
RSA SecurID Access

8 Posts authored by: Sudarsan Kannan Employee

An organization, or a line of business within it, should have an integrated authentication strategy and framework, and any authentication solution it adopts should advance that framework toward specific identity and security objectives. Organizations evaluating free Microsoft Azure AD MFA or RSA SecurID Access should weigh the following critical elements when building or supporting such a framework.

 

Protect applications beyond Windows-based and browser-based

Most organizations will continue to run a hybrid IT model in which non-Windows applications and infrastructure exist both in the cloud and on premises. Infrastructure such as switches, routers, VPNs and *nix server systems needs privileged access by super-admins. IAM teams need to think about how to enable 2FA/MFA securely for those privileged admins and for end users through a native integration that does not compromise user experience. RSA SecurID Access provides an agent-based approach that can protect remote-access infrastructure such as VPNs, Citrix Access Gateway and Windows Remote Desktop sessions, as well as critical server environments including Linux systems.

 

Support non standard protocol applications through a combination of technology ecosystem and an extensible API model

For legacy applications that do not support standard protocols (e.g. SAML, RADIUS, OIDC), organizations need to think about extending MFA through an API approach or pre-built integrations with technology vendors. The RSA Ready program gives organizations out-of-the-box certified integrations with 500+ applications through 100+ technology vendor partnerships. RSA SecurID Access can enable MFA for non-browser or non-SAML applications through native integration with network vendors such as Palo Alto Networks, or through out-of-the-box MFA integration with electronic medical records applications such as Epic Systems. RSA SecurID Access also exposes an API/SDK for custom integrations, so organizations can extend their deployment to meet enterprise-grade requirements.

 

Support dynamic workforce with authentication choices and a simplified experience across the entire MFA lifecycle including user onboarding

Supporting a broad range of user types, and giving those users clear paths to self-register any MFA method consistently as part of onboarding, is critical. The RSA SecurID Access onboarding experience, whether through out-of-the-box capability or extensible REST APIs, helps organizations create a simplified user experience during onboarding, all backed by a powerful policy engine. Beyond onboarding, a framework needs to handle what-if scenarios such as credential recovery and emergency access: what if users need a break-glass path to applications or self-service when their phones are misplaced or forgotten, or contractors need a one-time code to access systems without the overhead of distributing tokens or using mobile phones? RSA SecurID Access provides options for handling such emergency situations and the variety of user types and scenarios.

 

As discussed above, any security-sensitive organization looking to advance its authentication framework should consider these critical elements. IAM practitioners need to weigh whether a free solution advances or restricts those elements when supporting a diverse workforce's access to applications across a hybrid IT environment.

As each line of business (LOB) within an organization procures its own authentication solution, the overhead cost of managing those solutions needs to be evaluated. Does this island of point solutions create additional process challenges and a more disconnected authentication framework for the IAM team? Below are key discussion points to consider before going down the path of implementing multiple authentication solutions.

 

Reproducing & managing integrations & automation with multiple authentication platforms may prove costly

Organizations invest in automating and integrating an authentication platform with existing security tools, such as a SIEM platform and governance tools for collecting, reporting and regularly auditing access events. RSA SecurID Access lets those organizations automate the process or workflow for onboarding users, distributing MFA credentials and sharing data for auditing. Replicating these integrations and automations across security systems for a second authentication platform adds cost and resourcing challenges.

 

Reflect on process challenges when considering multiple authentication platforms

Rolling out or upgrading an MFA infrastructure often requires common buy-in across desktop, mobile, infrastructure, remote-access and security teams, and that required interaction creates process friction and overhead in some organizations. Using the native integrations and out-of-the-box capabilities of an authentication platform is therefore critical to reducing such friction and to the IAM team's success. RSA SecurID Access provides these through its agent-based model, out-of-the-box integration with infrastructure vendors (e.g. VPN, firewalls, virtualization platforms) and support for both hardware and virtual appliances. IAM teams should reflect on such process challenges and the associated friction before adding yet another authentication solution to their toolbox to solve point use cases.

 

Reduce user education and training costs and improve productivity through a single authentication platform

Educating and training users on two different authentication experiences delivered by two solutions is a challenge when those users need the broadest set of authentication options to access applications. IAM teams considering two authentication solutions as part of their tool set should also account for the staffing overhead and technical training of help desk members who must support both. RSA SecurID Access helps build a consistent end-user experience across the broadest set of applications and the widest choice of authenticators, which reduces the overhead of training and educating end users. In addition, IAM teams can reduce overall help desk costs by choosing a single vendor that provides a consistent experience for supporting users across a hybrid environment.

 

Managing multiple authentication platforms does not end with technical, people or process challenges for IAM teams. The invisible costs extend to vendor management, and to security teams tracking vulnerabilities and fixing gaps across multiple point products. An IAM practitioner needs to evaluate the holistic value of using one versus multiple authentication platforms to meet an organization's broadest set of security and identity needs.

The word free has multiple meanings according to the Merriam-Webster dictionary, among them "not restricted", "not costing" and "relieved from something burdensome". When a solution is free or bundled with an Enterprise License Agreement (ELA), and that is used as the key decision driver for purchasing or rolling out Multi-Factor Authentication (MFA), hidden costs are overlooked, leading to return-on-investment challenges. An Identity and Access Management (IAM) influencer or decision maker considering free Microsoft Azure AD MFA needs to weigh the following three criteria and their associated questions.

 

  1. A consolidated authentication framework that supports a diverse user population and a variety of infrastructure and applications while mitigating identity-specific attacks. Does a free solution restrict or advance an organization in developing such a framework?
  2. Overhead costs in people and processes from supporting multiple vendors and managing multiple authentication platforms. Does having multiple authentication vendors cost organizations more?
  3. An authentication platform that helps IAM teams meet different regulatory requirements while supporting strong security policies. Do free solutions burden IAM teams more when addressing MFA requirements as part of meeting regulatory needs (e.g. PCI DSS, DFARS, EPCS)?

 

If the answer to the above questions is a resounding yes, the next series of blog posts will provide guide paths and recommendations for addressing them effectively. These recommendations should enable organizations and IAM teams to make an informed decision when considering RSA SecurID Access or free Microsoft Azure AD MFA for their authentication needs.

 

Organizations are subject to more regulations than before (e.g. new PCI standards, CCPA), which adds to the burden on IAM teams of keeping up with regulatory requirements. An authentication platform should help meet those regulations while also meeting security and privacy requirements. An IAM practitioner should consider the following guide paths when evaluating free Microsoft Azure AD MFA, RSA SecurID Access or any other authentication solution.

 

  • Regulatory requirements - A single platform that helps address an organization's myriad regulatory MFA compliance requirements

Some regulations mandate the strongest forms of authenticator for your workforce, in terms of the NIST SP 800-63B authenticator assurance levels (e.g. AAL2 and AAL3). An example is EPCS, where strong identity proofing, 2FA and access logging are required for electronic prescriptions of controlled substances. RSA SecurID Access can support such organizations with in-person proofing and secure out-of-band distribution of 2FA tokens. For organizations subject to DFARS, RSA SecurID Access can provide a FIPS-compliant solution to meet 2FA requirements. The PCI SSC multi-factor authentication guidance issued with PCI DSS 3.2 calls for knowledge of the success or failure of any factor not to be disclosed to the individual until all factors have been submitted. RSA SecurID Access can support that requirement through a multi-factor, multi-method login into the cardholder data environment, in which the password and the second factor are collected together and judged as a unit.

 

  • Unified visibility across cloud and on-premise (hybrid) infrastructure to help meet auditing needs

Auditors need visibility into which users had access to which applications and systems across both cloud and on-premises infrastructure; specifically, they need data on the users, the applications accessed and the level of authentication used to gain access. RSA SecurID Access provides that visibility through out-of-the-box reporting and the ability to export access events to external systems for further reporting or analysis. In a hybrid IT model (on-premises and cloud applications), IAM teams benefit from a platform that gives a comprehensive view of all user access events across application types and user populations.

 

  • Security teams – Reduce identity specific attacks with a powerful policy engine

Security policies need to support different assurance levels based on the sensitivity of applications and on user-level risk, and IAM teams need to manage centrally the policies that achieve those levels through the right level of authentication assurance. RSA SecurID Access provides distinct assurance levels so that the right access controls are applied. Organizations can also use the behavioral analytics risk engine, usable from day one, to score user-level risk against the peer population based on application, device or location anomalies.

With the combination of an assurance-level-driven policy engine and behavioral risk scoring, security teams can be confident in mitigating identity threats and supporting their broader security goals.

 

  • Privacy requirements - A solution needs to understand and support an organization's privacy posture

Users have privacy concerns about security teams installing apps on their personal mobile devices, and some security policies prohibit phones inside call centers or data centers. An authentication solution should be flexible enough to accommodate such requirements; RSA SecurID Access can meet them through hardware OTP tokens or FIDO keys.

Some organizations are subject to strict data residency requirements (e.g. in Europe) because of the countries they operate in. RSA SecurID Access has data centers in local regions so that data never leaves the respective region's borders, supporting data protection and privacy requirements.

 

Evaluate whether a free MFA solution from Microsoft will help you breeze through such regulatory, security and privacy requirements. RSA SecurID Access can help untangle that complexity and reduce the burden on IAM teams by helping meet those requirements.

As we all adapt in some way to the new normal, one thing that has not changed is our commitment to rolling out capabilities to our RSA SecurID Access customers. We are excited to provide the following updates as part of the April 2020 release.

 

Threat Aware Authentication (TAA) v2 - Improved flexibility to support different customer deployments

Our TAA v1 release (last year) supported limited deployment scenarios: risky users were identified and exchanged based on email addresses. Customers wanted more flexibility in how the user list is identified and shared, and we saw in that enthusiasm a commitment to making TAA better.

 

We have updated TAA (v2) to provide that flexibility in identifying risky users between RSA NetWitness and RSA SecurID Access. The identities in the risky user list can now be in any format agreed in advance between the two products.

 

RSA SecurID Access can identify users by Primary Username or an Alternate, and these attributes can be mapped to any underlying LDAP/AD attribute (e.g. sAMAccountName, userPrincipalName, uid). RSA NetWitness administrators can now configure which piece of metadata they want to use to build and exchange the risky user list.

 

Extend the use of conditional access policy attributes to Enterprise Edition licensed customers

Many of our customers already use the policy engine to make smart access decisions when protecting a variety of applications. We want to enable more customers to use it, since the policy engine is the true power behind implementing security controls based on your organizational policies, and the conditional access attributes used in defining policies are how that power is harnessed.

 

We are thrilled to announce that our Enterprise Edition licensed customers can start using those conditional access attributes now! They can define policies that grant user access based on dynamic, context-driven attributes such as country, trusted locations and trusted networks.

 

Our Premium Edition customers are already using these conditional access policy attributes in their access decisions.

 

Our goal is to enable everyone to make smarter access decisions!

 

Enabling our customers to address their privacy concerns

Ability to turn off location collection

Some customers make preserving user privacy part of their organizational policy, or must do so to comply with regulations. We understand such policies and want to support our customers' privacy initiatives. One such privacy topic is the collection of user location.

 

Beginning with the April release, customer administrators have full control over location data collection. Enabling or disabling it is done through the administration console, and administrators can turn off location collection for specific policy attributes such as trusted locations, country and Identity Confidence.

 

Providing visibility into device capabilities used in mobile apps

Some customers would like better visibility into how the capabilities of their end users' mobile devices (e.g. camera, Wi-Fi connections) are used by the RSA SecurID Software Token and RSA SecurID Authenticate apps. In the April release we have provided documentation detailing

  1. The permissions required on those mobile devices
  2. Why each permission is needed and whether it is mandatory or optional

 

The primary goal is to give our customers and their end users the right level of information so that any fear, uncertainty and doubt about the mobile apps can be addressed.

 

We continue to deliver new capabilities every month. The April release notes provide complete details on the other miscellaneous updates in the April 2020 release.

Insight into Identity Confidence

With this latest release of RSA SecurID Access, organizations can view up-to-date Identity Confidence analytics in the Cloud Administration Console. The analytics page shows how many users were deemed risky under the organization's Identity Confidence policies and which factors contributed to that risky behavior across the user population.

 

Enable Auto-Push for RADIUS additional authentication Use Cases

When additional authentication is required for RADIUS clients, end users can automatically receive a push notification (approve or biometrics) without any further user interaction, for a convenient end-user experience. This capability is configured on the RADIUS configuration page in the Cloud Administration Console.

 

Enhanced security of FIDO token enrollment

FIDO authenticators can now be enrolled securely through the RSA SecurID Access My Page self-service portal, which lets organizations protect FIDO registration with an access policy aligned with their existing policies. Organizations can optionally disable the FIDO token registration that otherwise occurs automatically during user authentication and instead require policy-protected enrollment through My Page.

 

Improved deployment options and supportability enhancements for the identity router

  • Flexible deployment options for identity routers. The identity router supports transparent, explicit and SSL-intercepting (man-in-the-middle) proxy configurations. If a non-RSA SSL proxy certificate is presented, the identity router reports it and lets the administrator temporarily accept the certificate and proceed while working with network IT to whitelist the URL. Before accepting, confirm that the presented certificate is the one issued by your organization's intercepting proxy, since an identity router that accepts an unexpected certificate cannot tell the corporate proxy from an interposed attacker.
  • Identity router setup has been simplified. The proxy interface, which is not required for non-SSO deployments, is disabled by default in the Identity Router Setup Console; enable it as needed for SSO deployments.
  • Quickly identify potential problems while setting up and monitoring identity routers using the improved status indicators in the Cloud Administration Console. The Platform > Identity Routers list page provides more detail on the status of each identity router and its dependent services, including cluster status, memory usage, CPU usage and cloud connectivity.

IP Address Changes - Please Plan in Advance!

To align with changes to the Microsoft Azure Resource Manager deployment model, the Cloud Authentication Service and Cloud Administration Console IP addresses will change in September 2019. Organizations' deployments must be able to connect to both the new and the old IP addresses during September 2019.

 

RSA recommends that you start planning with your organization now to make the changes needed to connect to the new IP addresses. If firewall rules are not updated with the new IP addresses, identity routers will not be able to contact the Cloud Authentication Service, which will disrupt the service. For details, see Notice of Upcoming Cloud Authentication Service IP Address Changes.

RSA continues to strengthen its RSA SecurID Access Cloud Authentication Service with the July product release.  For further details on all the new and updated capabilities of the July release, please refer to the Release Notes.

Every customer who has adopted the RSA SecurID Access risk engine to attain Identity Confidence loves and fully trusts the capability. Based on several discussions with you during the RSA Conference and in 1-1 sessions, we realized that customers want more visibility into the workings of the risk engine to understand how it can add value to their security policies. Specifically, you wanted to know why a user or group was challenged, or which factors contributed to a user's or group's higher risk and hence lower Identity Confidence.

 

What did we do?

In the May release we introduced a simple yet powerful capability in the user event monitor to solve this visibility challenge. Below is a screenshot of the user event monitor for one user; it sums up the entire feature.

  • Confidence score - the overall user Identity Confidence score. You can compare a user's confidence score against the aggregate confidence score across the entire user population (the confidence threshold).
  • Category scores - what contributed to the overall confidence score. You can see whether a low or high confidence score was driven more by the user's device, by location, by the user's overall behavior, or by some combination. The category scores are Device confidence, Behavior confidence and Location confidence.

The category scores (location, device and user behavior) are aggregated through a mathematical model to produce the overall user-level confidence score.

 

 

 

For example, in the above screenshot the user's confidence score is lower than the aggregate score (confidence threshold) of the entire user population. In other words, the current access request is riskier than the rest of the population, so appropriate policy controls should be in place to challenge the user for additional assurance. The user's lower confidence is driven more by a lack of trust in the location from which the access request originates than by the device or the user's behavior.

 

The lower a category score (location, behavior or device), the lower the confidence in that category. The system gains trust through continuous learning on each category over multiple access requests, which eventually leads to higher confidence in each category and hence higher overall user confidence.

 

How can these category scores add more value?

In addition to showing what contributed to a user's confidence level, the category scores can be used to gauge the effectiveness of security policies driven by identity context. For example, if admins see that device confidence is low across a user set (e.g. users within OU=Salesforce), leading to lower assurance across that set, they can work on improving device confidence and hence overall user confidence. One way to improve device confidence is to give users a managed device (through EMM/UEM).

 

Another example is mapping user- or group-level confidence (or risk) with finer granularity to an IT application (as an RSA Archer IT asset) to make informed, identity-context-driven risk management decisions. The possibilities are wide open with this enhanced visibility into the RSA SecurID Access risk engine!

 

We hope the examples above help you map user-level or group-level identity risk factors to your organizational policies. As we learn more, we plan to add more visibility and better ways to control the risk engine so that you can take meaningful actions that improve your identity risk posture.

During 2018, RSA made several improvements to better support your ability to protect RADIUS-based resources using the RSA SecurID® Access Cloud Authentication Service. In this way RSA SecurID® Access becomes even more pervasive, supporting access across a variety of traditional and cloud use cases.

 

For RADIUS-based applications we delivered the following improvements to customers through our cloud offering:

  • Expanded the choice of authenticators (e.g. SMS and voice support) to provide more flexibility
  • Helped customers meet the latest PCI DSS 3.2 guidance by supporting multi-method mode for supported VPN clients
  • Enabled Auto-Push for mobile MFA to reduce end-user friction during authentication
  • Improved the end-user experience for application-specific clientless SSL VPN (e.g. VPN for OWA) when users access the VPN through a browser
  • Provided an MFA-only option for passwordless behavior where primary trust is established through certificates or SSH keys between end-user devices and RADIUS clients

Looking ahead to 2019, you may want to use Active Directory (AD) user attributes to make granular authentication decisions for your RADIUS-based applications, all controlled by RSA SecurID® Access policies. We will continue to improve your ability to protect RADIUS-based applications with more granular controls and policies.

 

Below is a deep dive into RADIUS specific features that were delivered in 2018.

 

Auto-Push for RADIUS logins 

Auto-push for RADIUS, when configured for a user, sends a push notification to the user's registered phone after the user enters a user ID and password; the extra step (Fig. 1) of selecting an authentication method at each RADIUS login is no longer required. (Note: Auto-Push is available only if passwords are used for primary authentication.)

How and where to configure Auto-Push: Add a RADIUS Client for the Cloud Authentication Service 

RADIUS for the Cloud Authentication Service Overview  

Users always have the flexibility to choose another authentication option if their mobile device is not at hand during authentication (e.g. lost, left at home, or the RSA Authenticate app not registered).

 

Fig.1 Auto-push for RADIUS (a sample screenshot using Cisco ASA AnyConnect desktop client)

 

Password-less / step-up only RADIUS

If the RADIUS client (e.g. a VPN or a privileged access management solution) is configured to perform primary authentication (e.g. a password) itself, RSA SecurID Access no longer prompts the user to enter the password a second, redundant time, improving the end-user experience.

 

If certificates or SSH keys establish trust in lieu of passwords as primary authentication, step-up-only RADIUS is even more beneficial, since the user is challenged only once (for step-up) to prove their identity. This enables a passwordless MFA experience for RADIUS-based logins. A classic example is a Privileged Account Management (PAM) system where primary trust for admins is established through SSH keys and RSA SecurID® Access serves as secondary authentication.

 

This feature also helps customers comply with the latest PCI DSS 3.2 guidance. In the multi-method configuration, RSA SecurID® Access prompts for the password and the MFA factor on a single screen and does not act on the second factor sequentially based on the outcome of the primary authentication, so the user does not learn whether the password was correct before the second factor is submitted. This is consistent with the PCI SSC multi-factor authentication guidance issued with PCI DSS 3.2. Any VPN application (e.g. Cisco, Palo Alto) that supports multi-method mode can use this feature to help meet PCI DSS 3.2.
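To make the multi-step versus multi-method distinction concrete, here is an added example that is not RSA SecurID Access code and is not taken from RSA documentation. It models both orderings of a RADIUS password+OTP check and shows why only the multi-method form satisfies the PCI guidance cited in the regulatory post above (the success or failure of one factor must not be disclosed until all factors are submitted). The shared secret, the user store, the six-digit OTP length and the "<password><otp>" concatenation format are assumptions made for the demo; the User-Password hiding follows RFC 2865 section 5.2.

```python
# Added example, not RSA SecurID Access code: models the two orderings of a
# RADIUS password+OTP check that the post contrasts. The shared secret, user
# store, OTP length and "<password><otp>" concatenation are constructed
# assumptions; User-Password hiding follows RFC 2865 section 5.2.
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"constructed-shared-secret"  # assumption: NAS/server secret
OTP_LEN = 6                                   # assumption: six-digit OTP
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}  # constructed
DUMMY = {"password": "\x00", "otp": "\x00" * OTP_LEN}  # used for unknown users


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes; XOR each chunk with
    MD5(secret + previous ciphertext block), the request authenticator seeding the first."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; stripping the padding means passwords ending in NUL are unsupported."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: str, password: bytes) -> bytes:
    """Client side: Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    authenticator = os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, username.encode()), (2, hide_password(password, SHARED_SECRET, authenticator))):
        attrs += struct.pack("BB", attr_type, 2 + len(value)) + value
    return struct.pack(">BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes):
    """Server side: validate the header and walk the TLV attribute list."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return ident, authenticator, attrs


def verify_multi_method(username: str, submitted: str) -> str:
    """Multi-method: User-Password is "<password><otp>". Both factors are
    checked before any decision and only the combined verdict is returned, so
    a wrong password and a wrong OTP yield the identical Access-Reject."""
    record = USERS.get(username, DUMMY)
    pwd_ok = hmac.compare_digest(submitted[:-OTP_LEN].encode(), record["password"].encode())
    otp_ok = hmac.compare_digest(submitted[-OTP_LEN:].encode(), record["otp"].encode())
    return "Access-Accept" if (pwd_ok and otp_ok) else "Access-Reject"


def verify_multi_step(username: str, password: str, otp=None) -> str:
    """Multi-step: the password is judged first. A bad one gets Access-Reject,
    a good one Access-Challenge (asking for the OTP), so the first reply alone
    confirms a stolen password before any OTP is ever sent."""
    record = USERS.get(username, DUMMY)
    if not hmac.compare_digest(password.encode(), record["password"].encode()):
        return "Access-Reject"
    if otp is None:
        return "Access-Challenge"  # a real server would attach a State attribute here
    return "Access-Accept" if hmac.compare_digest(otp.encode(), record["otp"].encode()) else "Access-Reject"


def password_oracle(mode: str, username: str, guess: str) -> bool:
    """True when the first reply reveals that `guess` is the correct password
    although no valid OTP was supplied (only multi-step can do this)."""
    if mode == "multi-step":
        return verify_multi_step(username, guess) == "Access-Challenge"
    return verify_multi_method(username, guess + "0" * OTP_LEN) == "Access-Accept"


if __name__ == "__main__":
    ident, auth, attrs = parse_access_request(build_access_request(7, "alice", b"correct horse123456"))
    combined = reveal_password(attrs[2], SHARED_SECRET, auth).decode()
    print("multi-method verdict:", verify_multi_method(attrs[1].decode(), combined))
    for mode in ("multi-step", "multi-method"):
        print(mode, "leaks password validity:", password_oracle(mode, "alice", "correct horse"))
```

The multi-method path is the one the PCI guidance asks for: a correct password paired with a bogus OTP gets the same Access-Reject as a wrong password, so the authentication server cannot be used as a password oracle, whereas the multi-step path answers Access-Challenge to a correct password before any OTP exists. The PCI property is about what the client learns from the reply, not about timing; hmac.compare_digest is used only to avoid the separate issue of comparison-timing leaks.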

 

For more information on these capabilities, refer to:  https://community.rsa.com/docs/DOC-75832#RADIUS5 

 

 

Fig.2 Sample RADIUS Multi-method mode & passwordless end-user screens

 

Improving end-user experience for Cisco Clientless SSL VPN (RADIUS)

This feature improves the user experience for application-specific VPN access when logging in through a RADIUS-based clientless SSL VPN portal. RSA SecurID® Access now provides an improved user experience for Cisco's clientless SSL VPN portals: administrators download the new web toolkit from the RSA SecurID Access Cloud Administration Console and deploy it in Cisco ASDM as part of configuring the clientless SSL VPN.

Typically, clientless SSL VPN solutions are used to provide application-specific VPN access or to create captive portals on a wireless network for secure access. Most customers prefer RADIUS-based integration for this type of deployment because of the flexibility and power of its security policies, but at the expense of a poorer user experience. With the new web toolkit, customers can keep their RADIUS-based integration while providing a great experience for end users, whether a user is trying to reach OWA (for example) or a business partner is joining a wireless network.

You can also continue to use Auto-Push notifications and provide a passwordless experience for RADIUS-based applications with this web toolkit, further elevating the end-user experience.

 

Fig 3. Cisco ASA Clientless SSL VPN step-up authentication end-user experience

 

Adding Flexibility: SMS and Voice authentication comes to RADIUS

Although hardware tokens (and later software tokens) are the classic protection for RADIUS-based resources, RSA now supports a wide variety of modern mobile authentication methods. Mobile push has been available for some time, as has the OTP from the RSA Authenticate mobile app. The RSA SecurID® Access Cloud Authentication Service added SMS and voice authentication options for RADIUS in early 2018, so even users without a token and without the Authenticate app can authenticate to RADIUS-based resources with an OTP delivered by SMS or voice call. This is much more convenient for infrequent and external users.

 

 

Fig 4.  SMS used for RADIUS authentication

 

For more information on these capabilities and others, see the product documentation here:

https://community.rsa.com/community/products/securid/securid-access

All of these enhancements make RSA SecurID® Access an even more convenient and secure solution for your authentication needs.
