RSA SecurID Access

1
Dell Customer Communication - Confidential
RSA SECURID® ACCESS
Zee Sayi Erich Stasko
Systems Engineer Authentication Specialist

2
WHAT IS AUTHENTICATION?

3
3
Identification “This is Who I Am”
Authentication “This is My Claim to an Identity”
Authorization “This is What I Can Do”
ACCESS CONTROL

4
4
• Proof of who you are
• Done during the on-boarding process
IDENTIFICATION

5
AUTHENTICATION
5
• A claim to identity
• The most commonly used authentication method in the online world is the
Password.

6
AUTHORIZATION
6
• Authorization deals with what you can do once you’ve been authenticated to a system

7
WHAT IS TWO-FACTOR AUTHENTICATION?
7

8
8
Two-Factor Authentication:
“The act of identifying an individual by using any combination of something they know,
something they have OR something they are.”
“Something you know” = PIN, password,
life question
“Something you have” = Token, Smartcard,
Trusted Device
“Something you are/do” = Biometrics
(fingerprint, retinal scan, etc)

9
9
Something you Know
Something you Have
ATM WITHDRAWAL

10
RSA SECURID COMPONENTS

11
COMPONENTS - AT A GLANCE
AUTHENTICATORS AGENTS Authentication Manager

12
RSA SECURID
RSA
Web Tier
Web
Server
DMZ Internal Network
Auth Mgr 8.x
(Primary)
Identity Source
External Network
Login: RGasparian
Passcode: 2468159759
RBA
SSC
CT-KIP
PASSCODE = PIN + TOKENCODE
SSL-VPN
VPN

13
SECURID COMPONENTS
Authenticator Agent SERVER
(Authentication Manager
Platforms & Architecture)

14
HARDWARE AUTHENTICATORS OVERVIEW
 Hardware Token: a physical device assigned to a specific user and generates a unique number at a specified
interval.
 Customer choice based on their requirements for:
— Function: OTP, hard disk encryption, transaction signing, etc.
 All of RSA’s tokens utilise the cryptographically strong AES algorithm for time synchronous authentication

15
HARDWARE AUTHENTICATOR
Username: JJONES
Passcode: 2468032848
Token code:
changes every
60 seconds
PASSCODE =PIN + TOKENCODE
http://searchsecurity.techtarget.com/definition/RSA

16
16
WHY IS TIME-SYNCHRONOUS AUTHENTICATION
IMPORTANT?
• Time-based OTP has precise clock that changes a password every 60 seconds
• Very hard to phish as OTP becomes invalid in one minute
• More secure than an event-based OTP where password does not expire until another
one is entered into the system.
• Trojan attacks must be in real-time to be able to compromise system
Same Seed
Same Algorithm
Same Time
Algorithm
Time
Seed
Algorithm
Time
Seed
159759 159759
Authentication
Manager

17
HARDWARE TOKEN OPTIONS
Quality Authenticators
Highest-quality authenticator-manufacturing processes,
which means fewer token failures in the field
Multi-Use Tokens
Multiple uses for these authenticators such
as hard-disk encryption, email signing, and
more
Customisable
Brand your organization and demonstrate your commitment
to security with custom artwork on your RSA tokens
Time-Synchronous
An approach that combines time,
an algorithm and a unique
identifier to strengthen overall
cryptographic value
Warranty
Covers each RSA token for
the entire life of the device

18
SID 700
Known as a ‘Key Fob’ token
Simply read the changing number on the display
Robust design, built to survive harshest conditions
▪ Rigorously tested to be the industry's highest quality token
RSA’s most popular hardware token
EZ-View Display (SID700)

19
WHAT’S INSIDE OF A HARDWARE TOKEN (SID 700)
Coin cell 3V
Lithium ion
battery
Display
• Time crystal (clock)
• Microprocessor
• Microcontroller
• Epoxy filling
• Case
Creates a “tamper-evident” authentication device

20
A PLANNED LIFETIME
1. Hardware tokens are built with an assigned life
2. Range from 24 mths up to 60 mths
(depends on token type and system software release)
3. The most commonly purchased token is the 36 month SID 700
4. A pre-expiring shelf life enables customers to budget and plan token rotations
5. In most cases, the expiration date is stamped on the back of the token

21
HOW WE DO IT BETTER – SID 700
Designed to Last
− Ultrasonic welded case
− Epoxy filled
− Beveled LCD display
− Anti-shock foam
 Rigorously Tested
– Over 20 tests performed; including:
High / Low Temperature
Temperature Cycling
High Humidity
Mechanical Shock & Vibration
Drop Test
Electrostatic Discharge (ESD)
Radiated Immunity (EMI)
Radiated Susceptibility
Radiated Emissions
X-ray
Altitude Testing
Accelerated Life Testing
Cert Testing: UL / FCC / CE
• 40+ million actively in use
• 8 yrs in the marketplace
• Only 0.05% in field failures

22
SID 800
Known as the ‘Hybrid Token’
SecurID & PKI in a single multi-purpose authenticator
Supports one time password (OTP), digital certificate, and password credentials
— Auto login to Windows Domain or other applications
Maintains traditional anywhere, anytime access
— Read token code from display
Provides OTP auto-entry for ease of use
— No need to type in the OTP, just insert the device into the USB port
Provides support for file and full disk encryption
— Prevent data breach from stolen laptops

23
Digital Certs
SecurID OTP
Passwords
VPN/Wireless
File/Disk
Encryption
Email
Signing
Web/App
Auth
PC/Domain
Auth
Multiple Credentials…
Multiple Applications…
One Seamless End User Experience
SID 800: MULTI-AUTHENTICATOR IN ONE

24
SID 800: COMPONENTS IN PLAY
• Display SID800 OTP
• No software seed record provisioning necessary, uses SID 800
• ADA compliance with JAWS screen reader
• Desktop API authenticator extends SID800 OTP access (Windows login, VPN login,
etc…)
Desktop
Authenticator
(Windows Only)
• RSA Authentication Client (RAC) aka “Middleware”
• Manage smartcard PIN, certificates and credentials
• Display SID 800 OTPRAC
• Seed record on device
• Display OTP
• Smartcard in device
• Stores Digital Certificates
• Stores Password Credentials
SID 800

25
HOW WE DO IT BETTER- SID 800
Insert token and enter PIN to…
▪ Authenticate to the PC/laptop
▪ Unlock an encrypted hard drive
▪ Establish a secure network connection to a VPN or
wireless access point
▪ Authenticate to the corporate domain
▪ Access secure applications and web sites
▪ Authenticate to remote PCs or terminal servers
▪ Encrypt sensitive documents and files
▪ Sign and encrypt emails
Remove the token to…
▪ Lock down or log off from the PC/laptop

26
SOFTWARE AUTHENTICATORS

27
TODAY: ANY USER, ANY DEVICE, ANYWHERE
Server
Applications
Cloud
Applications
Remote Managed
Device
BYOD
Inside the
Network
Network
VPN
Virtual Desktop
Mobile Apps
Web Browser
External and Temporary
Users
Unmanaged
Devices
Uncontrolled
Access Points
Information in Public Cloud and
Hosted Applications
Employees
Contractors
Partners
Customers

28
RSA SECURID SOFTWARE AUTHENTICATORS
RSA SecurID Mobile SDK
Desktop Tokens
Mobile Phones and Tablets

29
RSA SOFTWARE AUTHENTICATORS
• Transforms devices your users
already own and carry into
SecurID tokens
• Reduces frequency of lost or
forgotten tokens
• Eliminates the “token necklace”
problem
• Removes hurdle of end user
acceptance of two-factor
authentication
• Eliminates the need to inventory
additional tokens
• Simplifies deployment process
• Decreases support calls for lost
or forgotten tokens
• Lower TCO than hardware tokens
• Leverages investment in existing
hardware
• Expand strong auth. to
applications accessed by
partners and customers
• Provides an easy and convenient
mass deployment option
• Enhances confidence to offer
more self-service options to
customers and partners.
Convenience Value Expansion

30
TWO COMPONENTS OF A SOFTWARE TOKEN
OS-specific application downloaded from
RSA.com or app stores
Must be installed first on a user’s device
before provisioning occurs
Application/Token Container
+
Customer Token Record
(Seed Record)
• Purchased from RSA (SID 820)
• Provisioned by admin to the user’s
device

31
SOFTWARE TOKEN DEPLOYMENT OPTIONS
SDTID
• File Based Token Delivery
• Devices must support email
attachment import
• Supported Form Factors
• Mobile Tokens
• Desktop Tokens
CTF String
• Text Based Token Delivery
• Generated by Token
Converter or AM 8.x
• Converts SDTID file into
compressed token format
(CTF) string
• Alternative to file
attachments
• Supports Android, iOS and
Windows Phone Mobile
Devices
CT-KIP
• Dynamically Provisioned
Tokens
• Requires CT-KIP Server
• Recommended Provisioning
Method
• Supported on AM 7.1 & 8.x
• Supported Devices include
Mobile and Desktop Tokens
QR Code
•CTF or CT-KIP encoded QR
Code
•Allows option to provision
without needing email
•QR Code generated via AM
8.1 SP1 SSC, AM Prime,
Token Converter, 3rd party
QR Code generator
•Supports Android & iOS
Devices
Basic Use Case Use only as
Required
Recommended

32
Out-of-Band Activation Code
via Secure Email Channel
SecurID Admin
Mobile Device User
• Secure “over-the-wire” provisioning
• No Token Record to Intercept
• Activation Code is only valid once
• Add Device Binding for Additional Security
Click CT-KIP URL with
Activation Code
CT-KIP Server CT-KIP URL to Mobile
Device
CT-KIP DYNAMIC PROVISIONING

33
QR CODE PROVISIONING
 QR Code Provisioning of Software Tokens will
reduce provisioning time and costs by 80%
 Increase user self-service
 Eliminates “email” to End User Mobile Device
 Eliminate help desk calls
 Streamline the provisioning process with
fewer, intuitive steps. Point & click.
 QR codes are becoming more accepted by end
users
 Software tokens are “QR Code Ready” (iOS and
Android)

34
RSA SECURID SOFTWARE TOKEN SECURITY
• Server Side Attribute
• Validates the Mobile Device
• Token Record cannot be imported to another device
• Augment with OOB password to validate the user
Device Binding
• Client Side Security feature on import
• Device biometrics used to unlock the token database for each use
• Token will not function on a device without matching device biometrics
Copy Protection
•Software Token does not store the PIN in permanent memory
•The PIN cannot be brute forced
• Something you and your mobile device know is not two-factor
• The PIN does not unlock a valid passcode
Something you Know

35
RSA DESKTOP TOKENS
Authenticator on the Desktop
Desktop Authenticator
IE Toolbar (Win)

36
Software Development Kit (SDK) for mobile apps
▪ Includes sample application, documentation and library for embedding
functionality in mobile apps
▪ Available free of charge for RSA customers and RSA Secured
partners
Developers can choose from the following functionality
▪ SecurID OTP Module
− Import software tokens, generate OTP
− User visible or invisible OTP
SDK: ENABLING STRONG AUTH FOR MOBILE APPS
RSA Mobile Authentication SDKs

37
RISK-BASED AUTHENTICATION

38
So what does RBA actually mean….
Risk-based authentication (RBA) identifies potentially risky or fraudulent authentication attempts by silently analysing
user behaviour and the device of origin. RBA strengthens RSA SecurID authentication and traditional password-
based authentication. If the assessed risk is unacceptable, the user is challenged to further confirm his or her identity
by using one of the following methods:
• On-demand authentication (ODA). The user must correctly enter a PIN and a one-time token code that is
sent to a preconfigured mobile phone number or e-mail account.
• Security questions. The user must correctly answer one or more security questions. Correct answers to
questions can be configured on the Self-Service Console or during authentication when silent collection is
enabled.

39
How it works
RISK-BASED AUTHENTICATION
Web Browser
Protected
Resources
Identity
Challenge
?
On-Demand
Tokencode
Challenge
Questions
PASS
User
Behavior
FAIL
Access Denied
OWA
SharePoint
SSL VPN
Web Portals
PASS
RISKY
Authentication
Policy
Assurance
Level
RSA
Risk Engine
Activity Details
Device
Fingerprint
Network
Forensics
Device Token
Profile Relative Velocity
Device
Identification

40
Strengthens traditional password
authentication by silently applying risk-
based analytics
− Is the user authenticating from a
known device?
− Does the user’s behavior match
known characteristics?
Risky authentication attempts require
additional validation
− Security Questions
− On-Demand Authentication
RISK-BASED AUTHENTICATION (RBA)
1
3
2
4
1
2
3
4
1st Factor: Something you KNOW
2nd Factor: Something you HAVE
3rd Factor: Something you DO
Step-Up : Something you KNOW or HAVE

41
Proven sophisticated risk engine
− Same risk engine as Adaptive Auth
− Protects 350+ million online identities
Optimized for Enterprise use cases
− Optimized for: Network Security vs. Fraud
Mitigation
− Predictable: Use case vs. challenge rate
− Simplified: Assurance levels vs. risk scoring
Self tuning risk model adapts to each customer
environment
− Common device characteristics are de-prioritized
in the risk score
− Suspicious behavior is based on norms for the
overall user population
THE RSA RISK ENGINE
RSA Risk Engine

42
ON-DEMAND AUTHENTICATION
Bundled with RBA License
Utilise SMS or Email
Customizable Message
Configurable Validity
Contractors, Vendors, Backup Authenticator

43
AM WEB TIER

44
AM WEB TIER
Lightweight application installed in the DMZ that hosts services exposed to the Internet
▪ Enables secure deployment of
− RBA
− Self-Service
− CT-KIP (Cryptographic Key Initialization Protocol)
Above services require a web tier for the following reasons
− Blocks Internet access to the Security Console
− Allows customization of the RBA/Self-Service logon pages
− Up to 16 web tiers

45
AUTHENTICATION MANAGER ARCHITECTURE

46
AM ONLY ARCHITECTURE
For Critical Infrastructure
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• SecurID Protocol
• REST API
Authentication Methods
• Push
• Device Biometrics
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• RBA/On-Demand Token
• Identity Confidence
• SSO
Risk Level
• User
• Resource
• Context

47
AGENTS

48
WHAT IS AN AGENT?
A SecurID agent is installed or embedded on an access point (VPN, Web Site, Server)
that accepts credentials from an end user (Username + Passcode) and directs them to
Authentication Manager.
1. Native (RSA Partner Program)
2. Downloadable (RSA Owned)
3. RADIUS
4. SDK (until 8.3, Now Rest API)
Agent Options

49
WHAT DOES AN AGENT DO?
Trust
▪ Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user
impersonating the agent or a Server.
Authentication
▪ Intercept access attempts
▪ Collect Credentials
▪ Verify with Server
▪ Provide (or deny) access
▪ Single Sign On
▪ Support for New Pin Mode, Next Token Mode
How do I know if a resource can be protected by SecurID? www.rsasecured.com
▪ Search by product or vendor
▪ Ex. Cisco ASA
▪ Displays RSA and 3rd Party owned Agents

50
RSA SECURED® PARTNER PROGRAM (NATIVE)
Out-of-the-box interoperability and
documentation for 400+ partner
applications
Reduce integration costs
Ensure interoperability through stringent
certification program
Compatibility maintained through
integration updates
Fully supported by RSA and its partners

51
Features:
• Next Generation SecurID Agents
Benefits:
• Agent connects to RSA SecurID Access AM Server
or Cloud Authentication Service
• More Authentication Options: (Push to Approve,
Fingerprint, Windows Hello, etc…)
• Stronger Security / Cryptographic Algorithms (FIPS
compliant is target plan)
• Connect via REST (TCP) instead of UDP
• IPv6
• Agent Reporting
F o o t e r
Authentication
Manager
Cloud Authentication
Service
1. PAM v8.1
2. ADFS
3. MFA AGENT (Windows)
4. Web
5. Citrix Storefront
NOTE: GEN II agents developed in parallel by the Agent
Team with close collaboration with AM Teams
GEN II SecurID Agents

52
RSA LINK SOLUTION GALLERY
Search all
solutions
https://community.rsa.
com/community/produ
cts/rsa-ready

53
DOWNLOADABLE (RSA OWNED)
Some agents are owned by RSA Agents to provide tighter integration
Assures integration is always up to date
Windows/PAM Agent
▪ Protects Windows/Linux logon
− Servers, Laptops, RDP, Terminal Services…
▪ Offline Authentication available
IIS/Apache Agent
▪ Protects websites served by these 2 web servers
▪ Exchange/Sharepoint protection available (IIS only)
▪ Optional RBA support available!

54
RADIUS

55
WHAT IS RADIUS?
• Remote Authentication Dial-In User Service
• Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables
remote access servers to communicate with a central server to authenticate dial-in users and authorize their
access to the requested system or service.

56
RADIUS CLIENT
A RADIUS client is any device that supports the RADIUS protocol
Are typically network endpoint devices such as
▪ Network Access Server (NAS)
▪ Firewall
▪ 802.1x Access Point
▪ VPN Server
▪ Web Server
Serves as the gateway to the network
▪ Provides the interface for user interaction (credential input, etc)

57
WHY IS RADIUS IMPORTANT?
• An industry standard for authentication
- Numerous network access products are enabled for RADIUS
- Supports a wide variety of authenticators
• OTP Tokens
• Challenge/Response
• Passwords
• Certificates
• Ability to integrate with other authentication services
- RADIUS Accounting, Access Control and Authentication can be proxied to other systems (such as
AM or Windows AD)
• Used in about 2/3 of SecurID deployments

58
• The Authentication Agent SDK enables applications to authenticate via the RSA SecurID protocol.
• Supports the Java and C programming languages (the C library can also be utilized in a .NET
environment as unmanaged code).
• This SDK can perform SecurID authentication with Authentication Manager versions 5.x, 6.x, 7.1, 8.x.
SDK – SOFTWARE DEVELOPMENT KIT

59
REST API
• A REST API defines a set of functions which developers can perform requests and receive
responses via HTTP protocols.
• Because REST API’s use HTTP, they can be used by practically any programming language.

60
RSA SecurID Authentication API is a REST API for developers who want to build clients that send
authentication requests to RSA SecurID Access, either through the RSA Authentication Manager server,
the Cloud Authentication Service, or both.
https://community.rsa.com/docs/DOC-75741

61
C O N F I D E N T I A L
Benefits of REST API:
REST is simple.
➢ other APIs have to follow a lot of rules that make them challenging to use. In practice, this
formality, power, and flexibility generally gets in the way of doing what you want to do,
costs a lot more to implement and maintain, and is generally more trouble than it's worth.
REST is "of the web".
➢ Not only does REST assume HTTP but it adopts all of the well understood mechanisms
of HTTP. A web app developer can be very productive very fast -- both creating and
consuming these APIs -- because it just like working with a web page.
JSON which is the native data format for JavaScript, the language in all of our web
browsers... thus it's a more web-centric approach.
REST is object centric not message centric.
➢ REST wants you to focus on the THINGS in your application With REST, you can only do
four things GET, POST, PUT, and DELETE. In practice that covers about 90% of what
you want to do.

62
REVIEW - WHAT DOES AN AGENT DO?
Trust
− Mechanism to allow mutual trust between Agent and Server. Protection from a malicious user
impersonating the agent or a Server.
Authentication
− Intercept access attempts
− Collect Credentials
− Verify with Server
− Provide (or deny) access
How do I know if a resource can be protected by SecurID? www.rsasecured.com
− Search by product or vendor
− Ex. Cisco ASA
− Displays RSA and 3rd Party owned Agents

63
VIRTUAL & PHYSICAL APPLIANCE
Virtual Appliance
Deployable in 10-20 minutes
Hardened Security Profile to meet EMC/RSA
compliance
Hardened SUSE OS
Support for VMWare & Hyper-V
Physical Appliance
• Model A130 & A250 (Redundancy)
• Same or Cross Platform Migration
• SNMP Hardware MIB
• Deployable in 10-20 minutes
• Hardened Security Profile to meet EMC/RSA
compliance
• Remote Factory Reset
Optimised Deployments: Mix & Max Between Virtual / Hardware Appliance
Simple, Secure
deployment
Standards-based
Platforms
Lower Deployment
Costs

64
CONSOLES IN AM

65
SECURITY CONSOLE
65
• Main administrative interface
• Manage users, groups, tokens, agents, policies
• Generate reports, configure admin roles and system settings

66
OPERATIONS CONSOLE
66

67
SELF-SERVICE CONSOLE
67
• Base License – Basic Self-Service
• Enterprise License – Workflow Provisioning

68
PRIMARY AND REPLICA’S

69
A primary is the main “instance” of the
RSA Authentication Manager
deployment
It is the master database hub
The primary is where the administration
functions are performed – “Read-
Write”
There is only 1 primary in a deployment
PRIMARY AND REPLICAS

70
Used for accepting authentication
requests and providing backup
capabilities
Can be multiple, up to 15
Synchronized database copy
Can become the primary in a planned
or unplanned scenario in a process
called ‘Promotion’
Read-Only
REPLICAS

71
JOURNEY TO THE CLOUD

72
SecurID Protocol
-OR-
RADIUS
REST API
SAML
WS-Fed
Etc.
AM IDR

73
C ON VEN IEN T & SEC U R E A C C ESS IN A W OR LD W ITH OU T B OU N D A R IES
RSA SECURID ACCESS
The Gold Standard
for Strong Authentication
The Next-Generation
of Identity Assurance
• Trusted by 25,000+ Enterprises
• More than 50 million active users
• 500+ certified technology partners
• Dynamic risk-based Identity Assurance
• Mobile MFA: Push, OTP, biometrics & more
• Any application: on-premises or in the cloud
• SaaS delivery, subscription pricing

74
CONNECT TO ANYTHING
Centralised
Access
Policies
SaaS
Applications
Traditional/on-premise
Applications (400+ RSA
SecurID integrations)
Web
Applications
Mobile
Applications
(SAML-Enabled)

75
75
PROTECT CLOUD APPS AND CONTROL ACCESS WITH SSO
Centralized
Access
Policies
SaaS
Applications
Traditional/on-premise
Applications (400+ RSA SecurID
integrations)
Mobile Applications
(SAML-Enabled)
SecurID Tokencode
Pull down to check for
authentication
3905 0001

76
FROM ANYWHERE
Optimise
Security &
Convenience
At Work
Remote
On Mobile

77
THE RSA DIFFERENCE: A HYBRID APPROACH
• A secure approach to
supporting on-prem
applications
• Sensitive user & org
information remains on-
premises
• Active Directory passwords
are NEVER sent to cloud
• Dedicated runtime not shared
with other tenants
Web
Reverse Proxy
Active Directory
/LDAP
Authentication
Manager 8.x
Identity Router
SecurID Access
App Portal

78
RSA SECURID ACCESS ARCHITECTURE

79
Next Generation Authentication
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context
IDR ONLY ARCHITECTURE

80
FULL HYBRID ARCHITECTURE
Maximum Flexibility
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context

81
CLOUD IDP ARCHITECTURE
Lightweight Requirements
Resources
• SAML
• Http-Federation
• Trusted Headers
• RADIUS
• REST API
• Push
• OTP
• Voice/SMS
• FIDO
• Soft Token
• Hard Token
• SSO
Risk Level
• User
• Resource
• Context

82
SECURID ACCESS
USER CASES

83
5 ACCESS USE CASES FOR THAT NEED 2FA/MFA
C L O U D A P P S D I G I TA L
W O R K S PA C E S
N E X T- G E N
F I R E WA L L
P R I V I L E G E D
A C C O U N T S
V P N

84
VPN

85



MFA for VPN
▪ Something you have and know
▪ High-level of security
▪ Always on and available
▪ Broadest number of use scenarios
VPN
Remote Access (VPN)
▪ Remote access is critical for today’s
distributed and mobile workforce
▪ Passwords are easily compromised
and used in attacks
Mobile MFA for VPN
▪ Offer smartphone-based options
▪ Provide users with more choices
▪ Streamline user provisioning
▪ Apply auth method based on risk
Machine Learning
Risk-based Analytics

86
PRIVILEGED
ACCESS MGMT
+ MFA
Password Vault
▪ Automatically rotates and controls
access to privileged account
passwords
▪ Defaults to password-level security for
access
▪ Very attractive target for attackers
Multi-factor Authentication
▪ Protect front door access to PAM
solutions and other privileged accounts
▪ Offer a broad set of authenticators
▪ Use machine learning risk analytics to
increase security and reduce friction
▪ Secure cloud admin tools like AWS and
Azure management consoles


Machine Learning
Risk-based Analytics

87
CLOUD CREATES NEW CHALLENGES
creates gaps between
“islands of identity”
LIMITED VISIBILITY
that’s convenient to any
cloud app from any device
AN YTIME AC C ESS
are easy to compromise
and reuse undetected
PASSW OR D S
12345678
!

88
SECURING ACCESS TO CLOUD APPLICATIONS
MU LTIFAC TOR
AU TH EN TIC ATION
• Give users choice and convenience
with a broad set of MFA options
• Bridge islands of identity, and limit
multi-vendor costs with one
authentication platform
• Eliminate user friction and preserve
the cloud simple UX with risk based
analytics
• Provide a consistent experience for
on-prem and cloud apps

89
89
4
Palo Alto requests
identity assurance from
RSA (SAML, RADIUS
or API)
6
ID verified
5
RSA challenges user
User
3
Palo Alto prompts user
for MFA
1
Access application
Palo Alto Networks
Next-Gen Firewall
7
Access granted
2
Check policy
Multi-factor
authentication methods
APP SERVER
IOT DEVICES
ISOLATED NETWORK
ENFORCE MFA
AT THE
FIREWALL
Next-Gen Firewall + MFA
▪ Mitigate identity risk with a multi-layer
approach to secure access
▪ Save time and money deploying multi-
factor authentication by avoiding the
need to modify applications
▪ Increase security and reduce user
friction with machine learning risk
analytics and mobile authentication
methods
▪ Bridge islands of identity across
custom apps, IoT devices and isolated
networks
▪ Provide security and convenience by
challenging users according to the
level of risk

90
MULTI-FACTOR
AUTHENTICATION
DIGITAL
WORKSPACES
+ MFA
Application
Mgmt
Endpoint
Mgmt
User
Mgmt
Application and Device Management
▪ Delivers cloud-based, on-prem and
virtual applications
▪ Supports BYOD and corporate owned
device models
▪ Provides consumer-simple SSO
Multi-factor Authentication
▪ Protect front door access to digital
workspace SSO portal
▪ Offer a broad set of authenticators
▪ Step up authentication to individual
apps based on the level of risk.
▪ Use machine learning risk analytics to
increase security and reduce friction

91
AUTHENTICATORS

92
Traditional Authenticators
RSA SECURID TOKENS
Software Token
Hardware Token

93
RSA SECURID®
AUTHENTICATE
Approve Software TokenDevice Biometrics
Enhanced Authenticators

94
RSA SECURID
AUTHENTICATE

95
RSA SECURID
AUTHENTICATE

96
RSA SECURID
AUTHENTICATE

97
RSA SECURID
SOFTWARE
TOKEN

98
• MyPage
• RSA Hosted Self-Service
• QR Code and Activation code
• just like SW Token
MFA ENROLMENT

99
SECURID APP – MOBILE MFA
R S A A u t h S o l u t i o n s
SecurID Tokencode
Pull down to check for authentication
3905 0001
Provisionless
OTP (Token)
Push Notification
(1 tap approve)
Touch ID
(fingerprint)
FINGERPRINT
SKIP TO TOKEN
Face ID
(iPhone X)

100
FIDO Tokens – A standard (U2F) for a specific type of hardware token from any supporting vendor.
E.g. Yubikey. (* Fully supported but not sold by RSA)
SMS / Robocall Option – for non-smartphone users (* extra licence cost)
Full Support for Traditional Tokens – keep existing fleet or leverage traditional HW or SW token

101
“CHAINING” AUTH METHODS
SecurID Tokencode
Pull down to check for
authentication
3905 0001
FINGERPR
INT
SKIP
TO
TOKEN
You can chain almost any combination of 2 methods to provide
Higher Assurance
of a user’s identity when they access something

102
Device Registration
SECURID ACCESS USER EXPERIENCE
Approve PIN protection Fingerprint
sp45
sp41

103
RSA SECURID ACCESS
AUTHENTICATION SYSTEM
The Platform

104
RSA SECURID ACCESS
User
Resource
Traditional Identity Assurance

105
RSA SECURID ACCESS
Resource
User

106
RSA SECURID ACCESS
Granted
Resource
User

107
RSA SECURID ACCESS Denied
Resource
User

108
RSA SECURID ACCESS
Resource
Seamless Identity Assurance
User
Risk Level
User
❑ Admin
❑ Executive
❑ Worker
Resource
❑ I.P. Data
❑ Classified
❑ Public
Context
❑ Network
❑ Location
❑ Behavior
❑ Country
❑ Agent
❑ Browser

109
RSA SECURID ACCESS
Granted
Resource
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P. Data
❑ Classified
✓ Public
Context
✓ Network
✓ Location
✓ Behavior
✓ Country
✓ Agent
✓ Browser
Risk Level

110
RSA SECURID ACCESS
Step-Up
‒ Token
‒ Biometric
‒ Push
Resource
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P. Data
❑ Classified
✓ Public
Context
× Network
× Location
✓ Behavior
✓ Country
✓ Agent
✓ Browser
Risk Level

111
RSA SECURID ACCESS Denied
Resource
User User
❑ Admin
❑ Executive
✓ Worker
Resource
❑ I.P. Data
× Classified
❑ Public
Context
× Network
× Location
× Behavior
× Country
× Agent
× Browser
Risk Level

112
RSA SECURID ACCESS
Step-Up
‒ Token
‒ Biometric
‒ Push
Denied
Granted
Resource
User
Risk Level
User
❑ Admin
❑ Executive
❑ Worker
Resource
❑ I.P. Data
❑ Classified
❑ Public
Context
❑ Network
❑ Location
❑ Behavior
❑ Country
❑ Agent
❑ Browser

113
Risk-based Authentication
Access in context
RISK RISKYPASS DENY
Device AppRole Location Behavior
MACHINE
LEARNING
Pervasive MFA
Certified and supported
CRITICAL SECURE ACCESS CAPABILITIES
Modern MFA Methods
Easy & convenient
Push Mobile OTP Biometrics Text Msg Voice Call
ProximityHW Token WearablesSW Token FIDO
Assurance Levels
Challenge according to the level of risk
Security
Risk

114
Network
Session AppDevice
Role
RISKY
PASS
Location
Static User and
Context Rules
Deny
Behavior-based
Confidence
INTELLIGENCE DRIVEN IDENTITY ASSURANCE
Approve Tokencode RSA SecurID
FIDOEyeprint IDFingerprint
Location
Time
App
Network
Device
Access
Pattern

115
Time
• Is this a normal access time
• Is this a weekend
HOW WE DETERMINE IDENTITY CONFIDENCE
Application
• Is this a common or uncommon application for the user
Device
• Is this a recognized device for this user
• A user account is being used simultaneously on more than one device
• Device language settings
Access patterns
• High authentication velocity: user authenticates unsuccessfully many times quickly
• Multiple users are authenticating from the same IP
Location
• Physical location of a user (estimated from HTML5 and IP Geolocation)

116

117

118

119

120
I N T E R N A L O N L Y
MARKET OVERVIEW – SECURID SUITE
Customer Profile:
• Size: SMB to global enterprise
• Industries: All verticals
• Protect applications & access from on-premise to cloud with convenient yet secure MFA
Customer problems:
• Need to protect cloud apps with more than just username & password with convenient yet secure MFA
• Next generation authentication required to allow for secure but convenient authentication
• Need to meet audit or regulatory controls for user access management
Questions to ask:
• How do you protect cloud-based apps
• Do you have islands of identity (uncontrolled SaaS services)
• What would happen if you were breached via a cloud app
• Are you failing any security audits or regulatory compliance
around access management
Things to listen for:
• Two-factor authentication or multi-factor authentication
• Gain control
• Gain visibility to who has access to what

121
121
Security Sensitive
High Touch
Low Touch
Convenience Driven
PROFILE / MATURITY
SIZE / COMPLEXITY
THE FOUR KEY CUSTOMER CONVERSATIONS
Modern Authentication
Ensure seamless user access to critical resources with MFA options that are securely managed,
aligned to risk, work uniformly from ground-to-cloud and are adaptable to any situation or need
Identity Assurance
Mitigate risk and ensure the highest levels of identity assurance for
sensitive use cases while further reducing sources of friction that can
inhibit end user productivity
Enterprise Grade
Provide best-in-class support for complex environments, diverse
user populations and custom tools & workflows with enterprise
grade reliability, performance & scale
Journey to the Cloud
Enable customers to take that “next step” in their journey to
the cloud with minimal friction and with options aligned to
their individual risk tolerance, timing and phase of maturity
R S A C O N F I D E N T I A L . I N T E R N A L U S E O N L Y

122
122
Compliance
I face ongoing compliance regulations and
internal policies that I must adhere to for strong
auth.
Prevent Fraud
I am fighting malware such as Trojans and don’t trust
my end users (or their PCs). How, I have to trust them
due to both business & regulatory reasons!
Enable Mobility
It is difficult to cost-effectively and accurately manage
auth for multiple types of remote workers and multiple
apps
Enterprise Authentication
Secure Access
I am planning to shift my auth and IT infrastructure to
the cloud to lower costs and ease admin burden.
CUSTOMER CHALLENGES: FOUR MAIN DRIVERS

123
RSA SECURID
COMPETITIVE INTEL

CONFIDENTIAL
• Microsoft
• Gemalto
• Duo

CONFIDENTIAL
• Microsoft offers two options for MFA: Microsoft MFA for Office 365, or MFA
capabilities built into Microsoft Azure Active Directory Premium.
• Authentication is assigned for all the apps or none of the apps.
• One authentication option for when users are offline.
• Microsoft offers just one option for user cases where mobile phones are prohibited
or mobile service is unreliable
Microsoft MFA

CONFIDENTIAL
What you should know
SecurID vs Microsoft :
• The organisation has both on-premise and cloud user cases
• The organisation has a security-first mindset and understands the need for
Identity Assurance.
• The organisation needs at least some hardware or desktop, software tokens

CONFIDENTIAL
Gemalto
• Safenet Authentication Manager (SAM) with OTP, certificate-based and software
authentication options.
• Safenet Authentication Service delivered from SafeNet cloud with token options,
as well as mobile.
• SafeNet Trusted Access provides authentication for SaaS based applications and
SSO.
• Does not offer Identity Governance and Lifecycle

CONFIDENTIAL
Questions customers should ask Gemalto?
• How can l be confident your roadmap will align to our future authentication and
identity management needs?
• Will Thales acquisition of Gemalto change your roadmap, your structure or your
position in the access and identity management market (IAM)?

CONFIDENTIAL
DUO
• Limited capability in supplying rich contextual and user behaviour analysis
• DUO uses partners to support Governance and Lifecycle Management
• No stand-alone on-premises deployment option
• MFA capability
• Endpoint visibility

CONFIDENTIAL
• What is the largest deployment size that can be supported by DUO Trusted
Access?
• Can l Deploy DUO without requiring an on-premises component?
Questions customers should ask DUO?

CONFIDENTIAL
• Customized Authentication methods based on application assurance levels.
• Support for Offline Authentication.
• Solution for situations were smartphones cant be used.
• Strong Identity Assurance
• RSA Ready Program
• Optional On-Premises Deployment

133
RSA SECURID ACCESS
LICENSING
Product Packaging

134
RSA SECURID
ACCESS:
BASE
Future Proofing Platform
• Advanced Policies
• Authentication Context
• HA/Failover
• AMBA
• SSO Portal
• Token Based Authentication (Hard/Soft/ODA)
• Enhanced Authenticators (Authenticate/FIDO)
• RADIUS/SID Protocol Support
• SAML/HTTP Fed/Trusted Headers Support
• IP Address Contextual Authentication

135
High Availability and Bulk Token Deployment
• HA/Failover
• AMBA
• SSO Portal
RSA SECURID
ACCESS:
ENTERPRISE

136
RSA SECURID
ACCESS:
PREMIUM
Next Generation Authentication
• HA/Failover
• AMBA
• SSO Portal

137
Demo Time!

138
AUTHENTICATION MANAGER 8.4
138

139
SOME FACTS
• Host RSA Authentication Manager 8.4 in the Microsoft Azure cloud
• AM 8.4 Cloud Value
• Upgrade Path to AM 8.4
139

140
AUTHENTICATION MANAGER 8.4 P4

141
PATCH 4 UPDATES
• AM 8.4 Patch 4 allows you to connect RSA Authentication Manager to the Cloud Authentication Service and
quickly roll out modern MFA to your users.
• You do not need to replace or update your existing agents
• Security Console wizard to configure the connection and invite users to authenticate to the Cloud.

142
CONFIDENTIAL
AM 8.4 AM 8.4 P4 Comments
IDR deployment and CAS*
connection
Needed Needed Needed for CAS user sync
IDR connection in AM Needed Available/Optional Supports
Authenticate Tokencode
Connect to CAS* Not Available Available Supports
Authenticate Tokencode
PIN+Approve
Authenticate Tokencode Supported Supported Supported in
IDR
Connect to CAS
PIN + Approve** Not Supported Supported Only for Connect to CAS
CONNECT TO CLOUD DEMYSTIFIED
*CAS - Cloud Authentication Service
**Details discussed in next slides

143
JOURNEY TO CLOUD
Authentication Manager 8.4 Patch 4
CONFIDENTIAL

Authentication
Agents
SecurID Access
Authentication
Manager
User
RSA SecurID
Software
Tokens
RSA SecurID
Hardware
Tokens
Authenticate App
Token
IDR
Approve

145
CONFIDENTIAL
✓ Enabling seamless one-time Configure the Cloud Connection
✓ Ability to Invite users to enroll for MFA
✓ Expand Authentication Methods to support Mobile MFA (PIN + Approve)
✓ Support for Unified users dashboard for SecurID Access Users
✓ What happened to my IDR connection?
THE HOW

146
CONFIGURE THE CLOUD CONNECTION
CONFIDENTIAL

147

148

149

150

151
CONFIDENTIAL
ENABLE/DISABLE CLOUD AUTHENTICATION

152
CONFIDENTIAL
CLOUD AUTHENTICATION STATUS: ENABLED

153
INVITE USERS FOR MFA ENROLLMENT
CONFIDENTIAL

154
CONFIDENTIAL
✓ Cloud Authentication Service and Authentication Manager has to be connected to the same
identity source.
✓ Authentication Manager has to be connected to Cloud Authentication Service.
✓ SMTP service has to be configured in Authentication Manager.
PRE REQUISITES

155
ENABLE MFA WITH EXISTING AGENTS (PIN +
APPROVE)
CONFIDENTIAL

156
CONFIDENTIAL
As an existing SecurID customer, my users should be able to use
”existing PIN” + “Mobile MFA method Push to Approve”
versus using their Passcode to access existing applications (VPN, etc.).
REQUIREMENT

157
CONFIDENTIAL
✓ Authentication Manager has to be connected to Cloud Authentication Service.
✓ Cloud Authentication should be enabled in Authentication Manager
✓ Cloud Authentication Service and Authentication Manager are connected to same identity
source
✓ Policy must contain Approve.
✓ User has RSA SecurID Authenticate app registered with Cloud Authentication Service.
PRE REQUISITES

158
Thank You!

159
Any Questions?

RSA SecurID Access

More Related Content

What's hot

Similar to RSA SecurID Access

More from MarketingArrowECS_CZ

Recently uploaded

RSA SecurID Access