RSA Adaptive Authentication (On-Premise) 7.1
Product Overview Guide
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers:
www.emc.com/domains/rsa/index.htm
Trademarks
RSA, the RSA Logo, eFraudNetwork, BSAFE and EMC are either registered trademarks or trademarks of EMC Corporation
in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a
list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and
may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice
below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any
other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any
unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Note on encryption technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption
technologies, and current use, import, and export regulations should be followed when using, importing or exporting this
product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change
without notice.
Copyright 2013 EMC Corporation. All Rights Reserved. Published in the USA.
July 2013
RSA Adaptive Authentication (On-Premise) 7.1 Product Overview Guide
Contents
Preface................................................................................................................................... 5
About This Guide................................................................................................................ 5
RSA Adaptive Authentication (On-Premise) Documentation ............................................ 5
Support and Service ............................................................................................................ 6
Before You Call Customer Support............................................................................. 6
Preface
Security Best Practices Guide. Provides recommendations for configuring your
network and RSA Adaptive Authentication (On-Premise) securely.
Web Services API Reference Guide. Describes RSA Adaptive Authentication
(On-Premise) web services API methods and parameters. This guide also
describes how to build your own web services clients and applications using web
services API to integrate and utilize the capabilities of Adaptive Authentication
(On-Premise).
What's New. Highlights new features and enhancements in RSA Adaptive
Authentication (On-Premise) 7.1.
Workflows and Processes Guide. Describes the workflows and processes that
allow end users to interact with your system and that allow your system to interact
with RSA Adaptive Authentication (On-Premise).
[Figure: Adaptive Authentication (On-Premise) components: Risk Engine,
eFraudNetwork, Authentication Methods, and Back Office.]
Back Office. Web-based Back Office applications used to manage and administer
Adaptive Authentication (On-Premise).
For more information about each component, see Chapter 2, RSA Adaptive
Authentication System Overview.
As shown in the preceding figure (from left to right), the following stages occur within
the flow:
1. The end user enters an application protected by Adaptive Authentication.
End users can include employees, customers, contractors, partners, administrators,
and any other members of organizations who have access to an application
secured by Adaptive Authentication. Adaptive Authentication provides protection
for the end user who enters an application using one of the following:
Website or portal.
SSL VPN application. An organization uses an SSL VPN to provide
employees and partners with remote access to its network inside a firewall.
Web access management (WAM) application. An organization uses a WAM
application to secure access to web-enabled applications and resources.
Mobile applications and mobile browsers.
ATM device. For information about the ATM Protection Module, see ATM
Protection Module on page 13.
2. End-user activities are profiled.
When an end user uses one of the protected entry methods, activity details are
gathered by the RSA Risk Engine for risk assessment and authentication.
Behavioral profiles, device profiles, and RSA eFraudNetwork input are correlated
into end-user profiles by the Risk Engine.
3. Risk assessment of the end user is performed behind the scenes.
Adaptive Authentication is powered by risk-based authentication technology that
conducts a behind-the-scenes risk assessment of every end-user activity.
Transparent authentication helps organizations increase security without
compromising user convenience. A unique risk score is assigned to each activity,
and users are challenged only when an activity is identified as high-risk or an
organizational policy is violated.
The Policy Management application applies the policies and rules that you have
defined for end-user activities to the risk score and other factors. Events and
activities that are suspected or confirmed fraudulent are flagged by the system.
4. Authentication methods are applied.
Non-flagged activities are invisibly authenticated while flagged activities lead to
further monitoring and tracking, as well as the use of additional authentication
methods including challenge questions, knowledge-based authentication (KBA),
one-time password (OTP), out-of-band phone, out-of-band SMS, out-of-band
email, or client-defined authentication methods using the multi-credential
framework.
5. Authentication results determine continuation of end-user activity and contribute
to Risk Engine assessments.
End-user activity can continue, pass, or fail depending on the success of
authentication. Failed authentication data is fed back to the Risk Engine, as is data
gathered during case management. This data collection contributes to the
ever-increasing relevance and accuracy of Risk Engine assessments.
Architectural Overview
The following figure shows the components of RSA Adaptive Authentication
(On-Premise) and how the components interact with each other. Adaptive
Authentication (On-Premise) is made up of various types of components including
databases, applications, utilities, and agents. Outputs include logs, reports, and data
sent to RSA Central and the RSA eFraudNetwork service.
Information Sources
The RSA Risk Engine takes information from a variety of sources, including from
your online application, and performs a risk analysis to determine how much risk an
event might contain. This information (also known as facts) includes the following:
Client machine information, such as the system language, screen resolution, and
time zone.
Browser information, such as cookies, browser language, user agent string, and
HTTP header information.
IP information, such as that which determines where an IP address is located, the
number of users seen on an IP address, and device profile (velocity).
User device history information, such as whether Adaptive Authentication has
seen the device before and whether the user's browser information changed.
User profile and behavior, such as the number of days after the last user logon and
the number of days after a password change.
Transaction information, such as specific user data, time, and payment
information.
Information about a user's current DOM (Document Object Model) elements for a
specific HTML page, such as fields, JavaScript function names, and frames on the
page, used for the HTML Injection Protection feature.
Browser events that occur on an HTML page, such as keyboard strokes and mouse
movements, used for the Man vs. Machine Detection feature.
DevicePrint latency (ping time) information, such as the time taken to reach the
end user's local host and the end user's external IP address, used for the Proxy
Attack Protection feature.
Information about the location of the end user's mobile device, such as
longitude, latitude, altitude, and speed, used for the Mobile Location Awareness
feature.
Policy Management
The Policy Management component determines what to do about potentially risky
events, based on the risk analysis. The Policy Management component is configured
by adapting the RSA Adaptive Authentication default policies to your existing
business policies.
The Policy Management component takes the information from the Risk Engine and
recommends what actions need to be taken for that given event. Adaptive
Authentication (On-Premise) returns the recommended actions to your application.
Actions may include the following:
Allow. Allows the user to access your online system (logon) or continue with the
transaction (transaction analysis or transaction monitoring).
Challenge. Challenges the user by requesting additional authentication, by way of
challenge questions or out-of-band authentication.
Deny. Denies the user access to your system (logon) or denies the transaction
event.
Review. Flags the event for review through Case Management by a fraud analyst.
This action can be a supplemental recommendation to other action types. After the
fraud analyst completes the review, the final result is sent to the Risk Engine to
improve its learning ability and fraud detection rate.
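The following Python program is an added example, not code from RSA or from the
product. It sketches, end to end, the flow described at the start of this chapter
(steps 2 to 5: profiling, scoring, applying policy, feeding results back), the kinds
of facts listed under Information Sources (device history, IP velocity, transaction
amount), and the Allow, Challenge, Deny and supplemental Review actions of this
section. The Facts and History classes, the rule names, the weights and the
thresholds are all assumptions chosen for illustration; the real Risk Engine is a
learned model and the real policy language is different.

```python
"""Added example (not RSA's code): a toy version of the flow described above; class
names, rule names, weights and thresholds are assumptions for illustration only."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

ALLOW, CHALLENGE, DENY, REVIEW = "ALLOW", "CHALLENGE", "DENY", "REVIEW"

@dataclass
class Facts:
    user_id: str
    ip: str
    user_agent: str
    device_cookie: str | None      # None when the browser presents no device cookie
    amount: float = 0.0            # 0 for a plain logon
    # derived from history by History.enrich()
    device_seen_before: bool = False
    browser_changed: bool = False
    users_on_ip: int = 1           # IP velocity: distinct users seen behind this address
    failed_challenges: int = 0     # fed back from step 5

class History:
    """Toy store of what the engine has seen so far."""
    def __init__(self) -> None:
        self.devices = defaultdict(dict)   # user -> device cookie -> user agent
        self.ip_users = defaultdict(set)   # ip -> user ids
        self.failures = defaultdict(int)   # user -> failed challenges

    def enrich(self, f: Facts, today: int) -> Facts:
        """Step 2: correlate the event with the user's profile and device history."""
        known = self.devices[f.user_id]
        f.device_seen_before = f.device_cookie in known
        f.browser_changed = f.device_seen_before and known[f.device_cookie] != f.user_agent
        self.ip_users[f.ip].add(f.user_id)
        f.users_on_ip = len(self.ip_users[f.ip])
        f.failed_challenges = self.failures[f.user_id]
        return f

    def record(self, f: Facts, today: int, challenge_passed: bool | None) -> None:
        """Step 5: feed the result back; a failed challenge never enrols the device."""
        if challenge_passed is False:
            self.failures[f.user_id] += 1
            return
        if f.device_cookie:
            self.devices[f.user_id][f.device_cookie] = f.user_agent

def risk_score(f: Facts) -> int:
    """Step 3, toy Risk Engine: additive weights capped at 1000 (the real one is a model)."""
    score = 300 * (not f.device_seen_before) + 150 * f.browser_changed
    score += 200 * (f.users_on_ip > 5) + 300 * (f.amount > 10_000)
    score += 100 * min(f.failed_challenges, 3)
    return min(score, 1000)

# Assumed policy: (rule name, condition over facts and score, action). Order is irrelevant.
POLICY = [
    ("shared_ip_payment", lambda f, s: f.users_on_ip > 20 and f.amount > 0, DENY),
    ("score_high", lambda f, s: s >= 700, CHALLENGE),
    ("new_device_payment", lambda f, s: not f.device_seen_before and f.amount > 0, CHALLENGE),
    ("score_review", lambda f, s: s >= 500, REVIEW),
]
SEVERITY = {ALLOW: 0, CHALLENGE: 1, DENY: 2}

def evaluate(f: Facts, score: int) -> tuple[str, bool]:
    """Step 4: the most severe primary action among matching rules wins; REVIEW is
    supplemental and rides alongside whichever primary action was chosen."""
    primary, review = ALLOW, False
    for _name, when, action in POLICY:
        if not when(f, score):
            continue
        if action == REVIEW:
            review = True
        elif SEVERITY[action] > SEVERITY[primary]:
            primary = action
    return primary, review

def assess(h: History, f: Facts, today: int) -> tuple[str, int, str, bool]:
    """Steps 2-4 for one event: (user, risk score, primary action, review flag)."""
    score = risk_score(h.enrich(f, today))
    return (f.user_id, score, *evaluate(f, score))

def run_scenario() -> list[tuple[str, int, str, bool]]:
    """Constructed events run through the pipeline; returns one assessment per event."""
    h, out = History(), []
    f = Facts("alice", "203.0.113.10", "Firefox/115", "dev-A")   # day 1: first logon, new device
    out.append(assess(h, f, 1))
    h.record(f, 1, challenge_passed=None)                         # nothing to challenge
    f = Facts("alice", "203.0.113.10", "Chrome/116", "dev-B", amount=15_000)  # day 2: unknown device pays
    out.append(assess(h, f, 2))
    h.record(f, 2, challenge_passed=False)                        # the OTP challenge failed
    f = Facts("alice", "203.0.113.10", "Chrome/116", "dev-B", amount=15_000)  # retry carries the failure
    out.append(assess(h, f, 2))
    for n in range(25):  # day 3: 25 distinct users behind one address, then bob pays from it
        h.record(h.enrich(Facts(f"u{n}", "198.51.100.7", "Safari/17", f"c{n}"), 3), 3, None)
    out.append(assess(h, Facts("bob", "198.51.100.7", "Safari/17", "dev-bob", amount=50), 3))
    return out

if __name__ == "__main__":
    print(*run_scenario(), sep="\n")
```

Two design points carry over to the real product. Review never replaces a primary
action: it is attached to whatever Allow, Challenge or Deny the rules produced, which
is why evaluate tracks it separately instead of treating it as a fourth severity
level. And a failed challenge is fed back before the device is ever enrolled, so a
fraudster who fails the out-of-band step does not get the benefit of a "known device"
on the next attempt.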
The following figure shows the interaction between the Risk Engine and the Policy
Management component.
RSA Central
RSA Central is a centralized service provided by RSA. You use it to send log files
to RSA and to retrieve reports and GeoIP data. The service is designed to receive
log files from sources such as RSA Adaptive Authentication (On-Premise) and to let
you retrieve and view reports through the Report Viewer application. Reports are
available as PDF and CSV files.
GeoIP Service
The geographic IP location information (GeoIP) files used by RSA Adaptive
Authentication (On-Premise) need to be updated over time as IP addresses are moved
to different locations or ISPs.
Scheduler
Keeping RSA Adaptive Authentication (On-Premise) in operational mode requires
running maintenance, monitoring, and database-related tasks. The Scheduler allows
you to schedule and manage all of these tasks using a single console. You can specify
the tasks to run and the configuration parameters for that run.
The Scheduler generates log files on a daily basis for troubleshooting system
operation.
For information about how to configure scheduled tasks in Adaptive Authentication
(On-Premise), see the topic Scheduler Operation in the Operations Guide.
Access Management
The Access Management application allows you to create users for personnel within
your organization. It also allows you to manage user roles and permissions for the
different Back Office applications.
If your organization manages its users with an external identity store, such as an
LDAP directory or Active Directory, you can grant access to RSA Adaptive
Authentication (On-Premise) through the external identity framework. For more
information about access for these users, see the chapter Managing Access to the
Back Office Applications in the Back Office User's Guide.
Administration Console
The Administration Console application allows you to manage system configuration
parameters. You use the Administration Console application to modify and maintain
parameter values according to your Adaptive Authentication implementation,
business requirements, and system setup.
Case Management
The Case Management application is used to review events that RSA Adaptive
Authentication (On-Premise) flags as high-risk and that require a fraud analyst's
review.
Events are flagged for review by Adaptive Authentication (On-Premise) and the Case
Management application pulls these events into its dedicated database. Fraud analysts
review the events and provide resolution. Using web services calls, the flagged events
and the resolutions are updated in the Core Database.
Customer Service
The Customer Service application allows customer service representatives to search
for and modify user account information and help your end users with online account
troubleshooting.
In addition, the Customer Service application provides user activity logs that customer
service representatives can monitor.
Policy Management
The Policy Management application allows you to define your organization's policy,
by which RSA Adaptive Authentication (On-Premise) detects and acts upon a
high-risk event. For security reasons, RSA recommends that you verify and test the
policy set before implementing policies in Adaptive Authentication (On-Premise). For
more information, see the chapter Managing Policies in the Back Office User's
Guide.
Report Viewer
The RSA Risk Engine produces forensic log files. Based on these log files,
RSA Central provides reports for your organization regarding your forensic activity.
With the Report Viewer application, you can view daily, weekly, and monthly reports
created by RSA Central. Reports from RSA Central are synchronized with the Report
Viewer application for accurate reading of the files.
Network Integration
The following high-level diagram shows the recommended network deployment for
RSA Adaptive Authentication (On-Premise). The diagram reflects the following
business flow:
A user connects to a customer website from the Internet zone.
A customer website located in the demilitarized zone (DMZ) collects information
from the user and passes it to Adaptive Authentication (On-Premise) in the
Application Tier.
Adaptive Authentication (On-Premise) manages the information and returns a risk
score along with a policy-based action.
Adaptive Authentication (On-Premise) uses the Core Database, located in the
Organizational Data Tier, for storage of operational data.
[Figure: recommended network deployment. From left to right: End user (Internet);
Public firewall; Data Management Zone containing the Web server that hosts the
HTML and JSP pages and scripts; Private firewall (optional); Application tier
containing the Application server that runs RSA Adaptive Authentication;
Organizational firewall; Organizational data tier containing the Core database.]
Batch Loader
The Batch Loader utility is a command-line tool for loading historical customer data
into the Core Database for use in risk analysis. You can execute the Batch Loader
utility in one of the following modes:
Risk Engine only. In this mode, the Batch Loader utility only loads data to the
Risk Engine. It does not create users and devices. RSA recommends using this
mode for increased efficiency and performance.
Full. In this mode, the Batch Loader utility loads Risk Engine data, user IDs, and
device information. Full mode should only be used when device recognition and
recovery is key to role authentication.
For more information about the Batch Loader utility, see the Operations Guide.
Encryption
The encryption feature encrypts and decrypts sensitive end-user data stored by
RSA Adaptive Authentication (On-Premise), so that private end-user details remain
protected if the stored data is exposed. You can enable and disable the encryption
feature by modifying the relevant configuration settings in the Administration
Console. In addition, an encryption utility is provided to manage master key
generation and rotation. Because the master key protects all of the encrypted data,
generate, store, and rotate it with the same care as any other key material.
For more information about the encryption feature, see the chapter Encrypting User
Data in the Operations Guide.
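The program below is an added example, not RSA's encryption utility, showing the
pattern that makes master key rotation cheap: each stored record is encrypted under
its own data key, and only the data keys are wrapped by the master key, so rotating
the master key re-wraps the small data keys and never touches the stored ciphertext.
The authenticated cipher is a stand-in built from HMAC-SHA256 (a CTR keystream with
encrypt-then-MAC) so that the example runs on the Python standard library alone; a
real deployment would use AES-GCM from a vetted library. The key ids, record layout
and sample field values are assumptions for illustration.

```python
"""Added example (not RSA's code): envelope encryption with a rotatable master key.
The HMAC-based cipher is a standard-library stand-in for AES-GCM; key ids, record
layout and field values are assumed for illustration."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32

def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Returns nonce || ciphertext || tag; aad is authenticated but not encrypted."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")   # independent subkeys
    nonce = secrets.token_bytes(NONCE_LEN)                      # fresh for every message
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + _prf(mac_key, aad + nonce + ct)

def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(mac_key, aad + nonce + ct)):  # verify before use
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))

@dataclass
class MasterKey:
    key_id: str
    key: bytes

@dataclass
class Record:
    user_id: str
    master_key_id: str   # which master key wraps this record's data key
    wrapped_dek: bytes   # data key encrypted under the master key
    ciphertext: bytes    # sensitive field encrypted under the data key

def encrypt_record(mk: MasterKey, user_id: str, field: bytes) -> Record:
    dek, aad = secrets.token_bytes(32), user_id.encode()
    # binding the user id as AAD stops a ciphertext being moved between users' records
    return Record(user_id, mk.key_id, aead_encrypt(mk.key, dek, aad), aead_encrypt(dek, field, aad))

def decrypt_record(keys: dict[str, MasterKey], r: Record) -> bytes:
    aad = r.user_id.encode()
    dek = aead_decrypt(keys[r.master_key_id].key, r.wrapped_dek, aad)
    return aead_decrypt(dek, r.ciphertext, aad)

def rotate_master_key(records: list[Record], old: MasterKey, new: MasterKey) -> int:
    """Re-wrap every data key held under `old` with `new`; returns how many records changed."""
    n = 0
    for r in records:
        if r.master_key_id != old.key_id:
            continue
        aad = r.user_id.encode()
        r.wrapped_dek = aead_encrypt(new.key, aead_decrypt(old.key, r.wrapped_dek, aad), aad)
        r.master_key_id, n = new.key_id, n + 1
    return n

def rotation_demo() -> dict:
    """Constructed records: rotate the master key and report what did and did not change."""
    k1 = MasterKey("mk-2013-07", secrets.token_bytes(32))
    k2 = MasterKey("mk-2014-01", secrets.token_bytes(32))
    records = [encrypt_record(k1, "alice", b"alice@example.com"),
               encrypt_record(k1, "bob", b"+1-555-0100")]
    before = [r.ciphertext for r in records]
    rotated = rotate_master_key(records, k1, k2)
    try:                                   # the retired key must no longer unwrap anything
        aead_decrypt(k1.key, records[0].wrapped_dek, b"alice")
        old_key_works = True
    except ValueError:
        old_key_works = False
    return {"rotated": rotated,
            "ciphertext_unchanged": before == [r.ciphertext for r in records],
            "plaintexts": [decrypt_record({k2.key_id: k2}, r) for r in records],
            "old_key_works": old_key_works}

if __name__ == "__main__":
    print(rotation_demo())
```

The record keeps the id of the master key that wraps it, so a rotation can run
incrementally over a large table and a decrypt always knows which key to ask for;
once every record carries the new id, the old master key can be destroyed.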
Diagnostics Manager
The Diagnostics Manager provides you with an automated process of analyzing issues
that may occur during operation of RSA Adaptive Authentication (On-Premise). The
Diagnostics Manager collects data from Adaptive Authentication (On-Premise) for
analysis and ultimate issue resolution by RSA. This information is collected in the
form of a ZIP file that you send to RSA Customer Support for analysis.
Note: The Diagnostics Manager is only for use with the guidance of an RSA
representative.
HealthCheckServlet
The HealthCheckServlet performs an overall system health check and can assess a
database connection status. RSA Adaptive Authentication (On-Premise) usually
initiates the health check but system administrators can use the HealthCheckServlet to
perform a manual check. This tool outputs its results to a log file and an HTML page
that the system administrator can inspect to check for any problems.
6. Educate end users and internal functional teams.
   Role: project manager or training specialist.
   Reference: Product Overview Guide. For a description of each guide in the
   documentation set, see Chapter 4, Documentation Set Overview.
7. Customize the Adaptive Authentication policies to meet business needs, such as
   updating the policies so that 5% of all customers must complete additional
   authentication.
   Role: Back Office user.
   Reference: Back Office User's Guide.
9. Set up Back Office applications for use on an ongoing basis. Customize the
   Adaptive Authentication (On-Premise) configuration to meet business needs
   (updating policies) and reduce intrusion attempts (managing cases).
   Role: Back Office user.
   Reference: Back Office User's Guide.