
RSA SECURID ACCESS

SIDFLIX SERIES:
ZERO TO HERO WITH SECURID

Craig Dore
Lead IAM Strategist – RSA APJ
Australia | New Zealand | SE Asia | India | Korea | Japan
craig.dore@rsa.com

Vinod Nair
Lead Presales Architect – RSA APJ
Australia | New Zealand | SE Asia | India | Korea | Japan
vinod.nair@rsa.com

 Internal Use - Confidential


STARRING

Craig Dore: Lead ID Strategist, APJ
Vinod Nair: Lead ID Architect, APJ

IN THE PREVIOUS EPISODE…
A Quick Recap


WHAT WAS COVERED…

TOKEN PROFILES Best Practices:
• Use “Over the Air” Provisioning!
OR
• Typically requires the RSA Web Tier Software
• The most secure way and automated method to distribute software tokens
• Provides Email or QR Code activation

SIEM and SNMP Best Practices:
• Use SIEM for security alerting and correlation
• Use SNMP for system health
• Use RSA for specific guidance
• Online Help is invaluable here

Quick Search and Dashboard Efficiency Tips:
• Click the ‘Home’ button and do a quick search for a user
• Dashboard is everything you need to manage / view user info
• The username at the top includes a fly-out menu for additional settings/assignment

The RSA Link Community. An amazing resource:
• Community forums – ask questions!
• Better yet, ANSWER QUESTIONS too! Are you an expert?
• Encourage your customers to use it
• Live Tech Support chat coming soon!


CONGRATS!

DOUBLE CONGRATS!

EPISODE 2:
What’s This Cloud and MFA Stuff?

AGENDA SIDFLIX EPISODE 2:
WHAT’S THIS CLOUD AND MFA STUFF?

• Introducing the SecurID Access Cloud Authentication Service
• What does the Cloud Service Do?
• Main Components
 o “MFA”
 o The Scary Sneaky Identity Router
 o Conditional Access Policies
 o Identity Sources
 o My Page – Self-service
 o The Risk Engine
• Tying it together
• And… what’s next?


LET’S HAVE A QUICK ‘SELLING’ CONVERSATION

Agnostic
• Not tied to a single technology stack
• RSA covers the ‘100%’ – users, applications, privileges and devices
• Zero-trust by default

Hybrid
• Deploy anywhere
• Resilient failover capabilities
• Provides coverage for cloud, VPN, perimeter and on-prem

Threat aware
• Risk-based and real time
• Combat insider threat
• 360° awareness – network, application and devices
• Provides a means to eliminate phishing


All SaaS users are mobile users

SOME STATS

“63% of breaches stemmed from compromised or stolen credentials”

“81% of breaches stemmed from compromised or stolen credentials”

“Stolen credentials / phishing remain the number one attack vector.”


RSA SECURID ACCESS – MODERN MFA

• Single MFA licence includes all of these MFA methods
 o Provisionless OTP (Token)
 o Push Notification (1 tap approve)
 o TouchID® / FaceID® (iPhone X+)
 o FIDO (U2F + Passwordless)
 o Samsung FP

REMEMBER THIS STUFF?

TOKEN PROFILES Best Practices:
• Use “Over the Air” Provisioning! CTKIP, blah blah…
• Typically requires the RSA Web Tier Software
OR
• The most secure way and automated method to distribute software tokens
• Provides Email or QR Code activation
• Needs profiles to specify distribution method, etc.

INSTANT ONBOARDING

User signs in. Scans QR. Done.


SECURID ACCESS CAPABILITIES

Pervasive MFA: Certified and supported
Risk and Context: Access and Machine Learning

MACHINE LEARNING: RISK → PASS, RISKY → DENY
Signals: Role, Device, Location, Behavior, App

Modern MFA Methods (Secure and Convenient):
• Push, Mobile OTP, Biometrics, Text Msg, Voice Call
• HW Token, SW Token, FIDO, Proximity, Wearables

Assurance Levels: Challenge according to the level of risk or privilege (from Risk to Security)

MFA to Secure VPNs
MFA to Secure Admins & Privileged Access
MFA to Secure Cloud Apps
MFA with Next Gen Firewalls (Palo Alto Networks)
Identity Assurance with VMware Workspace ONE

LET’S GET INTO IT
What does the Cloud Authentication Service provide?


CLOUD SERVICE SUMMARY

Modern MFA
• MFA App called SecurID Authenticate
 o Non-expiring soft token
 o Push-to-Approve
 o Biometric
• Desktop PC MFA
 o Windows 10 MFA Agent
 o MacOS MFA Agent (coming soon)
• HW FIDO Support (e.g. Yubikey), SW FIDO coming soon
• SMS Telephony (Voice/SMS OTP)
• Support for existing SecurID Token fleet (HW, SW, OnDemand)

INTEGRATIONS
• SAML v2 (IDR IDP)
• SAML v2 (Cloud IDP) (aka Federation or Relying party)
• RADIUS
• APIs (Auth, Event, Administration)
• Many direct-to-cloud RSA Agents (e.g. Citrix Storefront, Linux)

Risk and Policy Engine
• Real-time and automated machine learning engine
 o Looks at dozens of attributes, makes 1000 correlations for every access request
 o SIEM can be utilised to alert on high risk events
• Conditional access policies use any LDAP attribute, Network ranges, Geolocation, Country, Trusted Browser, Authentication Sources

Benefits
• Reduced on-premise footprint to manage
• Instant on-boarding of MFA and FIDO users
• Hugely flexible, hybrid with many points of redundancy
• Fits into Enterprise ecosystem (Apps, Monitoring, Helpdesk, SIEM, etc.)
• Patching is automated; Features added constantly


AUTHENTICATORS / APPLICATIONS

Authenticators:
• HW Token: SID700, SID800, SID900
• SW Token: iOS, Android, Windows, Mac OSX, SDK

Traditional OTP via Authentication Manager: Agent / RADIUS / SDK

Applications: Cloud, On-Prem, VPN, PAM, WAM, Desktop, VDI, Network Gateway, Legacy HTTP, ODA/RBA

500+ certified integrations. Thousands more supported through open standards.


BEST IDENTITY ASSURANCE PLATFORM

Dynamic Identity Confidence Scoring: Behavior, Location, Device, External
Policy & Context: Role, Application, Preference
RISK

AUTHENTICATORS
• Modern MFA: FIDO, Push, Proximity, Mobile OTP, Wearables, Biometrics, SMS, Voice Call
• Traditional OTP:
 o HW Token: SID700, SID800, SID900
 o SW Token: iOS, Android, Windows, Mac OSX, SDK
 o Authentication Manager: Agent / RADIUS / SDK

Cloud Authentication Service (SAML / WS-Fed / OIDC) and Identity Router

APPLICATIONS
• Cloud: SaaS, PaaS, IaaS, Web, Mobile
• On-Prem: VPN, PAM, WAM, Desktop, VDI, Network Gateway, Legacy HTTP, ODA/RBA

500+ certified integrations. Thousands more supported through open standards.


IDENTITY: A MULTI-FACETED BUSINESS ISSUE

• Cloud Adoption
• 3rd Party Trust
• Compliance
• Integration Costs (Time, complexity, resources)
• User Experience
• Operational Costs
• Business Agility
• ROI

LET’S GET DIRTY
(Technically speaking…)

WELCOME TO CLOUD!

OUR FIRST TIP!

YEAH, USE THAT.


FIRST STEPS.

Create more admins. Tips and Best Practices:
• Administrators cannot share the same email across multiple tenants
• Two Roles – Helpdesk and Super Admin – why only 2?
• Admin accounts are not inherited from Identity Source (LDAP) – why?
• Even APIs can have Administrator or Helpdesk privileges
• Be sure to enforce password change at first logon

Get the Identity Router Image. Tips and Best Practices:
• You’re not ready to install this yet…
• Requirements next slide

THE SCARY SNEAKY IDENTITY ROUTER
(Psst, it’s not so scary)


THE IDENTITY ROUTER

IDR: “Hi there! I’m Mr. Identity Router! My friends call me IDR for short!”
IDR: “I’m used to do a bunch of things, such as talking to the Cloud Service!”

THE IDENTITY ROUTER

IDR: “Hey Mr. Cloud Service! I see that you’re lonely up there. Want some users?”
Cloud Service: “Yum yum slurrrp. Mmm users. <belch> Gimme gimme gimme…”
IDR: “Hey Mr. Identity Store! Mind if I read some users from you?”
Identity Store: “Hey! Yeah dude, here you go!”
(Diagram labels: Hemlata, Enterprise Connector, Identity Store)

THE IDENTITY ROUTER

IDR: “Golly, that was fun! I just read 10,000 users. Mr. Cloud service was hungry!”
IDR: “So what else should I do today? Hmm…”


THE SNEAKY SCARY IDENTITY ROUTER

Core Features:

Enterprise Connector (Required)
• Synchronizes identities
• Sends passwords for validation

RADIUS Server (Optional)
• Responds to RADIUS requests
• Includes checklist attributes and return attributes

Single Sign-On Portal (SSO) (Optional)
• Protected applications can be displayed here
• Portal includes an IDR SAML IDP
• REST-based Custom Portal API available for full customization
• Integrates with an “Integrated Windows Authentication” plugin for MS IIS Webserver

Tips and Best Practices:
• For rapid prototyping or POC deployments, simply use the EC Mode and add the other features later
• Identity Router supports both single and dual NIC configurations. For the easiest path from zero to hero use the dual NIC configuration.


THE IDENTITY ROUTER CONT’D

Requirements

VMWare
• VMWare ESXi 5.5+ + VSphere
• Minimum Disk 54GB
• RAM 8GB (16GB for SSO)
• 4 x Virtual CPUs
• E1000 Virtual NIC (x2 for SSO)

Hyper-V
• Win 2012 R2 or Win 2016
• Minimum Disk 54GB
• RAM 8GB (16GB for SSO)
• 4 x Virtual CPUs
• Synthetic Net Adaptor (x2 for SSO)

AMI Machine Image
• Family Type: General Purpose
• Type: t2 Large
• vCPUs: 2
• Memory: 8GB

Amazon Cloud Environments
• Access to t2.large or better instance types
• Virtual Private Cloud with private and public subnets
• Route Tables, Security Groups, and Network ACLs that allow traffic between the identity router and all other components in your deployment
• DHCP Option Sets that specify all DNS servers required for your deployment
• Elastic IP addresses (if your organization manages its own DNS service)

Clusters:
• Clusters control which features are enabled
• Start with the default cluster and create more as needed
• Each cluster can contain 3 load balanced IDRs
• Can have up to 12 clusters, more than you’ll ever need


NETWORK REQUIREMENTS

• DNS (UDP 53): REQUIRED
 o Public DNS entry and Root-Signed Cert needed for SSO Deployments
 o Internal DNS entry recommended but not strictly required
• NTP (UDP 123): REQUIRED, most envs have one
• Syslog (UDP 514): Optional, but best practice
• LDAP Directory (TCP 636): REQUIRED
• Private Interface (TCP 443): For IDR Management GUI Access
* SSH for troubleshooting (TCP 22)
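An added pre-flight check for the ports listed above (example code, not RSA's), run from a host on the IDR's private network before the IDR is registered. Every hostname and address in it is a placeholder; the status rules (REQUIRED vs optional, UDP left unverified) follow the slide.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    name: str
    host: str
    port: int
    proto: str      # "tcp" or "udp"
    required: bool  # REQUIRED on the slide vs optional / best practice


# Placeholders for this example: substitute the deployment's own hosts.
REQUIREMENTS = [
    Requirement("DNS", "192.0.2.53", 53, "udp", True),
    Requirement("NTP", "ntp.example.internal", 123, "udp", True),
    Requirement("Syslog", "siem.example.internal", 514, "udp", False),
    Requirement("LDAP Directory", "ldap.example.internal", 636, "tcp", True),
    Requirement("IDR Management GUI", "idr.example.internal", 443, "tcp", True),
    Requirement("IDR SSH (troubleshooting)", "idr.example.internal", 22, "tcp", False),
]


def tcp_open(host, port, timeout=3.0, connect=socket.create_connection):
    """Complete a TCP handshake; a closed or filtered port raises OSError."""
    try:
        connect((host, port), timeout).close()
        return True
    except OSError:
        return False


def run_checks(reqs, resolve=socket.gethostbyname, connect=socket.create_connection):
    """Map each requirement to OK, FAIL (required and unreachable), WARN
    (optional and unreachable) or UNVERIFIED. UDP is connectionless, so a
    silent DNS/NTP/syslog target cannot be told apart from a blocked one:
    for those only name resolution is checked and the port is left for a
    manual test."""
    report = {}
    for r in reqs:
        try:
            addr = resolve(r.host)  # gethostbyname also accepts IP literals
        except OSError:
            report[r.name] = "FAIL" if r.required else "WARN"
            continue
        if r.proto == "udp":
            report[r.name] = "UNVERIFIED"
            continue
        reachable = tcp_open(addr, r.port, connect=connect)
        report[r.name] = "OK" if reachable else ("FAIL" if r.required else "WARN")
    return report


def ready(report):
    """True when nothing REQUIRED failed; WARN and UNVERIFIED still need a look."""
    return all(status != "FAIL" for status in report.values())


if __name__ == "__main__":
    result = run_checks(REQUIREMENTS)
    for name, status in result.items():
        print(f"{status:<10} {name}")
    print("ready to register the IDR" if ready(result) else "fix the FAILs first")
```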



LET’S GO.

• Username: idradmin
• Password (shh!): s1mp13

FRIENDLY WELCOME SCREEN.

• Enter - TAB - Data – Enter - TAB - F10!
• Don’t you dare forget to check this box.
• Management IP address & gateway.
• Did we say F10? Don’t forget F10!

Don’t forget to Commit!

Pay attention to what it tells you. You’re not done yet!

IDR ADMIN CONSOLE GUI
• Same U/PW as Console
• Bookmark this thing because:
 o It is where the IDR gets registered to the cloud tenant
 o Final networking config if needed
 o It contains log bundle download for troubleshooting


IDR ADMIN CONSOLE GUI
• Confirm network settings
• Can add a transparent proxy here if needed

CLOUD GUI
• Initiate a new IDR Setup in the Cloud GUI
• After config information is entered, a registration code is displayed.
• Save the following:
 o Registration Code
 o Authentication Service Domain

IDR MGT GUI
• Click “Connect Administration Console”
• Fill in the regcode and auth service domain
• Wait for victory.
• After the registration information is entered, a series of checks will progress and the registration process and post-checks will complete.
• Common trouble:
 o Connectivity
 o DNS Resolution
 o Do an SSH wget to the Auth URL from the IDR (same idradmin account)
 o (SSH needs to be enabled in Diagnostics)

Return to the Cloud GUI
• Scroll down and you will see the System Status area
• Allow ~10 minutes, ish-ish
• If you see the magic green circle you are up and running!


CONGRATS!

WHAT’S NEXT?
We’ve got the IDR, but we’re not cool quite yet.

• View detailed IDR status on the IDR page
• Notice we have some stuff left to do… (Identities)
• If Heartbeat is red… uh oh

One SUPER Important Tip

Blue is “new”

Green is “clean”


WE NEED IDENTITIES!

• Vinod to share screenie
• Common issues
 o Root DN
 o Bind ID
 o Email as username

• Mandatory


Victory!

OK NOW WE’RE ALMOST THERE
Policies!

Assurance Levels:
• High, Medium and Low Assurance
• Three buckets for MFA methods
• Up for debate which are high and low

Policies:
• Control how and when users auth
• Optionally filter the users that the rule applies to
• Access can be subject to further conditions or rules based on attributes such as:
 o Geolocation
 o Trusted Networks
 o Country
 o Trusted Browser
 o Identity Confidence
 o High Risk User
• Policies can have a lot of rules, but simple is better
• Finally, the policy can make the user’s access subject to step-up authentication based on Assurance Levels!


My Page Self-Service
• A 1-stop shop for MFA and FIDO activation
• Head to Platform > My Page
• We will configure with our new Policy, just for test purposes

LET’S ENROLL A USER WITH MFA
Using... a Policy!

‘MY PAGE’ SELF-SERVICE APP ACTIVATION

• Pay attention! Go to GOOGLE PLAY or Apple Store and get: RSA SecurID Authenticate
• Automated: Administrator does nothing other than set up a relevant policy
• Is secured in many ways (e.g. IP Address, Group/Role, SMS, etc.)
• Customisable Logo
• Pre-deployed in the Cloud

‘MY PAGE’ SELF-SERVICE APP ACTIVATION

Conditional Value: Emergency
• Country = Vietnam
+ Access Code
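An added Python model (example code, not RSA's engine) of the Policies slide and the "Emergency: Country = Vietnam" conditional above: ordered rules over trusted network, country, trusted browser, the risk engine's identity confidence and the high-risk-user flag decide ALLOW, DENY or the assurance level to step up to. The bucket contents, network ranges and rule names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Three assurance buckets of MFA methods. Which method counts as high or low
# is "up for debate" on the slide, so this assignment is a constructed sample.
ASSURANCE_LEVELS = {
    "LOW": ("sms_otp", "voice_call"),
    "MEDIUM": ("push_to_approve", "software_token"),
    "HIGH": ("fido", "biometric"),
}

# Constructed sample ranges for the policy's "Trusted Networks" condition.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


@dataclass
class Context:
    """What the policy sees for one access request."""
    user: str
    ip: str
    country: str
    trusted_browser: bool
    identity_confidence: str  # "HIGH" or "LOW", supplied by the risk engine
    high_risk_user: bool = False

    @property
    def trusted_network(self) -> bool:
        return any(ip_address(self.ip) in net for net in TRUSTED_NETWORKS)


@dataclass
class Rule:
    name: str
    conditions: dict  # context attribute -> required value; all must hold
    action: str       # "ALLOW", "DENY", or the assurance level to step up to


def rule_matches(rule, ctx):
    return all(getattr(ctx, attr) == want for attr, want in rule.conditions.items())


def evaluate(rules, ctx, default="DENY"):
    """First matching rule wins. The fall-through default is DENY so that a
    request no rule describes never passes without any challenge."""
    for rule in rules:
        if rule_matches(rule, ctx):
            return rule.action, rule.name
    return default, "default"


# Constructed policy: "simple is better", so few rules, most severe first.
POLICY = [
    Rule("block-high-risk", {"high_risk_user": True}, "DENY"),
    Rule("low-confidence", {"identity_confidence": "LOW"}, "HIGH"),
    Rule("emergency-vietnam", {"country": "VN"}, "HIGH"),
    Rule("trusted-office", {"trusted_network": True, "trusted_browser": True}, "ALLOW"),
    Rule("everyone-else", {}, "LOW"),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Context("ken", "10.20.30.40", "JP", True, "HIGH")))
    print(evaluate(POLICY, Context("ken", "203.0.113.9", "RU", False, "LOW")))
```

Rule order is the whole point: a low-confidence verdict from the risk engine outranks a trusted office network, so the same user steps up to a HIGH-bucket method the moment the engine stops recognising them.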



Supporting Policy

RISKY BUSINESS
AKA, “Adaptive Authentication”, “Risk-Based Authentication”, “RBA”, “Risk Engine”, “User Entity Behavioural Analytics”, “UEBA”, “UBA”


THE RISK ENGINE

Risk Engine: “Mmm, Ken is cool… mmm yum.”
Cloud Service: “Hi Ken!! Nice to see you again! You’re right on time as usual and are in the office early in Tokyo!”
(Ken)

THE RISK ENGINE

Risk Engine: “Mmm errrr… looks risky, yuck.”
Cloud Service: “Hi Ken! Nice to see you again? You’re a bit late today! And uh, you seem to be in Russia? Привет?” (Russian for “Hello?”)
(“Ken”) Step-up Challenge!

What is this sorcery?
• Real time monitor
• Machine learning
• Makes 1000 decisions for every access request
• 3 Major categories:
 o Location
 o Behaviour
 o Device
• Takes action based on identity confidence of High or Low
• Constraint: only works over the Web (browser) or certain agents


VISIBILITY INTO RISK
BEYOND THE SCORE, INTO THE BLACK BOX

Inputs:
• User: Admin, Executive, Employee
• Resource: I.P. Data, Classified, Public
• Context: Network, Location, Behavior, Country, Agent, Browser

INTELLIGENT Risk Level → outcome:
• Denied
• Granted
• Step-Up (L/M/H): Token, Biometric, Push

RISK ENGINE VISUALIZATION IN PRODUCT DASHBOARD
• How many users had risk scoring applied to them?
• How many users were high or low confidence?

• Identity Confidence Attribute
• Low or High confidence


LET’S TALK… SAML!
</saml:Subject>

This is the cool part

Link: https://community.rsa.com/community/products/securid/blog/2016/05/19/need-a-demo-saml-service-provider-we-got-you-covered

• Control if it’s displayed in the Portal
• Adjust the icon
• Name the tooltip
• Portal URL is auto-generated
• Choose allow everyone or select a policy


LET’S TALK…
Visibility with Syslog/SIEM

INTEGRATION WITH SIEM
• Craig has done a blog article – posting soon
• We can send you a reviewed draft if you like
• Docs: https://community.rsa.com/docs/DOC-96950

IDR Events / Cloud Events (API)

Configure IDR based events to syslog here

Cloud-based events (e.g. Cloud IDP) must be obtained:
• Through RSA support
• API

TROUBLESHOOTING
Lots of ways...

See all cloud events as they happen


The RSA Link Community

An amazing resource:
• Community forums – ask questions!
• Better yet, ANSWER QUESTIONS too! Are you an expert?
• Encourage your customers to use it
• Live Tech Support chat coming soon!

LET’S SUMMARISE
Tying it all together

ALL OF THIS DRIVES TO BUSINESS BENEFITS

Controls & visibility:
• Cloud Adoption
• 3rd Party Trust
• Compliance
• Integration Costs (Time, complexity, resources)
• User Experience
• Operational Costs
• Business Agility
• ROI

Easy to integrate and manage. Speed to Value for full coverage investment. Simplicity for end users AND admins.

Summary

• Consolidation
• We cover the 100%
• FIDO Enterprise Ready
• The World is Bigger than just 1 vendor
• Hybrid is a cornerstone