Synchronization with Active Directory to import all your users makes getting started with the product very easy. In conjunction with software-based tokens and some end user training, you can be up and running with a fresh deployment in a matter of days.
Improvements to My Organization
Primarily deployed as an authentication mechanism for remote access VPN users, it allows a more secure method of connecting to the network. This is especially a must-have when dealing with any regulatory compliance initiatives.
Room for Improvement
When the 7.x release of Authentication Manager came out, the administrative interface and user interface (for self-provision) relied on the same TCP port even though the URLs were slightly different. We did not want the same port which administrators used open to the public internally; we saw that as a security concern in the fundamental way this system operated. We were excited that the self-provision feature was now built into the box but disappointed at the implementation. We hadn’t planned on standing up a separate web server in the DMZ for the purpose of brokering the self-provision process since 99% of our users were onsite, meaning they could get their tokens prior to leaving the office. When I questioned RSA about this matter, their response was to utilize a Web Application Firewall to block access to the specific administrative URL. We thought this was a bit too involved, especially now that we’d need to implement a WAF, so we changed the policy and discontinued the self-provisioning option for users. While consulting on the product, I don’t come across a lot of companies using this feature, so it’s not a deal breaker for most, but it’s certainly a nice-to-have if you would like to offload some of the administrative overhead, as the self-provision feature also allows users to reset their PIN and perform some maintenance tasks.
Use of Solution
I started using this solution while working at IBM Internet Security Systems in 2007 managing client environments. Since then I’ve consulted on the product performing routine maintenance, upgrades, migrations, and administration. This has involved using RSA Authentication Manager 6.x/7.x and RSA SecurID hardware/software authenticators (tokens).
Deployment is very straightforward if this is a first-time install. We did go through several migrations which required some database changes and specific requirements depending on the environment and usage. I highly recommend opening a case with RSA to inform them of your migration so they can assist with any planning and inform you of any potential issues that may arise during the migration.
We typically deployed hardware appliances which are purpose-built, so I haven’t come across any stability issues yet. I could imagine that if you under-spec a virtualized environment, you could run into some performance issues.
The product scales very well. With a limited license you can add an additional replica, or backup appliance, for redundancy. Depending on the licensing you purchase, you could add up to 15 replicas. We typically see anywhere from 1 to 8 replicas depending on customer requirements and their geographic locations.
Customer Service and Technical Support
I typically dealt with the regional account manager from RSA, so customer service was always exceptional. If we needed to call the regular customer support number for administrative tasks on the account, they were always helpful and resolved our cases within a few days.
Technical Support
I also highly recommend purchasing an upgraded technical support package. Our dealings with technical support have always been great due to the fact that we can bypass the typical tier 1 level and get straight to the teams who have the deeper level of expertise. In certain cases, such as dealing with complex migrations, I always dealt with the same person who was very well versed in the products and could tell exactly what was going on without having to “get back to me” or “check with their peers on this one”.
Included with the hardware appliances are straightforward setup instructions for racking, powering on, and initially setting them up. RSA also provides plenty of in-depth documentation, administrative guides, and knowledgebase articles right on their support website. If the information I needed wasn’t in the admin docs, I found 90% of the answers in the knowledgebase.
I’ve implemented the technology myself as a customer and vendor. As a customer, it was easy enough to follow the standard administrative documents to get up and running. As a consultant (vendor), having had the prior experience made it easy to provide product demonstrations and answer questions.
Other Solutions Considered
Typically RSA was the incumbent and most of the time the decision was made to just stay with their products due to the initial investment. I have looked into other products and the one which came closest was Vasco’s IDENTIKEY line. Vasco had a more intuitive workflow upon the initial setup and overall administration. There was a lot less digging around in admin docs and knowledgebase articles to find answers because the layout seemed a bit more straightforward.
Reach out to a Value Added Reseller (VAR) with plenty of experience who can match your requirements with the best solution. If RSA ends up being your selection, I would recommend subscribing to a premium support option because not only will you get a faster response from them, the quality of support is much greater.