Skip navigation
All Places > Products > RSA SecurID Access > Blog
1 2 3 Previous Next

RSA SecurID Access

71 posts

If you’ll be connecting to your Identity Source securely, using LDAPS, you’ll need the SSL certificate from your LDAP directory server when configuring the connection in the Cloud Administration Console. Not sure how to get it? We’ve seen our customers use a few different ways to get this certificate. Here are just a couple:

 

  1. Ask your directory server administrator for the certificate chain. Really, it can be that easy. When you add your connection to the LDAP directory (following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.
  2. Can’t ask your directory server admin or don’t want to? OpenSSL can be an easy way to do it. Here’s how:
    1. After you add your identity router (following the steps in your Quick Setup Guide), access SSH on your identity router using these instructions: https://community.rsa.com/docs/DOC-75833 
    2. From the identity router command line, query the directory server to obtain the certificate chain using the following command:

       

      openssl s_client -showcerts -connect LDAP.SERVER:636

       

      where LDAP.SERVER is the LDAP directory server that has the full certificate chain loaded on it. (You might have to ask your directory server admin to know which directory server to query.)

    3. From the output, copy the sections starting from and including the BEGIN CERTIFICATE line to (and including) the last END CERTIFICATE line. Paste these lines into a local file on your desktop and call it something like ldaps.pem.
    4. When you add your Identity Source connection to the LDAP directory (again following the steps in your Quick Setup Guide), upload this file in the SSL Certificates section.

Do you have other easy ways to get your LDAPS certificate?  If so, please share your tips and tricks in the comments!

For part two of our multi-part training video series Jay Guillette returns to present the sequel to his video guide on how to install patches on an RSA Authentication Manager 8.1 server via web browser

 

Our new topic is . . . Super Administrator Password Reset (see article 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin for the text base version).

 

We've all had that experience when you try to login to the Security Console with the password you know worked earlier in the day and it. is.just. not. working.  You try again and again.  You try your Gmail login password or your bank PIN, your network login password, your mom's maiden name, the name of your favorite pet . . . anything you think it might be but still your login fails.

 

Fear not, intrepid SecurID admin!  We can help!  Jay's video is a great overview of how to access the Security Console by creating a temporary user who can gain access to the Security Console.  Once in, your temp admin can reset your super admin user's password.  Easy peazy lemon squeezy!

 

Watch 000017467 - Unable to login to RSA Authentication Manager Security Console as super admin  the video and let us know what you think!

PLEASE  NOTE:  An RSA Authentication Manager 8.x  Web Tier server installed on CentOS is NOT supported by RSA.

 

This UNOFFICIAL GUIDE is intended only for non-production lab testing for partners, customers and RSA employees.

 

For more information on RSA's position on using CentOS with RSA Authentication Manager and RSA Authentication Agents, please see 000016848 - RSA support for Authentication Manager and/or RSA Authentication Agents installed on CentOS.

      

Introduction

An RSA Authentication Manager Web Tier server has three functions:

  • Secure CT-KIP RSA SecurID software token provisioning across untrusted networks (usually the internet).
  • Allowing Self-Service Console (SSC) access to untrusted networks or the internet.
  • Legacy Risk-Based Authentication (RBA) feature in Authentication Manager 8.x. This function has been superseded by SecurID Access Cloud Authentication Service Risk-Based Identity Confidence in the Premium edition.

Of these functions, the first is most important for a secure Authentication Manager 8.3 deployment. The  Web Tier is currently provided as Microsoft Windows or Linux software packages that install on a customer-provided server typically deployed in a DMZ. Lab deployments usually operate inside a secured network zone.

It is strongly recommended that customers and partners maintain a non-production lab testing environment to test new versions and configuration changes.

        

Please see the RSA Authentication Manager 8.3 Setup and Configuration Guide, Chapter 5: Installing Web Tiers, Web-Tier Hardware and Operating System Requirements for more details on supported versions of Windows and Red Hat Enterprise Linux (RHEL).  Here are the requirements:

Description
Requirements
HardwareHard Drive: 2 GB for Web Tier installation
Hard Drive: 4 GB, with 20 GB free space for logs and updated component downloads
RAM: 2 GB
CPU: A CPU with a dual-core processor or better, or 2 or more CPUs.
Ports

External Firewall: 443 HTTPS (TCP)

DMZ: 443 HTTPS (TCP)
Internal Firewall: 7022 T3S (TCP)

Operating SystemsRed Hat Enterprise Linux 5 Server (64-bit)
Red Hat Enterprise Linux 6 Server (64-bit)
Red Hat Enterprise Linux 7.4 Server (64-bit)
Windows Server 2008 R2 (64-bit)
Windows Server 2012 (64-bit)
Windows Server 2012 R2 (64-bit)

 

While these are the officially supported servers, it's often difficult for lab/demo usage to get a licensed copy of Microsoft Windows Server or Red Hat Enterprise Linux. CentOS is the free and open source version of RHEL which is nearly 100% compatible. In my testing I have found it's possible to deploy the RSA Web Tier package on a CentOS host after a very trivial modification of the OS. 

This guide is intended to allow a SecurID administrator to configure a CentOS 7 Web Tier in a non-production lab or demo environment based on VMware workstation or ESXi virtualization infrastructure.

 

Task 1: Configuring the CentOS 7 Operating System

Since CentOS is highly configurable with several different distributions, this section will provide step-by-step guidance.

  1. Download the DVD ISO from CentOS. The Everything ISO is too bloated and the Minimal ISO leaves out important tools, so the DVD release is the right one which allows you to configure your server at install.
  2. Build your virtual machine in VMware Workstation or ESXi, or your hypervisor platform of choice. Note that the Web Tier can even be installed on a physical server which may make sense for some environments, as it typically sits in the DMZ on a network. The VMware step-by-step instructions are beyond the scope of this article. Create the VM with 20 GB of disk, 2 GB of RAM and a single network adapter. (See Web Tier hardware requirements in the RSA Authentication Manager 8.3 Setup and Configuration Guide) I did customize the virtual hardware and remove the printer and sound card defaults since we don't need that for a server. Change the CD/DVD virtual drive to use the CentOS 7 ISO image you downloaded above and increase the memory to 2 GB. I find 2 vCPUs to be overkill for a lab so I kept the single CPU default. Once everything looks good, power on the VM and enter the virtual console.
    VMware create VM customized hardware and ISO image
  3. At this point I find it easiest to get the DNS for the server configured. In my lab network router interface, here I have entered an A DNS record and will fill in the static IP address in my lab router admin interface, which also is my local DNS resolver:
    Adding of Web Tier DNS entry
  4. Now we're ready to proceed with the VMware console install of the CentOS 7 Web Tier. The following screen shots are based on the ESXi web client but it should be similar for workstation. On boot you should see the CentOS Linux 7 installer boot screen, select the first option Install CentOS Linux 7. Follow the screen prompts from there including typing Enter.
    CentOS 7 boot install first option
  5. A bunch of booting events happen and then you'll get to a language selection screen, defaulted to US English. Select the default and then move to the main installation GUI screen. Note anything that's red needs to be selected before the installation can proceed. You have to be careful because it's a lot easier to configure some optional items here rather than later after installation is complete.
    1. First complete the mandatory Installation Destination. Don't forget to also fix the Date & Time time zone to match the Web Tier location. Then highlight the Software Selection option and select it:
      CentOS 7 main installer mandatory selections
    2. Choose the server type. I've found Minimal too bare bones, so Compute Node has more useful utilities. You may be wondering why I didn't select Basic Web Server. I don't want that because the RSA Authentication Manager 8.3 Web Tier package has it's own web app server and web server so we don't want an unneeded web server in the OS.
      CentOS 7 software selection
    3. The last step, which is an important one, is configuring the Web Tier server network connection. Select the Network & Host Name option and configure the network. Note the Ethernet connection is defaulted to off. Before you switch it on, click the lower left Configure button:
      Network and Host Name configuration main screen
      Go through the various tabs.  Most settings are left as the default but I turned off IPv6 by choosing Ignore and configured IPv4 as Manual with my static IP configuration that I already set up on my DNS server. Set the IP address, subnet mask and gateway as well as Host name and Search domains. Note all the fields are not shown completed below:
      IPv4 detailed configuration
      Finally turn the network on with the top right graphical switch. You should see the connection details and then be able to ping the Web Tier from another host on the network by hostname. Note that the Web Tier installer process requires the Web Tier to be resolvable by host name.
      Network and Host Name configuration completed
      Successful DNS resolution and ping from another host on the LAN
    4. You're finally ready to begin the installation, so select that option on the main installer screen. You'll see the installer starts installing packages from the DVD ISO. In the meantime, you can set the root password and create the Web Tier user. Set a strong root password and note you should really create the Web Tier user now and set it up as non-root with another strong password. This will be required for the Web Tier installer later.
      Web Tier passwords set
      Finally, the install will complete and you'll be prompted to reboot. You will come to the login bash prompt. Login as root, then logout again. You can proceed to get the Web Tier software install going. This is a lab environment so all security procedures and Security Enhanced Linux (SELinux) were not selected, but certainly follow best practices for your environment as they apply.

 

Task 2: Install and Configure RSA Authentication Manager 8.3 Web Tier Package

  1. We now have a CentOS 7 server with network connectivity that is ready for the RSA Web Tier install. Use your favorite SSH client from your chosen OS and log into the Web Tier. If you haven't already by this point, download the Authentication Manager 8.3 Web Tier package from the /Webtier directory in the Extras .zip file, available from Version Upgrades on RSA Link.  See 000034558 - How to download RSA Authentication Manager 8.x full kits and service packs from RSA Link for information on how to  download the file.
    Note you must have entitlements to download this file, so contact Customer Support if you get a login or authorization error.
    Handy Tip: You only need the /common and /linux-x86_64 sub directories extracted and copied over to your local VM or PC jump host with LAN access to the Web Tier CentOS 7 server. This way you are not copying over the unneeded /windows directory to a Linux Web Tier server.
  2. Use your favorite SCP tool to copy the /common and /linux-86_64 subdirectories to a new directory named /tmp/webtier on your CentOS 7 Web Tier server. The screen shots here are based on WinSCP. It's pretty important to have GbE or faster local LAN connectivity to your Web Tier box. For 8.3 it's about 1.7 GB of install files to copy over.
    WinSCP file copy to CentOS 7 Linux server
  3. From here we will follow the steps on how to install a Web Tier on Linux using the command line from chapter 5 of the RSA Authentication Manager 8.3 Setup and Configuration Guide. The documentation for Linux Web Tier installs has been greatly improved over older 8.x versions. Make sure you look at the Web Tier Installation Checklist before you start the installer script and follow the chmod permissions instructions carefully. You'll also need the Web Tier package from the Authentication Manager 8.3 Operations Console before you start the installer script as shown here. The typical service options are selected:
    Web Tier OC configuration and package generation

Task 3: Fix Installer Script Version Check to Allow Install on CentOS 7

STOP HERE. If you just try to continue with the default Web Tier installer script, you'll run into this error:

        


Installer script prerequisites error

  1. There's an easy fix to fool the installer script OS version check, which isn't that sophisticated. At the command prompt, type cat /etc/redhat-release and you'll see this file contents refers to CentOS:
    Release file view
    If you search this subject online, you'll get links regarding Red Hat Enterprise Linux Release Dates, which will give you the contents of this file specific to RHEL 7.4; which is Red Hat Enterprise Linux Server release 7.4 (Maipo).
  2. Use a nano /etc/redhat-release command, edit the file accordingly, and save it:Editing /etc/redhat-release file
  3. Now the installer script can proceed after you answer all the questions, as it will pass the RHEL 7.4 version check:
    WT installer script proceeding successfully
    Depending on how fast your storage system is on your server the install should take 20 to 30 minutes. After this time you should see the installer script finish with this message. It does take some time.
    Your installation is complete.
    Next Step
    After you exit the Web-Tier Installer, the Web-Tier Update Service connects to the preferred server to install the necessary services. Use the RSA Operations Console to check the status of this process.
    Go to Operations Console > Deployment Configurations > Web-Tier Deployments > Manage Existing.
    The update may take up to 20 minutes to complete.

    Press Enter to exit.
  4. The other key tip I've found is to go ahead and reboot the Web Tier server with a reboot command. It seems the Web Tier bootstrapper doesn't start after the installer finishes, but will kick off on a reboot. You will know it is working because if you run a top command on the console, Java will be taking up a bunch of CPU cycles:
    Web Tier Java processes
    You also may need to open the HTTPS service using the
    firewalld command if it's not already open. Search online for the many helpful guides on this.  RSA knowledge article 000033006 - Troubleshooting an Update Issue with an RSA Authentication Manager 8.1 Web Tier Deployment is very helpful in troubleshooting Web Tier connectivity issues on Linux. Eventually you will see this happy message on your Operations Console Web Tier configuration screen:
    Web Tier online successful

  5. Finally, go ahead and browse from your lab network to the FQDN of your Web Tier. It's recommended you use Microsoft Edge or Internet Explorer, as you should get a invalid security warning that you can click past. Firefox and Chrome are much stricter (rightfully so) on security, so you probably can't open the Web Tier Self-Service Console on current versions of those browsers. This can be fixed by getting a proper SSL certificate on the Web Tier through the documented procedure. For now, we have the Web Tier up and running.  Success!
    Web Tier SSC success!

With the availability of RSA Authentication Manager (AM) v8.3, you now have the option to transition your RSA SecurID® Access deployment to the cloud and take advantage of the business agility, and economies of scale that Amazon Web Services (AWS) cloud computing offers. Create a hybrid or full Virtual Private Cloud (VPC) solution that best meet your business needs.

Create Hybrid or Full AWS Virtual Private Cloud solutions

In a Hybrid VPC model, the AM Primary instance and a Replica instance (for disaster recovery) are typically maintained in on-premise data centers for administration. Replica instances can be deployed in selected AWS regions to ensure 7x24 authentication services availability. In a full VPC deployment, all components: AM Primary, AM Replicas, Web Tiers, as well as devices protected with RSA SecurID Agents or RADIUS Clients can be moved to the cloud.

A major strength of RSA SecurID Access is the RSA Ready Partner Program where hundreds of products (VPNs, Load Balancers, Web Servers, Applications, etc.) have out-of-the-box interoperability with RSA SecurID Access. This will result in a smoother transition to the cloud. RSA strongly recommends that RSA Best Practices be maintained such as configuring Security Groups for secure connections to RSA SecurID Standard Agents or RADIUS Clients.

How to Obtain the AWS AMI

RSA has made it easy to obtain the RSA Authentication Manager AWS Machine Image (AMI). Existing RSA SecurID Access customers can simply contact RSA Customer Support. An RSA Customer Relations Desk representative will validate your RSA Support agreement and obtain your AWS Account Number (AWS Commercial or GovCloud) on your behalf. You will receive an email confirmation from RSA SaaS Operations indicating that the RSA Authentication Manager AMI located in the RSA Private AWS Community has been shared with your AWS account number. New customers can simply order the AMI at no charge. Contact your RSA account representative for more information.    

Configuring the AWS AMI

Configuring the AMI is easy. Simply login to your AWS Account EC2 console; choose AMI Private Image; search for the RSA Authentication Manager v8.3 AMI ID provided in the email notification and follow the instructions to Choose & Configure Instance Type, Add Storage, Add Tags, Review, and Launch the AMI. Be sure to keep all necessary information provided, including the RSA AM Quick Setup URL and the Quick Setup Access Code. Go to your browser, enter the URL and access code, and you’re ready to configure an AM primary or replica instance.

 

More than Just an AMI

RSA Authentication Manager v8.3 also includes a number of new features that make it easier to manage your RSA SecurID Access solution - improved agent visibility & reporting, efficient auto-assignment of tokens by expiration date and added search by token serial number capabilities in the User Dashboard.  

RSA Authentication Manager 8.3 Amazon Web Services (AWS) Virtual Appliance Getting Started

Need to know what to do to patch your RSA Authentication Manager 8.servers?  We can help!

 

RSA is excited to announce a new multi-part training video series for the RSA SecurID Access product.  Chapter 1 is a companion video to our popular knowledge article 000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser

 

In a brief training video, Jay Guillette of our Advanced Technical Support team walks you step-by-step through the things you need to know before patching your Authentication Manager primary and replica servers, such as what prerequisites must be met before installing (patch order, minimum free disk space, required ports, etc.); how to download patches and finally, how to successfully complete the install process.

 

Watch the video:   000029877 - How to install patches on an RSA Authentication Manager 8.1 via web browser.

 

We love your feedback so let us know what you think and what videos you'd like to see next.

Join us for the webinar series that answers the question plaguing every identity professional today: You know the credentials are right, but how do you know the person that’s using them is really who they say they are? With cloud and mobility making it easier for users to access resources, but harder for you to authenticate those users, you need to know how to transform secure access to deliver both convenience and security. Learn all about it in three webinars led by top RSA identity experts, Wednesdays from 11:00 a.m. to 12:00 p.m., starting February 7.

February 7 – Transforming Secure Access

With 81 percent of cyber attacks today being credentials-based – up almost 20 percent over just a year – it’s time to rethink how to protect against these types of attacks. If you’re ready for a more effective approach to reducing your identity risk, join Ayelet Biger-Levin, RSA senior consultant, identity product marketing, to kick off the webinar series. You’ll find out why the old tried-and-true approaches to secure access don’t work so well in a mobile, cloud-connected world – and you’ll learn how to build a strong new foundation for convenient, secure access, using identity intelligence, business context and threat intelligence.

February 13 – Modernizing Authentication in and for the Cloud

Everybody’s moving applications and data to the cloud, but nobody’s happy about the risk of sacrificing security in the process. The good news is a modern approach to authentication – one that’s pervasive, continuous and risk-aware – can make access in the cloud just as secure as it is on-premises. In this webinar, you’ll learn from Tony Karam, RSA senior consultant, identity product marketing, about the latest resources for secure access and how to extend them seamlessly into cloud environments. It all comes down to having the assurance that people seeking access in the cloud are who they say they are, that the devices they’re using are secure and that their access isn’t putting your organization at risk.

February 21 – Delivering Authentication Your Way: Why One Size No Longer Fits all in the Access Game

Different users pose different levels of access risk, depending on who they are, what they want access to, where their requests originate and more – so you need more than one means of authenticating them. But they also all have one thing in common: They don’t need authentication to slow them down or stop their progress. So you need to offer a variety of methods that will enable them to access the resources they need, wherever they are and whatever the circumstances, without missing a beat. Join Murtaza Hafizji for this webinar on how to use modern multi-factor authentication to provide the secure access your organization needs without sacrificing users’ productivity or convenience.

Register today for any or all of the webinars in our February series, Identity Assurance for a Connected World.

We sometimes get questions regarding the scalability of the RSA SecurID Access Cloud Authentication Service.  Customers who are used to managing on-premises solutions want to know how many machines they need to set up to support their end user population during peak periods. But since the Cloud Authentication Service is a hybrid solution, the scaling considerations are a bit different.  

If you use the Cloud Authentication Service to provide primary and/or additional authentication to relying parties, scalability is simple because the cloud components are designed to scale to meet your needs.  The hybrid architecture still involves an on-premises identity router, which provides a secure connection to your identity source(s), but its role is minimal at runtime. Just make sure you deploy more than one identity router for redundancy, in case one goes down.

If you use the identity router for RADIUS-based access control, all you need to do is make sure you have redundant identity routers with RADIUS enabled. The Cloud Authentication Service handles the heavy lifting.

If you want information about scalability and you use the SSO Agent capabilities, you can read more about that in the RSA SecurID Access SSO Agent Performance and Scalability Guide.

 

In case you missed this announcement from the Gartner IAM Summit:

 

RSA Expands Its Technology Ecosystem to Transform Authentication 

RSA® SecurID® Access software will interoperate with CyberArk Privileged Account Security Solution, Microsoft Windows Hello, Palo Alto Networks Next-Generation Firewall and VMware Workspace ONE™

 

Integration Guides for each of these partnerships can be found in our RSA Ready program page. 

 

Nathan

It was amazing to me to see so many Compliance, Risk and Security professionals in one place, learning from subject matter experts and from each other through technical deep dives and business-driven use cases focused on delivering best practice and lessons learned. I had the opportunity to speak with so many RSA customers and was inspired by the great work they are doing.    

 

One of the highlights of the event was that over 100 RSA customers got up on stage during Charge to present their unique use case and the challenges and opportunities they have addressed with the help of RSA solutions. Thank you for sending us your feedback; it is great to see that overall you felt that the sessions were impactful and of value. 

 

During Charge you completed evaluations for the sessions that you attended. These provide us great information, including what sessions you enjoyed the most – you confirmed that one presentation from each RSA Suite clearly stood out as being the BEST! 

 

Out of 92 outstanding Breakout sessions that took place on Wednesday, October 17 and Thursday, October 18 winners, were selected by RSA Charge 2017 attendees for being best overall in:

 

  • Overall Value
  • Presentation Skills
  • Credibility/Knowledge
  • Engaging/Interactive
  • Avoided Commercialization
  • Relevance

 

We would like to announce, recognize and sincerely thank the recipients of the RSA CHARGE 2017 Best in Show Award:

 

            RSA Archer Suite Best in Show Award:

Deanne Dinslage, Sr. Archer Systems Administrator, Assistant Vice President, Bank of the West & Andrea Dollen, Manager, True8 Solutions            

Beyond the Customer - Making RSA Archer Suite Work for YOU! - Tired of hours of documentation for minutes of build?  Let me show you how to use RSA Archer Suite to do this in a few clicks with better results!

 

RSA Fraud & Risk Intelligence Suite Best in Show Award:

Damon Marracini, Vice President, Citi; Michael O’Connor, eCommerce Principal Product Marketing Manager, RSA; Greg Zaharchuk, Fraud Investigator, Vanguard; Qasim Zaidi, Cyber Process Manager, Capital One; Alma Zohar, Web Threat Detection Product Manager, RSA

Tales from the Trenches: Using Web Threat Detection to Fight Fraud - Explained how RSA Web Threat Detection is helping customers fight real-world cyber fraud.

 

RSA NetWitness Suite Best in Show Award:

Sean Catlett, SVP, Emerging Services, Optiv

Building a Modern Security Program:  Or… “If I Had to Start Over, What Would I Do?” – Discussed keys to building your SOC and defending your enterprise using orchestration and automation.

 

RSA SecurID Suite Best in Show Award:

Michael Duncan, Program/Process Manager, Ameritas Life Insurance Corp; Lisa Ferraro, Developer, Ameritas Life Insurance Corp; Ravi Makam, Principal Consultant, Optiv

Insights and Lessons Learned from Upgrading RSA Identity Governance and Lifecycle and Going Virtual - Ameritas Life Insurance Corporation and Optiv discussed upgrading to RSA Identity Governance and Lifecycle Version 7.0.1 and going from a hard appliance to VM's to take advantage of new product capabilities.

  

Congratulations to all the Best in Show Award winners – RSA Charge 2017 attendees selected these from over 92 sessions!  Great job and thank you!

 

 

Anya Kricsfeld

Launching RSA Ideas

Posted by Anya Kricsfeld Employee Oct 31, 2017

For years RSA has been in business of providing best-in-class security products and services to you, our customers.  I am proud to be surrounded by extremely intelligent and creative coworkers who amaze me with their knowledge, imagination, and ability to make abstract a reality on daily basis.  However, I am even more astounded by the unending well of new ideas I see coming from our customer community every time I interact with or observe an interaction between us and you.  You are the true inspiration and driving force of our innovation.  We build products that solve your problems, we offer services that help you, and everything we do - we do with you and your success in mind.

 

This is why I am happy to officially introduce you to a new way to harvest and crowdsource our collective ideas together.  This month, we have launched new idea pages on our RSA Link Community:

 

 

These destination pages are places for you to show off your creativity and need, to suggest ways that would improve our offerings to help you be more successful.  It is also the place where you can collaborate on your ideas with other like-minded individuals and vote on ideas suggested by others.

 

We have a great customer community, let’s harness its creative power to see what we can come up with together.

 

For more information, please check out the following FAQs:

Identity is a critical risk component in all organizations. With recent breaches blanketing the news impacting almost all adults in the U.S., organizations are taking another look at their security programs to minimize the risk. It’s time for organizations to take charge of securing access to their sensitive data, systems and applications.

So why not take advantage of RSA Charge this October 17-20 to hear how your peers across banking, healthcare, insurance, technology and manufacturing industries are effectively managing identity to minimize risk? Each with a unique perspective of how they are implementing RSA SecurID® Suite technology in their environments to improve their security posture. Plus you can see how RSA is innovating our identity and access management solutions to address today’s identity and access challenges.

Here’s a handful of sessions you’ll be able to participate in at RSA Charge this year:

The Evolution from Authentication to Identity Assurance

While two-factor authentication is the standard for securing external access, the world has evolved and with it, so have users’ expectations. Learn how leveraging powerful risk analytics combined with dynamic access policies provides better Identity Assurance and creates a better user experience—all while maintaining the security posture in today's changing ecosystem.

Rethinking IAM: How Risk-based Approach Makes IAM More Effective and Strategic

Identity governance and lifecycle management is the cornerstone of an identity management program, but there is much more. Learn how taking a risk-based approach can make your program more effective at governing who has access to what while elevating the strategic importance and visibility to the C-suite.

An Epic Tale – How to Leverage IAM to Get a Handle on Your Electronic Medical Records System

In the session, you’ll learn how you can avoid an epic fail with your Electronic Medical Records (EMR) by integrating Epic EMR system into your identity management program with RSA.

This is just a taste of the exciting content we’ll feature in the Identity and Access Management track. Take a look at the full agenda at RSA Charge and check out the other awesome keynotes and networking events taking place. You won’t want to miss this!

Now is the time to take Charge of your identity program and there’s no better place to get started than by joining other RSA SecurID Suite customers at RSA Charge.

Register for RSA Charge by October 16 and save $100.

Take Advantage of Several Registration Discounts That Expire EOD Friday, September 15

 

This year’s RSA Charge event is definitely one not to miss. If you have not yet registered please do so today to secure the Discount Rate of $745, saving you $200 through September 15. Registration on the RSA Charge 2017 website couldn’t be easier.

 

Still on the fence? Check out the Full Agenda with over 90 sessions, 35 hands-on labs, and 140+ thought leader industry experts you’ll agree this is the premier event on RSA Business-Driven Security™ solutions. You can also take this opportunity to build your own personal business-driven security experience for Charge.

  

Another way to save: Friends with Benefits! They say sharing is caring, so ‘already registered’ RSA Charge attendees can now share the love by forwarding this code to a peer or colleague and he/she will receive $100 off the current $745 registration fee by using this code from you: FRIENDS17. This code too expires on Sept. 15, so share the love today!

 

And, finally, in case there are still some doubters amongst you, watch these two RSA Charge videos – you’ll be convinced that RSA Charge 2017 is the place to be seen and heard, Oct. 17-19 @ Hilton Hotel Anatole, Dallas. See you soon!

                                                                           

RSA President Rohit Ghai

RSA SecurID/Identity Tim Norris

 

RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas.

If you’re looking for the latest news, trends and innovations in identity, you’ll find it all at RSA Charge 2017 October 17-19 in Dallas. I hope you will join me this year along with the RSA identity team for three action-packed days of content and connections, with hands-on labs, RSA product previews, plenty of networking opportunities and more. It’s all part of RSA’s can’t-miss annual user conference, Charge, the premier event on RSA® Business-Driven Security™ solutions, where an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management unite.

 

Top 3 Reasons to Attend

By joining us for RSA Charge 2017, you’ll be able to:

  • Learn how you can reimagine your identity strategy with identity and access assurance, next-gen authentication solutions (including mobile push authentication, biometrics, FIDO tokens, smart phone authentication methods and more), and the latest in identity governance and lifecycle management technology
  • Go hands-on in labs learning recommended practices for RSA® Identity Governance and Lifecycle and preview the latest RSA SecurID® Access product features
  • Gain insights from your peers at top companies sharing how they solved real-life identity challenges and what they learned in the process

The Future of Identity Starts Here

RSA Charge 2017 is your opportunity to gather with RSA’s identity experts and executives to hear about RSA’s vision and strategy around identity. Keynotes by cybersecurity visionary and TED speaker Marc Goodman, RSA President Rohit Guy, and other RSA execs set the tone each day, followed by morning-to-night sessions exploring the shift from identity management to identity assurance, the move to multi-factor authentication and the evolution of identity-related risks and risk management. You’ll also hear first-hand from customers sharing stories of how they’re reinventing their identity strategies to address emerging challenges in authentication and identity governance.

Getting Down to Brass Tacks

Come to share your input into the overall identity customer experience, and leave with plenty of practical knowledge for improving your identity practice. We’ll guide you through detailed roadmaps of RSA Identity Governance & Lifecycle and RSA SecurID Access, and give you a sneak peek at the latest releases. We’ll also share some practical tips for specific identity projects like upgrades and quick starts. And we’ll show you how RSA Identity Governance & Lifecycle integrates with RSA Archer, RSA Authentication Manager and other key business applications to give you new ways to manage identity risk and to help you lower your risk of an audit failure (or worse, a data breach) while improving your overall compliance efforts, including those for GDPR.

Register Today for Special Pricing on Your Attendee Pass

Don’t miss your chance for an up-close look at what’s happening in identity today from RSA experts and customers, and other security industry leaders, at RSA Charge 2017. Register by September 15 for serious discount pricing. I look forward to seeing you there!

About RSA Charge 2017

RSA Charge 2017, the premier event on RSA® Business-Driven Security™ solutions, unites an elite community of customers, partners and industry experts dedicated to tackling the most pressing issues across cybersecurity and business risk management. Through a powerful combination of keynote speeches, break-out sessions and hands-on demos, you’ll discover how to implement a Business-Driven Security strategy to help your organization thrive in an increasingly uncertain, high-risk world. Join us October 17 – 19 at the Hilton Anatole in Dallas, Texas. Register now!

This RSA SecurID Suite Navigator Tool is part of an ongoing campaign by the RSA SecurID Customer Enablement group to make it easier for RSA SecurID Suite customers like you to find relevant product training and documentation. The RSA SecurID Suite Navigator Tool allows you to filter content based on your role within your organization: Administrator, System Administrator, and Business User. You can also filter content by your knowledge level of the RSA SecurID Suite, from Basic to Intermediate to Advanced.

 

The RSA SecurID Suite Navigator includes content from the entire RSA SecurId Suite: RSA Authentication Manager, RSA Identity Governance and Lifecycle, and RSA SecurID Access. This navigator tool pulls content from different RSA business units and includes RSA University training content, Knowledge-based articles, as well as a vast collection of user documentation. The RSA SecurID Suite Navigator will be updated frequently to ensure you are receiving the most up-to-date content available. There is a dedicated team of RSA professionals across different business units to help you take charge and power your way to success with the RSA SecurID Suite.

 

In our continued efforts to provide the best content available, we rely on your feedback. If you cannot find what you are looking for in the Navigator, please complete the form we have provided on the main Navigator page.

 

You can find the SecurID Suite Navigator Tool on the main RSA SecurID product page or by navigating to the following URL:

 

https://community.rsa.com/community/products/securid/navigator

We work with many customers who struggle to figure out the best way to provision credentials. Credentials are the “keys to the kingdom” and it is critical that customers find an adequately secure provisioning process. When provisioning credentials, extreme vigilance must be maintained. None of us want to consider some unauthorized party getting access to the resources the credentials are intended to protect.

 

Provisioning Challenges

There are a number of challenges to securely provisioning tokens.

  • How can I communicate with the end user in a secure manner?
  • How can I vet the identity of the recipient?
  • How can I be sure that only the intended recipient was able to access the credentials?
  • How can I provision what may be a large number of credentials efficiently?

This comes down to a common thread throughout all security-related procedures: finding the right balance between convenience and security.

 

When credential provisioning is involved, it is also important to consider the frequency. Provisioning is not something that should occur on a regular basis, so I find that most customers lean more toward security than convenience. Focus on convenience for the day-to-day authentication mechanisms, not the provisioning process.

 

I used to work for a company that had what I considered to be a very secure password (or password reset) provisioning process. If you forgot your password and called the help desk, they asked you your location and then directed you to walk to the nearest guard station. At the guard station, the help desk called the guard and asked them to check your photo identification badge to verify your identity. After the guard had verified your identity, they handed you the phone and the IT help desk provided a temporary password that had to be changed at your next logon.

 

This was clearly a very secure process involving a “trusted third party” (i.e. the guard) and a previously issued credential (the user’s security badge), but it was not what I would consider to be very convenient. Passwords could not be reset if you were off-site, and outside of normal working hours you might have a long walk to the nearest manned guard station. On the other hand, forgetting your password or needing a new password was something that should not occur on a regular basis.

 

Securely provisioning credentials requires customers to avail themselves of every protection available. This follows another core security tenant: leverage defense-in-depth wherever possible. Unlike a physical credential (i.e. a key), electronic credentials offer the administrator a number of additional defenses. Electronic credentials can be enabled only once we have verified they’ve been received by the intended recipient. Some credentials may also involve a personal identification number (PIN) as an additional defense. If possible, administrators should provide a temporary PIN (changed at first use) along with the credential. Others may have a password that can be used as an additional level of protection for the credential while in transit. All of these mechanisms improve the security of the credential while in transit.

 

Case in point: RSA SecurID Software Tokens and Compressed Token Format

RSA SecurID software tokens can be provisioned using a Compressed Token Format (CTF) code. This is a credential provisioning format that contains the token initialization values (i.e., seed, serial number, start date) in a convenient code that can be emailed to the end user and is easily imported into a device. These values are typically encrypted with a password and another value called the binding ID. While extremely convenient, care must be taken to leverage all available CTF protection mechanisms depending on the potential exposure of the data during the provisioning process.

 

The binding ID is a value generated during the installation of the software token and is provided to the administrator by the end user. The software token attempts to make this as convenient as possible by providing a link that generates an email containing the binding ID. The administrator uses this value to generate a CTF code that, in conjunction with a password, can be used to initialize a software token. Note that this creates a “two-factor authentication” mechanism for the CTF (which we all know is better than a single factor).

 

Software tokens may also be provisioned through mechanisms that greatly limit the exposure of the CTF value. For example, the CTF can be provided to the software token as a graphical “QR Code” displayed from a secure self-service web portal. Since accessing this portal would have already required the end user to have performed some form of authentication, adding an additional password may be unnecessary and inconvenient. On the other hand, if the administrator was sending the CTF code via unencrypted email, an additional password (provided to the end user through some other, secure mechanism) would be critical to the security of the provisioning process.

 

Since the binding ID also contributes to security, it would also be important to have procedures that keep this value and the CTF code separate. An administrator that received a binding ID via email should use care to not simply reply to the same email (as this leaves the binding ID in the email response). During this sensitive process, we want to make it as inconvenient as possible for any bad actors that may be attempting to steal credentials. Replying to a “Binding ID” email with a CTF code would create a neat package of data that, if obtained by a malicious party, would provide them with many pieces of the puzzle. Intercepting just a CTF code without the corresponding binding ID would leave the bad actor looking for this and other data. Optimally, the binding ID would have been provided to the administrator through some other channel, such as a phone call.

 

This begs the question: “How does the binding ID contribute to the security of the solution?” While it is a factor that is used to protect the CTF code, the binding ID also helps the administrator prevent a legitimate user from installing the software token on more than one device (which poses a separate security risk). If we assume the bad guy has somehow gained access to the user’s binding ID, it provides little protection from someone, using a rooted or jail-broken device who attempts to use an ill-gotten CTF code to clone the token. In this scenario, the CTF password is critical and would help prevent the bad actor from creating a copy of the token. Thank goodness for defense-in-depth! Since the administrator was very security-conscious, the token was also left disabled until the administrator could confirm it was received by the recipient, and a temporary PIN was set (which was separately provided to the end user through a secure channel). These additional steps add significantly to the security of the provisioning process. Even if a bad actor was able to obtain and use the CTF code, they would not know the temporary PIN associated with the credential and the intrusion would be quickly discovered.

 

Threat Modeling for Provisioning

Security administrators should be creating and maintaining an internal threat model specific to their credential provisioning practices and procedures. I like to start by focusing on the most valuable assets and look at how those might be compromised. The other critical activity is to identify a number of threat model assumptions. These are very helpful to simplify and create a “boundary” for the model. The goal of threat modeling will be to develop a level of confidence that the procedures in place will be sufficient to stop a simple and undetectable attack. This exercise will also identify points at which provisioning data may leave your control, which could lead you to consider additional layers of security that could be added to further complicate and prevent unauthorized access. In the CTF example above, data being sent by unencrypted email was a clear point at which some control of the provisioning information was lost.

 

In general, this process leads to a long sequence of “what if?” questions, which in turn lead to security mechanisms that are rooted in the model’s assumptions. Some examples:

  • How do end users prove their identities to the administrator?
  • Who is authorized to provision credentials and how is that process controlled?
  • How will the credential be transmitted to the end user and what protects it during this process?
  • If this is a software-based authenticator:
    • How to I control devices (i.e. phone, laptop, tablet) the end user can use as an authenticator?
    • How can I be sure the end user has the correct software?
  • If a credential is compromised during the provisioning process, what could the adversary do with the credential and what could they access?

And perhaps one of the most important questions: are the assumptions on which I am basing my threat model correct?

 

Once the model is complete, it should help you make any necessary changes to the provisioning process to close any identified security gaps. Every threat model should result in a plan-of-action with changes to enhance your security posture.

Keys to the Kingdom

Bottom line, when provisioning credentials, you are intending to provide the keys to your kingdom (or a small part of it) to a trusted associate. Make sure that they are the only person who can actually get those keys by following these steps:

  • Develop a credential provisioning threat model while carefully examining your security assumptions. This model should form the basis of your credential provisioning procedures.
  • Consider additional steps to add “defense-in-depth” to the provisioning process. I recommend that our customers make use of every available protection, especially in the sensitive credential provision process.
  • Review and audit the actual procedures for adherence to the security plan. Security procedures are only effective if they are being followed.
  • As the security landscape is constantly changing, revise and update the threat model and procedures on a regular basis.

Following these steps should help you find a credential provisioning process that is reasonably convenient but maintains adequate security for your enterprise.

 

_______________________________________________________________________________________________

 

For more information, please take a look at the RSA Authentication Manager Software Tokens Best Practices Guide (DOC-35128).