Advanced Mobile Authentication for Citrix StoreFront
We are happy to announce the release of the RSA Authentication Agent v2.0 for Citrix StoreFront. The Citrix StoreFront agent is authentication software that provides Citrix StoreFront with a seamless authentication experience and additional mobile authentication methods for users inside and outside of the corporate firewall. For more details please refer to the Release Notes.
The March release for the RSA SecurID® Access Cloud Authentication Service is now available.
This month’s release contains the following features:
Reduce Digital Risk with Threat-Aware Authentication
Threat-aware authentication allows you to control whether high-risk users are allowed to access protected resources or whether these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Additional details can be found here - Drive Intelligent Access Decisions with Identity Insights and Threat Context to Reduce Digital Risk
Enhanced Policy Support for Multiple RADIUS Profiles
To accommodate the varied levels of privilege and policy across RADIUS clients, such as firewalls, VPNs and others, RSA SecurID Access now supports multiple RADIUS profile configurations. You will be able to create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. You will be able to associate multiple profiles with a single client, or the same profiles with multiple clients. More details on how to leverage multiple RADIUS profiles can be found here - Multiple RADIUS Profiles Provide Policy-Driven Granular Control
Improved Visualization of the Identity Router for Simplified Management
This release introduces improved visualization of the identity router status in the administrator's cloud console so that you can more quickly understand the root cause of any issues. Additional details can be found here - Troubleshooting Identity Router issues made easier
Improved Identity Router Troubleshooting
We have added the capability to enable debug logging on the identity router before it has connected to the cloud service. Previously you had to connect the identity router to the cloud service before you could enable debugging. Additional details can be found here - Enhanced Troubleshooting Before You Connect to the Cloud
Add Users to the Cloud When You Need Them
Just-in-time user provisioning will sync the user to the cloud, at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. We have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Existing customers will need to turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Add Users to the Cloud Only When you Need Them
We are adding support for FIDO2 hardware tokens, which use public/private key cryptography. FIDO2 can be used for step-up authentication as part of a conditional policy to get access to web applications using Chrome, Firefox and Edge browsers. We continue to allow in-line registration and management for this authenticator. RSA continues to evaluate FIDO as a convenient and secure way to authenticate. FIDO2 hardware tokens are now supported on more browsers (including mobile browsers). A full list of supported browsers can be found here - Cloud Authentication Service User Requirements
Role permissions for select administrator API commands
To ensure correct API role permissions, when you generate an administrator API key you will have to select either the helpdesk or super administrator role for that key. Some REST APIs will be limited to the super administrator role only. A full list of REST APIs can be found here - Manage the Cloud Administration API Keys
For further details on all the new and updated capabilities of the March release, please refer to the Release Notes here:
and product documentation here:
All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.
Threat Aware Authentication
In the March 2019 release of the RSA SecurID Access cloud authentication service we are happy to announce the release of Threat Aware Authentication with RSA SecurID Access (RSA® Extends Evolved SIEM Capabilities to Reduce Digital Risk with Expanded Analytics and Enables Threat Aware Authentic… ). Threat Aware Authentication takes an innovative approach by detecting anomalous activity with RSA NetWitness Platform, leveraging advanced machine learning, and then feeding actionable insights into RSA SecurID Access. RSA SecurID Access leverages this threat intelligence, along with business context and identity insights, in real time to trigger additional authentication when the risk is high. This empowers security teams with continuous authentication as an automated out-of-the-box workflow to reduce the number of alerts that might block genuine user activity and to elevate critical alerts with higher probability of being malicious.
Managing Digital Risk
When RSA SecurID Access is informed of high-risk activity, whether the user was in an active session that was disconnected or is about to log into an application, it will take the threat intelligence into account in the policy assessment to determine the action. For example, if the information indicates that the risk is high, this will impact the current identity assurance, which is the confidence that the user is who they claim to be. Additional authentication will be triggered. When users need to authenticate, they can use a broad variety of modern, mobile-optimized authentication options such as push to approve, biometric authentication (fingerprint and face), one-time passcodes (OTPs) and SMS, as well as software and hardware tokens, leveraging strong authentication to power identity assurance. If RSA NetWitness determines that the suspicious activity is persistent and more sophisticated remediation is required, the RSA SecurID Access policy will block the user from accessing the application.
This release includes new APIs to add, remove and view users on the high-risk user list as well as a new policy attribute - Determining Access Requirements for High-Risk Users in the Cloud Authentication Service. The high-risk user attribute is a binary attribute that can be included in policies to raise the level of authentication or block access to applications. The policy attribute allows you to either apply a one-size-fits-all implementation or differentiate the policy action based on contextual factors. Is the application too sensitive to allow any authentication from someone on the high-risk user list? Is the risk mitigated if the user provides additional authentication factors? Threat-Aware Authentication empowers the Identity team to automate incident-response procedures, leveraging strong, multi-factor authentication, elevating trust instead of blocking users, and reducing digital risk with RSA SecurID Access.
In the March 2019 RSA SecurID Access cloud authentication service release we have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Just-in-time user provisioning will sync the user to the cloud, at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. This also allows organizations to add identities to the cloud only when they are needed rather than syncing the entire user population to the cloud. Existing customers will need to navigate to ‘My Account > Customer Settings > Company Information’ and turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Configure Company Information and Certificates
To see the Default RADIUS Profile, select Show default profile. By default this option is unselected.
You can create multiple RADIUS profiles for each RADIUS client and leverage stronger, policy-based, granular control for end-users/privileged users who access RADIUS-protected applications.
We are happy to announce, in the March 2019 Cloud Authentication Service, that you can now use the Identity Router Setup Console to enable SSH and debug logging for in-depth troubleshooting of the identity router when it is unable to connect to the Cloud Authentication Service. Enabling SSH in the Identity Router Setup Console provides the same functionality as enabling SSH in the Cloud Administration Console with one exception. In the Cloud Administration Console, you can limit connectivity to the identity router by specifying source networks in the SSH firewall rule. In the Identity Router Setup Console, any network component can access the identity router when you enable SSH. Because of this, enable emergency SSH only for a specified period of time and then disable it.
The published SSH firewall setting in the Cloud Administration Console overrides the SSH setting in the Identity Router Setup Console. For example, suppose an administrator enables emergency SSH in the Identity Router Setup Console. Then another administrator removes the SSH firewall setting on the identity router in the Cloud Administration Console and publishes the changes. The Identity Router Setup Console disables emergency SSH. Additionally, if you change and save the Log Level setting in the Cloud Administration Console, the change overwrites this setting in the Identity Router Setup Console. For more details on this feature, check out the product documentation here - Troubleshooting Identity Router Issues