Shashank Rajvanshi

Simplify Identity Access and Assurance Decisions on AWS with RSA SecurID and Session Tags

Blog Post created by Shashank Rajvanshi Employee on Nov 25, 2019

Today RSA announced that it has completed an integration with Amazon Web Services (AWS) that ties AWS Session Tags to identity context supplied by RSA SecurID Access.

This integration takes advantage of the benefits of Session Tags (more on this shortly) and the strengths of RSA SecurID Access, an industry-leading and award-winning multifactor authentication and identity assurance solution. RSA customers can now extend the value of the identity context they already maintain in the product to further strengthen the security of their AWS resources. Combined with the flexible deployment options of RSA SecurID Access (SaaS, cloud, on-premises, or hybrid), its choice of authentication methods (mobile push notifications, one-time passwords, fingerprint/facial biometrics, SMS, voice recognition, FIDO, and hardware and software tokens), and its dynamic, risk-driven access policies, this integration simplifies intelligent identity access and assurance decisions.

For the uninitiated, Session Tags enable AWS users to categorize resources and associate them with critical business aspects, such as purpose, environment or owner. In a world of dynamic hybrid cloud environments and workload management, maintaining these associations can be complex and can expose users of these systems to risk.

As noted, one of the primary parameters for categorization is owner, i.e., who is responsible for maintaining this resource. As our IT boundaries continue to break down, the ability to leverage identity as the basis of ensuring data and resource confidentiality, integrity and availability becomes a critical link in enabling secure cloud strategy.

Typically, the only information IAM or security teams have about a user authenticating to AWS is their username. That alone is insufficient for an organization to truly understand what the user should have access to. How would a downstream system (in this case, AWS) evaluate the login event and determine whether access to an environment should be allowed? Additional user context added by RSA SecurID Access as Session Tags can help close this gap.

Beyond the user ID, RSA SecurID Access can provide additional context as tags, such as displayName, emailAddress, title, organization, department, manager, and officeLocation. Given this additional context, appropriate permissions can be applied to the session. A customer can define many more of these tags in RSA SecurID Access.

All of this additional context can be passed in the form of Session Tags, and appropriate permissions can then be applied based on a user's department, manager, or other attributes. This attribute-based access control (ABAC) mechanism lets downstream decisions, whether made by a human or a machine, be grounded in business context, i.e., permission rules in AWS IAM.
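
To make the ABAC idea concrete, here is an added CloudFormation example (not RSA's or AWS's own code) of a federated role whose permissions are scoped by a department Session Tag that the identity provider sets at sign-in. It assumes the IdP is registered as the SAML provider named by the placeholder ARN and that RSA SecurID Access sends the tag as the SAML attribute https://aws.amazon.com/SAML/Attributes/PrincipalTag:department; the role name, tag keys and EC2 actions are illustrative choices.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SamlProviderArn:
    Type: String
    # Placeholder: the IAM SAML provider created for RSA SecurID Access
    Default: arn:aws:iam::111122223333:saml-provider/RSASecurIDAccess
Resources:
  SessionTagRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: rsa-abac-operator
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          # The IdP may assume the role and set session tags, but only these keys
          - Effect: Allow
            Principal:
              Federated: !Ref SamlProviderArn
            Action: [sts:AssumeRoleWithSAML, sts:TagSession]
            Condition:
              StringEquals:
                "SAML:aud": https://signin.aws.amazon.com/saml
              "ForAllValues:StringEquals":
                "aws:TagKeys": [department, title]
      Policies:
        - PolicyName: department-scoped-ec2
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Listing has no resource-level scope, so no tag condition is possible here
              - Effect: Allow
                Action: ec2:DescribeInstances
                Resource: "*"
              # Lifecycle actions only on instances whose department tag matches the session tag.
              # If the IdP sends no department tag the variable is unresolved and this never matches.
              - Effect: Allow
                Action: [ec2:StartInstances, ec2:StopInstances, ec2:RebootInstances]
                Resource: arn:aws:ec2:*:*:instance/*
                Condition:
                  StringEquals:
                    "aws:ResourceTag/department": "${aws:PrincipalTag/department}"
              # Nobody may rewrite the department tag to move an instance into another team's scope
              - Effect: Deny
                Action: [ec2:CreateTags, ec2:DeleteTags]
                Resource: "*"
                Condition:
                  "ForAnyValue:StringEquals":
                    "aws:TagKeys": [department]
```

The aws:TagKeys condition in the trust policy is the control to watch: without it, any tag key the IdP emits becomes a session tag, so a misconfigured attribute mapping could satisfy conditions in other policies.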

As part of our growing collaboration with AWS, we’re excited about this integration as another step in advancing customers’ ability to manage new digital risks as they transform IT through opportunities such as cloud computing.

Current RSA SecurID customers interested in leveraging this new integration can learn more here.