity data on-shore, but also improves network latency locally for faster access to cloud applications.

Whatever the reason for adopting RSA SecurID Access Cloud Authentication Service – regulatory compliance, local control, faster application access – organizations that do will be using the most widely deployed multi-factor authentication solution in the world. RSA SecurID Access multi-factor authentication improves security by thwarting attempts to use stolen credentials while still keeping access convenient for legitimate users. This implementation brings those authentication advantages specifically to cloud application access.

 

With the addition of local hosting in Canberra, RSA SecurID Access Cloud Authentication Service is now available in three major regions around the globe, having been previously launched in the EU and US.

August 2018 Cloud Authentication Service Release

The August release for the RSA SecurID®  Access Cloud Authentication Service is now available. In this release RSA continues to add capabilities to further enhance RSA SecurID Access to be convenient for end users and admin, intelligent to provide powerful authentication and analysis and pervasive, supporting global access across a variety of traditional and cloud use cases.

Facilitating Privileged User Authentication for the Cloud Administration Console

RSA SecurID® Access administrators in your organization have extensive access privileges, so access attempts by these privileged users need to be appropriately authenticated. In this release of RSA SecurID® Access, validation of the multifactor authentication policies that govern console access is improved to prevent accidental user lockout, which would otherwise require a support call to RSA to resolve.

The graphic below shows how the console prevents you from selecting a policy that would lock you out of the console.

      Fig.1  Warning message clarifying the problems with the selected policy

Improved Visibility of Cloud Authentication Service User Status

Over the last few months, we have significantly improved the ability of administrators to manage the status of Cloud Authentication Service users.

Past releases delivered capabilities to:

  • Manually enable and disable Cloud Authentication Service users, independent of identity source status, for improved local control over user status.
  • Automatically disable Cloud Authentication Service users when they become disabled or missing (due to deletion or transfer out of relevant groups) in the identity source directory.
  • Help administrators reverse deletion errors via a two-step delete process. With two-step deletion, deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives administrators the opportunity to “Un-delete” before the users are permanently purged in case of error.
  • Streamline user maintenance with automated deletion of long-disabled users. Busy administrators who prefer more automated user maintenance can select an option to delete long-disabled users. On by default and set to select users disabled for 90 days, this option can be configured for a different number of days or turned off completely. In this way, all the automated cleanup processes work together to remove users from the cloud who no longer need access.

In the August release, we’ve improved reporting of user status. The previously available users report now provides better visibility into user status information to help organizations manage their user populations. By exporting the user report file and importing it into a spreadsheet, administrators can quickly identify disabled or deleted (awaiting purge) users for status confirmation and follow-up where needed. In addition, enabled users can be counted for license management purposes.

Below is a sample of the report in spreadsheet format, highlighting the new column.

      Fig.2  User report

For more information on these capabilities, refer to: https://community.rsa.com/docs/DOC-75846

Faster Time to Value: Preconfigured Policies

RSA SecurID® Access now provides predefined access policy templates with all new cloud accounts. Using these policies, new customers need not create custom access policies before they can configure their first application. Instead, they can choose one of the simple preconfigured policies to associate with their applications. If further customization is desired, these policies can be cloned and modified, while the original copies remain available as templates for future policy definitions.

The new policies are shown below.

      Fig.3  Preconfigured Policies

Serving a Global Customer Community

The RSA SecurID® Access Cloud Authentication Service is now available in Australia!

Hosted in Microsoft Azure Australia (Canberra), the new RSA SecurID® Access hosting location enables compliance with Australian and New Zealand privacy legislation. Furthermore, local hosting means faster network performance across the wider Asia-Pacific region.

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96078

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

What is Salesforce? It was the 1st Software-as-a-Service (SaaS) Customer Relationship Manager (CRM) product and currently the leader with the most market share. So what is SaaS?  It is a way of delivering centrally hosted applications over the Internet—as a service. SaaS applications are sometimes called web-based software, on-demand software, or hosted software. What type of data does a CRM contain? Customer and prospect contact information, accounts, leads, and sales opportunities in one central location.

 

Since Salesforce stores client personal data, it naturally becomes a target for hackers. These hackers want your data and they will stop at nothing to get it.

 

The video showcases me creating a policy that enables a secondary authentication method within the RSA SecurID Access Cloud Authentication Service to protect Salesforce. Thank you for your time in advance!  

 

 

Here is the link to the RSA SecurID Access Salesforce Implementation Guide: Salesforce - Technology Integrations

Sly Gittens Website: Lovecybersecurity.com 

Subscribe to my YouTube Channel: http://bit.ly/SlyGittensYouTubeChannel

LinkedIn Profile: https://www.linkedin.com/in/slygittens/

Instagram: https://www.instagram.com/slygittens/

Twitter:  https://twitter.com/SlyGittens

Facebook Networking Group: https://www.facebook.com/groups/ConnectCyberProfessionalstoday/

In the recent What's New in RSA SecurID® Access?, we are excited to announce the release of the RSA SecurID Access Log Events API, which retrieves administrator and user event logs from the RSA SecurID Cloud Authentication Service. You can use the Log Events REST API to import the log events into your security information and event management (SIEM) solution, such as RSA NetWitness, to support security monitoring and audit compliance.

 

For more information on this feature, please check out this additional content.

 

July 2018 Cloud Authentication Service and Identity Router (IDR) Release

 

The July release for RSA SecurID Access is now available and contains updates for both the Cloud Authentication Service (CAS) and the Identity Router (IDR). In this release RSA continues to add capabilities that make RSA SecurID Access more convenient for end users and administrators, more intelligent in providing powerful authentication and analysis, and more pervasive, supporting access across a variety of traditional and cloud use cases.

Simplifying the Multi Factor Authentication (MFA) Experience for users of RADIUS-based applications

The July release contains multiple improvements to RADIUS support:

  • Eliminating double password prompts: If the RADIUS client (e.g., a VPN) is configured to perform primary (password) authentication, RSA SecurID Access no longer requires the user to enter their password a second (redundant) time. Note that this can also help customers align with the latest PCI guidance for VPN logins: under this configuration, RSA SecurID Access prompts for the password and MFA on a single screen, as PCI DSS 3.2 recommends, rather than prompting for the second authentication factor sequentially based on the outcome of primary authentication.
    You can find a video highlighting how this works on RSA Link at: https://community.rsa.com/videos/33333
  • Eliminating extra steps for push-based MFA: When configured, the extra step of selecting an authentication method at each login is no longer required. After entering User ID and password, a push notification is sent automatically. Note: this Auto-Push capability is not available when a form of authentication other than passwords is used for primary RADIUS authentication.

                Fig.1  Auto-push eliminates extra authentication steps

Improved Control and Security of Cloud Authentication Service user status

Over the last few months, we have significantly improved the ability of customer administrators to manage the status of Cloud Authentication Service users.

Past releases have included the ability to manually enable and disable Cloud Authentication Service users, independent of identity source status, and disable Cloud Authentication Service users when they become disabled in the identity source directory.  We have also added a two-step delete process, to help administrators reverse deletion errors. Using the two-step deletion, manually deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives the administrator the ability to “Un-delete” before the users are permanently purged.

This month, we’ve added a couple of key new capabilities to help organizations address the risks associated with orphaned accounts:

  • Disable missing users: if the sync process cannot find a user in the Identity Source (out of scope or deleted), that user will be disabled in the Cloud Authentication Service.  This improves security: no one can use the Cloud Authentication Service unless they are enabled in the directory. It also supports license management by ensuring that only active Cloud Authentication Service users are enabled for license counting purposes.
  • Delete long-disabled users: for improved efficiency, Cloud Authentication Service users who have been disabled for over 90 days will be marked for deletion automatically. This feature is configurable: it can be turned off, or set to a different time threshold (30 to 180 days). In this way, users who are unlikely to use the Cloud Authentication Service in the near future will not appear in lists or searches, making it easier to manage the Cloud Authentication Service tenant. It also improves the efficiency of synchronizations.

Fig.2  Configurable auto-delete

Improving visibility: Administrator activity logs

RSA is providing a new log which records the activity of RSA SecurID Access administrators.  Examples of this type of activity are (list not exhaustive): unlocking a user, changing an authentication policy, adding a new Identity Source.

Customers can leverage the Log Events API which is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as RSA NetWitness.

 

In this way, RSA provides customers with improved visibility into the activities of these privileged users for forensic security, governance auditing and troubleshooting purposes.

 

Additional Improvements

A number of miscellaneous security and troubleshooting enhancements were added:

  • Support for HTTP Strict Transport Security (HSTS) forces browsers to use HTTPS when connecting to the SSO web portal and the Cloud Administration Console. This helps protect transactions and login requests against threats such as protocol downgrade attacks and cookie hijacking.
  • Improved visibility of NTP status to aid in troubleshooting.
  • Improved support for proxy server configurations when downloading adapter updates and IDR package updates.
  • Enhanced diagnostics for IDR registration errors.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-60102

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID Access an even more convenient and secure solution for your authentication needs.

 

Are you a visual learner? I am too! This video showcases mobile fingerprint biometric authentication. 

 

If you love my video, subscribe to and like my YouTube channel.

"Static passwords are adorable, but sophisticated attackers don’t just bypass them, they utilize them to advance their attack." Verizon Data Breach 2016 Report

 

What is mobile fingerprint biometric authentication?

Fingerprint recognition refers to the automated method of identifying or confirming the identity of an individual based on the comparison of two fingerprints. Fingerprint recognition is one of the most well-known biometrics, and it is by far the most used biometric solution for authentication on computerized systems.

Why use mobile fingerprint biometric authentication with your FortiGate?

If you are granting remote workers access to your internal environment via a FortiGate, it is critical to verify your employees' identities. It is essential to have a multi-factor authentication solution that provides convenience without compromising security. Implementing mobile fingerprint biometric authentication provides the strong second-factor authentication that is needed in today's business environments.

 

Why RSA SecurID Access?

Whether you need two-factor authentication (2FA), multi-factor authentication (MFA) or mobile MFA, RSA offers a wide range of authentication methods including push notifications, SMS, OTP, biometrics, and hardware, software and FIDO tokens. And whether you want to deploy on-premises or go with a SaaS option, RSA SecurID Access has you covered.

 

Follow me on Social Media 

✦ Sly Gittens Website: Lovecybersecurity.com

Subscribe to my YouTube Channel: http://bit.ly/SlyGittensYouTubeChannel

✦ LinkedIn Profile ➜ https://www.linkedin.com/in/slygittens/

✦ Instagram ➜ https://www.instagram.com/slygittens/

✦ Twitter ➜ https://twitter.com/SlyGittens

✦ Facebook Networking Group ➜ https://www.facebook.com/groups/ConnectCyberProfessionalstoday/

Amazon Web Services (AWS) is a subsidiary of Amazon.com, which offers a suite of cloud computing services that make up an on-demand computing platform. AWS has more than 90 services that span a wide range including compute, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools and tools for the Internet of Things. Amazon markets AWS as a service that provides large computing capacity more quickly and cheaply than a client company building an actual physical server farm. RSA SecurID Access, the world’s most widely deployed multi-factor authentication (MFA) solution, helps to secure access in a world without boundaries.

RSA SecurID Access provides convenient, secure access to on-premises, web, mobile and cloud applications, and eliminates access blind spots by giving you visibility into and control over access across your organization. RSA SecurID Access offers a broad range of authentication methods including modern mobile multi-factor authenticators (e.g., push notification, one-time password, SMS, and biometrics) as well as traditional hard and soft tokens for secure access to all applications regardless of whether they live on premises or in the cloud.

 

✦ RSA Ready Amazon Technology Integrations: https://community.rsa.com/docs/DOC-72995

If you’ll be connecting to your Identity Source securely, using LDAPS, you’ll need the SSL certificate from your LDAP directory server when configuring the connection in the Cloud Administration Console. Not sure how to get it? We’ve seen our customers use a few different ways to get this certificate. Here are just a couple:

 

  1. Ask your directory server administrator for the certificate chain. Really, it can be that easy. When you add your connection to the LDAP directory (following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
  2. Can’t ask your directory server admin or don’t want to? OpenSSL can be an easy way to do it. Here’s how:
    1. After you add your identity router (following the steps in your Quick Setup Guide), access SSH on your identity router using these instructions: https://community.rsa.com/docs/DOC-75833 
    2. From the identity router command line, query the directory server to obtain the certificate chain using the following command:

      openssl s_client -showcerts -connect LDAP.SERVER:636

      where LDAP.SERVER is the LDAP directory server that has the full certificate chain loaded on it. (You might have to ask your directory server admin to know which directory server to query.)

    3. From the output, copy the sections starting from and including the BEGIN CERTIFICATE line to (and including) the last END CERTIFICATE line. Paste these lines into a local file on your desktop and call it something like ldaps.pem.
    4. When you add your Identity Source connection to the LDAP directory (again following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
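Steps 2 through 4 can be scripted; the following is an added example, not RSA's own tooling. It runs the openssl s_client query from step 2, keeps only the PEM certificate blocks (step 3), writes them to a file ready for upload (step 4), and counts them so you can see whether the server sent its full chain or only its leaf. The function names, the LDAP.SERVER placeholder and the sample s_client output are constructed for this example.

```shell
#!/bin/sh
# Added example, not RSA's own tooling. Scripts the openssl steps from the
# post: query the LDAPS server, keep only the PEM certificate blocks, and
# count them. LDAP.SERVER is a placeholder for your directory server.

# extract_chain: read `openssl s_client -showcerts` output on stdin and print
# only the lines from each BEGIN CERTIFICATE through its END CERTIFICATE,
# dropping the handshake chatter and the s:/i: labels between blocks.
extract_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }'
}

# count_certs FILE: number of PEM certificates in FILE. A count of 1 means the
# server sent only its leaf; the issuing CA certificates must come elsewhere.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# fetch_chain HOST [PORT] [OUTFILE]: the s_client query from the post.
# </dev/null closes the session instead of waiting for keyboard input, and
# -servername sends SNI in case the server answers for several hostnames.
fetch_chain() {
    host=$1; port=${2:-636}; out=${3:-ldaps.pem}
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null | extract_chain > "$out"
    echo "$(count_certs "$out") certificate(s) written to $out"
}

# Constructed sample of s_client output (fake, truncated base64) so that the
# extraction can be exercised offline; real output is far longer.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap.example.test
   i:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIBFAKELEAFCERTIFICATE000000000000000000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBFAKEINTERMEDIATECERT0000000000000000000000000000000000000000
-----END CERTIFICATE-----
---'
SAMPLE_OUT=${TMPDIR:-/tmp}/ldaps-sample.pem

# demo_extract: run the sample through extract_chain and print the count (2).
demo_extract() {
    printf '%s\n' "$SAMPLE" | extract_chain > "$SAMPLE_OUT"
    count_certs "$SAMPLE_OUT"
}
```

Run fetch_chain LDAP.SERVER against a real server; if it reports one certificate, the server sent only its leaf and the issuing CA certificates still have to come from your directory administrator. Before uploading, confirm the issuing CA's SHA-256 fingerprint with that administrator (openssl x509 -in ldaps.pem -noout -fingerprint -sha256 prints the first certificate's).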

Do you have other easy ways to get your LDAPS certificate?  If so, please share your tips and tricks in the comments!