RSA SecurID Access Blog: November 2018

Scammers and fraudsters are an unfortunate part of everyday life in the early 21st century. Companies buy RSA products to keep their networks, their data and their people safe from these bad guys.

The RSA SecurID Access community is a place to ask questions of our skilled support staff and share tips and tricks you have learned with other users.

That being said, please be aware that this community, along with the others on RSA Link, is open to the public and can be searched from any web browser. This openness means your posts can be mined for data you may have posted unintentionally.

For this reason, we want you to keep your data as secure on our community as you do in your deployments.

Please find our tips below for posting questions and comments on RSA Link:

1.  Do not include FQDNs and/or IP addresses in your posts or in screenshots.

Before posting snippets of log data or a screenshot of an error message, be sure to scrub private data such as the FQDNs of your Authentication Manager servers and agents, other authentication devices, etc. This includes references to network devices in a network diagram.

If you need to post log data to RSA Link, it is easy enough to do a quick search and replace, changing authmgr83p.acme.com, authmgr83r1.acme.com and authmgr83r2.acme.com to primary.domain.com, replica1.domain.com and replica2.domain.com. Be sure to mask your agents and other devices in the same way.

Replace IP addresses with x.x.x.1, x.x.x.2, etc.

You will find FQDNs and IP addresses in the files contained in the troubleshooting logs generated via the Operations Console, and in logs downloaded from your RSA Authentication Agents or other authentication devices, such as your VPN, PAM agents, etc.

For screenshots, the example authentication activity monitor shown below has all sensitive information redacted.

[Screenshot: redacted authentication activity monitor]

The logs above are for only two users (one user whose entries are white, the other whose activity is in red). If you have an authentication activity report with multiple users showing, you can scope the report to a specific user ID or, if you need to show multiple users in one report, you can color code the entries, as shown here:

[Screenshot: color-coded authentication activity report]

It's not pretty, but it protects your data.

2.  Do not include user IDs in your posts.

If you give an example of a corporate standard for your user IDs, it is easy to infer the patterns your company uses, giving the bad guys a chink in your armor. Provide an example user ID in a format other than the one you use in your environment. If you format user IDs as smithj25, provide your example as jsmith.

3.  Do not include license numbers, token serial numbers or their output in your posts.

Providing even one token serial number from a batch that your company purchased lets scammers know some or all of the token serial number ranges you own.

Redact this information from screenshots or replace the numbers with xxxxxxxxxxxx. To refer to multiple tokens, say for different users having an issue, try xxxxxxxxxxx1, xxxxxxxxxxx2, xxxxxxxxxxx3, etc. Never post any token seed media or output from token seed media to RSA Link. This includes the following files and any content inside them:

  • The license XML file,
  • The token seed XML,
  • A decrypt-codes[xxx-xxx-xxx].zip,
  • A CT-KIP string, or
  • A Compressed Token Format (CTF) file, also known as an .sdtid file.

4.  Don't attach database exports to your posts.

They should be too large to attach anyway, but we want to spell this out.
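The search-and-replace that tips 1 to 3 describe is easy to get wrong by hand when a snippet has many lines, so here is a small Python redaction helper as an added example. It is not an RSA tool and not part of the original post. It maps the post's example hostnames (authmgr83p.acme.com and friends) to the neutral names the post suggests, gives any other host in your internal domain a numbered placeholder, turns IPv4 addresses into x.x.x.1, x.x.x.2 and so on, replaces 12-digit token serial numbers with xxxxxxxxxxx1, xxxxxxxxxxx2, and replaces listed user IDs with user1, user2. The sample log lines and their layout are constructed for this example and are not real Authentication Manager output; the user ID doej07, the event names and the assumption that token serial numbers are 12 digits are the example's own.

```python
"""Redaction helper for log snippets before they are posted to a public forum.

Added example, not an RSA tool. Every distinct real value gets a numbered
placeholder the first time it is seen and the same placeholder every time
after, so the redacted snippet still shows which events belong to the same
host, address, token or user.
"""
import re

# Hostnames from the post's own example, mapped to the neutral names it suggests.
DEFAULT_HOST_MAP = {
    "authmgr83p.acme.com": "primary.domain.com",
    "authmgr83r1.acme.com": "replica1.domain.com",
    "authmgr83r2.acme.com": "replica2.domain.com",
}

# Deliberately loose: anything that looks like a dotted quad is scrubbed, so a
# version string such as 8.3.0.1 may be caught as well. Erring on the side of
# caution is what the post asks for.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption for this example: token serial numbers are 12 digits.
TOKEN_SERIAL_RE = re.compile(r"\b\d{12}\b")


class Redactor:
    def __init__(self, internal_domains, user_ids, host_map=None):
        source = DEFAULT_HOST_MAP if host_map is None else host_map
        self.host_map = {k.lower(): v for k, v in source.items()}
        self.ip_map, self.serial_map, self.user_map = {}, {}, {}
        self._hosts_seen = 0
        # Any label chain ending in one of the caller's internal domains.
        domains = "|".join(re.escape(d) for d in internal_domains)
        self.host_re = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:%s)\b" % domains, re.IGNORECASE)
        # Longest IDs first so a shorter ID never clips a match of a longer one.
        ids = sorted(user_ids, key=len, reverse=True)
        self.user_re = re.compile(r"\b(?:%s)\b" % "|".join(re.escape(u) for u in ids)) if ids else None

    def _host(self, m):
        name = m.group(0).lower()
        if name not in self.host_map:
            self._hosts_seen += 1
            self.host_map[name] = "host%d.domain.com" % self._hosts_seen
        return self.host_map[name]

    def _ip(self, m):
        return self.ip_map.setdefault(m.group(0), "x.x.x.%d" % (len(self.ip_map) + 1))

    def _serial(self, m):
        # Keep the 12-character width: xxxxxxxxxxx1, xxxxxxxxxxx2, ..., xxxxxxxxxx12
        n = len(self.serial_map) + 1
        return self.serial_map.setdefault(m.group(0), ("x" * 12 + str(n))[-12:])

    def _user(self, m):
        return self.user_map.setdefault(m.group(0), "user%d" % (len(self.user_map) + 1))

    def redact(self, text):
        """Return text with hostnames, IPv4 addresses, token serials and user IDs replaced."""
        text = self.host_re.sub(self._host, text)
        text = IPV4_RE.sub(self._ip, text)
        text = TOKEN_SERIAL_RE.sub(self._serial, text)
        if self.user_re:
            text = self.user_re.sub(self._user, text)
        return text


# Constructed sample log lines (not real RSA output; the layout is invented here).
SAMPLE_LOG = """\
2018-11-12 09:14:03 authmgr83p.acme.com 10.20.30.41 AUTH_FAILURE user=smithj25 token=123456789012 agent=vpn01.acme.com 10.20.30.77
2018-11-12 09:14:21 authmgr83p.acme.com 10.20.30.41 AUTH_SUCCESS user=smithj25 token=123456789012 agent=vpn01.acme.com 10.20.30.77
2018-11-12 09:15:02 authmgr83r1.acme.com 10.20.30.42 AUTH_SUCCESS user=doej07 token=123456789099 agent=pam-web.acme.com 10.20.31.5
"""


def redact_sample():
    """Redact SAMPLE_LOG; returns (redacted_text, redactor) so the mapping can be kept privately."""
    r = Redactor(internal_domains=["acme.com"], user_ids=["smithj25", "doej07"])
    return r.redact(SAMPLE_LOG), r


if __name__ == "__main__":
    redacted, r = redact_sample()
    print(redacted)
    # Keep this mapping to yourself; it lets you translate a reply back to your real hosts.
    print("private mapping:", r.host_map, r.ip_map, r.serial_map, r.user_map)
```

Run it over a snippet, paste only the redacted text into your post, and keep the printed mapping locally so you can map a support engineer's reply back to the real hosts and tokens. The placeholders are numbered in order of first appearance, so two events from the same agent still show as the same host in the redacted snippet.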
Best practice guidelines

We'd rather you err on the side of caution and have us request more information from you than have you provide too much that may not even be needed. When posting, follow these simple rules:

  • Redact all private information in your posts.
  • Be careful about the information you attach to the post.
  • Post your redacted information and wait for a reply from a support engineer, who will either answer your concern or suggest you open a case by contacting RSA Customer Support.

If you have any questions about what is OK or not OK to post, drop a comment below and we will be happy to answer you.

The November release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This month, we expand deployment flexibility in a number of ways to provide even more business agility and operational efficiency, giving your admins and users the flexibility they need to support business needs.

Identity Router in the cloud - Amazon Web Services deployment

It is now possible to install the Identity Router (IDR) in your private Amazon Web Services (AWS) space, saving the time and effort of deploying the IDR in your on-premises environment.

RSA no longer requires an on-premises footprint for the IDR.

From AWS EC2, the Identity Router connects back to your on-premises Active Directory/LDAP identity source to support a hybrid cloud deployment. Using this hybrid cloud deployment model, you can continue to host your Authentication Manager on-premises and use RSA SecurID hardware/software tokens to protect critical cloud applications. The Identity Router in AWS connects to your on-premises Authentication Manager via a VPN connection or AWS Direct Connect. Having said that, watch for further cloud deployment developments next month on the Authentication Manager side!

The identity source can also be hosted in AWS or other cloud environments (e.g. Azure) to support a full multi-cloud deployment.

The download and distribution of the IDR AMI is fully automated. Administrators can launch the AMI in EC2 by entering the relevant AWS account credentials in RSA’s Cloud Authentication Service console. The AMI is shared securely to your private EC2 space based on explicit permissions for those specific AWS accounts.

This now gives you three flexible deployment options for the IDR: VMware, Hyper-V and AWS.

Help Desk your way: administration APIs to integrate CAS into your application

This month, we are announcing the release of a series of administration APIs to support the integration of RSA SecurID® Access with your service desk applications.

Using these REST APIs, integrated into your service desk application, lets your Help Desk staff use familiar user interfaces to search for RSA SecurID® Access users, unlock their devices, delete unused devices, and update SMS and Voice option telephone numbers.

This integration can help reduce the learning curve for adopting RSA SecurID® Access and reduce additional training requirements for your help desk administrators.

Stay tuned here! More APIs to support additional use cases are planned for subsequent releases.

Expanded device self-service to reduce Help Desk calls

This month, the new MyPage self-registration portal adds the capability for a user to delete their device. Used in conjunction with the previous registration capability, this means a user can add, delete or change (by deleting the old device and adding the new one) a device. A major step forward in empowering end-user self-service and thereby reducing Help Desk traffic!

Expanded RADIUS support - clientless SSL VPN support

This month, we add a new feature enhancing the user experience for application-specific VPN access when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end users with an improved user experience for Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from the RSA SecurID Access Cloud Authentication Service console and deploy the toolkit in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access, creating captive portals on the wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integrations because of the inherent flexibility and power of configuring security policies, but this can come at the expense of a diminished user experience. With RSA’s new web toolkit, you can continue to use RADIUS-based integration while still providing a great end-user experience, whether an end user is trying to access Microsoft OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the recently introduced RADIUS Auto-Push notification and provide a passwordless experience to users of RADIUS-based applications using this new web toolkit, elevating your end users’ experience.

Figure 3.  Cisco Clientless SSL VPN step-up authentication end-user experience

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors. Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting. RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see the link below for the complete list).

Later this week, these new connectors are planned: Barracuda Web Application Firewall, GoAnywhere, ProxyClick, Salsify, Scale FT, Shuffler, SignalFX, Workato.

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access, helping protect the resources that matter most to you. See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

For further details on all the new and updated capabilities of the November release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414

and the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Hackers are eyeing your privileged accounts, so you had better be using more than “admin123” to secure them. Multi-factor authentication from RSA SecurID Access provides the strongest security for your most sensitive access points. It uses risk and behavior analytics to ensure that the users logging into your privileged accounts are legitimate, and not malicious insiders or external attackers exploiting weak passwords. Use it to protect privileged access management solutions like CyberArk.

CyberArk Enterprise Password Vault, a component of the CyberArk Privileged Account Security Solution, is designed to automatically secure, rotate and control access to privileged account passwords based on flexible organizational policies, reducing access-based security risks and supporting compliance requirements. RSA SecurID Access secures the CyberArk Enterprise Password Vault with MFA to ensure that only appropriate users access these highly sensitive resources.

Sign up for the webinar on securing privileged access >

Watch a quick demo:

RSA SecurID Access - CyberArk Password Vault Web Access RADIUS Integration

RSA Ready: RSA SecurID Access - CyberArk Password Vault Web Access SAML integration

For more information visit: Securing Privileged Access with Multi-Factor Authentication
