Nandini V

Defense-in-Depth: RSA SecurID® Access in November 2020

Blog Post created by Nandini V Employee on Dec 8, 2020

We understand the challenges of our customers in the federal and public sector space who are making strategic investments to securely manage their IT infrastructure and planning to migrate to the cloud. While the scope of various regulatory frameworks (FedRAMP, FISMA, DISA STIGs) may or may not  be relevant to your organization, the benefit of “Do once, apply many times” goes beyond any specific compliance. Commercial customers gain a lot from the IT vendors who comply with the security standards and best practices, as this also increases the trust of your customers. With the additional insights and transparency, enterprises can improve the information security strategy of their overall IT programs.

RSA continues to reduce your compliance burden by always staying on top of the security best practices. Our continuous platform upgrades and improvements ensure customers are kept safe from security holes and vulnerabilities. With the latest release of Cloud, Mobile and Identity Router, we are excited to bring these updates that are layered across RSA SecurID Access to provide outstanding protection for your data and information.

 

FIPS 140-2 Update - Why Is It Important?

We are living in the era of zettabytes, where the data is growing at a mind-boggling rate. Given the proliferation of digital data, protecting data from being exposed to potential attacks is crucial. This requires the continuous update of cryptographic modules. Federal Information Processing Standard (FIPS) 140-2 standardizes the cryptographic requirements to manage data at rest (storage), as well as data in motion (transmission).

FIPS 140-2 plays an important role outside government as well. For example, healthcare organizations have a mandatory requirement of using FIPS-validated MFA for EPCS (Electronic Prescription of Controlled Substances) systems. The military uses it to be compliant with DFARS (Defense Federal Acquisition Regulation Supplement) to protect data at rest. It is also critical for fintech organizations to leverage reliable and standard cryptographic-based tools and systems.

RSA SecurID Access continues to leverage FIPS 140-2 validated cryptography modules to constantly align our various components - Cloud Authentication Service, Identity Router and RSA SecurID Authenticate app (Android, iOS and Windows) to achieve compliance on any given day. So you can march confidently towards meeting your compliance needs where FIPS 140-2 compliance is a non-negotiable item.

 

Identity Router Release - What’s Special About It?

We continue to make investments in building the most secure identity infrastructure so that we have your complete trust in enabling your business. Be it getting rid of outdated operating systems, upgrading the crypto libraries (as part our comprehensive security regimes) or making configuration changes to be compliant with the latest guidelines that created buzz yesterday, we want to have it all covered. To achieve this goal, regular upgrade cycles are necessary. With the release of Identity Router, we are excited that our customers will benefit from these additional security enhancements including those with the compliance mandates.

  •  A layer of defense: By adhering to Security Technical Implementation Guide (STIG), November release of Identity Router image adds yet another layer to meet the compliance requirements elicited by DISAthe Defense Information System Agency, part of the US Department of Defense (DoD). This ensures the operating system, network infrastructure and other computing systems are hardened to operate in the federal infrastructure.
  • Beyond Compliance: Following security benchmarks, whether you are in federal government or not, helps in maintaining the overall security posture of your IT infrastructure. STIGs play a critical role in ensuring the systems are configured as securely as possible (rather than going by the “default settings”) to prevent them from being an easy target for cyber attacks. Security vulnerabilities can be costly and frustrating for commercial organizations as well.
  • Keeping CurrentRunning an outdated operating system or application software in production is like a ticking time bomb. These could put your network infrastructure and business at risk even before the auditors raise them as red flags. With the SLES 12 SP5 upgrade, we want to ensure our customers are always on the latest and greatest of the software and keep your IT teams and auditors happy.

 

Other Updates

Admin Console - Security Beyond MFA

To further tighten the security, the administrator console of RSA SecurID Access Cloud Authentication Service now has additional access control measures baked in as part of the account and access management. These additional controls enforce stricter policies such as - session lockout interval, unsuccessful login attempts and password complexity as part of authentication. With the risk of cyber attacks, any such additional measures to prevent hackers gaining access to critical resources and accounts goes a long way.

 

Usage Reporting - The More Data The Merrier

Usage reporting of Cloud Authentication Service is enhanced to include additional usage metric data Active Users. If you are an administrator, you probably know the existing usage metrics that are made available through our Cloud Administration Retrieve License Usage API.  The existing usage reports already show MFA licenses count, users with FIDO authenticator and SMS/Voice data; the new report metric shows the number of unique users successfully authenticated by Cloud Authentication Service for MFA. Besides addressing compliance needs, this report will also come in handy for planning for the future.  You can use this data for effective budgeting and capacity planning as part of your MFA deployment strategy.  

 

To learn about additional November 2020 updates, see November Release Notes. 

 

Flexible Access Policy Assignment to Reduce Administrative Overhead

Some applications, such as SSO applications, may need to invoke a specific authentication policy in RSA SecurID Access based on a condition (for example, the user group and/or resource being accessed). SAML-based applications can use the AuthnContext SAML attribute to do just this. But some SSO platforms do not have this support and pose a challenge in complex customer environments. To overcome this limitation, we provide the flexibility to invoke a specific authentication policy based on specific conditions. As part of the SAML connector configuration, administrators can customize the Entity ID of an identity provider by adding a discriminator unique to a SAML-based service provider (SP). This enables you to use different access policies for different SAML-based applications to improve security and flexibility. To learn about additional features in September 2020, see September Release Notes. 

 

Authenticate to the Cloud Administration Console through a Third-Party Identity Provider

You can now securely sign into the Cloud Administration Console through federation by extending  your identity provider (IdP). This is useful in general but specifically becomes very handy for federal administrators who use  a common access card (CAC) and personal identity verification (PIV) and can continue to use their third-party IdP infrastructure to perform a federated sign-in to the Cloud Administration Console. We encourage you to test this feature in a development environment to make sure everything works before moving into production. To learn about additional features in September 2020, see September Release Notes. 

Outcomes