The RSA Professional Services Team has made a number of enhancements and feature additions to the RSA SecurID Access Prime (formerly AM Prime) software package, continuing to expand the ecosystem to provide additional efficiencies and value to RSA customers that result in greater ROI on their new or existing RSA SecurID Access deployment. Below we outline significant updates thus far in 2020, highlighting the business value that these updates afford.
Prime Self-Service Portal UI Refresh
The default Prime SSP login screen (Figure 1) and dashboard home page (Figure 2) have been updated with new icons and buttons to provide for a cleaner, more modern UI look-and-feel. Under the hood, numerous changes have been implemented to re-organize and streamline SSP UI elements allowing for organizations to more easily apply their own branding and desired look-and-feel through CSS.
Figure 1. Comparison of Old and New SSP Login Screen
Figure 2. Comparison of Old and New SSP Dashboard Home Screen
A new "Prime Style & Customization Guide" now available on RSA Link provides details on how to implement changes to the Prime SSP interface as well as a number of assets that can be utilized "as-is" or leveraged by your organization as input for generating your own images, icons, and notices. View the guide [here].
Prime Quick Setup Tool
Starting in 2018 timeframe, RSA Professional Services developed the PrimeKit installation framework to improve consistency and supportability of Prime deployments. To complement PrimeKit, a new tool has been created, Prime Quick Setup (PQS), that vastly simplifies initial Prime set up configuration as well as operational configuration updates (e.g., AMIS service account password changes, RSA Cloud integration). PQS accelerates initial PrimeKit deployment, reducing set up time from hours to minutes, for quicker rollouts and customer Time-to-Value with Prime and RSA SecurID Access. It also simplifies ongoing Prime core config changes to minimize administrative tasks.
Guided Enrollment for RSA SecurID Software Tokens
A discrete "guided enrollment" workflow endpoint has been added for RSA SecurID software tokens, similar to existing Prime functionality for RSA Authenticate guided enrollment. This allows users that are being onboarded with RSA SecurID software tokens to be placed directly into a step-by-step closed loop process that provisions the token, allows the user to set their PIN, and activate the token.
Prime invitations, triggered via HDAP or programmatically, can be leveraged to enable direct user access into the specific workflow. The Windows 10 Prime Credential Provider can be used as an additional option to further streamline end-user access into the workflow.
See the demo video to the right for an example of the guided enrollment process, as initiated by an HDAP invitation to the user.
Figure 3. Guided Software Token Enrollment Demo
Expiry Notification Service Support for Token Auto Extend
The Expiry Notification Service (ENS) utility within Prime allows for automated notification and alerting on certain token lifecycle events, and in some cases initiation of operational shutdown of an authenticator or account (for example, due to inactivity). The ENS utility has been enhanced to support auto-extension of RSA SecurID software tokens based on the capabilities introduced in AM 8.2 SP1. Use of the ENS utility can automate the token renewal/extension process, lessening the associated administrative burden which can often be significant and time consuming for organizations with large-scale token deployments. Note that the software tokens must have been issued previously under AM 8.2 SP1 or later in order to leverage this feature.
Unified Authentication Activity Monitoring in Help Desk Admin Portal
The Prime Help Desk Admin Portal provides a "single-pane of glass" for End-User Support personnel to look up, view, and troubleshoot end-users across all assigned RSA authenticators, whether originating from Authentication Manager or the RSA Cloud Authentication Service. HDAP now offers a unified view into user authentication activity for real-time troubleshooting as well as historical events, whether a SecurID authentication via AM or an MFA authentication via RSA Cloud Authentication Service. Easier and more efficient End-User Support servicing reduces issue resolution times thereby allowing End-Users to get on their way quicker.
HDAP Feature Adds for RSA Cloud Authentication Service Support
New features have been added to HDAP to further extend support for RSA Cloud Authentication Service option in the areas of user enrollment and emergency access.
To provide additional assistance during device enrollment scenarios, help desk personnel can now manually generate a device registration code for an end-user. This device registration code can be used to securely enroll a new/replacement device when users may not have access to the Prime Self-Service Portal.
To support users who have misplaced or damaged a registered device, help desk personnel can now generate a cloud-native emergency access tokencode that can be used to authenticate to resources protected by the Cloud Authentication Service. This emergency access tokencode can be configured to expire within 1 to 7 days based on the desired configuration. Additionally, a help desk user can manually disable an emergency access tokencode for a given user should the original device be located or replaced.
PrimeKit Performance Improvements
The Prime AMIS software has been further optimized, resulting in performance improvements that can significantly enhance AMIS transaction throughput, particularly under high-load conditions. This leads to more consistent transaction times and better overall system stability. Because AMIS is foundational to the Prime portal applications, better response times can be realized within Prime SSP workflows thus providing for an improved end-user experience.
Other Items of Note
A number of other general improvements, updates and fixes are contained in the latest PrimeKit release. These include refresh of the underlying technology stack (e.g., AdoptOpenJDK, HTTP/2, Tomcat, OpenSSL, Apache Portable Runtime (APR)). Customers on versions of Prime software deployed prior to 2018 are highly encouraged to have RSA Professional Services evaluate their existing Prime deployment for upgrade to PrimeKit and optimization of their configuration.
Contact your RSA Sales Representative if you are interested to learn more about the RSA SecurID Access Prime package and recent updates.