Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - RSA Multi-Factor Authentication - Overview

Introduction

This document describes how you can use the services of RSA SecurID Access to authenticate the sessions of your privileged users with One Identity Safeguard for Privileged Sessions (SPS).

One Identity Safeguard for Privileged Sessions:

One Identity Safeguard for Privileged Sessions (SPS) controls privileged access to remote IT systems, records activities in searchable, movie-like audit trails, and prevents malicious actions. SPS is a quickly deployable enterprise device, completely independent from clients and servers — integrating seamlessly into existing networks. It captures the activity data necessary for user profiling and enables full user session drill down for forensic investigations.

SPS acts as a central authentication gateway, enforcing strong authentication before users access sensitive IT assets. SPS can integrate with remote user directories to resolve the group memberships of users who access nonpublic information. Credentials for accessing information systems can be retrieved transparently from SPS's local credential store or a third-party password management system. This method protects the confidentiality of passwords as users can never access them. When used together with RSA (or another multi-factor authentication provider), SPS directs all connections to the authentication tool, and upon successful authentication, it permits the user to access the information system.

Integrating RSA with SPS:

SPS can interact with your RSA Authentication Manager and can automatically request strong multi-factor authentication for your privileged users who are accessing the servers and services protected by PSM. When used together with RSA SecurID Access, SPS prompts the user for a second factor authentication, and upon successful authentication, it permits the user to access the information system.

The integration adds an additional security layer to the gateway authentication performed on SPS. If the user has a RSA SecurID Hardware Token, the user can generate a one-time password using the device. This will be used for the authentication to the One Identity platform. The one-time password is changed after 60 seconds.

Meet compliance requirements

ISO 27001, ISO 27018, SOC 2, and other regulations and industry standards include authentication-related requirements, for example, multi-factor authentication (MFA) for accessing production systems, and the logging of all administrative sessions. In addition to other requirements, using SPS and RSA helps you comply with the following requirements:

  • PCI DSS 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multi-factor authentication.

  • PART 500.12 Multi-Factor Authentication: Covered entities are required to apply multi-factor authentication for:

    • Each individual accessing the covered entity’s internal systems.

    • Authorized access to database servers that allow access to nonpublic information.

    • Third parties accessing nonpublic information.

  • NIST 800-53 IA-2, Identification and Authentication, network access to privileged accounts: The information system implements multi-factor authentication for network access to privileged accounts.

How SPS and RSA MFA work together

Figure 1: How SPS and RSA work together

  1. A user attempts to log in to a protected server.

  2. Gateway authentication on SPS

    SPS receives the connection request and authenticates the user. SPS can authenticate the user to a number of external user directories, for example, LDAP, Microsoft Active Directory, or RADIUS. This authentication is the first factor.

  3. Authentication using RSA SecurID Access

    If gateway authentication is successful, SPS connects the RSA Authentication Manager. Then SPS requests the second authentication factor from the user and sends it to the RSA server for verification.

  4. If multi-factor authentication is successful, the user can start working, while SPS records the user's activities. (Optionally, SPS can retrieve credentials from a local or external credential store or password vault, and perform authentication on the server with credentials that are not known to the user.)

Technical requirements

In order to successfully connect SPS with RSA, you need the following components.

In RSA:
  • An RSA Authentication Manager deployed.

  • RADIUS access parameters, for example, host, port, and an RSA shared secret. You will need it to configure the SPS plugin.

  • Your users must be enrolled in RSA Authentication Manager.

  • The users must be able to perform the authentication required for the fasctor (for example, possess the required RSA SecurID Hardware Token).

In SPS:
  • A One Identity Safeguard for Privileged Sessions appliance (virtual or physical), at least version 5 F1.

  • A copy of the SPS RSA plugin. This plugin is an Authentication and Authorization (AA) plugin customized to work with the RSA multi-factor authentication service.

  • SPS must be able to access the RADIUS port of the RSA Authentication Manager.

Availability and support of the plugin

The SPS RSA plugin is available as-is, free of charge to every SPS customer from the Plugin Page. In case you need any customizations or additional features, contact professionalservices@balabit.com.

You can use the plugin on SPS 5 F5 and later. If you need to use the plugin on SPS 5 LTS, contact professionalservices@balabit.com.

Learn more

To find out more about SPS, visit the One Identity page.

For a detailed tutorial about how to connect your RSA account with SPS, see RSA Multi-Factor Authentication - Tutorial.

If you need help in connecting your RSA account with One Identity Safeguard for Privileged Sessions, contact our Sales Team or contact professionalservices@balabit.com.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating