Cloud Access Service Overview
Cloud Access Service (CAS) is an access and authentication platform with a hybrid cloud architecture. CAS enables your company to control how users access resources with centralized access and authentication policies and can accelerate user productivity with single sign-on (SSO).
CAS helps protect SaaS and on-premises web applications, third-party SSO solutions, and on-premises resources that support RADIUS. CAS includes transparent and interactive authentication methods for multifactor identity assurance. These methods include biometric methods such as fingerprint verification, hardware devices such as SecurID OTP credential and FIDO authenticators, and context-based authentication using factors such as the user's location and network. Confidence in a user's identity can also be established through risk analytics, based on user characteristics such as past behavior, authenticators previously used for authentication, and other factors.
The following graphic illustrates how CAS works.
Note: The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your Authentication Manager server.
Benefits
CAS provides the following key benefits:
Integration with RSA Authentication Manager 8.x to extend your RSA deployment by making additional authentication methods available to protect AM resources.
Convenient multifactor authentication (MFA) that leverages capabilities built into devices through the RSA Authenticator app.
Centralized access control policies that consistently enforce different security requirements for applications based on assurance levels.
Support of relying parties, RADIUS-capable devices, SAML and non-SAML applications, OpenID Connect (OIDC) applications, and SaaS and on-premises web applications for MFA.
SSO with out-of-the-box connectivity to popular applications.
Single point of access to protected applications with the application portal.
LDAP directory server user passwords stay on-premises and are not synchronized to CAS.
RSA Authentication API, a REST-based programming interface that allows you to develop clients that process multifactor, multistep authentications through Authentication Manager and CAS. The interface definition can be integrated with any programming language. For instructions, see the RSA Authentication API Developer's Guide.
RSA Cloud Administration REST APIs, web service interfaces you can use to create clients that perform administrative operations. These operations include importing audit log events into your security information and event management (SIEM) solution, retrieving event logs from the Cloud Administration Service, and performing certain Help Desk functions. For instructions, see Accessing the Cloud Administration APIs.
CAS Components
CAS deployment consists of four main components: CAS (which is both the name of the managed server and the name for the set of components), the Identity Router®, the Cloud Administration Console, and the RSA Authenticator app installed on user devices.
Note: The identity router can be deployed on-premises, in the Amazon Web Services cloud, or on your Authentication Manager server.
CAS
CAS performs run-time authentication for the protected resources. CAS also allows RSA to modify and improve authentication capabilities.
CAS runs on Microsoft Azure, a cloud computing platform that is hosted through a global network of Microsoft data centers. RSA uses a multi-tenant database in an environment that shares infrastructure while segregating customer data to ensure privacy. Service levels and operational procedures are standardized for all customers due to the shared nature of the platform.
Identity Router®
The identity router is a virtual appliance that communicates with the following components.
| Component | Purpose |
|---|---|
| CAS | CAS enforces access policies, which determine which applications users can access, when additional authentication is needed, and which authentication methods are required. For example, a policy might allow only your sales team to access an application with sensitive customer information. Access policies are based on session information, such as IP addresses (for example, within a corporate network or not). |
| Identity sources | Identity routers connect to identity sources in real-time and synchronize a limited subset of user data to CAS. A minimum amount of user data is required to register authenticators. LDAP directory server user passwords are never synchronized and remain secure on your directory server. |
| Authentication Manager | Authentication Manager enables users to authenticate with SecurID OTP credentials or the RSA Authenticator app from all access points controlled by AM. For integration instructions, see Select an Integration Path for RSA Authentication Manager with the Cloud Access Service. |
The identity router can be installed on the following platforms:
On VMware or Hyper-V virtual appliances on-premises within your network.
Amazon Web Services cloud (in a subnet)
Authentication Manager 8.5 or later
All platforms support RADIUS and single sign-on (SSO) in CAS, except for Authentication Manager 8.5 and later. For details about supported platforms and services, see Identity Router.
Cloud Administration Console
CAS component contains a hosted, multi-tenant Cloud Administration Console that Super Admins use to perform setup and daily management tasks. Super Admins and Help Desk administrators both use the console to troubleshoot user issues. This is a partial list of tasks that can be performed using the console:
- Configure your company domain and certificates, if necessary.
- Add and manage identity routers.
- Add identity sources so the identity router can verify user attributes to allow or deny access to resources.
- Add resources, such as relying parties, RADIUS clients, and applications.
- Configure assurance levels that can be used by protected resources.
- Configure access policies to determine user access to protected resources.
- Configure the RSA Application Portal.
- Troubleshoot user issues with the Event Monitor.
- Unlock OTP for users.
- Manage user authenticators and known browsers.
RSA Authenticator App
RSA My Page helps provide a secure way for users to complete registration with the RSA Authenticator app, using MFA and QR or numeric registration codes. My Page guides users through registration, including downloading the app from the Apple App Store, Google Play, or Microsoft Store. The administrator provides users with the My Page URL. After successful registration, users can complete authentication for applications that require it.
Concept Information
