
Secure Skype for Business

Secure Skype for Business. V6.9. http://AGATSoftware.com. Security Challenges. Connecting external devices through Skype for Business to the corporate network raises security risks related to Authentication, Network and Content breaches.





Presentation Transcript


  1. Secure Skype for Business V6.9 http://AGATSoftware.com

  2. Security Challenges. Connecting external devices through Skype for Business to the corporate network raises security risks related to authentication, network and content breaches. SphereShield (formerly SkypeShield) is AGAT's security solution for these issues.

  3. End-to-End Security Assurance
     Secure Authentication • Simple and secure TFA using the device as the second factor • Protects SfB and Exchange EWS
     Device Access Control • Manage which devices can connect, using a device enrolment process
     Network Account Lockout Protection • Prevent account lockouts caused by DoS/DDoS attacks arriving through the multiple Unified Communication channels and methods

  4. End-to-End Security Assurance
     MDM Conditional Access • Verify that only devices managed by MDM and compliant with the security policy can connect
     Credential Protection • Prevent network password theft by using app-specific credentials instead of domain credentials
     Ethical Wall (functional control) • Granular policy for all activities (IM, file sharing, presence, etc.), controlling both external (federation) and internal traffic

  5. End-to-End Security Assurance
     Application Firewall • Sanitize and validate all anonymous traffic requests in the DMZ before they enter the network
     DLP (Content Inspection) • Inspect content passing through Skype for Business against DLP (Data Loss Prevention) policy rules
     RSA Integration • Use an RSA authentication code instead of the domain password

  6. End-to-End Security Assurance
     Disclaimer • Display disclaimers to internal and external users based on domain
     eDiscovery • Advanced search, export and modify dashboard for the Skype for Business archiving DB
     Risk Engine • Define geolocation (geofencing) rules • Display a live map of connections • Profile user behaviour and raise security alert events

  7. Features in depth

  8. Secure Authentication/TFA • Blocks any request reaching the internal servers unless it comes from an approved device • Matches device to user based on the endpoint ID sent by the client • Several registration/enrolment options are available to enforce the access control policy • Protects both Skype for Business and Exchange (EWS)

  9. Two Step Registration

  10. Device Access Control • Three enrolment options:
     Admin Manual Enrolment • The admin manages the user list using training mode and the rejected-device auditing list
     Self-Service / Two-Step Registration • Registration on an internal site, followed by an additional sync within a defined time frame to complete the registration
     Automatic Registration • The device ID is registered upon first use of the account

  11. MDM Integration
     MDM Conditional Registration • Limit registration to managed devices only (devices under MDM) • Supported with all MDM vendors on the market
     MDM Conditional Access • Ongoing validation that the device is still managed and has not become Out Of Compliance (OOC) as defined by the MDM vendor • Supported with leading vendors

  12. MDM Conditional Registration • SkypeShield can limit the registration of SfB to managed devices only (devices under MDM) • Compatible with any MDM solution supporting one of the following capabilities: Wi-Fi access control; application management (MAM); VPN triggering/control • Compatible with all MDM vendors on the market

  13. MDM Registration Using Wi-Fi

  14. MDM Registration Using the SkypeShield App

  15. MDM Registration Using VPN

  16. MDM Conditional Access • Automatically and immediately block SfB access for devices that have become Out Of Compliance or have been removed from MDM control • Available for: MobileIron, VMware AirWatch, IBM MaaS360, Citrix XenMobile, BlackBerry UEM and Good, Microsoft Intune

  17. MDM Continuous Verification Topology

  18. Secure Authentication

  19. Architecture - Bastion Reverse Proxy • The SphereShield solution includes Bastion, a dedicated reverse proxy developed by AGAT • It can be deployed alongside generic products such as F5, NetScaler, Barracuda, Kemp and others • Typically traffic is routed through Bastion • A specific integration is available for F5 BIG-IP

  20. TFA + Access Control - Main features • View approved and blocked devices • Restrict registration and ongoing connection by IP range • Access rules (black/white list) • Filter by device type and OS • Allow/block web app login • Define the number of devices per user • Require re-authentication after a set time (session termination) • Disable "save password" on the client • Registration policy (two-step / manual / automatic)

  21. General Capabilities • Multi-LDAP support (for HA and distributed implementations) • Multi-level admin management • Web service for external events to lock/approve a device or user • Housekeeping service: AD sync, cleanup, notifications • Auditing, logs, event viewer • Reports and search

  22. Access Portal - Reports: Authentication, Devices, Failed logins, Security Auditing

  23. Network Account Lockout Protection
     The challenge • Multi-protocol: HTTPS/SIP • Multi-method: Basic, NTLM, SOAP • Multi-channel: sign-in, meeting, Web API, Exchange • Multi-location: APAC, EMEA and USA
     Account lockout occurs when • Network attacks: DDoS, DoS and brute-force attacks, which can result in network downtime • Password change: the user changed the Active Directory password but did not update the settings on the device • Username hack: the username (without the password) was discovered by an attacker who tried to log in several times

  24. Network Account Lockout Protection • All failed logins are audited • Soft lockout is activated in the DMZ when an attack is detected • Unified defence: one solution protecting all protocols, methods and channels • Device pre-authentication: only authentication requests coming from registered devices reach Active Directory
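As an added example (this is not AGAT's code and does not describe SphereShield's implementation), the Python below sketches the two DMZ-side checks that slides 10, 23 and 24 describe: device pre-authentication under the manual, two-step and automatic enrolment policies, and a soft lockout that stops forwarding a user's login attempts to Active Directory before the domain lockout threshold can be reached. The thresholds, the `Gate` class and the `password_ok` flag standing in for AD's verdict are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

AD_LOCKOUT_THRESHOLD = 5    # assumed domain policy: 5 bad passwords lock the AD account
SOFT_LOCKOUT_AT = 3         # the DMZ stops forwarding well below the AD threshold
SOFT_LOCKOUT_SECONDS = 300  # assumed DMZ cool-down window; keep it shorter than AD's


@dataclass
class Gate:
    """DMZ pre-authentication gate. `policy` is "manual", "two_step" or "automatic"."""
    policy: str
    approved: dict = field(default_factory=dict)      # user -> {device_id}
    pending: dict = field(default_factory=dict)       # user -> {device_id} awaiting step 2
    failures: dict = field(default_factory=dict)      # user -> [failure timestamps]
    ad_forwarded: dict = field(default_factory=dict)  # user -> requests that reached AD
    audit: list = field(default_factory=list)         # (time, user, device, outcome)

    def admin_approve(self, user, device_id):
        """Manual enrolment by the administrator."""
        self.approved.setdefault(user, set()).add(device_id)

    def confirm_two_step(self, user, device_id):
        """Step 2 of two-step registration: confirmation from the internal site."""
        if device_id in self.pending.get(user, set()):
            self.pending[user].discard(device_id)
            self.admin_approve(user, device_id)

    def _recent_failures(self, user, now):
        recent = [t for t in self.failures.get(user, []) if now - t < SOFT_LOCKOUT_SECONDS]
        self.failures[user] = recent
        return len(recent)

    def _record(self, now, user, device_id, outcome):
        self.audit.append((now, user, device_id, outcome))
        return outcome

    def login(self, user, device_id, password_ok, now=None):
        """Decide one login attempt; `password_ok` stands in for the verdict AD would give."""
        now = time.time() if now is None else now
        enrolled = device_id in self.approved.get(user, set())
        # Automatic policy: the first device the account is used from gets enrolled,
        # but only once AD accepts the password, never on a failed attempt.
        first_use = self.policy == "automatic" and not self.approved.get(user)
        if not enrolled and not first_use:
            if self.policy == "two_step":
                self.pending.setdefault(user, set()).add(device_id)
            return self._record(now, user, device_id, "blocked_unregistered_device")
        if self._recent_failures(user, now) >= SOFT_LOCKOUT_AT:
            return self._record(now, user, device_id, "soft_lockout")
        # Only now does the request reach Active Directory.
        self.ad_forwarded[user] = self.ad_forwarded.get(user, 0) + 1
        if not password_ok:
            self.failures.setdefault(user, []).append(now)
            return self._record(now, user, device_id, "bad_password")
        self.failures[user] = []
        if first_use:
            self.admin_approve(user, device_id)
        return self._record(now, user, device_id, "ok")
```

Three caveats a practitioner would want to keep in mind. The automatic policy is trust-on-first-use: an attacker who already holds the password of an account that has never been used from a device enrols their own device, so that mode belongs behind MDM-conditional registration or a two-step confirmation. The endpoint ID is supplied by the client, so device pre-authentication limits exposure rather than proving the device unless the identifier is tied to something the client cannot forge (an MDM-issued identity or a certificate). And the soft-lockout window has to be shorter than the AD lockout observation window, otherwise legitimate users are simply locked out one hop earlier.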

  25. Application Firewall - Security layers • Protocol-level sanitization • Application data validation (meeting ID) • Session termination and request rewriting • Solves the security risk of anonymous traffic entering the network without inspection

  26. Ethical Wall • Addresses ethical-wall and compliance regulations, security and data-protection requirements by controlling both • Federation with external companies • Internal communication between different groups

  27. Sample policy (External Domain A and the company domain)
     Bob (Group A): Chat, File transfer
     Alice (Group B): Chat, File transfer
     All other groups: Block all communication

  28. Ethical Wall - Federation & Internal Policy (diagram labels: Condition, Policy, Rule)

  29. Ethical wall rules

  30. Ethical Wall dimensions
     Build rules based on • Active Directory groups • External/internal domain • External/internal SIP address • In contact list
     Control specific modalities • Presence • IM • File transfer • Contact card • App sharing • PowerPoint sharing • Present program • Present desktop • Audio • Video • Conferencing

  31. Ethical Wall - notification • IM notification to the user about Ethical Wall activity/policy • Activity auditing: table, logs and admin e-mail notifications • Example notifications: "External user is unable to reach you", "External user unable to see your presence", "User blocked from a specific operation"

  32. Ethical Wall Topology • The optional connections are required only when internal communication needs to be controlled
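As an added example (not AGAT's code; SphereShield's rule engine is not shown on these slides), the following Python implements the kind of rule set slides 27, 30 and 31 describe: conditions on Active Directory groups, external/internal domain, SIP address and contact list; a per-rule set of permitted modalities; first-match evaluation with a closing "block all" rule; and the notification text from slide 31. The company domain, the partner domain, the directory, the contact lists and the policy itself are constructed for the example, and the policy only loosely follows the sample on slide 27.

```python
from dataclasses import dataclass, field

COMPANY_DOMAIN = "contoso.example"        # assumed company domain
EXTERNAL_DOMAIN_A = "partner-a.example"   # assumed "External Domain A"

# Constructed directory: internal SIP address -> AD groups
DIRECTORY = {
    "bob@contoso.example": {"Group A"},
    "alice@contoso.example": {"Group B"},
    "carl@contoso.example": {"Group C"},
}
# Constructed contact lists: user -> SIP addresses in the user's contact list
CONTACT_LISTS = {"bob@contoso.example": {"vendor@partner-a.example"}}


def domain_of(sip):
    return sip.rsplit("@", 1)[-1].lower()


def is_internal(sip):
    return domain_of(sip) == COMPANY_DOMAIN


@dataclass
class Rule:
    name: str
    allow: set                                      # modalities permitted when the rule matches
    user_groups: set = field(default_factory=set)   # any of these AD groups on the user side
    peer_groups: set = field(default_factory=set)   # any of these AD groups on an internal peer
    peer_scope: str = "any"                         # "any" | "internal" | "external"
    peer_domains: set = field(default_factory=set)  # specific federated domains
    peer_sips: set = field(default_factory=set)     # specific peer SIP addresses
    require_contact: bool = False                   # peer must be in the user's contact list

    def matches(self, user, peer):
        if self.user_groups and not (DIRECTORY.get(user, set()) & self.user_groups):
            return False
        if self.peer_groups and not (DIRECTORY.get(peer, set()) & self.peer_groups):
            return False
        if self.peer_scope == "internal" and not is_internal(peer):
            return False
        if self.peer_scope == "external" and is_internal(peer):
            return False
        if self.peer_domains and domain_of(peer) not in self.peer_domains:
            return False
        if self.peer_sips and peer.lower() not in self.peer_sips:
            return False
        if self.require_contact and peer not in CONTACT_LISTS.get(user, set()):
            return False
        return True


# Constructed policy: first match wins, and the last rule blocks everyone else.
POLICY = [
    Rule("Group A <-> External Domain A (contacts only)", {"im", "file_transfer", "presence"},
         user_groups={"Group A"}, peer_domains={EXTERNAL_DOMAIN_A}, require_contact=True),
    Rule("Group B <-> External Domain A (chat only)", {"im", "presence"},
         user_groups={"Group B"}, peer_domains={EXTERNAL_DOMAIN_A}),
    Rule("Wall: Group A may not share files with Group C", {"im", "presence", "audio", "video"},
         user_groups={"Group A"}, peer_groups={"Group C"}),
    Rule("Internal traffic", {"im", "presence", "file_transfer", "audio", "video",
                              "app_sharing", "desktop_sharing", "conferencing"},
         peer_scope="internal"),
    Rule("Block all other communication", set()),
]


def _evaluate(user, peer, modality, policy):
    for rule in policy:
        if rule.matches(user, peer):
            return modality in rule.allow, rule.name
    return False, "default"   # no rule matched: deny


def check(user, peer, modality, policy=POLICY):
    """Return (allowed, rule_name, notification). Internal pairs are evaluated in both
    directions so a wall between two groups holds whichever side initiates."""
    allowed, rule = _evaluate(user, peer, modality, policy)
    if allowed and is_internal(user) and is_internal(peer):
        allowed, rule = _evaluate(peer, user, modality, policy)
    if allowed:
        return True, rule, ""
    if not is_internal(peer) and modality == "presence":
        msg = "External user unable to see your presence"
    elif not is_internal(peer) and modality == "im":
        msg = "External user is unable to reach you"
    else:
        msg = f"User blocked from a specific operation: {modality} with {peer}"
    return False, rule, msg
```

The two-direction check matters in practice: with a single-direction evaluation, Carl (Group C) could push a file to Bob (Group A) through the permissive internal rule even though Bob is walled off from sending one to Carl.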

  33. DLP Engine • Server-side solution inspecting content passing through any channel

  34. DLP Engine • Content policy rules based on content such as credit card numbers, ID numbers and Social Security numbers • Actions: Block, Mask, Notify • Group-membership-based rules • Commercial DLP integration with Symantec, Websense and any DLP engine exposing a standard ICAP interface
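As an added example (not AGAT's code, and not how SphereShield's DLP engine or its ICAP integration is built), the following Python shows a content-inspection step of the shape slide 34 describes: detectors for credit card numbers (Luhn-validated to cut false positives) and US Social Security numbers, rules that select Block, Mask or Notify by the sender's group membership, and a most-severe-action-wins decision. The group directory, the policy and the message texts are constructed for the example; a production engine would also cover the vendor's "ID numbers" category and hand the text to the external DLP over ICAP, neither of which is shown here.

```python
import re
from dataclasses import dataclass

# Constructed directory: sender -> AD groups (stands in for an AD lookup)
GROUPS = {
    "bob@contoso.example": {"Finance"},
    "hr@contoso.example": {"HR"},
    "alice@contoso.example": {"Sales"},
}


def luhn_ok(digits):
    """Luhn checksum, so a random run of digits is not reported as a card number."""
    total, double = 0, False
    for ch in reversed(digits):
        n = int(ch)
        if double:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
        double = not double
    return total % 10 == 0


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_cards(text):
    return [m for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


DETECTORS = {
    "credit_card": find_cards,
    "ssn": lambda text: list(SSN_RE.finditer(text)),
}


def mask_value(value):
    """Keep the last four characters, replace every other digit with '*'."""
    return re.sub(r"\d", "*", value[:-4]) + value[-4:]


@dataclass
class DlpRule:
    detector: str
    action: str          # "block" | "mask" | "notify"
    groups: set = None   # None: applies to every sender


# Constructed policy. For each detector, the first rule whose group condition the
# sender satisfies is the one that applies.
POLICY = [
    DlpRule("credit_card", "mask", groups={"Finance"}),
    DlpRule("credit_card", "block"),
    DlpRule("ssn", "notify", groups={"HR"}),
    DlpRule("ssn", "block"),
]

SEVERITY = {"allow": 0, "notify": 1, "mask": 2, "block": 3}


def inspect(sender, text, policy=POLICY):
    """Return (action, text_to_deliver, findings); the most severe action wins."""
    action, delivered, findings, decided = "allow", text, [], set()
    for rule in policy:
        if rule.detector in decided:
            continue
        if rule.groups is not None and not (GROUPS.get(sender, set()) & rule.groups):
            continue
        decided.add(rule.detector)
        matches = DETECTORS[rule.detector](text)
        if not matches:
            continue
        findings.append((rule.detector, rule.action, len(matches)))
        if SEVERITY[rule.action] > SEVERITY[action]:
            action = rule.action
        if rule.action == "mask":
            for m in matches:
                delivered = delivered.replace(m.group(), mask_value(m.group()))
    if action == "block":
        delivered = ""   # nothing leaves the gateway; the sender gets the notification instead
    return action, delivered, findings
```

Inspection has to run on the decoded message body after the proxy has terminated the session; a pattern like `CARD_RE` does nothing against content that arrives compressed, encoded or inside a file transfer unless those are unpacked first, which is the channel the slide's "any channel" claim has to cover.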

  35. DLP Notification Sample

  36. Active Directory Credential Protection • A new approach to protecting Active Directory credentials • Connect using app-dedicated Skype credentials • Eliminates the risk of domain password theft • No Active Directory passwords are stored on the server or the device • One set of app credentials serves both Exchange and Skype

  37. Active Directory App Login • A dedicated Skype credential is created on a self-service internal web site for use on the device, instead of the Active Directory credentials
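As an added example (not AGAT's code; the slides do not show how SkypeShield stores or checks app credentials), the following Python illustrates the property slides 36 and 37 claim: an app-dedicated password is issued on the internal site after the user has authenticated there, only a salted PBKDF2 hash of it is kept, and the Active Directory password never reaches the store. The class name, the work factor and the `stores_secret` helper are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 210_000   # assumed work factor; raise it to match current guidance


class AppCredentialStore:
    """Dedicated per-app passwords bound to an AD account (illustration only).

    The AD password is never presented here: the user proves identity on the
    internal self-service site (AD login or smart card), receives an app password,
    and only a salted hash of that app password is retained.
    """

    def __init__(self):
        # (ad_user, label) -> {"salt": bytes, "hash": bytes, "revoked": bool}
        self._records = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def issue(self, ad_user, label):
        """Create an app password for one device/label; the plaintext is returned once."""
        password = secrets.token_urlsafe(18)   # ~144 bits of entropy, not user-chosen
        salt = os.urandom(16)
        self._records[(ad_user, label)] = {
            "salt": salt, "hash": self._hash(password, salt), "revoked": False,
        }
        return password

    def revoke(self, ad_user, label):
        """Disable one device's credential without touching the AD account."""
        rec = self._records.get((ad_user, label))
        if rec:
            rec["revoked"] = True

    def verify(self, ad_user, password):
        """Return the label of the matching live credential, or None.

        Every live credential of the user is tried, so the same check serves the
        Skype path and the Exchange (EWS) path with one app credential.
        """
        for (user, label), rec in self._records.items():
            if user != ad_user or rec["revoked"]:
                continue
            if hmac.compare_digest(self._hash(password, rec["salt"]), rec["hash"]):
                return label
        return None

    def stores_secret(self, secret):
        """True if the plaintext secret appears anywhere in the persisted records."""
        return secret in repr(self._records)
```

The gateway that accepts the app password still has to act towards the Skype and Exchange servers on the user's behalf, so the credential or key it uses for that impersonation becomes the high-value secret and needs the same protection the slides promise for the domain password.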

  38. SkypeShield Credentials Architecture

  39. Mobile Smart Card Solution • Network login without an Active Directory username and password • With the dedicated login solution: the user logs into the Access Portal; authenticates to the network computer using a smart card; creates a dedicated password for use on the device

  40. RSA Integration • Strong TFA • Avoids using domain credentials • Users enter their RSA token authentication code instead of the Active Directory password • SkypeShield verifies the code against RSA Authentication Manager and impersonates the user towards Skype

  41. Disclaimer rules • Set disclaimers for internal and external (federated or guest) users based on domain

  42. Disclaimer types
     Internal User Client • Presented to the internal user in the SfB client every time a new conversation or conference starts
     Invite To External Conference • Sent as an IM to the internal user when invited to an external conference
     IM Conference • Sent as an IM once a user has joined the conference
     IM Conversation • Included with the first IM message sent while the communication is a one-on-one conversation

  43. eDiscovery • Advanced search by text, user, dates and more • Meets compliance and GDPR requirements • Search for personal information • Delete personal information • Data governance • Export user data

  44. eDiscovery

  45. Risk engine – geo location map

  46. SphereShield CASB Road Map

  47. Targeted Services • Skype for Business on premises • Skype for Business Online • Microsoft Teams • Office 365 (Exchange, OneDrive, SharePoint) • Cisco Webex Teams (Spark) • Slack • Google Hangouts Meet
     Status legend: Released / Release end 2018 / Release by beginning 2019

  48. SphereShield CASB - Unique for online Unified Communication services • Main features: inline DLP, online Ethical Wall, inline anti-malware/antivirus, eDiscovery, Risk Engine, MDM conditional access, disclaimers • Based on reverse and forward proxy • Additional capabilities via cloud API • On premises or SaaS

  49. Topology

  50. SphereShield for Office • Inline inspection for Teams and Skype • Data-at-rest inspection via API for Exchange, OneDrive, SharePoint, Teams and Skype • Offered as a service • Each customer has dedicated machines
