SphereShield for Skype for Business is a solution designed to help companies deal with access control, compliance and threat protection issues when deploying Skype for Business.
3. Targeted Services
• Skype for Business on premises
• Skype for Business online (conditional access only)
• Microsoft Teams
• Office 365 - Exchange, OneDrive, SharePoint
• Cisco Webex Teams (Spark)
• Slack
• Zoom
• RingCentral
Legend: Released / Release Q4, 2019 / Release Q1, 2020
4. SphereShield security features
Secure Authentication
Simple and secure TFA based on the device as second factor. Protects SfB and Exchange EWS.
Network Account Lockout Protection
Prevents account lockout issues caused by DDoS attacks arriving through multiple UC channels.
Device Access Control
Manage which devices can connect using a device enrolment process.
5. SphereShield security features
MDM Conditional Access
Verify that only devices managed by MDM and compliant with security policy can connect.
Ethical Wall Functional Control
Granular policy for all activities (IM, file sharing, presence etc.) controlling external (federation) and internal traffic.
Credential Protection
Prevent network password theft by using app-specific credentials instead of domain credentials.
6. SphereShield security features
Application Firewall
Sanitize and validate all anonymous traffic requests in the DMZ before they enter the network.
RSA Integration
Use an RSA authentication code instead of the domain password.
DLP Content Inspection
Inspect content passing through Skype for Business against DLP (Data Loss Prevention) policy rules.
7. SphereShield security features
Disclaimer
Display disclaimers for internal and external users based on domains.
Risk Engine
Define geo-location (geo-fencing) rules. Display a live map of connections. Profile user behaviour and create security alert events.
eDiscovery
Advanced search, export and modify dashboard for the Skype for Business archiving DB.
9. Secure Authentication/TFA
Blocks any request received by network servers unless it comes from an approved device.
Matches device and user based on the endpoint ID sent by the client.
Several registration/enrolment options are available to enforce the access control policy.
Protects both Skype for Business and Exchange (EWS).
10. Device Access Control
There are three enrollment options:
Automatic Registration
The device ID is registered upon first use of the account.
Admin Manual Enrollment
Admin management of the user list using training mode and a rejected auditing list.
Self Service/Two Step Registration
Internal site registration plus an additional sync within a defined time frame to complete registration.
11. MDM Integration
MDM Conditional Registration
Limit registration to managed devices (with MDM) only. Supported with all MDM vendors in the market.
MDM Conditional Access
Ongoing validation that the device is managed and has not become Out Of Compliance (OOC) as defined by the MDM vendor. Supported with leading vendors.
12. MDM Conditional Registration
SphereShield can limit the registration of SfB to managed devices only.
Compatible with any MDM solution supporting one of the following capabilities:
• WiFi access control
• Application management (MAM)
• VPN triggering/control
Compatible with all MDM vendors in the market.
16. MDM Conditional Access
Automatically and immediately block SfB access for devices that:
• Have become Out Of Compliance
• Were removed from MDM control
Available for:
19. Architecture - Bastion Reverse Proxy
The SphereShield solution includes Bastion, a dedicated reverse proxy developed by AGAT.
It can be implemented in conjunction with generic products such as F5, NetScaler, Barracuda, Kemp and more.
Typically traffic is routed through to Bastion.
Specific integration is available for F5 BIG-IP.
21. TFA + Access Control Main Features
• View approved and blocked devices
• Restrict registration and ongoing connection by IP range
• Access rule black/white list
• Define number of devices per user
• Allow/block web app login
• Filter by device type and OS
• Require re-authentication by time - session termination
• Disable save password on client
• Registration policy (two steps/manual/automatic)
22. General Capabilities
• Multi-LDAP support (for HA and distributed implementation)
• Support for multi-level admin management
• Web service for external events to lock/approve a device/user
• Housekeeping service - AD sync, cleanup, notification
• Auditing, logs, event viewer
• Reports and search
24. Network Account Lockout Protection
Account lockout occurs when:
Password Change
The user changed the Active Directory password but did not change the settings on the device.
Username Hack
The username (without the password) was discovered by a hacker who tried to log in several times.
Network Attacks
DDoS, DoS and brute force attacks - such attacks can result in network downtime.
The challenge:
• Multi protocol – HTTPS/SIP
• Multi method – Basic, NTLM, SOAP
• Multi channel – Sign in, Meeting, Web API, Exchange
• Multi location – APAC, EMEA and USA
25. Network Account Lockout Protection
All failed logins are audited.
Soft lockout is activated in the DMZ when an attack is detected.
Unified defense
Solution protecting all protocols, methods and channels.
Device pre-authentication
Only authentication requests coming from registered devices reach the Active Directory.
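The device pre-authentication gate described above, as an added example written for this page (not AGAT's code): a toy edge gate in front of the directory lets only enrolled (user, device ID) pairs through, counts unregistered attempts across channels, audits every refusal, and activates a soft lockout at the edge so the Active Directory account itself is never locked. The threshold, user names, device IDs and channel labels are constructed.

```python
# Added illustration, not SphereShield code: the device pre-authentication gate
# forwards a request to the directory only when the client's device ID is enrolled.
from collections import defaultdict
from dataclasses import dataclass, field

SOFT_LOCKOUT_THRESHOLD = 3  # constructed value; a real policy is configurable

@dataclass
class AuthRequest:
    user: str
    device_id: str   # endpoint ID sent by the client
    channel: str     # constructed labels: "sip", "ews", "webapi"

@dataclass
class EdgeGate:
    enrolled: dict                                # user -> set of approved device IDs
    threshold: int = SOFT_LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=lambda: defaultdict(int))
    soft_locked: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # every refused attempt is logged
    directory_calls: int = 0                      # how often the directory was reached

    def _log(self, req, outcome):
        self.audit.append((req.user, req.device_id, req.channel, outcome))

    def check(self, req):
        """Return "forward" when the request may go to the directory, else the refusal reason."""
        if req.user in self.soft_locked:
            self._log(req, "soft_locked")         # attack in progress: refuse at the edge
            return "soft_locked"
        if req.device_id not in self.enrolled.get(req.user, set()):
            # Unregistered device: the directory never sees this attempt, so the AD
            # bad-password counter is untouched regardless of protocol or channel.
            self.failures[req.user] += 1
            self._log(req, "unregistered_device")
            if self.failures[req.user] >= self.threshold:
                self.soft_locked.add(req.user)    # soft lockout in the DMZ, not in AD
                self._log(req, "soft_lockout_activated")
            return "unregistered_device"
        self.directory_calls += 1                 # only now does AD authenticate
        return "forward"

def demo():
    """Constructed scenario: one enrolled device, then a burst from an unknown device."""
    gate = EdgeGate(enrolled={"alice": {"dev-1"}})
    results = [gate.check(AuthRequest("alice", "dev-1", "sip"))]
    for channel in ("sip", "ews", "webapi"):      # attempts spread over channels
        results.append(gate.check(AuthRequest("alice", "dev-9", channel)))
    results.append(gate.check(AuthRequest("alice", "dev-1", "sip")))  # held back while locked
    return results, gate.directory_calls, len(gate.audit), "alice" in gate.soft_locked
```

The soft lockout holds back even the enrolled device for the duration, which is the trade-off the slide accepts: a temporary edge-side block instead of a directory account lockout that would affect every channel.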
26. Application Firewall
Solves security risks from anonymous traffic entering the network without inspection.
Security layers:
1. Protocol level sanitization
2. Application data validation (meeting ID)
3. Session termination and request rewrite
27. Ethical Wall
Solves ethical and compliance regulation, security and data protection issues by controlling both:
• Federation with external companies
• Internal communication between different groups
32. Ethical Wall dimensions
Control specific modalities:
• Audio
• Video
• Conferencing
• Present desktop
• Present program
• Presence
• IM
• File transfer
• Contact card
• App sharing
• PowerPoint sharing
Build rules based on:
• Active Directory groups
• External/internal domain
• External/internal SIP
• In contact list
33. Ethical Wall - Notification
IM user notification of Ethical Wall activity/policy.
Activity auditing registration - table, logs and admin email notifications.
Notifications shown to users:
• User blocked from a specific operation
• External user is unable to reach you
• External user unable to see your presence
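As an added example that is not part of the original deck, a toy evaluator for Ethical Wall rules built from the dimensions on slide 32 (modality, Active Directory group, external/internal domain, contact list) that also produces the user notification described above. The internal domain, groups, SIP addresses and the policy itself are constructed.

```python
# Added illustration, not SphereShield code: evaluates Ethical Wall rules over the
# dimensions listed above (modality, AD group, external/internal domain, contact list).
from dataclasses import dataclass

INTERNAL_DOMAIN = "corp.example"  # constructed

@dataclass(frozen=True)
class Party:
    sip: str
    groups: frozenset = frozenset()    # Active Directory group names
    contacts: frozenset = frozenset()  # SIP addresses in this user's contact list

    @property
    def external(self):
        return self.sip.split("@", 1)[1].lower() != INTERNAL_DOMAIN

@dataclass(frozen=True)
class Rule:
    name: str
    modalities: frozenset                   # activities the rule covers, e.g. "file_transfer"
    sender_groups: frozenset = frozenset()  # empty = applies to any group
    external_only: bool = False             # fire only when the peer is federated (external)
    unless_in_contacts: bool = False        # do not fire when the peer is a saved contact
    action: str = "block"

    def matches(self, sender, peer, modality):
        if modality not in self.modalities:
            return False
        if self.sender_groups and not (sender.groups & self.sender_groups):
            return False
        if self.external_only and not peer.external:
            return False
        if self.unless_in_contacts and peer.sip in sender.contacts:
            return False
        return True

def evaluate(rules, sender, peer, modality):
    """First matching rule wins; default is allow. Returns (decision, IM notification)."""
    for rule in rules:
        if rule.matches(sender, peer, modality):
            note = f"{sender.sip} blocked from {modality} with {peer.sip} by policy '{rule.name}'"
            return rule.action, note
    return "allow", None

# Constructed policy: trading staff may not share files or desktops with external
# parties, and IM to an external peer who is not a saved contact is blocked for everyone.
POLICY = (
    Rule("trading-external-sharing", frozenset({"file_transfer", "present_desktop"}),
         sender_groups=frozenset({"Trading"}), external_only=True),
    Rule("unknown-external-im", frozenset({"im"}), external_only=True, unless_in_contacts=True),
)
```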
35. DLP Engine
Server-side solution inspecting content passing through any channel.
Sends messages and files to existing DLP vendors or to the SphereShield DLP engine to meet existing policies.
36. SphereShield DLP Engine
Actions
Block, Mask, Notify
Group membership based rules
Content policy rules
Based on content such as credit card numbers, ID numbers, profanity and more.
Commercial DLP integration
With Symantec, McAfee, Forcepoint and any standard ICAP interface.
39. Active Directory Credential Protection
A new approach to protecting Active Directory credentials.
• Connect using app-dedicated Skype credentials
• Eliminate the risk of domain password theft
• No storage of Active Directory passwords on server or device
• Supports Exchange and Skype with one app credential
40. Active Directory App login
Creating a dedicated Skype credential on a self-service internal web site for use on the device, instead of Active Directory credentials.
42. Mobile Smart Card Solution
Network login without username and password for Active Directory.
With the dedicated login solution, the user:
• Logs into the Access Portal
• Authenticates to the network computer using a smart card
• Creates a dedicated password for use on the device
43. RSA integration
Users enter their RSA token authentication code instead of the Active Directory password.
SphereShield verifies the password against RSA Authentication Manager and impersonates the user against Skype.
Strong TFA
Avoids using domain credentials
45. Disclaimer types
Internal User Client
Presented to the internal user in the SfB client every time a new conversation/conference has started.
IM Conversation
Included with the first IM message sent while the communication is a conversation (one on one).
IM Conference
Sent as IM once a user has joined the conference.
Invite To External Conference
Sent as IM to the internal user when they are invited to an external conference.
46. eDiscovery
• Advanced search by text, user, dates and more
• Search for personal information
• Data governance
• Export user data
• See message context in incidents
• Delete personal information
54. Unique for Online Unified Communication Services
Main features:
• Inline DLP
• Online Ethical Wall
• Inline Anti Malware/Virus
• Risk Engine
• eDiscovery
• MDM conditional access
• Disclaimers
• Based on proxy and API
• On premises or SaaS