SphereShield for Skype for Business is a robust solution designed to help companies deal with issues of access control, compliance, and threat protection when deploying Skype for Business GDPR DDos Account Lockdown Protection DLP Ethical Wall Archive & eDiscovery Recording AI Compliance Analysis Anti-Phishing Governance Risk Engine

1. SphereShield
Secure Skype for Business
V7.0

2. Solution Overview
SphereShield offers
advanced compliance and
security solutions for Unified
Communication services
including Skype for Business.

3. Targeted Services
Skype for Business on premises
Skype for Business online (conditional access only)
Microsoft Teams
Office 365 -Exchange, OneDrive, SharePoint
Cisco Webex Teams (Spark)
Slack
Zoom
Microsoft Stream
Ring Central
= Released
=Released Q3,2020

4. SphereShield security features
Secure Authentication
Simple and secure TFA based on device as second factor.
Protect SfB & Exchange EWS
Network Account Lockout Protection
Prevent Account lockout issues in DDoS attacks through multiple UC
channels
Device Access Control
Manage which devices can connect using device enrolment
process

5. SphereShield security features
MDM Conditional Access
Verify only devices that are managed by MDM and compliant with
security policy can connect
Ethical Wall Functional control
Granular policy for all activities (IM, File sharing, presence etc.)
controlling external (Federation) and internal traffic
Credential Protection
Prevent network password theft by using app specific
credentials instead of domain credentials

6. SphereShield security features
Application firewall
Sanitize and validating all anonymous traffic requests in the DMZ
before entering the network
DLP Content Inspection
Inspect content passing through Skype for Business by DLP
(Data Loss Prevention) policy rules
Risk Engine
Define Geo location (Geo fencing) rules. Display live map of
connections. Profile user behaviour and create security alerts events

7. SphereShield security features
Disclaimer
Display disclaimers for internal and external users based on domains
eDiscovery
Advanced search export and modify dashboard for Skype for
Business Archiving DB

8. Features in depth

9. Secure Authentication/TFA
Blocking any request received in network servers
unless coming from an approved device
Matching device and user based on endpoint ID sent
by client
Several registration/enrolment options are available
to enforce access control policy
Protects both Skype for
Business & Exchange (EWS)

10. Device Access Control
There are Three Level enrollment Options.
Automatic Registration
Device ID is registered
upon first use of account
Admin Manual enrollment
Admin management of user
list using training mode and
rejected auditing list
Self Service/Two Step
Registration
Internal site registration and
additional sync within a defined
time frame to complete
registration
Play Video Play Video
Play Video

11. MDM Conditional Registration
Limit the registration only to managed devices (with MDM)
Supported with all MDM vendors in the market
MDM Integration
MDM Conditional Access
Ongoing validation that device is managed and has not become Out Of Compliant
(OOC) as defined in the MDM vendor
Supported with leading vendors

12. MDM Conditional Registration
WIFI access control
Application
management (MAM)
VPN triggering / control
Compatible with all MDM vendors in the market
SphereShield can limit the registration of SfB to managed devices only.
Compatible with any MDM solution supporting one of the following
capabilities:

13. MDM Registration Using Wi Fi

14. MDM Registration Using SphereShield App
Play Video

15. MDM Registration Using VPN

16. MDM Conditional Access
Automatically and immediately block SfB access for devices that:
Have become Out Of Compliance
Removed from MDM control
Available for:

17. MDM Continuous Verification Topology

18. Secure Authentication

19. Architecture - Bastion Reverse Proxy
SphereShield solution includes Bastion which is a dedicated
reverse proxy developed by AGAT.
Can be implemented in conjunction with any generic products
such as F5, Netscaler, Barracuda, Kemp and more
Typically traffic is routed through to Bastion
Specific integration available For F5 BIG-IP

20. Reverse Proxy Topology

21. TFA + Access control Main features
View approved &
blocked devices
Restrict registration and
ongoing connection by IP
range
Access Rule black/white list
Define number of
devices per user
Allow/Block Web app
login
Filter by device type
& OS
Require re-
authentication by time
- Session termination
Disable save
password on client
Registration policy (Two
steps/ Manual/
Automatic)

22. General Capabilities
Multi LDAP support (for HA & distributed implantation)
Support of Multi level admin management
Web service for external event to lock/approve device/user
House keeping service - AD sync, cleanup, notification
Auditing, logs, event viewer
Reports & Search

23. Access Portal Reports
Authentication
Devices
Security Auditing
Failed logins

24. Network Account Lockout Protection
Account Lockout Occurs When:
User changed the
Active Directory
password, but did not
change the settings on
the device
Password Change
The username (without
the password)
discovered by a hacker
who tried to log in
several times
DDoS, DoS, brute force
attacks - Such attacks
can result in network
downtime
Username Hack Network Attacks
The challenge:
Multi protocol – HTTPS/SIP
Multi method – Basic, NTLM, SOAP
Multi channel – Sign in, Meeting, Web API, Exchange
Multi Locations – APAC, EMEA and USA

25. Network Account Lockout Protection
All failed login are audited
Activate Soft Lockout in DMZ when attack detected
Unified defense
Solution protecting all protocols, methods and channels

26. Application Firewall
Solve security risks from anonymous traffic entering the network
without inspection.
1. Protocol level sanitization
2. Application data validation (meeting ID)
3. Session termination and requests rewrite
Security Layers:

27. Ethical Wall
Solves ethical and compliance regulations,
security and data protection issues controlling
both:
Federation with external companies
Internal communication between different groups

28. Sample Policy - External

29. Sample Policy - Internal

30. Ethical Wall Setting
Policy
Condition
Policy Rule

31. Ethical Wall Policies

32. Ethical Wall dimensions
Control specific modalities
Build rules based on
Audio
Video
Conferencing
Present desktop
Present program
Presence
IM
File transfer
Contact card
App sharing
PowerPoint sharing
Active directory groups
External/Internal domain
External/Internal SIP
In contact list

33. Ethical Wall - Notification
IM user notification of Ethical wall activity/policy
Activity auditing registration - table, logs and admin
email notifications
User blocked
from a specific
operation
External user is
unable to reach
you
External user
unable to see
your presence

34. Ethical Wall Topology

35. DLP Engine
Server side solution inspecting content passing through any
channel.
Sending messages to existing DLP vendors or SphereShield
DLP engine to meet existing policies.

36. SphereShield DLP Engine
Actions
Block, Mask, Notify
Group membership
based rules
Content policy rules
Based on content
Such as credit card
Numbers, ID numbers,
profanity And more
Commercial DLP
integration with
Symantec, McAfee,
Forcepoint and any
standard ICAP interface
DLP engine

37. DLP Topology

38. DLP Notification Sample
Play Video

39. Active Directory Credential Protection
Connect using App dedicated Skype credentials
Eliminate risk of domain password theft
No storage of Active Directory passwords on server or device
Supports Exchange & Skype with one App credentials
A new approach in protecting the Active Directory
credentials.

40. Active Directory App login
Creating dedicated Skype
credential on a self service
internal web site for use on
the device, instead of Active
Directory credentials.
Play Video

41. SphereShield Credentials Architecture

42. Mobile Smart Card Solution
With the dedicated login
solution, the user logs into
the Access Portal
Authenticates to the
network computer using a
smart card
Creates a dedicated
password for use on
device
Network login without username and password for Active
Directory

43. RSA integration
Users enter their RSA Token authentication code instead of
Active Directory password
SphereShield verifies password against RSA
Authentication Manager and impersonate user against
Skype
Strong TFA
Avoid using domain credentials

44. Disclaimers rules
Set disclaimer for internal and external (federated or guests) based domain

45. Disclaimer types
Internal User Client
Presented to the internal user in the
SfB client every time a new
conversation/conference has
started.
IM Conversation
Included with the first IM message
sent while the communication is a
conversation (one on one).
IM Conference
Sent as IM once a user has joined
the conference.
Invite To External Conference
Sent as IM to internal user when he
was invited to an external
conference.

46. eDiscovery
Advanced
search by text,
user, dates and
more
Search for personal
information
Data governance
Export user data
See message context
in incidents
Delete personal
information

47. eDiscovery

48. Risk Engine

49. Geo Fencing

50. Geo Fencing Settings
Set Geo Fencing rules based on
groups, domains or users.
Allow, block or monitor access from
specific countries.

51. Integrated/Partnered Technologies
McAfee
ForcePoint
Symantec
GTB
Microsoft
F5 networks
Citrix
Data Loss PreventionInfrastructure EMM/MDM
MobileIron
VMWARE AirWatch
IBM MaaS360
BlackBerry
Citrix XenMobile
PKI
Faitien
Gemalto
Authentication
Google authenticator
RSA secureID

52. Product Documents
Skype for
Business Security
Threats
SphereShield
datasheet
SphereShield
product page

53. More Info
Visit our website
AGAT Software
Contact us
info@agatsoftware.com
+972-525209860
Thank you