
RSA SecurID Access

3 Posts authored by: Nandini V Employee

We understand the challenges of our customers in the federal and public sector space who are making strategic investments to securely manage their IT infrastructure and planning to migrate to the cloud. While the scope of various regulatory frameworks (FedRAMP, FISMA, DISA STIGs) may or may not  be relevant to your organization, the benefit of “Do once, apply many times” goes beyond any specific compliance. Commercial customers gain a lot from the IT vendors who comply with the security standards and best practices, as this also increases the trust of your customers. With the additional insights and transparency, enterprises can improve the information security strategy of their overall IT programs.

RSA continues to reduce your compliance burden by always staying on top of the security best practices. Our continuous platform upgrades and improvements ensure customers are kept safe from security holes and vulnerabilities. With the latest release of Cloud, Mobile and Identity Router, we are excited to bring these updates that are layered across RSA SecurID Access to provide outstanding protection for your data and information.

 

FIPS 140-2 Update - Why Is It Important?

We are living in the era of zettabytes, where the data is growing at a mind-boggling rate. Given the proliferation of digital data, protecting data from being exposed to potential attacks is crucial. This requires the continuous update of cryptographic modules. Federal Information Processing Standard (FIPS) 140-2 standardizes the cryptographic requirements to manage data at rest (storage), as well as data in motion (transmission).

FIPS 140-2 plays an important role outside government as well. For example, healthcare organizations have a mandatory requirement of using FIPS-validated MFA for EPCS (Electronic Prescription of Controlled Substances) systems. The military uses it to be compliant with DFARS (Defense Federal Acquisition Regulation Supplement) to protect data at rest. It is also critical for fintech organizations to leverage reliable and standard cryptographic-based tools and systems.

RSA SecurID Access continues to leverage FIPS 140-2 validated cryptography modules to constantly align our various components - Cloud Authentication Service, Identity Router and RSA SecurID Authenticate app (Android, iOS and Windows) to achieve compliance on any given day. So you can march confidently towards meeting your compliance needs where FIPS 140-2 compliance is a non-negotiable item.

 

Identity Router Release - What’s Special About It?

We continue to make investments in building the most secure identity infrastructure so that we have your complete trust in enabling your business. Be it getting rid of outdated operating systems, upgrading the crypto libraries (as part of our comprehensive security regimes) or making configuration changes to be compliant with the latest guidelines that created buzz yesterday, we want to have it all covered. To achieve this goal, regular upgrade cycles are necessary. With the release of Identity Router, we are excited that our customers will benefit from these additional security enhancements, including those with compliance mandates.

  • A layer of defense: By adhering to the Security Technical Implementation Guide (STIG), the November release of the Identity Router image adds yet another layer to meet the compliance requirements elicited by DISA, the Defense Information Systems Agency, part of the US Department of Defense (DoD). This ensures the operating system, network infrastructure and other computing systems are hardened to operate in the federal infrastructure.
  • Beyond Compliance: Following security benchmarks, whether you are in federal government or not, helps in maintaining the overall security posture of your IT infrastructure. STIGs play a critical role in ensuring the systems are configured as securely as possible (rather than going by the “default settings”) to prevent them from being an easy target for cyber attacks. Security vulnerabilities can be costly and frustrating for commercial organizations as well.
  • Keeping Current: Running an outdated operating system or application software in production is like a ticking time bomb. These could put your network infrastructure and business at risk even before the auditors raise them as red flags. With the SLES 12 SP5 upgrade, we want to ensure our customers are always on the latest and greatest of the software and keep your IT teams and auditors happy.

 

Other Updates

Admin Console - Security Beyond MFA

To further tighten security, the administrator console of RSA SecurID Access Cloud Authentication Service now has additional access control measures baked in as part of account and access management. These additional controls enforce stricter policies, such as session lockout interval, unsuccessful login attempts and password complexity, as part of authentication. With the risk of cyber attacks, any such additional measures to prevent hackers from gaining access to critical resources and accounts go a long way.

 

Usage Reporting - The More Data The Merrier

Usage reporting of Cloud Authentication Service is enhanced to include an additional usage metric, Active Users. If you are an administrator, you probably know the existing usage metrics that are made available through our Cloud Administration Retrieve License Usage API. The existing usage reports already show MFA licenses count, users with FIDO authenticator and SMS/Voice data; the new report metric shows the number of unique users successfully authenticated by Cloud Authentication Service for MFA. Besides addressing compliance needs, this report will also come in handy for planning for the future. You can use this data for effective budgeting and capacity planning as part of your MFA deployment strategy.

 

To learn about additional November 2020 updates, see November Release Notes. 

 

Flexible Access Policy Assignment to Reduce Administrative Overhead

Some applications, such as SSO applications, may need to invoke a specific authentication policy in RSA SecurID Access based on a condition (for example, the user group and/or resource being accessed). SAML-based applications can use the AuthnContext SAML attribute to do just this. But some SSO platforms do not have this support and pose a challenge in complex customer environments. To overcome this limitation, we provide the flexibility to invoke a specific authentication policy based on specific conditions. As part of the SAML connector configuration, administrators can customize the Entity ID of an identity provider by adding a discriminator unique to a SAML-based service provider (SP). This enables you to use different access policies for different SAML-based applications to improve security and flexibility. To learn about additional features in September 2020, see September Release Notes. 

 

Authenticate to the Cloud Administration Console through a Third-Party Identity Provider

You can now securely sign into the Cloud Administration Console through federation by extending  your identity provider (IdP). This is useful in general but specifically becomes very handy for federal administrators who use  a common access card (CAC) and personal identity verification (PIV) and can continue to use their third-party IdP infrastructure to perform a federated sign-in to the Cloud Administration Console. We encourage you to test this feature in a development environment to make sure everything works before moving into production. To learn about additional features in September 2020, see September Release Notes. 

In today’s ever-changing world, enterprises are striving to deploy the right identity management strategy that fits their current environment and future needs. Businesses with the traditional physical-office-only setup, have had to adapt and flex new muscles to enable remote access for their employees.

 

As the businesses shift the operations from office to home, remote working does come with its risks. Unprotected endpoints through which the workforce accesses the corporate network become easy targets. These laptops contain the organization’s sensitive data. Protecting these corporate endpoints and workstations with stronger multi-factor authentication is no longer a choice, it’s a necessity.

 

The timing couldn’t have been better for launching the latest RSA SecurID Access innovations, including RSA MFA Agent 2.0.1 for Microsoft Windows, considering the need to rapidly enable remote access for a dynamic workforce leveraging the RSA Cloud Authentication Service. MFA Agent 2.0.1, built on a modern and secure interface, provides a seamless and consistent Windows sign-in experience from ground-to-cloud.

 

The traditional RSA Authentication Agent 7.4 connects to RSA Authentication Manager to provide strong and highly reliable authentication services. MFA Agent 1.2, built on a REST interface, enables modern authentication such as push to approve and device biometrics, leveraging RSA Cloud Authentication Service.

MFA Agent 2.0.1 merges the best of two worlds. It is a universal Agent leveraging RSA Authentication Manager 8.5 and the RSA Cloud Authentication Service to provide strong multi-factor authentication to users signing into Windows, both online and offline.

 

Boost Remote Productivity and Experience – With No Fail-Open

Enabling secure remote access is the top concern for organizations. Seamless and consistent authentication experience is no longer a second priority. When users are challenged for multi-factor authentication, they do not care if they are connected to an on-premises data center or cloud. They want convenience and consistency whether they are online or offline. With “no fail-open” offline authentication mechanisms, RSA ensures users are fully authenticated with strong multi-factor authentication even if they are offline. In addition to providing various options for online and offline authentication, MFA Agent 2.0.1 takes care of emergencies too. Users with lost or stolen authenticators or no network connectivity can now log on to Windows machines using Emergency Access codes without causing any disruptions.

 

More Power to Administrators - Dynamic workforce just got even more dynamic

The year 2020 saw a sharp increase in remote workers, comprising permanent employees, temporary workers, and third-party partners. In addition to provisioning remote access, you need to ensure the right authentication methods are enforced for the right people with the right assurance levels. Through the admin console, you can manage every user’s authentication requirements, from traditional hardware tokens to device biometrics. MFA 2.0.1 also offers administrators a slew of controls to tailor the authentication experience to meet their business needs. Policies are at your disposal to customize settings such as load balancing and failover mechanisms, user access with challenge groups, and password order changes. These additional controls not only empower the administrators but also provide greater flexibility.

 

Accelerate the journey to the cloud – Change doesn’t always have to be scary

Organizations are looking to modernize the authentication experience and migrate to the cloud, but are apprehensive about the possible disruptions it could cause to their current setup. In that light, here are some key features to help you with this preparation.

Connecting on-premises to the cloud: The proxy and high availability features of Authentication Manager 8.5 ensure the dynamic workforce is secured 24x7. If the cloud service becomes unavailable, the RSA Authentication Manager takes over authentication requests. This hybrid approach ensures users are “always-on” and work as securely, reliably, and productively as those on the network.

Co-existence of Agents: Co-existence of traditional and MFA Agents allows you to take a phased approach. Break down the large deployment into smaller launch plans targeting the sub-population to leverage Cloud Authentication Service.

Migration & Upgrade Paths: For a smooth migration from the Authentication Agent 7.4 or later versions,  you can use the migration utility packaged with the installer. This ensures the policy settings are migrated automatically to the new policy templates.  Customers who are on MFA Agent 1.1 or later version can directly upgrade to MFA 2.0.1.

 

To learn more about the features see release notes.

As we all are transitioning to embrace the new normal and support the remote workforce, there is an unprecedented need to keep the endpoints secure without compromising convenience. It is critical that we take steps to enable the dynamic workforce to access resources by providing a frictionless and seamless experience. We are excited to provide updates as part of June, 2020 Release that perfectly align with this objective.

 

 

RSA® MFA Agent for macOS® 

 

Endpoint security is a major concern for CSOs and IT managers. Given the pandemic situation, there is a significant increase in the number of end-user devices (especially laptops and desktops) trying to access the corporate network remotely, along with a corresponding increase in the number of hackers trying to compromise them. With RSA® MFA Agent for macOS®, organizations can protect and ensure secure logins to macOS® laptops and workstations. RSA® MFA Agent for macOS® works with RSA SecurID Access Cloud Authentication Service to require users to provide additional authentication to sign into macOS® consoles, whether they are online or offline.

 

Today’s enterprises understand and acknowledge the need to manage identities in a dynamic fashion given their dynamic environment and dynamic workforce. Although strong authentication is top of mind, convenience and user experience are no longer a secondary priority. Defying the “more-is-more" approach, customers and users want to manage a minimum set of authenticators for an efficient and seamless experience across use cases.

 

With the above statement as our preamble for the RSA® MFA Agent for macOS®, the authentication options available to end users when everything is working normally are Push to Approve, RSA SecurID Authenticate Tokencode and RSA SecurID Tokens. The Agent falls back to Authenticate Tokencode when users are offline and offers an Emergency Tokencode option when they have no access to authenticators. With RSA SecurID Access, users are always connected securely.
 

 

By protecting macOS machines not just during user logins but also during screen unlocks, and with the no-fail-open design, RSA ensures there is no “slip through the cracks” situation even when the Agent cannot reach the Cloud Authentication Service.

 

To learn more and watch the MFA Agent in action, see:

Cake for All! Secure & Convenient Login for The New Enterprise for macOS®  

Watch RSA® MFA Agent for macOS® In Action

 

View and Track License Usage Information  

 

Understanding the product usage is an important factor for planning and forecasting future license upgrades. Customers can view their current usage of MFA on RSA SecurID Access and Authenticators registered for the service. Administrators can access the following information to determine:

  • Number of users with Multi-factor authentication (MFA) licenses 
  • Number of users with third-party FIDO authenticators
  • Number of SMS/Voice Tokencodes consumed 

 

This data is refreshed automatically every hour to ensure that administrators have visibility to the most recent information.

 

Get More Out of Enterprise and Premium Editions of RSA SecurID Access with the Third Party FIDO Authenticators 

 

We all know how effective FIDO is when it comes to thwarting phishing and man-in-the-middle attacks. The FIDO Alliance promotes and supports stronger authentication standards that help reduce the over-reliance on passwords. So does RSA!

 

In December 2019, RSA partnered with Yubico® to address the needs of a dynamic workforce and provide modern and frictionless authentication experience with the FIDO authentication solution. With FIDO2 and RSA SecurID Access Authentication services, RSA customers enjoy the passwordless experience while accessing SaaS and web applications.  

 

Until recently, the customers had to purchase RSA SecurID MFA licenses to use FIDO/FIDO2 authenticators. With this change, we are removing the frictions for the enterprises to adopt and build stronger and more modern authentication strategies.  

 

FIDO Authentication Support  

 

While we are talking about extending the support for FIDO, why not talk about the RSA SecurID Authentication API? It is a REST-based programming interface that allows RSA customers and partners to leverage MFA capabilities for custom-built applications.

 

In the June release, the RSA SecurID Authentication API supports FIDO/FIDO2 as an authentication method along with the existing MFA methods. To supplement FIDO as part of authentication, RSA SecurID Access supports managing the entire lifecycle too. RSA understands that for organizations to begin using FIDO at scale, it takes more than just authentication support for the protocol. At the initial login authentication attempt, users can enroll their FIDO authenticators or keys before using them as part of multi-factor authentication methods. By providing users with the ability to manage the keys with self-service and in-line registration, RSA removes barriers for organizations and technology partners to adopt RSA SecurID Authentication support for FIDO.

 

 

To learn about additional updates coming out in June 2020, see June Release Notes. 

 
