
 

This is not an April Fools’ Day joke – RSA Charge registration fees go up from $595 to $995 on April 2. Trust us, you will not want to miss this year’s Charge event. REGISTER TODAY!

 

RSA Charge 2019 will provide you a place to discover game-changing business-driven security solutions to meet today’s greatest business challenges. Attendees will explore best practices and have opportunities to problem-solve and discuss ideas for product and service innovation to increase productivity. From customer case studies to training as well as one-on-one consultations and motivating keynotes, this year’s conference has something for everyone!

 

RSA Charge 2019 will deliver a host of new content and exciting opportunities through:

Customer-led case studies and hands-on workshops to share trends and issues specific to your industry

Thought-provoking keynote presentations that provide insights on RSA’s products, solutions and customer successes

Partner Expo highlights solutions that are driving high-impact business benefits using RSA’s solutions

Unparalleled Networking invites you to exchange ideas with your peers and RSA experts and save – early bird rates are $595 and available through April 1, 2019, then the regular registration price kicks in at $995. The RSA Charge 2019 website should be your go-to destination for all ‘Charge’ information - Call for Speakers, Agendas at a Glance, Full Agendas and speakers, Keynotes, and so much more.

 

RSA Charge 2019 will be in Orlando from September 16-19, 2019 @ Walt Disney World Dolphin & Swan Hotel, Orlando. 

 

REGISTER before April 2, save $400 and check out the RSA Charge 2019 website for continual updates like the one below:

 

Just Added: Looking for pre-conference training? Due to RSA Charge starting on a Monday and being on the Disney grounds, RSA has decided not to offer any pre-conference training this year but instead offer a whole RSA University track dedicated to your favorite training topics at no extra cost. That’s right, no additional cost!

 

There will also be RSAU representatives onsite to talk shop and answer any and all of your questions, just another reason to attend RSA Charge 2019. We look forward to seeing you all in Orlando.

Advanced Mobile Authentication for Citrix StoreFront

We are happy to announce the release of the RSA Authentication Agent v2.0 for Citrix StoreFront. The Citrix StoreFront agent is authentication software that provides Citrix StoreFront with a seamless authentication experience and additional mobile authentication methods for users inside and outside of the corporate firewall. For more details, please refer to the Release Notes.

The March release for the RSA SecurID® Access Cloud Authentication Service is now available.

This month’s release contains the following features:

Reduce Digital Risk with Threat-Aware Authentication

Threat-aware authentication allows you to control whether high risk users are allowed to access protected resources or if these users must authenticate at a higher assurance level than other users. Users might be identified as high risk because their accounts have been compromised, or because a third-party security information and event management (SIEM) solution, such as RSA NetWitness, has found suspicious activity. Additional details can be found here - Drive Intelligent Access Decisions with Identity Insights and Threat Context to Reduce Digital Risk  

Enhanced Policy Support for Multiple RADIUS Profiles

To accommodate the varied levels of privilege and policy across RADIUS clients, such as firewalls, VPN and others, RSA SecurID Access now supports multiple RADIUS profile configurations. You will be able to create custom RADIUS profiles that specify an access policy rule set to identify which users can authenticate through the clients associated with the profile. You will be able to associate multiple profiles with a single client, or the same profiles with multiple clients. More details on how to leverage multiple RADIUS profiles can be found here - Multiple RADIUS Profiles Provide Policy-Driven Granular Control

Improved Visualization of the Identity Router for Simplified Management

This release introduces improved visualization of the identity router status in the administrator's cloud console so that you can more quickly understand the root cause of any issues. Additional details can be found here - Troubleshooting Identity Router issues made easier

Improved Identity Router Troubleshooting

We have added capabilities to enable debug logging on the identity router before it has connected to the cloud service. Previously you had to connect the identity router to the cloud service before you could enable debugging. Additional details can be found here - Enhanced Troubleshooting Before You Connect to the Cloud

Add Users to the Cloud When You Need Them

Just-in-time user provisioning will sync the user to the cloud, at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. We have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Existing customers will need to navigate to turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Add Users to the Cloud Only When you Need Them

Updated Support for FIDO2

We are adding support for FIDO2 hardware tokens which use public/private key cryptography. FIDO2 can be used for step-up authentication as part of conditional policy to get access to web applications using Chrome, Firefox and Edge browsers. We continue to allow in-line registration and management for this authenticator. RSA continues to evaluate FIDO as a convenient and secure way to authenticate. FIDO2 hardware tokens are now supported on more browsers (including mobile browsers). A full list of supported browsers can be found here - Cloud Authentication Service User Requirements

Role permissions for select administrator API commands

To ensure correct API role permissions, when you generate an administrator API key you will have to select either the helpdesk or super administrator role for that key. Some REST APIs will be limited only to the super administrator role. A full list of REST APIs can be found here - Manage the Cloud Administration API Keys

For further details on all the new and updated capabilities of the March release, please refer to the Release Notes here:

RSA SecurID® Access Release Notes: Cloud Authentication Service and RSA SecurID Authenticate App 

 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

Threat Aware Authentication

In the March 2019 release of the RSA SecurID Access cloud authentication service we are happy to announce the release of Threat Aware Authentication with RSA SecurID Access (RSA® Extends Evolved SIEM Capabilities to Reduce Digital Risk with Expanded Analytics and Enables Threat Aware Authentic… ).  Threat Aware Authentication takes an innovative approach by detecting anomalous activity with RSA NetWitness Platform, leveraging advanced machine learning, and then feeding actionable insights into RSA SecurID Access. RSA SecurID Access leverages this threat intelligence, along with business context and identity insights, in real time to trigger additional authentication when the risk is high. This empowers security teams with continuous authentication as an automated out-of-the-box workflow to reduce the number of alerts that might block genuine user activity and to elevate critical alerts with higher probability of being malicious.

 

Managing Digital Risk

When RSA SecurID Access is informed of high-risk activity, whether the user was in an active session that was disconnected or is about to log into an application, it will take the threat intelligence into account in the policy assessment to determine the action. For example, if the information indicates that the risk is high, this will impact the current identity assurance, which is the confidence that the user is who they claim to be. Additional authentication will be triggered. When users need to authenticate, they can use a broad variety of modern, mobile optimized authentication options such as push to approve, biometric authentication (fingerprint and face), one-time passcodes (OTPs) and SMS, as well as software and hardware tokens, leveraging strong authentication to power identity assurance. If RSA NetWitness determines that the suspicious activity is persistent and more sophisticated remediation is required, the RSA SecurID Access policy will block the user from accessing the application.

 

Trust Elevated

This release includes new APIs to add, remove and view users on the high-risk user list as well as a new policy attribute - Determining Access Requirements for High-Risk Users in the Cloud Authentication Service. The high-risk user attribute is a binary attribute that can be included in policies to raise the level of authentication or block access to applications. The power of the policy attribute allows you to either apply a one-size-fits-all implementation or differentiate the policy action based on contextual factors. Is the application too sensitive to allow any authentication from someone on the high-risk user list? Is the risk mitigated if the user provides additional authentication factors? Threat-Aware Authentication empowers the Identity team to automate incident-response procedures, leveraging strong, multi-factor authentication, elevating trust instead of blocking users, and reduce digital risk with RSA SecurID Access.

In the March 2019 RSA SecurID Access cloud authentication service release we have enabled “just-in-time provisioning” by default for all new RSA SecurID Access customers. Just-in-time user provisioning will sync the user to the cloud, at the time of first authentication, if they are in scope for the service. This allows new users to use the service even if they have not previously been synchronized to the cloud. This also allows organizations to add identities to the cloud only when they are needed rather than syncing the entire user population to the cloud. Existing customers will need to navigate to ‘My Account > Customer Settings > Company Information’ and turn on just-in-time synchronization before they can leverage the feature. Additional details can be found here - Configure Company Information and Certificates

 

 

The Cloud Authentication Service now supports multiple RADIUS profiles. Previously, you had to use the same Default RADIUS Profile for all the RADIUS clients. This new, policy-driven capability gives you the flexibility to assign a custom RADIUS profile to a target user population. You can also provide custom return list attributes, such as VLAN assignments or IP address assignments, to RADIUS client devices, which are used to connect the target user population. The RADIUS server also sends the RADIUS client the Access-Accept message to set session parameters for that user. You can set static attribute values or use dynamic values for LDAP or Active Directory attributes to provide granular control.

 

Multiple RADIUS profiles follow these basic rules:

  1. The RADIUS client can use only one access policy. This access policy is associated with one or more identity sources and can be used by multiple RADIUS clients.
  2. Each RADIUS client can have multiple custom RADIUS profiles and a list of checklist attributes.
  3. Each access policy has one or more rule sets. These rule sets can be configured to target a smaller user population based on user attributes. For example, a rule set can target only users who have the “manager” title and can control access to specific applications.  
  4. One RADIUS profile can be associated with only one rule set and vice versa. The rule set must be in an access policy used by the RADIUS client. You can configure return list attributes for the target population tied to this rule set to provide granular control by the RADIUS client device.
  5. You can create multiple custom RADIUS profiles associated with different RADIUS clients which use the same policy.
  6. When no RADIUS profile is created for some rule sets, or the RADIUS profile for some rule sets is not associated with this RADIUS client, the default RADIUS profile is used for those rule sets (sets of users) on this RADIUS client. The default profile can have only static attribute values in its return list attributes, if configured.
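
The numbered rules above can be checked mechanically before a configuration is published. The following is an added example, not RSA's code or API: it validates rules 4 and 6 and resolves the return list for a user's matched rule set. The `Profile` and `Client` classes, the policy, rule-set and profile names, and the `vpnAddress` identity-source attribute are hypothetical, and rule-set names are assumed to be unique across policies.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    name: str
    rule_set: Optional[str]                       # None marks the default profile
    static: dict = field(default_factory=dict)    # return attribute -> fixed value
    dynamic: dict = field(default_factory=dict)   # return attribute -> identity-source attribute

@dataclass
class Client:
    name: str
    access_policy: str                            # rule 1: one access policy per client
    profiles: list = field(default_factory=list)  # associated custom profiles (rule 2)

def validate(policies, clients, default):
    """Return violations of rules 4 and 6 as a list of strings."""
    problems, owner = [], {}
    for client in clients:
        for p in client.profiles:
            # Rule 4: a rule set belongs to exactly one profile.
            if owner.setdefault(p.rule_set, p.name) != p.name:
                problems.append(f"rule set {p.rule_set!r} used by {owner[p.rule_set]} and {p.name}")
            # Rule 4: the rule set must be in the policy this client uses.
            if p.rule_set not in policies[client.access_policy]:
                problems.append(f"{client.name}: {p.name} targets {p.rule_set!r}, "
                                f"which is not in {client.access_policy}")
    # Rule 6: the default profile may carry static values only.
    if default.dynamic:
        problems.append("default profile has dynamic attributes")
    return problems

def return_list(client, rule_set, user, default):
    """Pick the profile for the rule set a user matched and build its return list."""
    # Rule 6: rule sets with no associated profile fall back to the default.
    chosen = next((p for p in client.profiles if p.rule_set == rule_set), default)
    attrs = dict(chosen.static)
    for radius_attr, source_attr in chosen.dynamic.items():
        if source_attr in user:  # omit the attribute rather than send an empty value
            attrs[radius_attr] = user[source_attr]
    return chosen.name, attrs

# Constructed sample configuration; every name and value is illustrative.
POLICIES = {"vpn-policy": {"managers", "contractors", "staff"}, "wifi-policy": {"guests"}}
DEFAULT = Profile("default", None, static={"Session-Timeout": "3600"})
MGR = Profile("mgr-profile", "managers", static={"Tunnel-Private-Group-ID": "110"},
              dynamic={"Framed-IP-Address": "vpnAddress"})
CTR = Profile("ctr-profile", "contractors", static={"Tunnel-Private-Group-ID": "120"})
VPN = Client("vpn-gw", "vpn-policy", [MGR, CTR])

if __name__ == "__main__":
    print(validate(POLICIES, [VPN], DEFAULT))
    print(return_list(VPN, "managers", {"vpnAddress": "10.1.1.7"}, DEFAULT))
    print(return_list(VPN, "staff", {}, DEFAULT))
```

In this sample the "staff" rule set has no custom profile on `vpn-gw`, so those users receive only the static attributes of the default profile.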

 

  

 

 

You can create RADIUS profiles as part of the RADIUS client workflow. You can now add checklist attributes when you configure the RADIUS client, whereas in earlier versions, checklist attributes were part of the Default RADIUS Profile. After you configure the RADIUS client, click the RADIUS Profiles on the left window pane, as shown below, to go to the RADIUS Profile configuration.

On the RADIUS Profile configuration page, you can choose to create a new custom profile. If you do not create one, Default RADIUS Profile will be associated with this RADIUS client. You can configure return list attributes for this Default RADIUS Profile, but remember that Default RADIUS Profile is the same across all the RADIUS clients. You cannot delete a Default RADIUS Profile, but this profile will not apply to RADIUS clients that are associated with at least one custom RADIUS profile. To see the Default RADIUS Profile, select Show default profile. By default this option is unselected.

 

 

 

Click New Profile to see the custom RADIUS Profile page. This page allows you to add static and dynamic return list attributes from the identity source. After you specify the attributes and rule set, you can associate this RADIUS profile to the client or just save it to make it available to other RADIUS clients. Remember that one rule set can be assigned to only one RADIUS profile. If no rule sets are available, you must create one in the access policy associated with the RADIUS client that this profile is associated with.  

 

You can also choose to disassociate or delete an associated RADIUS profile. If you want to remove a profile from the RADIUS client, click Disassociate. You can always re-associate this profile with the RADIUS client by clicking Associate. If you delete a profile, the profile will be removed from all RADIUS clients that use it.

 

You can create multiple RADIUS profiles for each RADIUS client and leverage stronger, policy-based, granular control for end-users/privileged users who access RADIUS-protected applications. We will continue to bring additional features and enhancements in future releases of the Cloud Authentication Service. Please feel free to reach out to us with any additional comments and feature requests.

 

Multiple RADIUS Profiles Demo Link

During the second half of 2018 the product team wanted to hear from our listening posts viz. customers, partners, and our field team around improving overall customer experience when it comes to RSA SecurID Access product installation and configuration. Your valuable feedback helped us refine that into Top 10 areas where we should focus our efforts. One such area was to improve troubleshooting and managing of Identity Routers (IDR) during POCs, production deployments and post-production upgrades.

 

We heard and acted upon your feedback! In the upcoming March 2019 full stack release we have introduced 13 new indicators that will help streamline your troubleshooting efforts around the identity router. The Status Indicators feature also enables more simplicity in managing some IDR functions through the Cloud administration console.

 

Some of the key challenges that these status indicators will help you narrow down are

  1. Clock drift issues between the cloud and the identity router that create SAML assertion challenges
  2. Identity source servers are unreachable or down due to various reasons
  3. Your users are not able to authenticate using SecurID HW or SW tokens due to connectivity issues between on-premise RSA Authentication Manager and the identity router
  4. Your publish operations are failing
  5. Handle issues when IDR is stuck or takes longer than usual while upgrading. The new status indicators help you identify if the potential issue is due to errors while downloading RPMs and libraries from the cloud repository OR while downloading adapters from the cloud repository

 

As always, we are open to hearing from you on innovative ways of making your day to day work easier related to managing and troubleshooting Identity Router.  To find out more about this feature, check out the product documentation here - View Identity Router Status in the Cloud Administration Console

We are happy to announce, in the March 2019 Cloud Authentication Service, that you can now use the Identity Router Setup Console to enable SSH and debug logging for in-depth troubleshooting of the identity router when it is unable to connect to the Cloud Authentication Service.  Enabling SSH in the Identity Router Setup Console provides the same functionality as enabling SSH in the Cloud Administration Console with one exception. In the Cloud Administration Console, you can limit connectivity to the identity router by specifying source networks in the SSH firewall rule. In the Identity Router Setup Console, any network component can access the identity router when you enable SSH. Because of this, enable emergency SSH only for a specified period of time and then disable it. 

The published SSH firewall setting in the Cloud Administration Console overrides the SSH setting in the Identity Router Setup Console. For example, suppose an administrator enables emergency SSH in the Identity Router Setup Console. Then another administrator removes the SSH firewall setting on the identity router in the Cloud Administration Console and publishes the changes. The Identity Router Setup Console disables emergency SSH. Additionally, if you change and save the Log Level setting in the Cloud Administration Console, the change overwrites this setting in the Identity Router Setup Console. For more details on this feature, check out the product documentation here - Troubleshooting Identity Router Issues
