3. 3
Dell Customer Communication - Confidential
Identification “This is Who I Am”
Authentication “This is My Claim to an Identity”
Authorization “This is What I Can Do”
ACCESS CONTROL
4. 4
• Proof of who you are
• Done during the on-boarding process
IDENTIFICATION
5. 5
AUTHENTICATION
• A claim to identity
• The most commonly used authentication method in the online world is the password.
6. 6
AUTHORIZATION
• Authorization deals with what you can do once you’ve been authenticated to a system
8. 8
Two-Factor Authentication:
“The act of identifying an individual by using any combination of something they know, something they have OR something they are.”
• “Something you know” = PIN, password, life question
• “Something you have” = Token, Smartcard, Trusted Device
• “Something you are/do” = Biometrics (fingerprint, retinal scan, etc)
12. 12
RSA SECURID
Architecture diagram (labels only): External Network → DMZ with the Web Tier (Web Server, RBA, SSC, CT-KIP) → Internal Network with Auth Mgr 8.x (Primary) and the Identity Source; remote users arrive through SSL-VPN / VPN.
Sample login shown in the diagram: Login: RGasparian, Passcode: 2468159759
PASSCODE = PIN + TOKENCODE
13. 13
SECURID COMPONENTS
• Authenticator
• Agent
• Server (Authentication Manager Platforms & Architecture)
14. 14
HARDWARE AUTHENTICATORS OVERVIEW
Hardware Token: a physical device assigned to a specific user that generates a unique number at a specified interval.
Customer choice based on their requirements for:
— Function: OTP, hard disk encryption, transaction signing, etc.
All of RSA’s tokens utilise the cryptographically strong AES algorithm for time synchronous authentication
16. 16
WHY IS TIME-SYNCHRONOUS AUTHENTICATION
IMPORTANT?
• Time-based OTP has a precise clock that changes the password every 60 seconds
• Very hard to phish as the OTP becomes invalid in one minute
• More secure than an event-based OTP, where the password does not expire until another one is entered into the system
• Trojan attacks must be in real time to be able to compromise the system
Diagram: the token and the Authentication Manager hold the Same Seed, run the Same Algorithm and share the Same Time, so each independently computes the same tokencode (159759 on both sides).
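To make the shared-seed / shared-clock property concrete, here is an added example; it is not RSA's code, and the SecurID tokencode algorithm itself is proprietary and is not what this implements. It uses the open TOTP construction of RFC 6238 (HMAC-SHA1 over a time counter) with the deck's 60-second step and shows both sides of the exchange: the token computing a code from seed, algorithm and time, and the server recomputing it from its own copy of the seed to verify PASSCODE = PIN + TOKENCODE, tolerating one window of clock drift and refusing a passcode that is replayed or presented after its window has passed. The seed, PIN and timestamps are constructed for the example.

```python
"""Time-synchronous OTP, both sides of the exchange (added example, not RSA's
SecurID algorithm: this is the open TOTP construction of RFC 6238 with a
60-second step, used to illustrate the same-seed / same-algorithm / same-time
property the slide describes)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the deck's "changes a password every 60 seconds"
DIGITS = 6
DRIFT_STEPS = 1        # server accepts one window either side for clock drift

# Constructed sample seed (the ASCII string "12345678901234567890", which is
# also the RFC 6238 test-vector secret) and PIN. In a deployment the seed
# exists only in the token record and inside the authenticator.
SAMPLE_SEED = b"12345678901234567890"
SAMPLE_PIN = "2468"


def tokencode(seed: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the token displays: HMAC-SHA1 over the current time window,
    dynamically truncated to `digits` decimal digits (RFC 4226 / RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def user_passcode(seed: bytes, pin: str, token_time: int) -> str:
    """Client side: PASSCODE = PIN + TOKENCODE, computed from the token's clock."""
    return pin + tokencode(seed, token_time)


def verify_passcode(seed: bytes, pin: str, passcode: str, server_time: int,
                    used_windows: set) -> str:
    """Server side. Returns "PASS", "FAIL" or "REPLAY".

    The server recomputes the tokencode from its own copy of the seed and its
    own clock; the seed is never sent. A code is accepted only inside
    +/- DRIFT_STEPS windows of the server time, and each window is accepted
    once per token, so an intercepted passcode cannot be presented again.
    """
    if len(passcode) != len(pin) + DIGITS:
        return "FAIL"
    if not hmac.compare_digest(passcode[:len(pin)], pin):
        return "FAIL"
    submitted = passcode[len(pin):]
    base = server_time // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        window = base + delta
        expected = tokencode(seed, window * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            if window in used_windows:
                return "REPLAY"
            used_windows.add(window)
            return "PASS"
    return "FAIL"


def walk_through(token_clock: int = 1_700_000_000, drift: int = 20) -> dict:
    """Constructed scenario: the token's clock runs `drift` seconds behind the
    server's. Returns the outcome of a fresh login, an immediate replay of the
    same passcode, the same passcode three minutes later, and a wrong PIN."""
    used = set()
    server_clock = token_clock + drift
    passcode = user_passcode(SAMPLE_SEED, SAMPLE_PIN, token_clock)
    return {
        "fresh": verify_passcode(SAMPLE_SEED, SAMPLE_PIN, passcode, server_clock, used),
        "replay": verify_passcode(SAMPLE_SEED, SAMPLE_PIN, passcode, server_clock + 5, used),
        "stale": verify_passcode(SAMPLE_SEED, SAMPLE_PIN, passcode, server_clock + 180, used),
        "wrong_pin": verify_passcode(SAMPLE_SEED, "0000", passcode, server_clock, used),
    }


if __name__ == "__main__":
    print(walk_through())
```

The replay check is what turns "the code expires in a minute" into an enforced property: without remembering which window was already consumed, a phished passcode would still work for the remainder of its 60-second window.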
17. 17
HARDWARE TOKEN OPTIONS
• Quality Authenticators: Highest-quality authenticator-manufacturing processes, which means fewer token failures in the field
• Multi-Use Tokens: Multiple uses for these authenticators such as hard-disk encryption, email signing, and more
• Customisable: Brand your organization and demonstrate your commitment to security with custom artwork on your RSA tokens
• Time-Synchronous: An approach that combines time, an algorithm and a unique identifier to strengthen overall cryptographic value
• Warranty: Covers each RSA token for the entire life of the device
18. 18
SID 700
Known as a ‘Key Fob’ token
Simply read the changing number on the display
Robust design, built to survive harshest conditions
▪ Rigorously tested to be the industry's highest quality token
RSA’s most popular hardware token
EZ-View Display (SID700)
19. 19
WHAT’S INSIDE OF A HARDWARE TOKEN (SID 700)
• Coin cell 3V lithium ion battery
• Display
• Time crystal (clock)
• Microprocessor
• Microcontroller
• Epoxy filling
• Case
Creates a “tamper-evident” authentication device
20. 20
A PLANNED LIFETIME
1. Hardware tokens are built with an assigned life
2. Range from 24 mths up to 60 mths (depends on token type and system software release)
3. The most commonly purchased token is the 36 month SID 700
4. A pre-expiring shelf life enables customers to budget and plan token rotations
5. In most cases, the expiration date is stamped on the back of the token
21. 21
HOW WE DO IT BETTER – SID 700
Designed to Last
− Ultrasonic welded case
− Epoxy filled
− Beveled LCD display
− Anti-shock foam
Rigorously Tested
– Over 20 tests performed; including:
High / Low Temperature
Temperature Cycling
High Humidity
Mechanical Shock & Vibration
Drop Test
Electrostatic Discharge (ESD)
Radiated Immunity (EMI)
Radiated Susceptibility
Radiated Emissions
X-ray
Altitude Testing
Accelerated Life Testing
Cert Testing: UL / FCC / CE
• 40+ million actively in use
• 8 yrs in the marketplace
• Only 0.05% in field failures
22. 22
SID 800
Known as the ‘Hybrid Token’
SecurID & PKI in a single multi-purpose authenticator
Supports one time password (OTP), digital certificate, and password credentials
— Auto login to Windows Domain or other applications
Maintains traditional anywhere, anytime access
— Read token code from display
Provides OTP auto-entry for ease of use
— No need to type in the OTP, just insert the device into the USB port
Provides support for file and full disk encryption
— Prevent data breach from stolen laptops
23. 23
SID 800: MULTI-AUTHENTICATOR IN ONE
Multiple Credentials… Digital Certs, SecurID OTP, Passwords
Multiple Applications… VPN/Wireless, File/Disk Encryption, Email Signing, Web/App Auth, PC/Domain Auth
One Seamless End User Experience
24. 24
SID 800: COMPONENTS IN PLAY
SID 800
• Seed record on device
• Display OTP
• Smartcard in device
• Stores Digital Certificates
• Stores Password Credentials
RSA Authentication Client (RAC) aka “Middleware”
• Manage smartcard PIN, certificates and credentials
• Display SID 800 OTP
Desktop Authenticator (Windows Only)
• Display SID800 OTP
• No software seed record provisioning necessary, uses SID 800
• ADA compliance with JAWS screen reader
• Desktop API authenticator extends SID800 OTP access (Windows login, VPN login, etc…)
25. 25
HOW WE DO IT BETTER – SID 800
Insert token and enter PIN to…
▪ Authenticate to the PC/laptop
▪ Unlock an encrypted hard drive
▪ Establish a secure network connection to a VPN or wireless access point
▪ Authenticate to the corporate domain
▪ Access secure applications and web sites
▪ Authenticate to remote PCs or terminal servers
▪ Encrypt sensitive documents and files
▪ Sign and encrypt emails
Remove the token to…
▪ Lock down or log off from the PC/laptop
27. 27
TODAY: ANY USER, ANY DEVICE, ANYWHERE
Diagram labels: Server Applications and Cloud Applications; Remote Managed Device, BYOD and Inside the Network; access via VPN, Virtual Desktop, Mobile Apps and Web Browser; External and Temporary Users, Unmanaged Devices, Uncontrolled Access Points, Information in Public Cloud and Hosted Applications; user populations: Employees, Contractors, Partners, Customers
28. 28
RSA SECURID SOFTWARE AUTHENTICATORS
RSA SecurID Mobile SDK
Desktop Tokens
Mobile Phones and Tablets
29. 29
RSA SOFTWARE AUTHENTICATORS
• Transforms devices your users already own and carry into SecurID tokens
• Reduces frequency of lost or forgotten tokens
• Eliminates the “token necklace” problem
• Removes hurdle of end user acceptance of two-factor authentication
• Eliminates the need to inventory additional tokens
• Simplifies deployment process
• Decreases support calls for lost or forgotten tokens
• Lower TCO than hardware tokens
• Leverages investment in existing hardware
• Expand strong auth. to applications accessed by partners and customers
• Provides an easy and convenient mass deployment option
• Enhances confidence to offer more self-service options to customers and partners.
(Grouped on the slide under the headings Convenience, Value and Expansion)
30. 30
TWO COMPONENTS OF A SOFTWARE TOKEN
Application/Token Container
• OS-specific application downloaded from RSA.com or app stores
• Must be installed first on a user’s device before provisioning occurs
+
Customer Token Record (Seed Record)
• Purchased from RSA (SID 820)
• Provisioned by admin to the user’s device
31. 31
SOFTWARE TOKEN DEPLOYMENT OPTIONS
SDTID
• File Based Token Delivery
• Devices must support email attachment import
• Supported Form Factors: Mobile Tokens, Desktop Tokens
CTF String
• Text Based Token Delivery
• Generated by Token Converter or AM 8.x
• Converts SDTID file into compressed token format (CTF) string
• Alternative to file attachments
• Supports Android, iOS and Windows Phone Mobile Devices
CT-KIP
• Dynamically Provisioned Tokens
• Requires CT-KIP Server
• Recommended Provisioning Method
• Supported on AM 7.1 & 8.x
• Supported Devices include Mobile and Desktop Tokens
QR Code
• CTF or CT-KIP encoded QR Code
• Allows option to provision without needing email
• QR Code generated via AM 8.1 SP1 SSC, AM Prime, Token Converter, 3rd party QR Code generator
• Supports Android & iOS Devices
Usage ratings shown beneath the columns: Basic Use Case, Use only as Required, Recommended
32. 32
CT-KIP DYNAMIC PROVISIONING
• Secure “over-the-wire” provisioning
• No Token Record to Intercept
• Activation Code is only valid once
• Add Device Binding for Additional Security
Flow shown in the diagram: the SecurID Admin sends an Out-of-Band Activation Code via a Secure Email Channel; the Mobile Device User clicks the CT-KIP URL with the Activation Code; the CT-KIP Server delivers the token to the Mobile Device over the CT-KIP URL.
33. 33
QR CODE PROVISIONING
QR Code Provisioning of Software Tokens will reduce provisioning time and costs by 80%
• Increase user self-service
• Eliminates “email” to End User Mobile Device
• Eliminate help desk calls
• Streamline the provisioning process with fewer, intuitive steps. Point & click.
• QR codes are becoming more accepted by end users
• Software tokens are “QR Code Ready” (iOS and Android)
34. 34
RSA SECURID SOFTWARE TOKEN SECURITY
Device Binding
• Server Side Attribute
• Validates the Mobile Device
• Token Record cannot be imported to another device
• Augment with OOB password to validate the user
Copy Protection
• Client Side Security feature on import
• Device biometrics used to unlock the token database for each use
• Token will not function on a device without matching device biometrics
Something you Know
• Software Token does not store the PIN in permanent memory
• The PIN cannot be brute forced
• Something you and your mobile device know is not two-factor
• The PIN does not unlock a valid passcode
35. 35
RSA DESKTOP TOKENS
Authenticator on the Desktop
Desktop Authenticator
IE Toolbar (Win)
36. 36
SDK: ENABLING STRONG AUTH FOR MOBILE APPS
RSA Mobile Authentication SDKs
Software Development Kit (SDK) for mobile apps
▪ Includes sample application, documentation and library for embedding functionality in mobile apps
▪ Available free of charge for RSA customers and RSA Secured partners
Developers can choose from the following functionality
▪ SecurID OTP Module
− Import software tokens, generate OTP
− User visible or invisible OTP
38. 38
So what does RBA actually mean….
Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analysing user behaviour and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity by using one of the following methods:
• On-demand authentication (ODA). The user must correctly enter a PIN and a one-time token code that is sent to a preconfigured mobile phone number or e-mail account.
• Security questions. The user must correctly answer one or more security questions. Correct answers to questions can be configured on the Self-Service Console or during authentication when silent collection is enabled.
39. 39
RISK-BASED AUTHENTICATION
How it works
Flow diagram (labels only): a User on a Web Browser requests Protected Resources (OWA, SharePoint, SSL VPN, Web Portals). The RSA Risk Engine evaluates Activity Details (Device Fingerprint, Network Forensics, Device Token, Profile, Relative Velocity, Device Identification) and User Behavior against the Authentication Policy and its Assurance Level. Outcome PASS grants access; outcome RISKY raises an Identity Challenge (On-Demand Tokencode or Challenge Questions), which on PASS grants access and on FAIL ends in Access Denied.
40. 40
RISK-BASED AUTHENTICATION (RBA)
Strengthens traditional password authentication by silently applying risk-based analytics
− Is the user authenticating from a known device?
− Does the user’s behavior match known characteristics?
Risky authentication attempts require additional validation
− Security Questions
− On-Demand Authentication
Factors shown in the diagram:
1st Factor: Something you KNOW
2nd Factor: Something you HAVE
3rd Factor: Something you DO
Step-Up : Something you KNOW or HAVE
41. 41
THE RSA RISK ENGINE
Proven sophisticated risk engine
− Same risk engine as Adaptive Auth
− Protects 350+ million online identities
Optimized for Enterprise use cases
− Optimized for: Network Security vs. Fraud Mitigation
− Predictable: Use case vs. challenge rate
− Simplified: Assurance levels vs. risk scoring
Self tuning risk model adapts to each customer environment
− Common device characteristics are de-prioritized in the risk score
− Suspicious behavior is based on norms for the overall user population
42. 42
ON-DEMAND AUTHENTICATION
Bundled with RBA License
Utilise SMS or Email
Customizable Message
Configurable Validity
Contractors, Vendors, Backup Authenticator
44. 44
AM WEB TIER
Lightweight application installed in the DMZ that hosts services exposed to the Internet
▪ Enables secure deployment of
− RBA
− Self-Service
− CT-KIP (Cryptographic Key Initialization Protocol)
Above services require a web tier for the following reasons
− Blocks Internet access to the Security Console
− Allows customization of the RBA/Self-Service logon pages
− Up to 16 web tiers
48. 48
WHAT IS AN AGENT?
A SecurID agent is installed or embedded on an access point (VPN, Web Site, Server) that accepts credentials from an end user (Username + Passcode) and directs them to Authentication Manager.
Agent Options
1. Native (RSA Partner Program)
2. Downloadable (RSA Owned)
3. RADIUS
4. SDK (until 8.3, Now Rest API)
49. 49
WHAT DOES AN AGENT DO?
Trust
▪ Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user impersonating the agent or a Server.
Authentication
▪ Intercept access attempts
▪ Collect Credentials
▪ Verify with Server
▪ Provide (or deny) access
▪ Single Sign On
▪ Support for New Pin Mode, Next Token Mode
How do I know if a resource can be protected by SecurID? www.rsasecured.com
▪ Search by product or vendor
▪ Ex. Cisco ASA
▪ Displays RSA and 3rd Party owned Agents
50. 50
RSA SECURED® PARTNER PROGRAM (NATIVE)
Out-of-the-box interoperability and documentation for 400+ partner applications
Reduce integration costs
Ensure interoperability through stringent certification program
Compatibility maintained through integration updates
Fully supported by RSA and its partners
51. 51
GEN II SecurID Agents
Features:
• Next Generation SecurID Agents
Benefits:
• Agent connects to RSA SecurID Access AM Server or Cloud Authentication Service
• More Authentication Options: (Push to Approve, Fingerprint, Windows Hello, etc…)
• Stronger Security / Cryptographic Algorithms (FIPS compliant is target plan)
• Connect via REST (TCP) instead of UDP
• IPv6
• Agent Reporting
Diagram: Gen II agents connect to Authentication Manager and to the Cloud Authentication Service.
Gen II agents:
1. PAM v8.1
2. ADFS
3. MFA AGENT (Windows)
4. Web
5. Citrix Storefront
NOTE: GEN II agents developed in parallel by the Agent Team with close collaboration with AM Teams
52. 52
RSA LINK SOLUTION GALLERY
Search all solutions: https://community.rsa.com/community/products/rsa-ready
53. 53
DOWNLOADABLE (RSA OWNED)
Some agents are owned by RSA to provide tighter integration
Assures integration is always up to date
Windows/PAM Agent
▪ Protects Windows/Linux logon
− Servers, Laptops, RDP, Terminal Services…
▪ Offline Authentication available
IIS/Apache Agent
▪ Protects websites served by these 2 web servers
▪ Exchange/Sharepoint protection available (IIS only)
▪ Optional RBA support available!
55. 55
WHAT IS RADIUS?
• Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service.
56. 56
RADIUS CLIENT
A RADIUS client is any device that supports the RADIUS protocol
Are typically network endpoint devices such as
▪ Network Access Server (NAS)
▪ Firewall
▪ 802.1x Access Point
▪ VPN Server
▪ Web Server
Serves as the gateway to the network
▪ Provides the interface for user interaction (credential input, etc)
57. 57
WHY IS RADIUS IMPORTANT?
• An industry standard for authentication
- Numerous network access products are enabled for RADIUS
- Supports a wide variety of authenticators
• OTP Tokens
• Challenge/Response
• Passwords
• Certificates
• Ability to integrate with other authentication services
- RADIUS Accounting, Access Control and Authentication can be proxied to other systems (such as AM or Windows AD)
• Used in about 2/3 of SecurID deployments
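The three RADIUS slides describe the client, the server and the protocol between them without showing a packet. As an added example (not RSA's agent, server or RADIUS code), the following builds the RFC 2865 Access-Request / Access-Accept exchange in memory: the RADIUS client (a NAS or VPN gateway) hides the user's passcode under the shared secret and a fresh Request Authenticator, the server recovers it, checks the credentials against a stand-in store where Authentication Manager would sit, and signs its reply with the Response Authenticator, which the client verifies before trusting the answer. The shared secret, username, passcode and NAS identifier are constructed sample values, and the packets are never actually sent over UDP.

```python
"""RADIUS Access-Request / Access-Accept in memory (added example following
RFC 2865; not RSA's agent or server code). The secret, user, passcode and
NAS identifier are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # RFC 2865 attribute types

SHARED_SECRET = b"constructed-shared-secret"          # constructed
VALID_USERS = {"rgasparian": "24681597"}              # username -> current passcode (constructed)


def _attr(atype: int, value: bytes) -> bytes:
    """Type / Length / Value; Length counts the two header bytes as well."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block keyed by the Request
    Authenticator. This is obfuscation under a shared secret, not encryption
    with a per-session key, which is why secret quality and transport matter."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same shared secret and
    the Request Authenticator carried in the packet header."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: str, passcode: str,
                         secret: bytes, request_auth: bytes = b"") -> bytes:
    """Client side (the NAS / VPN gateway). The 16-byte Request Authenticator
    must be fresh and unpredictable for every request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(passcode.encode(), secret, request_auth))
             + _attr(NAS_IDENTIFIER, b"vpn-gw-01"))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attributes(payload: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; reject malformed lengths."""
    attrs, i = {}, 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code + ID + Length +
    RequestAuth + Attributes + Secret) binds the reply to one request."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust a reply only if its authenticator matches the
    request we sent and our copy of the shared secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_server(request: bytes, secret: bytes) -> bytes:
    """Server side: recover the passcode and check it against the credential
    store (a dictionary here, standing in for the authentication back end)."""
    if request[0] != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    attrs = parse_attributes(request[20:])
    username = attrs[USER_NAME].decode()
    passcode = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    ok = hmac.compare_digest(VALID_USERS.get(username, "").encode(), passcode)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def exchange(username: str, passcode: str, client_secret: bytes = SHARED_SECRET,
             server_secret: bytes = SHARED_SECRET) -> tuple:
    """One round trip; returns (response code, did the client verify the reply)."""
    request = build_access_request(7, username, passcode, client_secret)
    response = radius_server(request, server_secret)
    return response[0], verify_response(response, request, client_secret)
```

Running `exchange("rgasparian", "24681597")` yields an Access-Accept that the client verifies; a wrong passcode yields a verified Access-Reject; and a secret mismatch between client and server produces a reply whose Response Authenticator the client refuses, which is the check that stops a spoofed RADIUS server from handing out Accepts.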
58. 58
SDK – SOFTWARE DEVELOPMENT KIT
• The Authentication Agent SDK enables applications to authenticate via the RSA SecurID protocol.
• Supports the Java and C programming languages (the C library can also be utilized in a .NET environment as unmanaged code).
• This SDK can perform SecurID authentication with Authentication Manager versions 5.x, 6.x, 7.1, 8.x.
59. 59
REST API
• A REST API defines a set of functions through which developers can make requests and receive responses over HTTP.
• Because REST APIs use HTTP, they can be used from practically any programming language.
60. 60
RSA SecurID Authentication API is a REST API for developers who want to build clients that send authentication requests to RSA SecurID Access, either through the RSA Authentication Manager server, the Cloud Authentication Service, or both.
https://community.rsa.com/docs/DOC-75741
61. 61
Benefits of REST API:
REST is simple.
➢ Other APIs have to follow a lot of rules that make them challenging to use. In practice, this formality, power, and flexibility generally gets in the way of doing what you want to do, costs a lot more to implement and maintain, and is generally more trouble than it's worth.
REST is "of the web".
➢ Not only does REST assume HTTP, but it adopts all of the well understood mechanisms of HTTP. A web app developer can be very productive very fast, both creating and consuming these APIs, because it is just like working with a web page.
➢ It uses JSON, which is the native data format for JavaScript, the language in all of our web browsers... thus it's a more web-centric approach.
REST is object centric, not message centric.
➢ REST wants you to focus on the THINGS in your application. With REST, you can only do four things: GET, POST, PUT, and DELETE. In practice that covers about 90% of what you want to do.
62. 62
REVIEW - WHAT DOES AN AGENT DO?
Trust
− Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user impersonating the agent or a Server.
Authentication
− Intercept access attempts
− Collect Credentials
− Verify with Server
− Provide (or deny) access
How do I know if a resource can be protected by SecurID? www.rsasecured.com
− Search by product or vendor
− Ex. Cisco ASA
− Displays RSA and 3rd Party owned Agents
63. 63
VIRTUAL & PHYSICAL APPLIANCE
Virtual Appliance
• Deployable in 10-20 minutes
• Hardened Security Profile to meet EMC/RSA compliance
• Hardened SUSE OS
• Support for VMWare & Hyper-V
Physical Appliance
• Model A130 & A250 (Redundancy)
• Same or Cross Platform Migration
• SNMP Hardware MIB
• Deployable in 10-20 minutes
• Hardened Security Profile to meet EMC/RSA compliance
• Remote Factory Reset
Optimised Deployments: Mix & Match Between Virtual / Hardware Appliance
Simple, Secure deployment; Standards-based Platforms; Lower Deployment Costs
69. 69
PRIMARY AND REPLICAS
A primary is the main “instance” of the RSA Authentication Manager deployment
It is the master database hub
The primary is where the administration functions are performed – “Read-Write”
There is only 1 primary in a deployment
70. 70
REPLICAS
Used for accepting authentication requests and providing backup capabilities
Can be multiple, up to 15
Synchronized database copy
Can become the primary in a planned or unplanned scenario in a process called ‘Promotion’
Read-Only
73. 73
CONVENIENT & SECURE ACCESS IN A WORLD WITHOUT BOUNDARIES
RSA SECURID ACCESS
The Gold Standard
for Strong Authentication
The Next-Generation
of Identity Assurance
• Trusted by 25,000+ Enterprises
• More than 50 million active users
• 500+ certified technology partners
• Dynamic risk-based Identity Assurance
• Mobile MFA: Push, OTP, biometrics & more
• Any application: on-premises or in the cloud
• SaaS delivery, subscription pricing
74. 74
CONNECT TO ANYTHING
Centralised Access Policies
SaaS Applications
Traditional/on-premise Applications (400+ RSA SecurID integrations)
Web Applications
Mobile Applications (SAML-Enabled)
75. 75
PROTECT CLOUD APPS AND CONTROL ACCESS WITH SSO
Centralized Access Policies
SaaS Applications
Traditional/on-premise Applications (400+ RSA SecurID integrations)
Mobile Applications (SAML-Enabled)
App screenshot: SecurID Tokencode, “Pull down to check for authentication”, showing tokencode 3905 0001
77. 77
THE RSA DIFFERENCE: A HYBRID APPROACH
• A secure approach to supporting on-prem applications
• Sensitive user & org information remains on-premises
• Active Directory passwords are NEVER sent to cloud
• Dedicated runtime not shared with other tenants
Diagram components: Web Reverse Proxy, Active Directory/LDAP, Authentication Manager 8.x, Identity Router, SecurID Access App Portal
83. 83
5 ACCESS USE CASES THAT NEED 2FA/MFA
CLOUD APPS
DIGITAL WORKSPACES
NEXT-GEN FIREWALL
PRIVILEGED ACCOUNTS
VPN
85. 85
MFA for VPN
▪ Something you have and know
▪ High-level of security
▪ Always on and available
▪ Broadest number of use scenarios
Remote Access (VPN)
▪ Remote access is critical for today’s distributed and mobile workforce
▪ Passwords are easily compromised and used in attacks
Mobile MFA for VPN
▪ Offer smartphone-based options
▪ Provide users with more choices
▪ Streamline user provisioning
▪ Apply auth method based on risk
Machine Learning Risk-based Analytics
86. 86
PRIVILEGED ACCESS MGMT + MFA
Password Vault
▪ Automatically rotates and controls access to privileged account passwords
▪ Defaults to password-level security for access
▪ Very attractive target for attackers
Multi-factor Authentication
▪ Protect front door access to PAM solutions and other privileged accounts
▪ Offer a broad set of authenticators
▪ Use machine learning risk analytics to increase security and reduce friction
▪ Secure cloud admin tools like AWS and Azure management consoles
Machine Learning Risk-based Analytics
87. 87
CLOUD CREATES NEW CHALLENGES
LIMITED VISIBILITY creates gaps between “islands of identity”
ANYTIME ACCESS that’s convenient to any cloud app from any device
PASSWORDS are easy to compromise and reuse undetected
88. 88
SECURING ACCESS TO CLOUD APPLICATIONS
MULTIFACTOR AUTHENTICATION
• Give users choice and convenience with a broad set of MFA options
• Bridge islands of identity, and limit multi-vendor costs with one authentication platform
• Eliminate user friction and preserve the cloud simple UX with risk based analytics
• Provide a consistent experience for on-prem and cloud apps
89. 89
ENFORCE MFA AT THE FIREWALL
Next-Gen Firewall + MFA
▪ Mitigate identity risk with a multi-layer approach to secure access
▪ Save time and money deploying multi-factor authentication by avoiding the need to modify applications
▪ Increase security and reduce user friction with machine learning risk analytics and mobile authentication methods
▪ Bridge islands of identity across custom apps, IoT devices and isolated networks
▪ Provide security and convenience by challenging users according to the level of risk
Flow shown in the diagram (User, Palo Alto Networks Next-Gen Firewall, RSA; protected targets: APP SERVER, IOT DEVICES, ISOLATED NETWORK):
1. Access application
2. Check policy
3. Palo Alto prompts user for MFA
4. Palo Alto requests identity assurance from RSA (SAML, RADIUS or API)
5. RSA challenges user (multi-factor authentication methods)
6. ID verified
7. Access granted
90. 90
MULTI-FACTOR AUTHENTICATION
DIGITAL WORKSPACES + MFA
Application and Device Management (Application Mgmt, Endpoint Mgmt, User Mgmt)
▪ Delivers cloud-based, on-prem and virtual applications
▪ Supports BYOD and corporate owned device models
▪ Provides consumer-simple SSO
Multi-factor Authentication
▪ Protect front door access to digital workspace SSO portal
▪ Offer a broad set of authenticators
▪ Step up authentication to individual apps based on the level of risk.
▪ Use machine learning risk analytics to increase security and reduce friction
98. 98
MFA ENROLMENT
• MyPage
• RSA Hosted Self-Service
• QR Code and Activation code
• just like SW Token
99. 99
SECURID APP – MOBILE MFA
App screenshot: SecurID Tokencode, “Pull down to check for authentication”, showing tokencode 3905 0001 and a FINGERPRINT / SKIP TO TOKEN prompt
• Provisionless OTP (Token)
• Push Notification (1 tap approve)
• Touch ID (fingerprint)
• Face ID (iPhone X)
100. 100
FIDO Tokens – A standard (U2F) for a specific type of hardware token from any supporting vendor.
E.g. Yubikey. (* Fully supported but not sold by RSA)
SMS / Robocall Option – for non-smartphone users (* extra licence cost)
Full Support for Traditional Tokens – keep existing fleet or leverage traditional HW or SW token
101. 101
“CHAINING” AUTH METHODS
App screenshot: SecurID Tokencode, “Pull down to check for authentication”, showing tokencode 3905 0001 and a FINGERPRINT / SKIP TO TOKEN prompt
You can chain almost any combination of 2 methods to provide Higher Assurance of a user’s identity when they access something
102. 102
SECURID ACCESS USER EXPERIENCE
Device Registration: Approve, PIN protection, Fingerprint
108. 108
RSA SECURID ACCESS
Seamless Identity Assurance: the Risk Level of a request to a Resource is evaluated from the User, the Resource and the Context.
User: ❑ Admin ❑ Executive ❑ Worker
Resource: ❑ I.P. Data ❑ Classified ❑ Public
Context: ❑ Network ❑ Location ❑ Behavior ❑ Country ❑ Agent ❑ Browser
109. 109
RSA SECURID ACCESS: Granted
User: ✓ Worker
Resource: ✓ Public
Context: ✓ Network ✓ Location ✓ Behavior ✓ Country ✓ Agent ✓ Browser
Risk Level outcome: Granted
110. 110
RSA SECURID ACCESS: Step-Up (Token, Biometric or Push)
User: ✓ Worker
Resource: ✓ Public
Context: × Network × Location ✓ Behavior ✓ Country ✓ Agent ✓ Browser
Risk Level outcome: Step-Up
111. 111
RSA SECURID ACCESS: Denied
User: ✓ Worker
Resource: × Classified
Context: × Network × Location × Behavior × Country × Agent × Browser
Risk Level outcome: Denied
112. 112
RSA SECURID ACCESS
Seamless Identity Assurance summary: from the Risk Level computed over User (Admin / Executive / Worker), Resource (I.P. Data / Classified / Public) and Context (Network, Location, Behavior, Country, Agent, Browser), the outcome is Granted, Step-Up (Token, Biometric or Push) or Denied.
113. 113
CRITICAL SECURE ACCESS CAPABILITIES
Risk-based Authentication: Access in context
RISK outcome PASS / RISKY / DENY, evaluated from Device, App, Role, Location and Behavior (MACHINE LEARNING)
Pervasive MFA: Certified and supported
Modern MFA Methods: Easy & convenient
Push, Mobile OTP, Biometrics, Text Msg, Voice Call, Proximity, HW Token, Wearables, SW Token, FIDO
Assurance Levels: Challenge according to the level of risk (Security vs. Risk)
114. 114
INTELLIGENCE DRIVEN IDENTITY ASSURANCE
Static User and Context Rules (Network, Session, App, Device, Role, Location) → PASS / RISKY / Deny
Behavior-based Confidence: Location, Time, App, Network, Device, Access Pattern
Authentication methods shown: Approve, Tokencode, RSA SecurID, FIDO, Eyeprint ID, Fingerprint
115. 115
HOW WE DETERMINE IDENTITY CONFIDENCE
Time
• Is this a normal access time
• Is this a weekend
Application
• Is this a common or uncommon application for the user
Device
• Is this a recognized device for this user
• A user account is being used simultaneously on more than one device
• Device language settings
Access patterns
• High authentication velocity: user authenticates unsuccessfully many times quickly
• Multiple users are authenticating from the same IP
Location
• Physical location of a user (estimated from HTML5 and IP Geolocation)
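As an added example (not RSA's risk engine; the signal weights, thresholds, names and sample data are all constructed), the following turns the questions on this slide into a scoring function over one authentication attempt plus its recent history, and maps the score to the PASS / RISKY / DENY outcomes and resource-dependent assurance levels of the preceding Identity Assurance slides. It goes slightly beyond the slide by also applying the resource's sensitivity, so the same weekend login passes for a public resource and triggers a step-up for a classified one.

```python
"""Risk-based authentication decision (added example; the weights, thresholds
and sample data are constructed and are not RSA's risk engine)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Profile:
    """What has been learned about one user's normal behaviour."""
    username: str
    known_devices: frozenset
    usual_apps: frozenset
    usual_hours: range            # local hours in which the user normally works
    usual_countries: frozenset


@dataclass(frozen=True)
class Event:
    """One authentication attempt; the same type is used for recent history."""
    username: str
    device: str
    app: str
    country: str
    ip: str
    when: datetime
    success: bool = True


# Risk a resource tolerates before a step-up challenge (public < I.P. data <
# classified, as on the Identity Assurance slides); DENY_SCORE refuses outright.
RISK_TOLERANCE = {"public": 3, "ip_data": 1, "classified": 0}
DENY_SCORE = 6


def risk_signals(profile, event, history):
    """(reason, weight) pairs for the questions on the slide."""
    signals = []
    if event.device not in profile.known_devices:
        signals.append(("unrecognised device", 2))
    if event.app not in profile.usual_apps:
        signals.append(("uncommon application for this user", 1))
    if event.country not in profile.usual_countries:
        signals.append(("unusual location", 2))
    if event.when.hour not in profile.usual_hours:
        signals.append(("outside normal access time", 1))
    if event.when.weekday() >= 5:
        signals.append(("weekend access", 1))
    recent = [h for h in history if event.when - timedelta(minutes=5) <= h.when < event.when]
    if sum(1 for h in recent if h.username == event.username and not h.success) >= 5:
        signals.append(("high authentication velocity", 3))
    if len({h.username for h in recent if h.ip == event.ip} - {event.username}) >= 2:
        signals.append(("multiple users from the same IP", 2))
    if any(h.username == event.username and h.success and h.device != event.device
           for h in recent):
        signals.append(("account in simultaneous use on another device", 2))
    return signals


def decide(profile, event, history, resource):
    """Map the summed score to PASS / RISKY (step-up) / DENY for one resource."""
    signals = risk_signals(profile, event, history)
    score = sum(weight for _, weight in signals)
    if score >= DENY_SCORE:
        outcome = "DENY"
    elif score > RISK_TOLERANCE[resource]:
        outcome = "RISKY"          # challenge with token, biometric or push
    else:
        outcome = "PASS"
    return outcome, score, [reason for reason, _ in signals]


# Constructed sample profile and timestamps (4 March 2024 is a Monday).
ALICE = Profile("alice", frozenset({"laptop-7731"}), frozenset({"mail", "sharepoint"}),
                range(7, 19), frozenset({"GB"}))
MONDAY_10AM = datetime(2024, 3, 4, 10, 0)
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)


def scenario_known_device(resource):
    return decide(ALICE, Event("alice", "laptop-7731", "mail", "GB", "10.0.0.5", MONDAY_10AM),
                  [], resource)


def scenario_weekend(resource):
    return decide(ALICE, Event("alice", "laptop-7731", "sharepoint", "GB", "10.0.0.5",
                               SATURDAY_10AM), [], resource)


def scenario_new_device_abroad(resource):
    return decide(ALICE, Event("alice", "phone-unknown", "mail", "US", "198.51.100.7",
                               MONDAY_10AM), [], resource)


def scenario_rapid_failures(resource):
    """Six rapid failures for alice and two other accounts tried from the same
    IP in the last five minutes, then an attempt from an unknown device and
    country ("ZZ" is a constructed country code)."""
    ip = "203.0.113.9"
    history = [Event("alice", "bot", "mail", "ZZ", ip, MONDAY_10AM - timedelta(seconds=30 * i),
                     success=False) for i in range(1, 7)]
    history += [Event(u, "bot", "mail", "ZZ", ip, MONDAY_10AM - timedelta(minutes=2),
                      success=False) for u in ("bob", "carol")]
    return decide(ALICE, Event("alice", "bot", "mail", "ZZ", ip, MONDAY_10AM), history, resource)


if __name__ == "__main__":
    for name, fn in (("known device", scenario_known_device), ("weekend", scenario_weekend),
                     ("new device abroad", scenario_new_device_abroad),
                     ("rapid failures", scenario_rapid_failures)):
        print(name, "public:", fn("public")[0], "classified:", fn("classified")[0])
```

The returned reason list is the part a SOC analyst actually wants alongside the verdict: a step-up or denial that names the signals behind it can be reviewed and tuned, whereas a bare score cannot.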
120. 120
MARKET OVERVIEW – SECURID SUITE
Customer Profile:
• Size: SMB to global enterprise
• Industries: All verticals
• Protect applications & access from on-premise to cloud with convenient yet secure MFA
Customer problems:
• Need to protect cloud apps with more than just username & password with convenient yet secure MFA
• Next generation authentication required to allow for secure but convenient authentication
• Need to meet audit or regulatory controls for user access management
Questions to ask:
• How do you protect cloud-based apps?
• Do you have islands of identity (uncontrolled SaaS services)?
• What would happen if you were breached via a cloud app?
• Are you failing any security audits or regulatory compliance around access management?
Things to listen for:
• Two-factor authentication or multi-factor authentication
• Gain control
• Gain visibility to who has access to what
121. 121
Security Sensitive
High Touch
Low Touch
Convenience Driven
PROFILE / MATURITY
SIZE / COMPLEXITY
THE FOUR KEY CUSTOMER CONVERSATIONS
Modern Authentication
Ensure seamless user access to critical resources with MFA options that are securely managed, aligned to risk, work uniformly from ground-to-cloud and are adaptable to any situation or need.
Identity Assurance
Mitigate risk and ensure the highest levels of identity assurance for sensitive use cases while further reducing sources of friction that can inhibit end user productivity.
Enterprise Grade
Provide best-in-class support for complex environments, diverse user populations and custom tools & workflows with enterprise grade reliability, performance & scale.
Journey to the Cloud
Enable customers to take that “next step” in their journey to the cloud with minimal friction and with options aligned to their individual risk tolerance, timing and phase of maturity.
122. 122
CUSTOMER CHALLENGES: FOUR MAIN DRIVERS
Enterprise Authentication
Compliance
I face ongoing compliance regulations and internal policies that I must adhere to for strong auth.
Prevent Fraud
I am fighting malware such as Trojans and don’t trust my end users (or their PCs). However, I have to trust them due to both business & regulatory reasons!
Enable Mobility
It is difficult to cost-effectively and accurately manage auth for multiple types of remote workers and multiple apps.
Secure Access
I am planning to shift my auth and IT infrastructure to the cloud to lower costs and ease admin burden.
125.
Microsoft MFA
• Microsoft offers two options for MFA: Microsoft MFA for Office 365, or the MFA capabilities built into Microsoft Azure Active Directory Premium.
• Authentication is assigned for all the apps or none of the apps.
• One authentication option for when users are offline.
• Microsoft offers just one option for use cases where mobile phones are prohibited or mobile service is unreliable.
126.
What you should know
SecurID vs Microsoft:
• The organisation has both on-premise and cloud use cases.
• The organisation has a security-first mindset and understands the need for Identity Assurance.
• The organisation needs at least some hardware or desktop software tokens.
127.
Gemalto
• Safenet Authentication Manager (SAM) with OTP, certificate-based and software authentication options.
• Safenet Authentication Service delivered from SafeNet cloud with token options, as well as mobile.
• SafeNet Trusted Access provides authentication for SaaS based applications and SSO.
• Does not offer Identity Governance and Lifecycle.
128.
Questions customers should ask Gemalto:
• How can I be confident your roadmap will align to our future authentication and identity management needs?
• Will the Thales acquisition of Gemalto change your roadmap, your structure or your position in the identity and access management (IAM) market?
129.
DUO
• Limited capability in supplying rich contextual and user behaviour analysis
• DUO uses partners to support Governance and Lifecycle Management
• No stand-alone on-premises deployment option
• MFA capability
• Endpoint visibility
130.
Questions customers should ask DUO:
• What is the largest deployment size that can be supported by DUO Trusted Access?
• Can I deploy DUO without requiring an on-premises component?
132.
• Customized authentication methods based on application assurance levels.
• Support for offline authentication.
• Solution for situations where smartphones can't be used.
• Strong Identity Assurance.
• RSA Ready Program.
• Optional on-premises deployment.
139. 139
SOME FACTS
• Host RSA Authentication Manager 8.4 in the Microsoft Azure cloud
• AM 8.4 Cloud Value
• Upgrade Path to AM 8.4
141. 141
PATCH 4 UPDATES
• AM 8.4 Patch 4 allows you to connect RSA Authentication Manager to the Cloud Authentication Service and quickly roll out modern MFA to your users.
• You do not need to replace or update your existing agents.
• A Security Console wizard configures the connection and invites users to authenticate to the Cloud.
142. 142
CONNECT TO CLOUD DEMYSTIFIED
Feature                            | AM 8.4        | AM 8.4 P4          | Comments
IDR deployment and CAS* connection | Needed        | Needed             | Needed for CAS user sync
IDR connection in AM               | Needed        | Available/Optional | Supports Authenticate Tokencode
Connect to CAS*                    | Not Available | Available          | Supports Authenticate Tokencode, PIN+Approve
Authenticate Tokencode             | Supported     | Supported          | Supported in IDR, Connect to CAS
PIN + Approve**                    | Not Supported | Supported          | Only for Connect to CAS
*CAS - Cloud Authentication Service
**Details discussed in next slides
145. 145
THE HOW
✓ Seamless one-time configuration of the Cloud Connection
✓ Ability to invite users to enroll for MFA
✓ Expanded authentication methods to support Mobile MFA (PIN + Approve)
✓ Support for a unified users dashboard for SecurID Access users
✓ What happened to my IDR connection?
154. 154
PREREQUISITES
✓ Cloud Authentication Service and Authentication Manager have to be connected to the same identity source.
✓ Authentication Manager has to be connected to Cloud Authentication Service.
✓ SMTP service has to be configured in Authentication Manager.
156. 156
REQUIREMENT
As an existing SecurID customer, my users should be able to use “existing PIN” + “Mobile MFA method Push to Approve” versus using their Passcode to access existing applications (VPN, etc.).
157. 157
PREREQUISITES
✓ Authentication Manager has to be connected to Cloud Authentication Service.
✓ Cloud Authentication has to be enabled in Authentication Manager.
✓ Cloud Authentication Service and Authentication Manager are connected to the same identity source.
✓ Policy must contain Approve.
✓ User has the RSA SecurID Authenticate app registered with Cloud Authentication Service.