The leading Skype for Business security solution treating external access security risks.
SkypeShield offers Two Factor Authentication, Device access control, Account lockout protection, Exchange Web Service protection, MDM binding, VPN, DLP, Ethical Wall and application Firewall.
SkypeShield - Securing Skype for Business
1. Leading Skype for Business Security
http://AGATSoftware.com
V6
http://SkypeShield.com
2. Slide2
Background & Overview
Connecting external devices (mobile/computers) to the
corporate network raises security risks related to Active
Directory exposure.
Typically there is no control over apps installed on
employees’ smartphones and the networks that these
devices are connected to.
SkypeShield is a server-side solution with no additional
client install, supporting all devices.
3. Slide3
SkypeShield high level feature list
Two Factor Authentication – Add the device as the
second factor for authentication.
Protect both SfB & Exchange EWS
Account lockout protection – Block attacks sending
failed login attempts to authentication service
Device Access Control – manage devices connected using
device enrollment process
MDM binding – Verify only devices that are managed by
MDM can connect to SfB server
4. Slide4
SkypeShield feature list (cont)
Active Directory credential protection – Avoid using
domain password by creating dedicated app password
Federation Ethical Wall – granular policy control based on
users/groups/domain for each modality (IM, File sharing,
Application sharing, Audio, Video, meetings)
RSA integration – Use RSA authentication code instead
of domain password
VPN traffic splitter – Split authentication from SIP to
allow secure and efficient deployment over VPN
5. Slide5
Two Factor authentication
Based on end point ID sent by client
Several registration/enrollment options to enforce access
control policy based on matching the device and the user.
Protects both Skype for Business & Exchange (EWS) –
blocking any request passing to network servers unless
coming from an approved device
6. Slide6
Access Control – Enrollment
Support several access control policies:
Automatic Registration – Device ID is registered upon first
use of account.
Two steps registration process:
Self Service / Two Step Registration – User registers on
internal site and then must sync within a defined time
frame to complete registration.
Admin Manual Enrollment – Admin management of user
list using training mode and rejected auditing list.
9. Slide9
Access Portal main Settings
View approved & blocked devices
Restrict registration and ongoing connection by IP range
Access Rule black / White list
Allow / Block guest users
Filter by device type & OS
Allow / Block Web app login
Define number of devices per user
Registration policy (Two steps/ Manual/ Automatic)
Failed login auditing & Soft Lockout management
10. Slide10
Access Portal main Settings (cont)
Require re-authentication by time – session termination
Save password policy management
Multi LDAP support (for HA & distributed implementation)
Support of Multi level admin management
Web service for external event to lock/ approve
device/user
House keeping service
Notification settings
Reports & Search
12. Slide12
Account Lockout protection
Account lockout can be the result of the following:
The user changed the Active Directory password, but did
not change the settings on the device.
The username (without the password) being obtained by a
hacker who tried to log in several times
DDoS, DoS and brute force attacks – such attacks can result in
the network becoming unavailable
13. Slide13
Account lockout protection (cont)
SkypeShield blocks the failed attempts on the
gateway server side, before reaching the Active
Directory
SkypeShield offers a multi-site defense approach
covering all authentication channels
Unified solution that protects all distributed resources.
Failed attempts are counted and stored in a central
database table which is shared by all SkypeShield
components.
14. Slide14
MDM binding
SkypeShield can limit the usage of Lync to managed
devices only – devices with MDM
Compatible with any MDM solution supporting one of
the following capabilities:
Certificate enrollment
Application management (MAM)
VPN triggering / control
These are available from most of the vendors on the
market, including Microsoft Intune, AirWatch, MobileIron,
MaaS360, Good, XenMobile and more.
16. Slide16
VPN support for Skype for Business
MSFT's recommendation is to keep all voice and video
traffic going through the Edge and not over the VPN
SkypeShield offers a hybrid solution requiring the
authentication to be done over VPN and routing the
Video/Audio to go through the Edge over the internet.
Does not require VPN splitting
18. Slide18
Federation Ethical Wall
Solves ethical and compliance regulations, security and
data protection issues
Apply federation policies based on specific users, groups
and domains/companies
Specific modality policy control – IM, File transfer,
Meeting, Audio, Video
Enforces policy in the DMZ and blocks non-approved
traffic
20. Slide20
AD credential protection
SkypeShield introduces a new approach for protecting
the Active Directory credentials
With SkypeShield the connection to Skype is done by
using App dedicated Skype credentials that are created
by the user rather than the regular network Active
Directory credential
SkypeShield completely eliminates the need to store
Active Directory passwords on the device
Supports work against Exchange & Skype with one App
credentials
21. Slide21
Active Directory App login
The user creates dedicated Skype credentials on a self
service internal web site for use on device, instead of
Active Directory credentials.
23. Slide23
Mobile Smart Card solution
Many organizations that use smart cards for network login do
not have a username and password for Active Directory.
SkypeShield allows the usage of Skype without the need
to manage Active Directory credentials.
With the dedicated login solution, the user logs into the
Access Portal authenticating with his smart card from his
network computer and creates dedicated Skype for
Business credentials for use on the mobile device.
24. Slide24
RSA integration
Mobile users enter their RSA Token authentication code
instead of Active Directory password
SkypeShield verifies the password
against RSA Authentication
Manager and impersonates the user
against Skype
Desktop users authenticate on a web
site from the browser and then can log in
from the Skype desktop client
25. Slide25
Product architecture - Bastion Proxy
The SkypeShield solution includes Bastion, a dedicated
reverse proxy developed by AGAT.
The SkypeShield filters are plugged into Bastion to
extend access control and content filtering capabilities
Cross-platform – Windows / Linux
Scalable Event-Driven Architecture.
Can publish multiple servers in parallel / multiple channels.
Highly efficient asynchronous architecture.
Supports high availability deployment
26. Slide26
Bastion (cont)
Main characteristics:
Geared towards full-featured HTTP filtering.
HTTPS – Decrypt SSL
Supports many HTTP scenarios: chunked, gzip and deflate
Transfer-Encodings; pipelining.
Supports filtering content, blocking content or
generating proxy responses anytime during the filtering
chain (unlike TMG and UAG).
27. Slide27
Skype for Business SIEM
Security Information Event Management
Security alerts based on geolocation information and
behavior profiling
Skype for Business Application Firewall –
Sanitize all non-authenticated requests in the DMZ:
Verify request type, content type headers, content length,
URL validation, validate request structure, characters etc.
Break any direct request to enter the domain – session
termination
SkypeShield Road map
28. Slide28
SkypeShield Road map (cont)
Soft token TFA Authentication (Google authenticator /
Azure authenticator) for :
Lync on premise
Lync online (Office 365)
DLP engine
Apply content rules policy on IM data
Examples of content handled in messages:
Social security numbers
Credit card numbers
ID numbers
29. Slide29
AGAT products- Overview
AGAT Software is a company focusing on security
solutions for authentication and content filtering while
externally connecting devices to company network.
The company's Mobility-Shield core product suite
secures applications such as Skype and other apps based
on Active Directory authentication, like Outlook.
SkypeShield is part of MobilityShield, AGAT’s security
suite.
AGAT also offers secure browser and digital signature
mobile applications for mobile PKI requirements.
30. Slide30
To learn more about our solutions
please visit our website at
http://SkypeShield.com
http://AGATSoftware.com
info@agatsoftware.com