This guide will assist users in migrating from applications that use RSA SecurID® to the SecureAuth® Identity Platform. The SecureAuth Identity Platform is the most advanced identity security solution for large global organizations to enable secure access to systems, applications, and data for all workforce and customer identities everywhere: hybrid, on-prem and in the cloud.
The top reason organizations switch to SecureAuth is total cost of ownership (TCO). Our customers have demonstrated as much as a 50% ROI after switching to the SecureAuth Identity Platform. Migrating to SecureAuth from RSA reduces or eliminates expenses related to:
RSA®’s token-based authentication was a state-of-the-art solution when introduced about 20 years ago. Since then, it has become expensive, cumbersome and limited in modern security functions. SecureAuth provides the tools to migrate to a more powerful and flexible identity security solution, the SecureAuth Identity Platform.
To enhance security beyond basic second-factors and preserve the user experience, the SecureAuth Identity Platform provides a broad set of adaptive authentication risk checks that analyze characteristics around device, location, IP address, behavior and more to identify legitimate users and stop bad actors. These risk checks are powered by the SecureAuth® Intelligent Identity Cloud, a service that employs a big-data approach to identity intelligence to increase identity security. Out of the box, the service analyzes a range of threat data and cultivated threat intelligence to identify a wide spectrum of known attackers, and leverages machine learning to analyze user behavior and pinpoint anomalies that signal risk is present. Adaptive authentication risk checks are executed in the background, minimizing interruptions, driving broad adoption, ensuring your identities are secure and the user experience is preserved.
Proprietary architecture imposes costs and difficulty in administering RSA’s user interface (UI). In contrast, SecureAuth utilizes standards-based support for nearly any device, identity type, VPN, identity store, MFA method, and application. This fidelity to standards such as REST (REpresentational State Transfer) enables you to utilize RESTful Application Programming Interfaces (APIs), driving down implementation and maintenance costs and slashing the time required to roll out new applications. SecureAuth’s adherence to other modern standards, such as OAuth and OpenID, enables easy support for your mobile initiatives.
Security Information and Event Management (SIEM), for which SecureAuth provides native integration to industry leading solutions including Splunk and LogRhythm, enables correlation of a broad range of security and event data. This enables quick identification of anomalies to prevent breaches and business disruptions. Customers we’ve migrated from RSA have reported waiting 3–4 weeks waiting for RSA to determine whether a credential was compromised. Quick dashboard views show login activity, failures, blocked requests, request types, realm utilization — and more — so your security team always has its fingers on the pulse of access requests.
Built around our Center of Excellence, SecureAuth’s Global Delivery & Support Team equips you with the services and tools you need to be successful at implementing, managing, and maintaining your environment. We are dedicated to ensuring you achieve the best possible outcome and offering the services and a hassle-free day-to-day experience to get you there. From professional services to 24/7 support, to training, and our online customer community, Intersections, SecureAuth can ensure that you can get the most out of your investment with us.
In most enterprises, it is not practical to convert from one “token” method to another overnight. To ease the process of moving your business from RSA SecurID to the SecureAuth Identity Platform, the SecureAuth RSA SecurID Migration Value-Added module (VAM) was designed and architected to enable a measured migration approach, ensuring there is no disruption to your users or business. During the coexistence period, both RSA SecurID tokens and SecureAuth second factor methods can be used with the Identity Platform for second factor authentication.
SecureAuth developed the SecureAuth RSA SecurID Migration VAM as a means to utilize SecureAuth’s multi-factor authentication (MFA) and adaptive authentication in conjunction with RSA’s hard-token topology, as seen in the figure below.
This interim measure works well to lower administration cost, improve user uptime, and boost user satisfaction. However, to benefit from the full range of protection and ease-of-use provided by the SecureAuth Identity Platform, full migration to SecureAuth is the next logical step.
Migrating to a new access control solution can be a daunting challenge. SecureAuth has identified several concerns that organizations encounter when considering a change in access control in their environment.
Many of the considerations associated with implementing this VAM revolve around a larger SecureAuth implementation plan. Some of the considerations listed below are specific to the RSA SecurID migration.
It’s crucial to make sure that all the relevant business units, users, customers, vendors, partners, and other stakeholders are involved in planning the migration and that participants are aware of how it could impact them. Clear communication up front paves the way for a successful migration.
Ensure that your standard company change management processes are followed, including well planned back-out procedures. It is not uncommon for some migrations to have unforeseen issues. It is critical that a well-planned back-out scenario is in place to ensure business continuity.
The planning phase can be the most powerful period in which to reduce the cost of migration, ensure minimal downtime and set appropriate stakeholder expectations, including users. This is the time when the inventory of servers and data takes place and communication with stakeholders begins.
To migrate from RSA Authentication Manager to the SecureAuth Identity Platform, the first step is to survey and inventory the existing RSA deployment in order to visualize every interconnection, as displayed in the illustration below.
Once the existing architecture and use cases are understood and documented, take an inventory of applications that currently rely on RSA for authentication and access. Each application should have its realms (workflows), rules, and rule groups cataloged and prepared for migration to the SecureAuth Identity Platform.
Next, RSA Authentication Manager policies need to be prepared for migration, with each policy cataloged and all protected resources identified. Included in this preparation are the access control lists (ACLs) and rules used, as well as any authentication requirements employed to identify users.
A subsequent step in planning a migration involves understanding and evaluating the authentication processes within your environment. Systems that use RSA Authentication Manager require a decision regarding when to transition authentication to the SecureAuth Identity Platform.
One option is to migrate all user “tokens” at the beginning of the process. This makes SecureAuth the controlling record source for identification and authentication. This option does not take full advantage of this migration module.
The other option is to migrate authentication to the SecureAuth Identity Platform at the end of migration (after all applications are migrated), or in a phased approach. In this case, RSA Authentication Manager continues to perform authentication even when users access a SecureAuth protected application. When the time comes to decommission RSA Authentication Manager and tokens, the authentication process migrates completely to the SecureAuth Identity Platform.
Once the applications have been classified, the policies cataloged, and the authentication and session management processes understood, create a project plan to bring together the necessary resources to install the SecureAuth Identity Platform, integrate it with RSA Authentication Manager, and conduct the migration.
A migration involves incremental steps made with care and deliberation in the test area, insulated from interference with the production system.
We recommended your migration follow the progression below.
The requirements for deployment of this functionality are:
When planning for deployment, keep in mind the following best practices:
To configure the SecureAuth Identity Platform installation for RSA SecurID Migration authentication, perform the following steps.
Repeat this step for every SecureAuth folder, except for the SecureAuth0 folder.
Launch the SecureAuth Identity Platform Admin Console by entering the URL http://localhost:8088/. The admin console user interface can only be viewed on the local machine. For version IdP version 9.3 and above, open the classic admin interface.
The web config files are updated using the new DLLs you copied to the appropriate folders. After the update is completed, the admin UI reappears.
NOTE: Note for this value: "RadiusOathTokenValidationEnabled" value="True"
|RADIUS Server||Select whether a RADIUS server is enabled for this SecureAuth Identity Platform appliance. Enable this feature to connect with the RSA SecurID serve|
|Host Name||Enter the IP address or the server name of the target RADIUS server|
|Authentication Port||Enter the port number this appliance will use to authenticate applications overseen by the external RADIUS server gateway|
|Authentication Account||Not used. No value is needed or used for this use case|
|Retries||Enter the number of retries the SecureAuth appliance will do before abandoning the request to the RSA RADIUS server|
|Socket Timeout||Enter the number of milliseconds this RADIUS port will wait before abandoning the request to the RSA RADIUS server|
|Shared Secret||Enter the RADIUS shared secret that enables this appliance to access the RADIUS server|
Update the configuration accordingly and click Save the to commit configuration changes.
Testing the SecureAuth RSA SecurID Migration VAM Deployment
A third component included in the SecureAuth RSA SecurID Migration VAM deployment package is the RADIUS Test Client. This command line tool enables you to test the deployment and ascertain whether the VAM configuration is working properly prior to any integration.
To initiate this test, use the following procedure:
NOTE: If you enter only the executable name, a list of all parameters supported by this executable appear.
Migrating a protected application to SecureAuth
Migrating a protected application to SecureAuth
Steps to complete the migration
Even as apps migrate to the SecureAuth Identity Platform, RSA Authentication Manager agents may still be left in place. The application owners must work with the migration project team to remove those agents so that RSA Authentication Manager can be safely retired. Once all users have registered with an alternate 2FA method, the RSA token second factor method can be disabled on a per-realm basis.
This section provides two example scenarios for the RSA SecurID Migration module after its deployment.
Token Validation for Web Applications
Typically, RSA SecurID is leveraged to protect VPN and other RADIUS compatible devices. With this module, the tokens can now be used to authenticate to web applications during the RSA token phase-out period.
The example below illustrates a typical user workflow when logging into a web based application protected by the SecureAuth Identity Platform.
Click the Security Token radio button, then click the Submit button. A screen appears, as in the next image.
Type or click the buttons to input the security-token code then click Submit.
After the token is validated, the requested application is now available to the user
Most customers that use the RSA SecurID product leverage it to protect access to network resources such as VPNs. To migrate from RSA to SecureAuth, the SecureAuth RADIUS server is often used if the VPN does not support more modern authentication methods such as SAML. SecureAuth recommends using SAML when supported by the VPN, when migrating from RSA SecurID.
In cases where the VPN (or other protected resource) does not support modern authentication methods, the SecureAuth RADIUS server is used. The RADIUS protocol is well supported by VPNs and legacy applications. The SecureAuth RADIUS server proxies authentication requests from the VPN (or other protected resource) to the SecureAuth Identity Platform server. All of the authentication methods that you choose to make available to the user are presented via the VPN (or other protected resource) login user interface.
Below is an example of the user workflow when logging into a Cisco AnyConnect VPN client.
SecureAuth, the secure identity company, provides the most advanced identity security solution for large organizations globally to enable secure access to systems, applications, and data. Our customers leverage our flexible, enterprise-grade identity and access platform coupled with the SecureAuth Intelligent Identity Cloud service to deliver the most secure, frictionless user experience for their customers, partners and employees, everywhere, exponentially reducing the threat surface, enabling user adoption and meeting business demands. To learn more, visit www.secureauth.com, or connect with us at email@example.com, Twitter, and LinkedIn.