Support Authentication Manager 8.4
Recently RSA Authentication Manager 8.5 was released.
Will this be the preferred release and onwards in the future, or will release 8.4 also be supported and maintained?
If we do not deploy RSA Authentication Manager in the cloud, is it still good advice to upgrade to 8.5 for future patches and functionality?
Thanks for your reply,
All RSA products have a support lifetime and an End of Primary Support (EOPS) expiration date, https://community.rsa.com/docs/DOC-40387
including the Authentication Manager and the SID Access family, https://community.rsa.com/docs/DOC-73369
Basically from today you have a full year of primary support for AM 8.4, followed by up to two more years of extended support, if for whatever reason you felt you needed to stay at AM 8.4, latest patch being P14.
What typically happens is as Oracle releases their quarterly Critical Patch Updates (CPUs) for WebLogic (the web server component of Authentication Manager), vulnerabilities are reported and fixed by Oracle, then RSA has to assess and implement those fixes into Authentication Manager and SID Access. Right now Oracle's latest CPU, October 2020, reports a few 9.8 score CVEs that are fixed, so RSA has assessed - https://community.rsa.com/message/961895?commentID=961895#comment-961895
and will provide a hot fix for both AM 8.4 P14 and AM 8.5 P1. The risk going forward is that when Oracle releases their Jan. 2021 CPU, something big might be fixed by Oracle, so RSA will make a decision on which patches to provide, and may only provide a patch for AM 8.5, with a recommendation to update to 8.5.
So in general it is better to stay updated and current, and RSA always recommends that you update to the latest version. However, you have some flexibility as to when to update based on your own risk assessment. In practical terms I'd say this allows you to not be the first or early adopter of a patch or update, but take a wait-and-see approach for some reasonable amount of time so as to be a secondary adopter.
This is pretty much the nature of software updates in the age of global vulnerabilities. Updates can be planned in the bigger scheme based on your firewall and other protections, plus your assessments of reported vulnerabilities in light of RSA Engineering responses - which often include the response "The flaw exists but cannot be exploited" or "The flaw exists but presents no additional risk."
Another point, AM 8.5 is good even if you do not need or want Cloud Authentication Service, CAS.
This is a mature product, so there are many features, possibly too many for a single customer to use or implement. It can get confusing, with CAS being a way to protect cloud-based applications with Multi-Factor Authentication, which is separate from actually deploying your AM into either the Amazon or Azure Cloud (as opposed to deploying in your own VMware infrastructure or deploying a hardware Appliance).
Even with all the features, we see a lot of customization through the AM Prime / AMIS suite, as well as custom Admin applications that meet specific needs.