
RSA SecurID Access

7 Posts authored by: Robin Cohan Employee

The January release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. These updates help enterprises provide secure and convenient authentication choices for their users.

Updated Android Push technology - update your app!

Google Android has migrated to new push notification technology - Firebase Cloud Messaging (FCM).  The RSA SecurID Authenticate mobile app for Android now supports the newer, more secure push technology.  As a result, all users of the Android app must update their phones with this latest app version (v2.2.1) by March 31, 2019 to continue using push authentications. Please be sure to notify all your Android users of this important update requirement.

Help Desk your way: Administration APIs to integrate CAS into your application

In November, we announced the release of a series of administration APIs, to support the integration of RSA SecurID® Access with your service desk applications.

 

These REST APIs, integrated into your service desk application, allow your Help Desk staff to use familiar user interfaces to perform various user management tasks for RSA SecurID® Access users.

This month, we extend the range of these APIs to include user management functions (enable, disable, sync, delete), and expanded user search capabilities.

 

Using our APIs to integrate SecurID Access administrative functions into your existing service desk application can help accelerate administrators’ learning curve for adopting RSA SecurID® Access and reduce training requirements for your help desk administrators.

 

Related to this, the RSA Professional Services help desk solution “RSA SecurID Access Prime” (formerly known as “AM Prime”) has been updated, using these APIs to provide insight into cloud users. It’s really exciting to see how this great help desk solution, used by many of our largest customers, can now expose a single unified interface for management of both token and mobile (cloud) users.

Updated documentation on high availability configurations

RSA SecurID Access is so critical to the operation of our customers’ applications that high availability configurations of the identity router are routine.  As such, we have updated our product documentation to better explain how to configure IDR connections for high availability deployment. We hope this will make your SecurID Access setup more straightforward.

Additional Identity Source option

RSA has qualified Microsoft Active Directory 2019 for use as an identity source with the Cloud Authentication Service, expanding your configuration options.  Note that this applies only to the cloud service - Authentication Manager will target the updated support in a future release.

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see the link below for the complete list).

Later this week, these new connectors are planned for release: Pacific Timesheet, Illumio, Float, Teem, Keeper Password Vault.

 

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

 

For further details on all the new and updated capabilities of the January release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

The November release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This month, we expand deployment flexibility in a number of different ways to provide even more business agility and operational efficiency, empowering your admins and users to have the flexibility they need to support business needs.

Identity Router in the cloud - Amazon Web Services Deployment

It is now possible to install the Identity Router (IDR) in your private Amazon Web Services (AWS) space, saving time and effort to deploy the IDR in your on-premises environment.

 

No longer does RSA require an on-premises footprint for the IDR.

 

From AWS EC2, the Identity Router connects back to your on-premises Active Directory/LDAP identity source to support a hybrid cloud deployment. Using this hybrid cloud deployment model, you can continue to host your Authentication Manager on-premises and use RSA SecurID hardware/software tokens to protect critical cloud applications. The Identity Router in AWS will connect to your on-premises Authentication Manager via a VPN connection or AWS Direct Connect. Having said that, watch for further cloud deployment developments next month on the Authentication Manager side!

The Identity Source can also be hosted in AWS or other cloud environments (ex: Azure) to support a full multi-cloud deployment.

The download and distribution of the IDR AMI image is fully automated. Administrators can launch an AMI image in EC2 by entering the relevant AWS account credentials in RSA’s Cloud Authentication Service console. The AMI image will be shared securely to your private EC2 space based on explicit permissions for those specific AWS accounts.

This now gives you 3 flexible deployment options for the IDR:  VMWare, Hyper-V and AWS.

Help Desk your way: Administration APIs to integrate CAS into your application

This month, we are announcing the release of a series of administration APIs, to support the integration of RSA SecurID® Access with your service desk applications.

These REST APIs, integrated into your service desk application, allow your Help Desk staff to use familiar user interfaces to search for RSA SecurID® Access users, unlock their devices, delete unused devices and update SMS and Voice option telephone numbers.

This integration can help reduce the learning curve for adopting RSA SecurID® Access and reduce additional training requirements for your help desk administrators.

Stay tuned here! More APIs to support additional use cases are planned for subsequent releases.

Expanded device self-service to reduce Help Desk calls

This month, the new MyPage self-registration portal adds a capability for a user to delete their device. Used in conjunction with the previous registration capability, this means a user can add, delete or change (via delete of old and add of new) a device.  This is a major step forward in empowering end user self-service and thereby reducing Help Desk traffic!

Expanded RADIUS support - Clientless SSL VPN support

This month, we add a new feature enhancing the user experience for application-specific VPN access - when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides end-users with an improved user experience for Cisco’s clientless SSL-based VPN portals. Administrators can download the new web toolkit from RSA SID Access Cloud authentication console and deploy the toolkit in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application specific VPN access, creating captive portals on the wireless network for secure access. Most customers prefer RADIUS-based integration for these types of integrations due to the inherent flexibility and power of configuring security policies. But this can come at the expense of diminished user experience. With RSA’s new web toolkit, you can continue to use RADIUS-based integration while still providing a great end user experience. You can provide a better user experience whether an end user is trying to access Microsoft OWA (as an example) or a business partner is trying to gain access to a wireless network.

You can also continue to use the recently introduced RADIUS Auto-Push notification and provide a passwordless experience to users of RADIUS-based applications using this new web toolkit and elevate your end users’ experience.

 

Figure 3.  Cisco Clientless SSL VPN step-up authentication end-user experience

 

Expanding MFA reach: monthly connector updates

RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see the link below for the complete list).

Later this week, these new connectors are planned: Barracuda Web Application Firewall, GoAnywhere, ProxyClick, Salsify, Scale FT, Shuffler, SignalFX, Workato.

Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

 

For further details on all the new and updated capabilities of the November release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

The October release for the RSA SecurID® Access Cloud Authentication Service (CAS) is now available. This release focuses on expanding the integration options for protecting SAML-based cloud applications for RSA customers.

SAML application protection - expanding integration options

   You can integrate RSA SecurID® Access into your environment to protect cloud-based applications using the Security Assertion Markup Language (SAML).  RSA supports multiple ways to achieve this, but often the simplest approach is “direct to cloud” using the Cloud Authentication Service Identity Provider (IdP).  Using this approach, these applications can be configured without setting up the Single Sign-on (SSO) Agent on the Identity Router (IDR).

   This month, we are releasing enhancements to the Cloud Authentication Service that will enable some of the most popular Software as a Service (SaaS) applications to support the above simplified configuration. These applications are: Microsoft Office365, ServiceNow and Workday. These additional applications join VMWare and Salesforce in the ability to configure this direct cloud protection. For customers who want to use RSA’s SSO portal for these applications, they can continue to do so. This new capability is aimed at customers who do not use RSA’s SSO portal and prefer to configure a direct CAS-to-application connection for using RSA SecurID® Access multi-factor authentication.

   Note that although the new SAML cloud IdP integration option removes the necessity of configuring the SSO Agent, the IDR’s Enterprise Connector component is still required for accessing your on-premises identity source(s).

Partner Integration Guides for these updated capabilities are now available. Read on for more on our application connectors and reference locations.

 

 

                Fig.1  Configuring cloud IdP SAML applications

 

Expanding MFA reach: monthly connector updates

   RSA Partner Engineering continually releases new and updated RSA SecurID® Access connectors.  Connectors are the bridge between RSA SecurID® Access and the resources it’s protecting.  RSA has hundreds of RSA SecurID® Access connectors available, including those for the leading applications you may be looking for (see the link below for the complete list).

   We recently released these new and updated connectors: Bitglass, Dell (Boomi), Domo, Netmotion Mobility, One Identity, Third Light, Watchguard Fireware XTM and Yardi (Voyager 7S). Additionally, later this week, these new connectors are planned: Cisco ISE Portal, Igloo, Inspired eLearning iLMS. We will also be releasing the updates for Workday, ServiceNow and Microsoft Office 365 as mentioned previously.

   Our extensive catalog of connectors helps customers extend their use of RSA SecurID® Access - helping protect the resources that matter most to you.  See the catalog at:
https://community.rsa.com/community/products/securid/securid-access/integrations

   For further details on all the new and updated capabilities of the October release, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414 

 

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

 

All of these enhancements make RSA SecurID® Access an even more convenient, pervasive and intelligent solution for your authentication needs.

   As a well-informed security professional today, you’ve recognized the need for continuous combat against the increasingly perilous threat landscape, populated by highly skilled and persistent intruders. You’ve known that simple password protection is insufficient to protect “crown jewel” data and want to incorporate multifactor authentication (MFA) for your critical digital assets into your defenses.

So now that you recognize the need to implement multifactor authentication for your organization, where to start?

   Choosing an appropriate set of access policies to fit all your target resources, across all your user populations, can be challenging given all the possible choices available.  Today, there is a wide variety of password alternatives to help deter infiltration, and more are emerging. RSA SecurID Access supports many such methods across hundreds of digital resources from “ground to cloud” - basic VPN protection to latest SaaS cloud applications such as Microsoft Office365.

   To help you navigate the process of selecting the most appropriate authentication methods and policies for your organization, RSA has developed a white paper which discusses RSA Security’s recommended approach for developing multifactor authentication policies for your organization. The key considerations include:

  • Setting clear business goals, to guide tradeoffs between cost, convenience (usability), protection strength and implementation complexity
  • Taking a phased approach to deployment - think big but start small with a limited pilot
  • Assessing your user population, understanding both the risk profile of their resource access and their tolerance for authentication complexity
  • Evaluating the target resources you need to protect, understanding the risk exposure of your business should they be breached
  • Investigating the array of authentication methods available to you, and considering the tradeoffs between security strength, convenience, cost and administrative complexity
  • Formulating your access policies, taking into account all the above and adding in context-based risk analysis for both security and convenience
  • Remembering to include end user education as part of your rollout plan
  • Formulating your MFA implementation as part of a larger Identity and Access Management (IAM) strategy within your overall Enterprise Security foundation.

   Please see: https://community.rsa.com/docs/DOC-97431

 

   Furthermore, to supplement this guidance, expert assistance is available.  RSA’s highly experienced Professional Services team and certified partners can help you navigate the myriad of access security choices available, following these best practices.

 

   For more on RSA Security’s solutions and services, please visit:  www.rsasecurity.com or consult with your RSA Security representative.

September 2018 Cloud Authentication Service Release Highlights

The September release for the RSA SecurID® Access Cloud Authentication Service is now available. In this release, RSA continues to add capabilities that further enhance RSA SecurID Access, raising the bar to help customers improve their security posture while still supporting convenient access for end users and administrators.

Providing End Users with Device Registration Self-Service

To provide end users with more autonomy during the device registration process and reduce Help Desk call volume, we are introducing this month a new self-service portal, called “My Page”.  RSA understands, however, that while user self-service can dramatically improve the efficiency of your multi-factor authentication program, it cannot become the weak link in your security chain. As such, “My Page” not only provides convenient self-service for your end users, but also provides the security you need to safeguard your digital assets.

 

Using this portal, an end user can begin the registration process by following the step-by-step instructions displayed on screen that guide them to download the RSA SecurID Authenticate App (from the Apple App Store, Google Play or Microsoft Store). Then, using the installed app, the user can capture a displayed single use QR code containing information for easy app registration. Finally, the user can perform a test authentication to make sure that everything is working as expected. Device Registration in My Page also includes this easy-to-follow video guiding users through this process: https://www.youtube.com/watch?v=mx2c_4p7qo4&feature=youtu.be

 

Administrators can further increase the security of device registration by requiring multi-factor authentication for access to My Page. Check out this short My Page "RSA SecurID Authenticate Device Registration Using RSA SecurID Access My Page" for tips and tricks on how to configure this and other features.

Figure 1.  My Page

 

Supporting Broader User Activity Tracking and Governance

In July, we introduced the Log Events API, a REST-based web services interface allowing customers to retrieve administrator activity log events from the Cloud Authentication Service. This month we’ve added the ability to retrieve end user authentication logs.

 

For greater security visibility across your organization, you can leverage these REST APIs to share this authentication information with your security information and event management (SIEM) solution, such as RSA NetWitness.

In this way, RSA provides you with improved visibility into the activities of both privileged, administrative users and end users for forensic security, governance auditing and troubleshooting purposes.

For more information on these capabilities, refer to "Improved Logging for Security and Audit Compliance".

Improved Protection of Windows Login:  RSA SecurID® Authentication Agent for Windows v7.4

This month, RSA released a new version of the Windows Agent designed to secure Windows machines when online, with our award-winning RSA SecurID® tokens, and when offline, with our industry-leading unique solution that is trusted by many Fortune 500 companies globally. All this ensures security from the start, allowing users and administrators to securely and conveniently access their workstations and servers no matter what the situation calls for.

This new agent framework (architecture) provides a path so customers can adopt future releases supporting the use of MFA and updated Authentication Manager capabilities for secure and convenient Windows protection.

Specific to this release are new capabilities which:

  • Expose customers to the updated authentication user interface supported by the latest Microsoft Credential Provider framework as seen natively in the latest versions of Windows and Windows Server, that is more intuitive and friendlier for users trying to authenticate to their machines
  • Provide customizable user authentication prompts and help texts so end users can securely authenticate to desktop with minimal friction
  • Provide administrators with several high value agent improvements aimed at boosting overall user productivity during machine login.

 

Faster Time to Value: Expanded Preconfigured Policies

Last month, RSA SecurID® Access introduced predefined access policy templates in all new cloud accounts to help new customers protect their resources faster. Using these policies, new customers need not create custom access policies before configuring their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  This month, we add an additional preconfigured access policy to the initial three delivered in August. The fourth policy applies a context-driven criterion that uses the Identity Confidence attribute to determine if additional authentication is required. This fourth preconfigured access policy is only available to Premium licensed customers.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96414  

 and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

August 2018 Cloud Authentication Service Release

The August release for the RSA SecurID®  Access Cloud Authentication Service is now available. In this release RSA continues to add capabilities to further enhance RSA SecurID Access to be convenient for end users and admin, intelligent to provide powerful authentication and analysis and pervasive, supporting global access across a variety of traditional and cloud use cases.

Facilitating Privileged User Authentication for the Cloud Administration Console

RSA SecurID® Access administrators in your organization have extensive access privileges. Therefore, access attempts of these privileged users need to be appropriately authenticated. In this release of RSA SecurID® Access, validation of the multifactor authentication policies that govern console access is improved to prevent accidental user lockout, which would require a support call to RSA to resolve.

 

The graphic below  shows how the console prevents you from selecting a policy that locks you out of the console.

 

 

      Fig.1  Warning message to clarify the problems with selected policy

 

Improved Visibility of Cloud Authentication Service User Status

Over the last few months, we have significantly improved the ability of administrators to manage the status of Cloud Authentication Service users.

Past releases delivered capabilities to:

  • Manually enable and disable Cloud Authentication Service users, independent of identity source status for improved local control over user status
  • Automatically disable Cloud Authentication Service users when they become disabled or missing (due to deletion or transfer out of relevant groups) in the identity source directory.
  • Help administrators reverse deletion errors via a two-step delete process. With two-step deletion, deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives administrators the opportunity to “Un-delete” before the users are permanently purged in case of error.
  • Streamline user maintenance with automated deletion of long-disabled users. Busy administrators who prefer more automated user maintenance can select an option to delete long-disabled users. On by default and set to select users disabled for 90 days, this option can be configured for a different number of days or turned off completely. In this way, all the automated cleanup processes can work together to remove users from the cloud who no longer need access.

In the August release, we’ve improved reporting of user status.  The previously available users report now provides better visibility into user status information to help organizations better manage user populations.  By exporting the user report file and importing it into a spreadsheet, administrators can quickly identify disabled or deleted (awaiting purge) users for status confirmation and follow-up where needed. In addition, enabled users can be counted for license management purposes.

Below is a sample of the report in spreadsheet format, highlighting the new column.

 

 

      Fig.2  User report

 

For more information on these capabilities, refer to: https://community.rsa.com/docs/DOC-75846

Faster Time to Value: Preconfigured Policies

RSA SecurID® Access now provides predefined access policy templates with all new cloud accounts. Using these policies, new customers need not create custom access policies before they can configure their first application.  Instead, they can choose from one of the simple preconfigured policies to associate with their applications.  If further customization is desired, these policies can be cloned and modified as desired, while maintaining the original copies to use as templates for future policy definition.

The new policies are shown below.

 

 

      Figure 3.  Preconfigured Policies

Serving a Global Customer Community

The RSA SecurID® Access Cloud Authentication Service is now available in Australia!

Hosted in Microsoft Azure Australia (Canberra), RSA SecurID® Access’s new hosting location enables compliance with Australian and New Zealand Privacy Legislation.  Furthermore, local hosting means faster network performance across the wider Asia-Pacific region.

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-96078

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.

July 2018 Cloud Authentication Service and Identity Router (IDR) Release

 

The July release for RSA SecurID Access is now available and contains updates for both the Cloud Authentication Service (CAS) and the Identity Router (IDR). In this release RSA continues to add capabilities to further enhance RSA SecurID Access to be convenient for end users and admin, intelligent to provide powerful authentication and analysis and pervasive, supporting access across a variety of traditional and cloud use cases.

Simplifying the Multi Factor Authentication (MFA) Experience for users of RADIUS-based applications

The July release contains multiple improvements to RADIUS support:

  • Eliminating double password prompts:  If the RADIUS client (e.g., a VPN) is configured to perform primary (password) authentication, RSA SecurID Access no longer requires the user to enter their password a second (redundant) time.  Note that this can also help customers align with the latest PCI guidance for VPN logins. That’s because, under this configuration, RSA SecurID Access prompts for password and MFA in a single screen as PCI DSS 3.2 recommends, and doesn’t act on a second authentication factor sequentially, based on outcome of the primary authentication.
    You can find a video highlighting how this works on RSA Link at: https://community.rsa.com/videos/33333
  • Eliminating extra steps for push-based MFA:  When configured, the extra step of selecting an authentication method at each login is no longer required. After entering User ID and password, a push notification is sent automatically.  Note:  this Auto-Push capability is not enabled when forms of authentication other than passwords are enabled as primary authentication for RADIUS access.

 

                Fig.1  Auto-push eliminates extra authentication steps

 

Improved Control and Security of Cloud Authentication Service user status

Over the last few months, we have significantly improved the ability of customer administrators to manage the status of the cloud authentication service users.

Past releases have included the ability to manually enable and disable Cloud Authentication Service users, independent of identity source status, and disable Cloud Authentication Service users when they become disabled in the identity source directory.  We have also added a two-step delete process, to help administrators reverse deletion errors. Using the two-step deletion, manually deleted users are marked as Pending Deletion, and an automated purge process permanently removes them after seven days. This gives the administrator the ability to “Un-delete” before the users are permanently purged.

This month, we’ve added a couple of key new capabilities to help organizations address the risks associated with orphaned accounts:

  • Disable missing users: if the sync process cannot find a user in the Identity Source (out of scope or deleted), that user will be disabled in the Cloud Authentication Service.  This improves security: no one can use the Cloud Authentication Service unless they are enabled in the directory. It also supports license management by ensuring that only active Cloud Authentication Service users are enabled for license counting purposes.
  • Delete long-disabled users: for improved efficiency, Cloud Authentication Service users who have been disabled for over 90 days will be marked for deletion automatically. This feature is configurable – it can be turned off, or set to a different time threshold (30 to 180 days). In this way, users who are unlikely to use the Cloud Authentication Service in the near future will not appear in lists or searches, making it easier to manage the Cloud Authentication Service tenant. It also improves the efficiency of synchronizations.
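
The lifecycle rules described in this section (disable missing users, mark long-disabled users for deletion, purge seven days after marking) can be modeled as a small state machine to work out when an orphaned account actually disappears. This is an added example, not RSA code or the product's API: all class and function names are hypothetical, and restoring an un-deleted user as disabled is an assumption the page does not state.

```python
"""Model of the user-lifecycle rules described above (illustrative only)."""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

PURGE_AFTER_DAYS = 7                 # purge runs seven days after marking
DEFAULT_THRESHOLD = 90               # default for "long-disabled"
MIN_THRESHOLD, MAX_THRESHOLD = 30, 180


class Status(Enum):
    ENABLED = "enabled"
    DISABLED = "disabled"
    PENDING_DELETION = "pending deletion"


@dataclass
class CloudUser:
    name: str
    status: Status
    since: date                      # day the current status began


class Tenant:
    def __init__(self, auto_delete_days: Optional[int] = DEFAULT_THRESHOLD):
        # None models the auto-delete feature being turned off.
        if auto_delete_days is not None and not (
            MIN_THRESHOLD <= auto_delete_days <= MAX_THRESHOLD
        ):
            raise ValueError("threshold must be 30 to 180 days, or None for off")
        self.auto_delete_days = auto_delete_days
        self.users: Dict[str, CloudUser] = {}

    def add(self, name: str, today: date) -> None:
        self.users[name] = CloudUser(name, Status.ENABLED, today)

    def sync(self, directory_enabled: Set[str], today: date) -> List[str]:
        """Disable enabled users that are missing or disabled in the directory."""
        changed = []
        for user in self.users.values():
            if user.status is Status.ENABLED and user.name not in directory_enabled:
                user.status, user.since = Status.DISABLED, today
                changed.append(user.name)
        return changed

    def delete(self, name: str, today: date) -> None:
        """First step of the two-step delete: mark only, do not remove."""
        user = self.users[name]
        user.status, user.since = Status.PENDING_DELETION, today

    def undelete(self, name: str, today: date) -> bool:
        """Reverse a delete before the purge; assumed to restore as disabled."""
        user = self.users.get(name)
        if user is None or user.status is not Status.PENDING_DELETION:
            return False
        user.status, user.since = Status.DISABLED, today
        return True

    def cleanup(self, today: date) -> List[str]:
        """Daily pass: purge expired pending users, mark long-disabled ones."""
        purged = []
        for user in list(self.users.values()):
            age = (today - user.since).days
            if user.status is Status.PENDING_DELETION and age >= PURGE_AFTER_DAYS:
                del self.users[user.name]
                purged.append(user.name)
            elif (user.status is Status.DISABLED
                  and self.auto_delete_days is not None
                  and age > self.auto_delete_days):
                user.status, user.since = Status.PENDING_DELETION, today
        return purged


def orphan_timeline(
    tenant: Tenant, name: str, left_directory: date, horizon_days: int = 400
) -> Tuple[Optional[date], Optional[date]]:
    """Return (marked_for_deletion, purged) for a user removed from the directory."""
    tenant.add(name, left_directory)
    tenant.sync(set(), left_directory)      # user is missing: disabled today
    marked = purged = None
    for offset in range(1, horizon_days + 1):
        today = left_directory + timedelta(days=offset)
        if name in tenant.cleanup(today):
            purged = today
            break
        if marked is None and tenant.users[name].status is Status.PENDING_DELETION:
            marked = today
    return marked, purged
```

With the default threshold, an account removed from the directory is disabled at the next sync but remains recoverable in the tenant for 98 days (91 until marking, then 7 until purge).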

 

 

Fig.2  Configurable auto-delete

 

Improving visibility: Administrator activity logs

RSA is providing a new log which records the activity of RSA SecurID Access administrators.  Examples of this type of activity are (list not exhaustive): unlocking a user, changing an authentication policy, adding a new Identity Source.

Customers can leverage the Log Events API which is a REST-based web services interface that allows audit log events to be retrieved from the Cloud Authentication Service. You can use this REST API to import the audit log events into your security information and event management (SIEM) solution, such as RSA NetWitness.

 

In this way, RSA provides customers with improved visibility into the activities of these privileged users for forensic security, governance auditing and troubleshooting purposes.

 

Additional Improvements

A number of miscellaneous security and troubleshooting enhancements were added:

  • Support for HTTP Strict Transport Security (HSTS) forces use of the secure HTTPS protocol between server and browser for the SSO web portal and the Cloud Administration Console. This helps protect transactions and login requests against threats such as protocol downgrade attacks and cookie hijacking.
  • Improved visibility of NTP status to aid in troubleshooting
  • Improved support for proxy server configurations when downloading adapter updates and IDR package updates.
  • Enhanced diagnostics for IDR registration errors

 

For further details on these improvements, please refer to the Release Notes here:

https://community.rsa.com/docs/DOC-60102

and product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID Access an even more convenient and secure solution for your authentication needs.

 
