
RSA SecurID Access

Presentation from the RSA SecurID Bootcamp seminar,
Prague, 28 August 2019


  1. Dell Customer Communication - Confidential. RSA SECURID® ACCESS. Presenters: Zee Sayi, Erich Stasko (Systems Engineer, Authentication Specialist).
  2. WHAT IS AUTHENTICATION?
  3. ACCESS CONTROL: Identification ("This is who I am"), Authentication ("This is my claim to an identity"), Authorization ("This is what I can do").
  4. IDENTIFICATION: proof of who you are, done during the on-boarding process (identity proofing, before any credential is issued).
  5. AUTHENTICATION: a claim to an identity, verified against a credential the user presents. The most commonly used authentication method in the online world is the password.
  6. AUTHORIZATION: what you can do once you have been authenticated to a system.
  7. WHAT IS TWO-FACTOR AUTHENTICATION?
  8. Two-factor authentication: identifying an individual using two different kinds of factor: something they know, something they have, or something they are. "Something you know" = PIN, password, life question. "Something you have" = token, smartcard, trusted device. "Something you are/do" = biometrics (fingerprint, retinal scan, etc.). Two factors of the same kind (a password plus a security question) are not two-factor authentication.
  9. ATM WITHDRAWAL: something you know (the PIN) + something you have (the card).
  10. RSA SECURID COMPONENTS
  11. COMPONENTS AT A GLANCE: Authenticators, Agents, Authentication Manager.
  12. RSA SECURID (architecture diagram): external network (user, SSL-VPN/VPN) to DMZ (RSA Web Tier, web server) to internal network (Auth Mgr 8.x primary, identity source). Web Tier services shown: RBA, SSC (Self-Service Console), CT-KIP. Sample login: RGasparian, passcode 2468159759. PASSCODE = PIN + TOKENCODE.
  13. SECURID COMPONENTS: Authenticator, Agent, Server (Authentication Manager platforms and architecture).
  14. HARDWARE AUTHENTICATORS OVERVIEW: a hardware token is a physical device assigned to a specific user that generates a unique number at a specified interval. Customer choice is driven by the required function: OTP, hard-disk encryption, transaction signing, etc. All of RSA's tokens use the AES algorithm for time-synchronous authentication.
  15. HARDWARE AUTHENTICATOR: Username: JJONES, Passcode: 2468032848. The tokencode changes every 60 seconds. PASSCODE = PIN + TOKENCODE. Source: http://searchsecurity.techtarget.com/definition/RSA
  16. WHY IS TIME-SYNCHRONOUS AUTHENTICATION IMPORTANT? • A time-based OTP token has a precise clock and changes its code every 60 seconds • Hard to phish after the fact, since a captured tokencode is invalid after one minute (a real-time relay that forwards the code within that window still works) • More secure than an event-based OTP, whose code does not expire until the next one is entered into the system • Trojan attacks must operate in real time to compromise the system. Diagram: the token and Authentication Manager hold the same seed, run the same algorithm and share the same time, so both compute the same tokencode (159759) with nothing crossing the wire.
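The property slides 12 to 16 describe (same seed, same algorithm, same time on both sides; passcode = PIN + tokencode; a code is good for one interval and then dead) is easy to see in code. The following is an added illustration, not RSA's code: it uses HMAC-SHA1 TOTP (RFC 6238) with a 60-second step as a stand-in for RSA's AES-based SecurID algorithm, which is not implemented here. The seed, username, PIN and fixed clock are constructed values. What the slides do not spell out, and the server side shows, is that the server must tolerate a little clock drift (a window of neighbouring intervals) and must remember the last interval it accepted so the same passcode cannot be replayed inside the window.

```python
"""Time-synchronous OTP model: token and server derive the same tokencode from a
shared seed and the current 60 s interval; the server checks PIN + tokencode with a
drift window and rejects replay. Illustrative only (TOTP stands in for SecurID)."""
import hashlib
import hmac
import struct
from typing import Callable, Dict, Tuple

STEP_SECONDS = 60   # tokencode changes every 60 s, as on the SID 700
DIGITS = 6


def tokencode(seed: bytes, now: int) -> str:
    """Six-digit code for the 60 s interval containing `now` (RFC 6238 truncation)."""
    counter = now // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """The user's authenticator: holds the seed and its own clock (assumed callable)."""

    def __init__(self, seed: bytes, clock: Callable[[], int]) -> None:
        self.seed = seed
        self.clock = clock

    def display(self) -> str:
        return tokencode(self.seed, self.clock())


class AuthenticationManager:
    """Server side: token records, drift window, replay rejection."""

    def __init__(self, clock: Callable[[], int], window: int = 1) -> None:
        self.clock = clock
        self.window = window                                  # accept +/- N intervals of drift
        self.records: Dict[str, Tuple[bytes, str]] = {}      # user -> (seed, PIN)
        self.last_counter: Dict[str, int] = {}               # user -> last accepted interval

    def assign(self, user: str, seed: bytes, pin: str) -> None:
        self.records[user] = (seed, pin)

    def verify(self, user: str, passcode: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        seed, pin = rec
        now = self.clock()
        for delta in range(-self.window, self.window + 1):
            t = now + delta * STEP_SECONDS
            expected = pin + tokencode(seed, t)               # PASSCODE = PIN + TOKENCODE
            if hmac.compare_digest(expected, passcode):
                counter = t // STEP_SECONDS
                # Only a strictly newer interval is accepted: the same passcode, or one
                # from an older interval still inside the window, is a replay.
                if counter <= self.last_counter.get(user, -1):
                    return False
                self.last_counter[user] = counter
                return True
        return False
```

The wrong-PIN case is rejected by the same comparison as a wrong tokencode, so an attacker who has seen a tokencode learns nothing about the PIN from the server's answer; the server stores the PIN, which is why the PIN is the "something you know" half of the passcode.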
  17. HARDWARE TOKEN OPTIONS: Quality authenticators (highest-quality manufacturing processes, hence fewer token failures in the field) • Multi-use tokens (hard-disk encryption, email signing and more) • Customisable (brand your organisation with custom artwork on your RSA tokens) • Time-synchronous (combines time, an algorithm and a unique seed) • Warranty (covers each RSA token for the entire life of the device).
  18. SID 700: known as the "key fob" token. Simply read the changing number on the display. Robust design, built to survive the harshest conditions; rigorously tested to be the industry's highest-quality token. RSA's most popular hardware token; EZ-View display.
  19. WHAT'S INSIDE A HARDWARE TOKEN (SID 700): 3 V lithium coin cell, display, time crystal (clock), microprocessor/microcontroller, epoxy filling, case. The potted, welded assembly makes it a tamper-evident authentication device: it cannot be opened to reach the seed without leaving visible damage.
  20. A PLANNED LIFETIME: 1. Hardware tokens are built with an assigned life. 2. It ranges from 24 to 60 months (depending on token type and system software release). 3. The most commonly purchased token is the 36-month SID 700. 4. A pre-set expiry lets customers budget and plan token rotations. 5. In most cases the expiration date is stamped on the back of the token.
  21. HOW WE DO IT BETTER: SID 700. Designed to last: ultrasonic-welded case, epoxy filled, bevelled LCD display, anti-shock foam. Rigorously tested, over 20 tests including high/low temperature, temperature cycling, high humidity, mechanical shock and vibration, drop test, electrostatic discharge (ESD), radiated immunity (EMI), radiated susceptibility, radiated emissions, X-ray, altitude testing, accelerated life testing; certification testing: UL/FCC/CE. 40+ million actively in use, 8 years in the marketplace, only 0.05% field failures.
  22. SID 800: known as the "hybrid token": SecurID and PKI in a single multi-purpose authenticator. Supports one-time password (OTP), digital certificate and password credentials (auto-login to a Windows domain or other applications). Maintains traditional anywhere, anytime access (read the tokencode from the display). Provides OTP auto-entry for ease of use (no need to type the OTP; just insert the device into the USB port). Supports file and full-disk encryption (prevents a data breach from stolen laptops).
  23. SID 800: MULTI-AUTHENTICATOR IN ONE. Multiple credentials (digital certificates, SecurID OTP, passwords), multiple applications (VPN/wireless, file/disk encryption, email signing, web/app authentication, PC/domain authentication), one seamless end-user experience.
  24. SID 800: COMPONENTS IN PLAY. SID 800 device: seed record on the device, displays the OTP, smartcard in the device, stores digital certificates and password credentials. RSA Authentication Client (RAC), aka "middleware": manages the smartcard PIN, certificates and credentials; displays the SID 800 OTP. Desktop Authenticator (Windows only): displays the SID 800 OTP; no software seed-record provisioning needed, since it uses the SID 800; ADA compliance with the JAWS screen reader; the desktop API authenticator extends SID 800 OTP access to Windows login, VPN login, etc.
  25. HOW WE DO IT BETTER: SID 800. Insert the token and enter the PIN to authenticate to the PC/laptop, unlock an encrypted hard drive, establish a secure network connection to a VPN or wireless access point, authenticate to the corporate domain, access secure applications and web sites, authenticate to remote PCs or terminal servers, encrypt sensitive documents and files, and sign and encrypt emails. Remove the token to lock down or log off from the PC/laptop.
  26. SOFTWARE AUTHENTICATORS
  27. TODAY: ANY USER, ANY DEVICE, ANYWHERE. Users: employees, contractors, partners, customers. Devices and access paths: managed device, BYOD, inside the network, network VPN, virtual desktop, mobile apps, web browser. Targets: server applications, cloud applications, information in public cloud and hosted applications. Risks: external and temporary users, unmanaged devices, uncontrolled access points.
  28. RSA SECURID SOFTWARE AUTHENTICATORS: RSA SecurID Mobile SDK, desktop tokens, mobile phones and tablets.
  29. RSA SOFTWARE AUTHENTICATORS (convenience, value, expansion): • Transforms devices your users already own and carry into SecurID tokens • Reduces the frequency of lost or forgotten tokens • Eliminates the "token necklace" problem • Removes the hurdle of end-user acceptance of two-factor authentication • Eliminates the need to inventory additional tokens • Simplifies the deployment process • Decreases support calls for lost or forgotten tokens • Lower TCO than hardware tokens • Leverages the investment in existing hardware • Expands strong authentication to applications accessed by partners and customers • Provides an easy and convenient mass-deployment option • Gives the confidence to offer more self-service options to customers and partners.
  30. TWO COMPONENTS OF A SOFTWARE TOKEN: (1) the application/token container, an OS-specific application downloaded from RSA.com or the app stores, which must be installed on the user's device before provisioning; plus (2) the customer token record (seed record), purchased from RSA (SID 820) and provisioned by an admin to the user's device.
  31. SOFTWARE TOKEN DEPLOYMENT OPTIONS: • SDTID (basic use case): file-based token delivery; devices must support import from an email attachment; mobile and desktop tokens • CTF string (use only as required): text-based token delivery; generated by Token Converter or AM 8.x, which converts the SDTID file into a compressed token format (CTF) string; an alternative to file attachments; Android, iOS and Windows Phone • CT-KIP (recommended): dynamically provisioned tokens; requires a CT-KIP server; supported on AM 7.1 and 8.x; mobile and desktop tokens • QR code: a CTF- or CT-KIP-encoded QR code; allows provisioning without email; generated via the AM 8.1 SP1 SSC, AM Prime, Token Converter or a third-party QR code generator; Android and iOS. Note that an SDTID file or CTF string carries the seed itself, so it must be protected in transit and removed after import; CT-KIP derives the seed on the device and never transmits it.
  32. CT-KIP DYNAMIC PROVISIONING: the SecurID admin sends the user an out-of-band activation code via a secure email channel; the user clicks the CT-KIP URL with the activation code and the mobile device completes the exchange with the CT-KIP server. • Secure "over-the-wire" provisioning • No token record to intercept • The activation code is valid only once • Add device binding for additional security.
  33. QR CODE PROVISIONING: QR code provisioning of software tokens reduces provisioning time and cost (RSA's figure: by 80%) • Increases user self-service • Eliminates emailing to the end user's mobile device • Eliminates help-desk calls • Streamlines provisioning with fewer, intuitive steps: point and click • QR codes are increasingly accepted by end users • The software tokens are "QR code ready" (iOS and Android).
  34. RSA SECURID SOFTWARE TOKEN SECURITY: • Device binding: a server-side attribute that validates the mobile device; the token record cannot be imported to another device; augment with an out-of-band password to validate the user • Copy protection: a client-side security feature applied on import; device characteristics (the slide's "device biometrics") unlock the token database for each use, so the token will not function on a device whose characteristics do not match • Something you know: the software token does not store the PIN in permanent memory and the PIN cannot be brute-forced, because the PIN is folded into the passcode computation rather than used to unlock the token locally; a PIN that only the device checks ("something you and your mobile device know") would not be a second factor, and the PIN by itself never yields a valid passcode.
  35. RSA DESKTOP TOKENS: authenticator on the desktop; Desktop Authenticator; IE toolbar (Windows).
  36. SDK: ENABLING STRONG AUTH FOR MOBILE APPS (RSA Mobile Authentication SDKs). A software development kit for mobile apps: includes a sample application, documentation and a library for embedding the functionality in mobile apps; available free of charge to RSA customers and RSA Secured partners. Developers can choose the SecurID OTP module: import software tokens, generate the OTP, user-visible or invisible OTP.
  37. RISK-BASED AUTHENTICATION
  38. So what does RBA actually mean? Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analysing user behaviour and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity by one of the following methods: • On-demand authentication (ODA): the user must correctly enter a PIN and a one-time tokencode sent to a preconfigured mobile phone number or email account. • Security questions: the user must correctly answer one or more security questions; the answers are configured on the Self-Service Console, or collected during authentication when silent collection is enabled.
  39. RISK-BASED AUTHENTICATION: how it works (diagram). A web-browser request for a protected resource (OWA, SharePoint, SSL VPN, web portals) goes to the RSA risk engine, which evaluates activity details, device fingerprint, network forensics, the device token profile, relative velocity and device identification against the assurance level set in the authentication policy. PASS: access is granted. RISKY: the user gets an identity challenge (on-demand tokencode or challenge questions); PASS grants access, FAIL means access denied.
  40. RISK-BASED AUTHENTICATION (RBA): strengthens traditional password authentication by silently applying risk-based analytics: Is the user authenticating from a known device? Does the user's behaviour match known characteristics? Risky authentication attempts require additional validation (security questions or on-demand authentication). Diagram: 1st factor: something you KNOW; 2nd factor: something you HAVE; 3rd factor: something you DO; step-up: something you KNOW or HAVE.
  41. THE RSA RISK ENGINE: a proven, sophisticated risk engine (the same engine as Adaptive Authentication; protects 350+ million online identities). Optimised for enterprise use cases: network security rather than fraud mitigation; predictable (use case versus challenge rate); simplified (assurance levels versus risk scoring). A self-tuning risk model adapts to each customer environment: common device characteristics are de-prioritised in the risk score, and suspicious behaviour is judged against norms for the overall user population.
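Slides 38 to 41 describe the RBA decision in words: known device? plausible movement since the last login? then PASS, or CHALLENGE and learn from a passed challenge. The following is an added illustration of that decision flow, not RSA's risk engine: it models two of the signals the slides name, device fingerprint and relative velocity, maps them to the policy's assurance level, and records a device after a passed step-up so the next login from it is silent. The coordinates, device IDs, timestamps and the 900 km/h "impossible travel" threshold are constructed assumptions.

```python
"""RBA-style decision: device fingerprint + relative velocity -> PASS / CHALLENGE,
with the profile updated only on a PASS or a passed challenge. Illustrative only."""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set, Tuple

MAX_PLAUSIBLE_KMH = 900.0   # assumed: roughly airliner speed; faster is "impossible travel"


@dataclass
class LoginEvent:
    user: str
    device_id: str      # stands in for the device fingerprint hash
    lat: float
    lon: float
    ts: int             # Unix seconds


@dataclass
class UserProfile:
    known_devices: Set[str] = field(default_factory=set)
    last_event: Optional[LoginEvent] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_reasons(profile: UserProfile, event: LoginEvent) -> List[str]:
    """The signals that make this attempt risky; empty list means nothing unusual."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unknown device")
    last = profile.last_event
    if last is not None:
        km = haversine_km(last.lat, last.lon, event.lat, event.lon)
        hours = max(event.ts - last.ts, 1) / 3600.0      # guard against zero/negative gaps
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("implausible velocity")
    return reasons


def assess(profile: UserProfile, event: LoginEvent,
           assurance: str = "high") -> Tuple[str, List[str]]:
    """Return ("PASS" | "CHALLENGE", reasons). A high-assurance policy challenges on any
    signal; a low-assurance policy tolerates a new device but never impossible travel."""
    reasons = risk_reasons(profile, event)
    if not reasons:
        decision = "PASS"
    elif assurance == "high" or "implausible velocity" in reasons:
        decision = "CHALLENGE"
    else:
        decision = "PASS"
    if decision == "PASS":
        _record(profile, event)
    return decision, reasons


def complete_challenge(profile: UserProfile, event: LoginEvent, passed: bool) -> str:
    """Outcome of the step-up (on-demand tokencode or security questions). A passed
    challenge enrols the device, as RBA's device history does; a failed one changes nothing."""
    if passed:
        _record(profile, event)
        return "PASS"
    return "DENY"


def _record(profile: UserProfile, event: LoginEvent) -> None:
    profile.known_devices.add(event.device_id)
    profile.last_event = event
```

A failed challenge deliberately leaves the profile untouched: if it updated `last_event`, an attacker who failed a challenge from a far-away location would reset the velocity baseline for the legitimate user's next login.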
  42. ON-DEMAND AUTHENTICATION: bundled with the RBA licence; uses SMS or email; customisable message; configurable validity period; suited to contractors and vendors and as a backup authenticator. (SMS and email delivery are exposed to SIM-swap and mailbox compromise, so treat ODA as a fallback rather than the primary factor.)
  43. AM WEB TIER
  44. AM WEB TIER: a lightweight application installed in the DMZ that hosts the services exposed to the Internet. Enables secure deployment of RBA, Self-Service and CT-KIP (Cryptographic Token Key Initialization Protocol, RFC 4758). These services need a web tier because it blocks Internet access to the Security Console and allows customisation of the RBA/Self-Service logon pages. Up to 16 web tiers per deployment.
  45. AUTHENTICATION MANAGER ARCHITECTURE
  46. AM-ONLY ARCHITECTURE: for critical infrastructure. Diagram template: Resources (SAML, HTTP federation, trusted headers, RADIUS, SecurID protocol, REST API); Authentication methods (push, device biometrics, OTP, voice/SMS, FIDO, soft token, hard token, RBA/on-demand token); Identity confidence (SSO risk level, user, resource, context). The same template is reused for the IDR-only, full hybrid and cloud IdP architectures later in the deck; the push, device-biometric and FIDO methods are delivered by the Cloud Authentication Service, so an AM-only deployment covers the token, RBA and on-demand methods.
  47. AGENTS
  48. WHAT IS AN AGENT? A SecurID agent is installed or embedded on an access point (VPN, web site, server); it accepts credentials from an end user (username + passcode) and forwards them to Authentication Manager. Agent options: 1. Native (RSA Partner Program) 2. Downloadable (RSA-owned) 3. RADIUS 4. SDK (until AM 8.3; now the REST API).
  49. WHAT DOES AN AGENT DO? Trust: a mechanism for mutual trust between agent and server (the node secret established on the agent's first successful authentication), protecting against a malicious party impersonating the agent or the server. Authentication: intercept access attempts, collect credentials, verify with the server, provide (or deny) access, single sign-on, support for New PIN mode and Next Tokencode mode. How do I know whether a resource can be protected by SecurID? www.rsasecured.com: search by product or vendor (e.g. Cisco ASA); it lists RSA- and third-party-owned agents.
  50. RSA SECURED® PARTNER PROGRAM (NATIVE): out-of-the-box interoperability and documentation for 400+ partner applications; reduces integration costs; interoperability ensured through a stringent certification program; compatibility maintained through integration updates; fully supported by RSA and its partners.
  51. GEN II SECURID AGENTS. Features: next-generation SecurID agents. Benefits: the agent connects to the RSA SecurID Access AM server or to the Cloud Authentication Service; more authentication options (push to approve, fingerprint, Windows Hello, etc.); stronger security and cryptographic algorithms (FIPS compliance is the target); connects via REST over TCP (HTTPS) instead of UDP; IPv6; agent reporting. Gen II agents: 1. PAM v8.1 2. ADFS 3. MFA Agent (Windows) 4. Web 5. Citrix StoreFront. Note: Gen II agents are developed in parallel by the agent team in close collaboration with the AM teams.
  52. RSA LINK SOLUTION GALLERY: search all solutions at https://community.rsa.com/community/products/rsa-ready
  53. DOWNLOADABLE (RSA-OWNED): some agents are owned by RSA to provide tighter integration and to keep the integration always up to date. Windows/PAM agent: protects Windows/Linux logon (servers, laptops, RDP, Terminal Services); offline authentication available. IIS/Apache agent: protects web sites served by these two web servers; Exchange/SharePoint protection available (IIS only); optional RBA support available.
  54. RADIUS
  55. WHAT IS RADIUS? Remote Authentication Dial-In User Service (RADIUS, RFC 2865) is a client/server protocol and software that lets remote-access servers talk to a central server to authenticate dial-in users and authorise their access to the requested system or service. It runs over UDP (port 1812 for authentication, 1813 for accounting); each client shares a secret with the server, and that secret is the only key behind the MD5-based password hiding and response authenticator, so it must be long, random and unique per client, and RADIUS traffic over untrusted networks should be wrapped in IPsec or RADIUS/TLS.
  56. RADIUS CLIENT: any device that supports the RADIUS protocol, typically a network endpoint device such as a network access server (NAS), firewall, 802.1X access point, VPN server or web server. It serves as the gateway to the network and provides the interface for user interaction (credential input, etc.).
  57. WHY IS RADIUS IMPORTANT? • An industry standard for authentication: numerous network-access products are RADIUS-enabled, and it supports a wide variety of authenticators (OTP tokens, challenge/response, passwords, certificates) • Ability to integrate with other authentication services: RADIUS accounting, access control and authentication can be proxied to other systems (such as AM or Windows AD) • Used in about two thirds of SecurID deployments.
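Since roughly two thirds of SecurID deployments carry the passcode over RADIUS (slides 55 to 57), it is worth seeing exactly what crosses the wire. The following is an added illustration, not RSA's RADIUS server or client: it builds an RFC 2865 Access-Request, applies the User-Password hiding (MD5 chained over the shared secret and the Request Authenticator), lets a minimal server recover the PIN + tokencode and answer Accept or Reject, and has the client verify the Response Authenticator. The shared secret, NAS identifier and user table are constructed; the passcode is the slide 15 example. Note what the code makes visible: the password hiding is a stream cipher keyed only by the shared secret, and the Response Authenticator is an unkeyed MD5 over the packet plus that secret, which is why a strong per-client secret and a protected transport matter (the 2024 "Blast-RADIUS" attack, CVE-2024-3596, targets exactly this Response Authenticator construction for non-EAP RADIUS over UDP).

```python
"""RFC 2865 Access-Request / Access-Accept with User-Password hiding and the
Response Authenticator check, plus a minimal server. Illustrative only."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows
Attrs = List[Tuple[int, bytes]]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a multiple of 16 (at least 16), then chain
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded, out, prev = password + b"\x00" * pad, b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs: Attrs) -> bytes:
    # Each attribute is Type(1) Length(1, counting this header) Value
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Attrs:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")     # reject rather than guess
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Attrs]:
    if len(pkt) < 20 or HEADER.unpack(pkt[:4])[2] != len(pkt):
        raise ValueError("bad packet length")
    code, ident, _ = HEADER.unpack(pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def build_access_request(ident: int, secret: bytes, username: str, passcode: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Client side (the RADIUS-speaking agent). The Request Authenticator must be fresh
    and unpredictable: it is the only per-packet input to the password hiding."""
    authenticator = authenticator or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator)),
                          (NAS_IDENTIFIER, b"vpn-gw-1")])      # constructed NAS name
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: the reply answers our request and was built with the shared secret."""
    _, ident, resp_auth, _ = parse_packet(response)
    _, req_ident, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return ident == req_ident and hmac.compare_digest(expected, resp_auth)


def handle_access_request(pkt: bytes, secret: bytes, passcodes: Dict[str, str]) -> bytes:
    """Minimal server: recover User-Name and User-Password (PIN + tokencode here), compare
    with what the user is expected to present right now, answer Accept or Reject."""
    code, _, authenticator, attrs = parse_packet(pkt)
    fields = dict(attrs)
    try:
        user = fields[USER_NAME].decode()
        passcode = unhide_password(fields[USER_PASSWORD], secret, authenticator)
    except (KeyError, UnicodeDecodeError):
        return build_response(ACCESS_REJECT, pkt, secret)
    expected = passcodes.get(user, "")
    ok = code == ACCESS_REQUEST and bool(expected) and hmac.compare_digest(expected.encode(), passcode)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, pkt, secret)
```

A real Authentication Manager would compute the expected passcode from the user's token record and the current interval instead of looking it up in a table; the table stands in for that so the packet handling can be exercised on its own.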
  58. SDK: SOFTWARE DEVELOPMENT KIT. The Authentication Agent SDK enables applications to authenticate via the RSA SecurID protocol. It supports Java and C (the C library can also be used from .NET as unmanaged code) and performs SecurID authentication against Authentication Manager 5.x, 6.x, 7.1 and 8.x.
  59. REST API: a REST API defines a set of functions through which developers make requests and receive responses over HTTP. Because REST APIs use HTTP, they can be called from practically any programming language.
  60. The RSA SecurID Authentication API is a REST API for developers who want to build clients that send authentication requests to RSA SecurID Access, through the RSA Authentication Manager server, the Cloud Authentication Service, or both. https://community.rsa.com/docs/DOC-75741
  61. Benefits of a REST API. REST is simple: other API styles impose many rules that make them hard to use; in practice that formality, power and flexibility gets in the way, costs more to implement and maintain, and is more trouble than it is worth. REST is "of the web": it assumes HTTP and adopts HTTP's well-understood mechanisms, so a web developer is productive very fast, both creating and consuming such APIs, because it is like working with a web page; JSON, the native data format of JavaScript, the language in all of our browsers, makes it the more web-centric approach. REST is object-centric, not message-centric: it makes you focus on the THINGS in your application, and the operations on them map to a handful of HTTP verbs, chiefly GET, POST, PUT and DELETE (PATCH, HEAD and OPTIONS also exist), which in practice covers about 90% of what you want to do.
  62. REVIEW: WHAT DOES AN AGENT DO? Recap of slide 49: trust (mutual trust between agent and server, protecting against impersonation of either), authentication (intercept access attempts, collect credentials, verify with the server, provide or deny access), and the www.rsasecured.com lookup (search by product or vendor, e.g. Cisco ASA; lists RSA- and third-party-owned agents).
  63. VIRTUAL & PHYSICAL APPLIANCE. Virtual appliance: deployable in 10-20 minutes; hardened security profile meeting EMC/RSA compliance; hardened SUSE OS; support for VMware and Hyper-V. Physical appliance: models A130 and A250 (redundancy); same- or cross-platform migration; SNMP hardware MIB; deployable in 10-20 minutes; hardened security profile meeting EMC/RSA compliance; remote factory reset. Optimised deployments: mix and match virtual and hardware appliances; simple, secure deployment; standards-based platforms; lower deployment costs.
  64. CONSOLES IN AM
  65. SECURITY CONSOLE: the main administrative interface; manage users, groups, tokens, agents and policies; generate reports, configure admin roles and system settings.
  66. OPERATIONS CONSOLE
  67. SELF-SERVICE CONSOLE: base licence: basic self-service; enterprise licence: workflow provisioning.
  68. PRIMARY AND REPLICAS
  69. PRIMARY AND REPLICAS: the primary is the main "instance" of an RSA Authentication Manager deployment and the master database hub. Administration is performed on the primary (read-write). There is only one primary per deployment.
  70. REPLICAS: accept authentication requests and provide backup capability; there can be several, up to 15; each holds a synchronised, read-only copy of the database; a replica can become the primary in a planned or unplanned scenario through a process called "promotion".
  71. JOURNEY TO THE CLOUD
  72. Diagram: AM (reached via the SecurID protocol or RADIUS) alongside the IDR (reached via REST API, SAML, WS-Fed, etc.).
  73. RSA SECURID ACCESS: convenient and secure access in a world without boundaries. The gold standard for strong authentication: trusted by 25,000+ enterprises, more than 50 million active users, 500+ certified technology partners. The next generation of identity assurance: dynamic risk-based identity assurance; mobile MFA (push, OTP, biometrics and more); any application, on-premises or in the cloud; SaaS delivery, subscription pricing.
  74. CONNECT TO ANYTHING: centralised access policies covering SaaS applications, traditional/on-premise applications (400+ RSA SecurID integrations), web applications and mobile applications (SAML-enabled).
  75. PROTECT CLOUD APPS AND CONTROL ACCESS WITH SSO: centralised access policies for SaaS applications, traditional/on-premise applications (400+ RSA SecurID integrations) and SAML-enabled mobile applications. (Screenshot: the SecurID app's tokencode screen.)
  76. FROM ANYWHERE: optimise security and convenience at work, remote and on mobile.
  77. THE RSA DIFFERENCE: A HYBRID APPROACH. • A secure approach to supporting on-prem applications • Sensitive user and organisation information remains on-premises • Active Directory passwords are NEVER sent to the cloud • Dedicated runtime, not shared with other tenants. Diagram: web reverse proxy, Active Directory/LDAP, Authentication Manager 8.x, Identity Router, SecurID Access app portal.
  78. RSA SECURID ACCESS ARCHITECTURE
  79. IDR-ONLY ARCHITECTURE: next-generation authentication. Diagram template as on slide 46: Resources (SAML, HTTP federation, trusted headers, RADIUS, SecurID protocol, REST API); Authentication methods (push, device biometrics, OTP, voice/SMS, FIDO, soft token, hard token, RBA/on-demand token); Identity confidence (SSO risk level, user, resource, context).
  80. FULL HYBRID ARCHITECTURE: maximum flexibility. Same diagram template as slide 46 (resources, authentication methods, identity confidence).
  81. CLOUD IDP ARCHITECTURE: lightweight requirements. Same diagram template as slide 46 (resources, authentication methods, identity confidence).
  82. SECURID ACCESS USE CASES
  83. 5 ACCESS USE CASES THAT NEED 2FA/MFA: cloud apps, digital workspaces, next-gen firewall, privileged accounts, VPN.
  84. VPN
  85. VPN. Remote access (VPN): remote access is critical for today's distributed and mobile workforce; passwords are easily compromised and used in attacks. MFA for VPN: something you have and something you know; a high level of security; always on and available; the broadest number of use scenarios. Mobile MFA for VPN: offer smartphone-based options; give users more choices; streamline user provisioning; apply the authentication method based on risk (machine-learning risk-based analytics).
  86. PRIVILEGED ACCESS MGMT + MFA. Password vault: automatically rotates and controls access to privileged-account passwords; defaults to password-level security for access; a very attractive target for attackers. Multi-factor authentication: protect front-door access to PAM solutions and other privileged accounts; offer a broad set of authenticators; use machine-learning risk analytics to increase security and reduce friction; secure cloud admin tools such as the AWS and Azure management consoles.
  87. CLOUD CREATES NEW CHALLENGES: limited visibility (creates gaps between "islands of identity"); anytime access (convenient to any cloud app from any device); passwords (easy to compromise and reuse undetected; the slide's example: 12345678).
  88. SECURING ACCESS TO CLOUD APPLICATIONS: multi-factor authentication. • Give users choice and convenience with a broad set of MFA options • Bridge islands of identity and limit multi-vendor costs with one authentication platform • Eliminate user friction and preserve the simple cloud UX with risk-based analytics • Provide a consistent experience for on-prem and cloud apps.
  89. ENFORCE MFA AT THE FIREWALL (Palo Alto Networks next-gen firewall + MFA). Flow: 1. The user accesses an application. 2. The firewall checks policy. 3. Palo Alto prompts the user for MFA. 4. Palo Alto requests identity assurance from RSA (SAML, RADIUS or API). 5. RSA challenges the user (multi-factor authentication methods). 6. Identity verified. 7. Access granted, to app servers, IoT devices or an isolated network behind the firewall. Next-gen firewall + MFA: mitigate identity risk with a multi-layer approach to secure access; save time and money deploying MFA by avoiding the need to modify applications; increase security and reduce user friction with machine-learning risk analytics and mobile authentication methods; bridge islands of identity across custom apps, IoT devices and isolated networks; provide security and convenience by challenging users according to the level of risk.
  90. DIGITAL WORKSPACES + MFA. Application and device management (application management, endpoint management, user management): delivers cloud-based, on-prem and virtual applications; supports BYOD and corporate-owned device models; provides consumer-simple SSO. Multi-factor authentication: protect front-door access to the digital-workspace SSO portal; offer a broad set of authenticators; step up authentication to individual apps based on the level of risk; use machine-learning risk analytics to increase security and reduce friction.
91. AUTHENTICATORS
92. Traditional Authenticators – RSA SECURID TOKENS: Software Token, Hardware Token
93. RSA SECURID® AUTHENTICATE – Enhanced Authenticators: Approve, Software Token, Device Biometrics
94.–96. RSA SECURID AUTHENTICATE (image-only slides)
97. RSA SECURID SOFTWARE TOKEN
98. MFA ENROLMENT
• MyPage
• RSA Hosted Self-Service
• QR code and activation code, just like the SW Token
99. SECURID APP – MOBILE MFA
• Provisionless OTP (Token): the app displays a SecurID Tokencode
• Push Notification (1-tap Approve): pull down to check for a pending authentication
• Touch ID (fingerprint)
• Face ID (iPhone X)
100. Further authenticators
• FIDO Tokens – a standard (U2F) for a specific type of hardware token from any supporting vendor, e.g. YubiKey (fully supported but not sold by RSA)
• SMS / Robocall option – for non-smartphone users (extra licence cost)
• Full support for traditional tokens – keep the existing fleet or leverage traditional HW or SW tokens
101. "CHAINING" AUTH METHODS – you can chain almost any combination of 2 methods to provide higher assurance of a user's identity when they access something
102. SECURID ACCESS USER EXPERIENCE – Device Registration, Approve, PIN protection, Fingerprint
103. RSA SECURID ACCESS AUTHENTICATION SYSTEM – The Platform
104.–107. RSA SECURID ACCESS – Traditional Identity Assurance (animated build): User → Resource; the outcome is binary, Granted or Denied
108. RSA SECURID ACCESS – Seamless Identity Assurance: the Risk Level is derived from
  User: Admin / Executive / Worker
  Resource: I.P. Data / Classified / Public
  Context: Network, Location, Behavior, Country, Agent, Browser
109. Granted – User: Worker; Resource: Public; Context: Network ✓, Location ✓, Behavior ✓, Country ✓, Agent ✓, Browser ✓
110. Step-Up (Token, Biometric or Push) – User: Worker; Resource: Public; Context: Network ×, Location ×, Behavior ✓, Country ✓, Agent ✓, Browser ✓
111. Denied – User: Worker; Resource: Classified; Context: Network ×, Location ×, Behavior ×, Country ×, Agent ×, Browser ×
112. Summary: the Risk Level maps to one of Granted, Step-Up (Token, Biometric, Push) or Denied
113. CRITICAL SECURE ACCESS CAPABILITIES
• Risk-based Authentication – access in context: Device, App, Role, Location and Behavior feed machine learning; outcome PASS / RISKY / DENY
• Pervasive MFA – certified and supported
• Modern MFA Methods – easy & convenient: Push, Mobile OTP, Biometrics, Text Msg, Voice Call, Proximity, HW Token, Wearables, SW Token, FIDO
• Assurance Levels – challenge according to the level of risk (security vs. risk)
114. INTELLIGENCE DRIVEN IDENTITY ASSURANCE
• Static user and context rules: Network, Session, App, Device, Role, Location → PASS / RISKY / Deny
• Behavior-based confidence: Location, Time, App, Network, Device, Access Pattern
• Authenticators: Approve, Tokencode (RSA SecurID), FIDO, Eyeprint ID, Fingerprint
115. HOW WE DETERMINE IDENTITY CONFIDENCE
Time
• Is this a normal access time?
• Is this a weekend?
Application
• Is this a common or uncommon application for the user?
Device
• Is this a recognized device for this user?
• A user account is being used simultaneously on more than one device
• Device language settings
Access patterns
• High authentication velocity: the user authenticates unsuccessfully many times quickly
• Multiple users are authenticating from the same IP
Location
• Physical location of the user (estimated from HTML5 geolocation and IP geolocation)
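Worked example, added here and not RSA's code: the identity-confidence signals on this slide turned into a scoring policy that produces the Granted / Step-Up / Denied outcomes of slides 109–111. The login history, the signal weights and the deny thresholds per resource sensitivity are all constructed for illustration; RSA's actual model is machine-learned and not described in the deck.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed authentication history (sample data, not from RSA's service).
# Fields: (timestamp, user, device_id, source_ip, country, app, succeeded)
HISTORY = [
    ("2019-08-19 08:55", "alice", "laptop-01", "10.20.5.14", "CZ", "vpn", True),
    ("2019-08-20 09:02", "alice", "laptop-01", "10.20.5.14", "CZ", "vpn", True),
    ("2019-08-21 08:47", "alice", "laptop-01", "10.20.5.21", "CZ", "mail", True),
    ("2019-08-22 17:30", "alice", "laptop-01", "10.20.5.14", "CZ", "vpn", True),
    ("2019-08-23 09:10", "alice", "phone-07", "10.20.5.14", "CZ", "mail", True),
    ("2019-08-26 09:05", "bob", "laptop-44", "10.20.5.14", "CZ", "mail", True),
]

# Hypothetical weights: how much each anomaly lowers identity confidence.
WEIGHTS = {"unknown_device": 2, "unknown_network": 1, "unknown_location": 1,
           "uncommon_app": 1, "abnormal_time": 1, "high_velocity": 2,
           "shared_ip": 1, "concurrent_device": 1}
# Resource classes from the slide, and the score at which access is denied outright
# instead of stepped up; below that, any anomaly at all triggers step-up.
SENSITIVITY = {"public": 0, "ip_data": 1, "classified": 2}
DENY_AT = {0: 4, 1: 3, 2: 2}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _within(now, entry, seconds):
    delta = (now - _ts(entry[0])).total_seconds()
    return 0 <= delta <= seconds


def signals(attempt, history):
    """Anomalies in this attempt compared with the user's past successful logins."""
    ts, user, device, ip, country, app, _ = attempt
    now = _ts(ts)
    mine = [h for h in history if h[1] == user and h[6]]  # only successes define "normal"
    found = set()
    if device not in {h[2] for h in mine}:
        found.add("unknown_device")
    if not any(ip_address(ip) in ip_network(h[3] + "/24", strict=False) for h in mine):
        found.add("unknown_network")
    if country not in {h[4] for h in mine}:
        found.add("unknown_location")
    if Counter(h[5] for h in mine)[app] < 2:
        found.add("uncommon_app")
    hours = [_ts(h[0]).hour for h in mine]
    if now.weekday() >= 5 or not hours or not min(hours) <= now.hour <= max(hours):
        found.add("abnormal_time")
    # High authentication velocity: many failed attempts within the last minute.
    if sum(1 for h in history if h[1] == user and not h[6] and _within(now, h, 60)) >= 5:
        found.add("high_velocity")
    # Several different accounts authenticating from the same IP within an hour.
    if len({h[1] for h in history if h[3] == ip and h[1] != user and _within(now, h, 3600)}) >= 3:
        found.add("shared_ip")
    # The same account active from another device within the last five minutes.
    if any(h[2] != device and _within(now, h, 300) for h in mine):
        found.add("concurrent_device")
    return found


def decide(attempt, resource, history=HISTORY):
    """Granted, Step-Up or Denied, from anomaly weight and resource sensitivity."""
    score = sum(WEIGHTS[s] for s in signals(attempt, history))
    if score >= DENY_AT[SENSITIVITY[resource]]:
        return "Denied"
    return "Step-Up" if score else "Granted"
```

Two design points carry over to a real policy: failed attempts feed only the velocity counter, so an attacker's probing can never teach the model a new device or location, and the same context that is merely stepped up for a public resource is denied for a classified one, which is the "challenge according to the level of risk" the deck keeps returning to.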
116.–119. (image-only slides)
120. MARKET OVERVIEW – SECURID SUITE (internal only)
Customer profile:
• Size: SMB to global enterprise
• Industries: all verticals
• Protect applications & access from on-premise to cloud with convenient yet secure MFA
Customer problems:
• Need to protect cloud apps with more than just username & password, with convenient yet secure MFA
• Next-generation authentication required to allow for secure but convenient authentication
• Need to meet audit or regulatory controls for user access management
Questions to ask:
• How do you protect cloud-based apps?
• Do you have islands of identity (uncontrolled SaaS services)?
• What would happen if you were breached via a cloud app?
• Are you failing any security audits or regulatory compliance around access management?
Things to listen for:
• Two-factor authentication or multi-factor authentication
• Gain control
• Gain visibility into who has access to what
121. THE FOUR KEY CUSTOMER CONVERSATIONS (positioned on two axes: profile/maturity from security-sensitive to convenience-driven, and size/complexity from high touch to low touch)
• Modern Authentication – Ensure seamless user access to critical resources with MFA options that are securely managed, aligned to risk, work uniformly from ground to cloud and are adaptable to any situation or need
• Identity Assurance – Mitigate risk and ensure the highest levels of identity assurance for sensitive use cases while further reducing sources of friction that can inhibit end-user productivity
• Enterprise Grade – Provide best-in-class support for complex environments, diverse user populations and custom tools & workflows with enterprise-grade reliability, performance & scale
• Journey to the Cloud – Enable customers to take that "next step" in their journey to the cloud with minimal friction and with options aligned to their individual risk tolerance, timing and phase of maturity
122. CUSTOMER CHALLENGES: FOUR MAIN DRIVERS (Enterprise Authentication)
• Compliance – "I face ongoing compliance regulations and internal policies that I must adhere to for strong auth."
• Prevent Fraud – "I am fighting malware such as Trojans and don't trust my end users (or their PCs). However, I have to trust them due to both business & regulatory reasons!"
• Enable Mobility – "It is difficult to cost-effectively and accurately manage auth for multiple types of remote workers and multiple apps."
• Secure Access – "I am planning to shift my auth and IT infrastructure to the cloud to lower costs and ease the admin burden."
123. RSA SECURID COMPETITIVE INTEL
124. • Microsoft • Gemalto • Duo
125. Microsoft MFA
• Microsoft offers two options for MFA: Microsoft MFA for Office 365, or the MFA capabilities built into Microsoft Azure Active Directory Premium.
• Authentication is assigned for all the apps or none of the apps.
• One authentication option for when users are offline.
• Microsoft offers just one option for use cases where mobile phones are prohibited or mobile service is unreliable.
126. What you should know – SecurID vs Microsoft:
• The organisation has both on-premise and cloud use cases
• The organisation has a security-first mindset and understands the need for Identity Assurance
• The organisation needs at least some hardware tokens or desktop software tokens
127. Gemalto
• SafeNet Authentication Manager (SAM) with OTP, certificate-based and software authentication options
• SafeNet Authentication Service delivered from the SafeNet cloud with token options, as well as mobile
• SafeNet Trusted Access provides authentication for SaaS-based applications and SSO
• Does not offer Identity Governance and Lifecycle
128. Questions customers should ask Gemalto
• How can I be confident your roadmap will align with our future authentication and identity management needs?
• Will the Thales acquisition of Gemalto change your roadmap, your structure or your position in the identity and access management (IAM) market?
129. Duo
• Limited capability in supplying rich contextual and user behaviour analysis
• Duo uses partners to support Governance and Lifecycle Management
• No stand-alone on-premises deployment option
• MFA capability
• Endpoint visibility
130. Questions customers should ask Duo
• What is the largest deployment size that can be supported by Duo Trusted Access?
• Can I deploy Duo without requiring an on-premises component?
131. RSA SECURID STRENGTHS
132. • Customized authentication methods based on application assurance levels
• Support for offline authentication
• Solution for situations where smartphones can't be used
• Strong Identity Assurance
• RSA Ready Program
• Optional on-premises deployment
133. RSA SECURID ACCESS LICENSING – Product Packaging
134.–136. RSA SECURID ACCESS tiers: BASE (Future Proofing Platform), ENTERPRISE (High Availability and Bulk Token Deployment), PREMIUM (Next Generation Authentication). All three slides carry the same capability list; which items each tier includes was shown graphically, not in the slide text:
• Advanced Policies
• Authentication Context
• Identity Confidence
• HA/Failover
• AMBA
• SSO Portal
• Token Based Authentication (Hard/Soft/ODA)
• Enhanced Authenticators (Authenticate/FIDO)
• RADIUS/SID Protocol Support
• SAML/HTTP Fed/Trusted Headers Support
• IP Address Contextual Authentication
137. Demo Time!
138. AUTHENTICATION MANAGER 8.4
139. SOME FACTS
• Host RSA Authentication Manager 8.4 in the Microsoft Azure cloud
• AM 8.4 cloud value
• Upgrade path to AM 8.4
140. AUTHENTICATION MANAGER 8.4 P4
141. PATCH 4 UPDATES
• AM 8.4 Patch 4 allows you to connect RSA Authentication Manager to the Cloud Authentication Service and quickly roll out modern MFA to your users.
• You do not need to replace or update your existing agents.
• A Security Console wizard configures the connection and invites users to authenticate to the Cloud.
142. CONNECT TO CLOUD DEMYSTIFIED
Capability                          | AM 8.4        | AM 8.4 P4          | Comments
IDR deployment and CAS* connection  | Needed        | Needed             | Needed for CAS user sync
IDR connection in AM                | Needed        | Available/Optional | Supports Authenticate Tokencode
Connect to CAS*                     | Not Available | Available          | Supports Authenticate Tokencode and PIN + Approve
Authenticate Tokencode              | Supported     | Supported          | Supported in IDR and in Connect to CAS
PIN + Approve**                     | Not Supported | Supported          | Only for Connect to CAS
*CAS – Cloud Authentication Service; **details discussed in the next slides
143. JOURNEY TO CLOUD – Authentication Manager 8.4 Patch 4
144. (architecture diagram) Authentication Agents → Authentication Manager ↔ SecurID Access (IDR); user-side authenticators: RSA SecurID Software Tokens, RSA SecurID Hardware Tokens, Authenticate App (Token, Approve)
145. THE HOW
✓ One-time, seamless configuration of the Cloud Connection
✓ Ability to invite users to enrol for MFA
✓ Expanded authentication methods to support Mobile MFA (PIN + Approve)
✓ Support for a unified user dashboard for SecurID Access users
✓ What happened to my IDR connection?
146. CONFIGURE THE CLOUD CONNECTION
147.–150. (image-only slides)
151. ENABLE/DISABLE CLOUD AUTHENTICATION
152. CLOUD AUTHENTICATION STATUS: ENABLED
153. INVITE USERS FOR MFA ENROLLMENT
154. PRE-REQUISITES
✓ Cloud Authentication Service and Authentication Manager have to be connected to the same identity source.
✓ Authentication Manager has to be connected to the Cloud Authentication Service.
✓ SMTP service has to be configured in Authentication Manager.
155. ENABLE MFA WITH EXISTING AGENTS (PIN + APPROVE)
156. REQUIREMENT: As an existing SecurID customer, my users should be able to use their "existing PIN" + the "mobile MFA method Push to Approve" versus using their Passcode to access existing applications (VPN, etc.).
157. PRE-REQUISITES
✓ Authentication Manager has to be connected to the Cloud Authentication Service.
✓ Cloud Authentication has to be enabled in Authentication Manager.
✓ Cloud Authentication Service and Authentication Manager are connected to the same identity source.
✓ The policy must contain Approve.
✓ The user has the RSA SecurID Authenticate app registered with the Cloud Authentication Service.
158. Thank You!
159. Any Questions?