New RSA SecurID Offering Expands Protection to On-Premise and Cloud
RSA today announced the RSA SecurID Suite, moving from two-factor authentication to a full identity and access management solution. The purpose is to provide a single platform able to mitigate identity-based threats on-premise and in the cloud. To achieve this, it integrates three essential IAM attributes: secure access, access governance and access lifecycle.
In reality, RSA does not describe SecurID Suite as an IAM solution — rather it describes it as a product that can help integrate existing disparate access management solutions. Its different components are not designed to replace incumbent solutions, but to work with and bridge the gaps between them. Too often, suggests RSA, those existing solutions result in ‘islands of identity’.
SecurID Suite, says the EMC-owned company, “cohesively integrates ‘Islands of Identity’, providing consistent policies, contextual and risk-based strong authentication, governance, and automated lifecycle management, and orchestrates processes with the line of business to ensure that all user access is appropriate and seamless.”
Access is not limited to the traditional SecurID token. Users can choose from several additional factors to reduce the ‘authentication friction’ that mars some approaches to access control. These options include mobile-device-based EyePrint ID technology and TouchID technology. Furthermore, “By offering a wide range of authentication methods, organizations are enabled to control access based on context or risk,” says the RSA announcement. Context sensitivity can be achieved by examining aspects such as application type and the user’s location. These access rules can be applied to on-premise access or cloud access.
Access governance is another key area of IAM covered by the new suite. ‘Admin proliferation’ is a common problem: users frequently request greater privilege than they actually need; and it is easier to grant it than to remove it. This leads to a greater number of privileged accounts than is necessary; and this in turn makes an adversary’s privilege escalation tactics easier to fulfill. Finding the right balance between giving users the correct level of access while minimizing the attack surface for aggressors is a problem. “Today’s CISOs and CIOs face major challenges balancing the need to protect their attack surfaces against identity-based attacks while at the same time ensuring that the right individuals have access to the tools and information they need,” comments Jim Ducharme, Vice President of Engineering and Product Management.
While the new suite doesn’t claim to be a privileged access management (PAM) system, it does provide enterprise-wide visibility into all user access privileges. It also makes it easy to identify orphan user accounts and, in both cases, to remediate inappropriate user access. Where users are requesting additional privileges — perhaps to allow software or a printer to be installed — the process can be managed and audited; and where policy or regulations are involved, the suite can be used to ensure that control objectives are met.
The final part of the new suite is lifecycle management. Again, SecurID Suite doesn’t claim to be a full identity provisioning system, but instead can be layered on top of existing provisioning systems to extend their value. “RSA Lifecycle,” claims the company, “combines a business-friendly interface for access request and approval with an innovative approach to provisioning user access changes automatically across all target systems.”
On-boarding new users is a time-consuming and expensive process if done manually. SecurID Suite improves this by ensuring that users quickly obtain appropriate access through suggested entitlements based on similar users’ attributes and job roles.
“The RSA SecurID Suite helps executives take command of the whole identity lifecycle,” claimed Ducharme. “It’s one of the only solutions on the market that offers truly actionable insights into identity and access issues, helping C-level leaders protect their enterprises, minimize the friction that users face and empower their business to get more done.”