Slide 1: Secure Skype for Business
V6.6
Slide 2: Security Challenges
Connecting external devices to the corporate network through Skype for Business raises security risks related to authentication, network and content breaches. SkypeShield is AGAT's security solution for these issues.
Slide 3: End-to-End Security Assurance
- Secure Authentication: simple and secure TFA (two-factor authentication) using the device as the second factor; protects SfB and Exchange EWS.
- Device Access Control: manage which devices can connect, using a device enrollment process.
- Network Account Lockout Protection: prevent account lockout caused by DDoS attacks arriving through multiple UC channels.
Slide 4: End-to-End Security Assurance (continued)
- MDM Conditional Access: verify that only devices managed by MDM and compliant with security policy can connect.
- Credential Protection: prevent network password theft by using app-specific credentials instead of domain credentials.
- Ethical Wall (functional control): granular policy for all activities (IM, file sharing, presence, etc.), controlling both external (federation) and internal traffic.
Slide 5: End-to-End Security Assurance (continued)
- Application firewall: sanitize and validate all anonymous traffic requests in the DMZ before they enter the network.
- DLP content inspection: inspect content passing through Skype for Business against DLP (Data Loss Prevention) policy rules.
- RSA integration: use an RSA authentication code instead of the domain password.
Slide 6: End-to-End Security Assurance (continued)
- Disclaimer: display disclaimers to internal and external users based on their domains.
- eDiscovery: advanced search, export and modify dashboard for the Skype for Business archiving DB.
- Risk Engine: coming soon.
Slide 7: Features in depth
Slide 8: Secure Authentication/TFA
- Any request received by the network servers is blocked unless it comes from an approved device.
- Device and user are matched based on the endpoint ID sent by the client.
- Several registration/enrolment options are available to enforce the access control policy.
- Protects both Skype for Business and Exchange (EWS).
Slide 9: Device Access Control: three enrollment options
- Admin manual enrollment: the admin manages the user list using training mode and a rejected-devices auditing list.
- Self service / two-step registration: the user registers on an internal site and completes registration with an additional sync within a defined time frame.
- Automatic registration: the device ID is registered upon first use of the account.
Slide 10: Two Step Registration
Slide 11: Secure Authentication
Slide 12: Product Architecture - Bastion Proxy
As part of the solution, SkypeShield offers Bastion, a dedicated reverse proxy developed by AGAT. The SkypeShield filters are plugged into Bastion to extend its access control and content filtering capabilities:
- Cross-platform: Windows/Linux
- Scalable event-driven architecture (supports HA)
- Highly efficient asynchronous architecture
- SSL termination
- Geared towards full-featured HTTP filtering
- Can publish multiple servers in parallel / multiple channels
- Can be deployed alongside generic products such as F5, NetScaler, Barracuda and more
Slide 13: TFA + Access control: main features
- View approved and blocked devices
- Restrict registration and ongoing connection by IP range
- Access rule black/white list
- Filter by device type and OS
- Allow/block Web App login
- Define the number of devices per user
- Require re-authentication after a set time (session termination)
- Disable "save password" on the client
- Registration policy (two-step / manual / automatic)
Slide 14: General Capabilities
- Multi-LDAP support (for HA and distributed implementation)
- Multi-level admin management
- Web service for external events to lock/approve a device or user
- Housekeeping service: AD sync, cleanup, notification
- Auditing, logs, event viewer
- Reports and search
Slide 15: Access Portal Reports
Report views: Authentication, Devices, Failed logins, Security Auditing.
Slide 16: Network Account Lockout Protection
Account lockout occurs when:
- Password change: the user changed the Active Directory password but did not change the settings on the device.
- Username hack: the username (without the password) was discovered by an attacker who tried to log in several times.
- Network attacks: DDoS, DoS and brute force attacks; such attacks can result in the network becoming unavailable.
The challenge:
- Multi protocol: HTTPS/SIP
- Multi method: Basic, NTLM, SOAP
- Multi channel: sign-in, meeting, web API, Exchange
- Multi location: EMEA, US, APAC
Slide 17: Network Account Lockout Protection (continued)
- All failed logins are audited.
- Soft lockout is activated in the DMZ when an attack is detected.
- Unified defense: one solution protecting all protocols, methods and channels.
- Device pre-authentication: only authentication requests coming from a registered device reach Active Directory.
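The two slides above describe the mechanism only in outline. The following is an added example, not SkypeShield or AGAT code, of how a DMZ gate can audit failed logins, drop unregistered devices before they reach Active Directory, and raise a soft lock per username before the AD lockout threshold is hit; the thresholds, timings and class names are assumptions constructed for the example.

```python
# Added example (not AGAT/SkypeShield code): a DMZ "soft lockout" gate in front
# of Active Directory. Every failed login is audited, unregistered devices are
# dropped before they reach AD (device pre-authentication), and once a username
# has accumulated bad passwords close to the AD lockout threshold the DMZ stops
# forwarding that user's attempts for a while, on every protocol and channel.
# Thresholds and names are assumptions, not SkypeShield settings.
from collections import deque
from dataclasses import dataclass, field

AD_LOCKOUT_THRESHOLD = 5                    # assumed AD policy: 5 bad passwords lock the account
SOFT_LOCK_AFTER = AD_LOCKOUT_THRESHOLD - 2  # soft-lock in the DMZ before AD would lock
WINDOW_SECONDS = 600                        # failures older than this are forgotten
SOFT_LOCK_SECONDS = 900                     # how long the DMZ answers instead of AD


@dataclass
class LockoutGuard:
    approved_devices: set                              # enrolled device IDs
    failures: dict = field(default_factory=dict)       # user -> deque of failure times
    soft_locked: dict = field(default_factory=dict)    # user -> lock expiry time
    audit: list = field(default_factory=list)          # (time, user, channel, event)

    def gate(self, now, user, device_id, channel):
        """Decide before contacting AD: 'forward', 'reject-device' or 'soft-locked'."""
        if device_id not in self.approved_devices:     # device pre-authentication
            self.audit.append((now, user, channel, "unregistered-device"))
            return "reject-device"
        if self.soft_locked.get(user, 0) > now:        # one rule for SIP/HTTPS/EWS alike
            self.audit.append((now, user, channel, "soft-locked"))
            return "soft-locked"
        return "forward"

    def record_result(self, now, user, channel, password_ok):
        """Feed back AD's verdict for a forwarded request; True if a soft lock was raised."""
        if password_ok:
            self.failures.pop(user, None)              # a good login resets the counter
            return False
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] < now - WINDOW_SECONDS:       # expire failures outside the window
            q.popleft()
        self.audit.append((now, user, channel, "bad-password"))
        if len(q) >= SOFT_LOCK_AFTER:
            self.soft_locked[user] = now + SOFT_LOCK_SECONDS
            self.failures.pop(user)
            return True
        return False
```

With these assumed values AD sees at most three bad passwords per window for a registered device, so a guessing campaign arriving over SIP, HTTPS and EWS in parallel never reaches the AD lockout threshold.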
Slide 18: Application firewall
Solves security risks arising from anonymous traffic entering the network without inspection. Security layers:
- Protocol-level sanitization
- Application data validation (meeting ID)
- Session termination and request rewriting
Slide 19: MDM integration
- MDM Conditional Registration: limit registration to managed devices (with MDM); supported with all MDM vendors in the market.
- MDM Conditional Access: ongoing validation that the device is managed and has not become Out Of Compliance (OOC) as defined by the MDM vendor; supported with leading vendors.
Slide 20: MDM Conditional Registration
SkypeShield can limit SfB registration to managed devices only (devices with MDM). Compatible with any MDM solution supporting one of the following capabilities:
- Wi-Fi access control
- Application management (MAM)
- VPN triggering / control
Compatible with all MDM vendors in the market.
Slide 21: MDM Registration Using Wi-Fi
Slide 22: MDM Registration Using SkypeShield App
Slide 23: MDM Registration Using VPN
Slide 24: MDM Conditional Access
Automatically and immediately block SfB access for devices that:
- Have become out of compliance
- Have been removed from MDM control
Available for: MobileIron, AirWatch, MaaS360, XenMobile, GOOD (soon for BES12).
Slide 25: MDM Continuous Verification Topology
Slide 26: Ethical Wall
Addresses ethical and compliance regulations and security and data protection issues by controlling both:
- Federation with external companies
- Internal communication between different groups
Slide 27: Sample policy (diagram)
The diagram shows the company domain, with Bob (Group A) and Alice (Group B), and External Domain A; the permitted links are labelled "Chat" and "File transfer". All other groups: block all communication.
Slide 28: Ethical Wall - Federation & Internal
Screenshot of the rule editor: Rule Condition and Rule Policy.
Slide 29: Ethical wall rules
Slide 30: Ethical Wall dimensions
Build rules based on:
- Active Directory groups
- External/internal domain
- External/internal SIP
- In contact list
Control specific modalities:
- Presence
- IM
- File transfer
- Contact card
- App sharing
- PowerPoint sharing
- Audio
- Video
- Conferencing
- Present desktop
- Present program
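To make the sample policy (slide 27) and the rule dimensions above concrete, here is an added example, not SkypeShield or AGAT code, of a first-match rule evaluator keyed on AD group, peer domain and modality, with "block all communication" as the default. The SIP domains, group memberships and the exact rule set are assumptions constructed for the example.

```python
# Added example (not AGAT/SkypeShield code): an ethical-wall rule evaluator over
# the dimensions above (AD group, internal/external domain, modality), loaded
# with rules modelled on the sample policy slide. Domains, group membership and
# the rule set itself are assumptions constructed for this example.
from dataclasses import dataclass

COMPANY_DOMAIN = "company.example"       # assumed internal SIP domain
ALL = "*"
# assumed AD group membership, as in the sample policy diagram
GROUPS = {"bob@company.example": "Group A", "alice@company.example": "Group B"}


@dataclass(frozen=True)
class Rule:
    sender_group: str       # AD group of the internal user, or "*"
    peer: str               # AD group of an internal peer, or SIP domain of an external one
    modalities: frozenset   # modalities this rule covers, or {"*"}
    allow: bool


# Rules are checked in order and the first match wins. There is no catch-all
# allow rule: "all other groups: block all communication" is the default below.
RULES = [
    Rule("Group A", "externala.example", frozenset({"im", "file-transfer"}), True),   # Bob <-> External Domain A
    Rule("Group A", "Group B", frozenset({"im", "file-transfer"}), True),             # Bob <-> Alice, internal
    Rule("Group B", "Group A", frozenset({"im", "file-transfer"}), True),
]


def peer_key(peer):
    """Internal peers are identified by AD group, external peers by SIP domain."""
    domain = peer.split("@", 1)[1]
    return GROUPS.get(peer, "unknown-group") if domain == COMPANY_DOMAIN else domain


def evaluate(sender, peer, modality):
    """Return (allowed, reason) for one activity (e.g. 'presence', 'im') between sender and peer."""
    group = GROUPS.get(sender, "unknown-group")
    key = peer_key(peer)
    for r in RULES:
        if r.sender_group in (group, ALL) and r.peer in (key, ALL) \
                and (modality in r.modalities or ALL in r.modalities):
            return r.allow, f"rule {r.sender_group}->{r.peer}:{modality}"
    return False, "default: block all communication"
```

The reason string is what the notification slide's messages ("external user unable to see your presence", "user blocked from a specific operation") would be generated from.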
Slide 31: Ethical Wall - notification
- IM notification to the user about Ethical Wall activity/policy
- Activity auditing: registration in a table, logs and admin notifications
Sample notifications:
- External user is unable to reach you
- External user is unable to see your presence
- User blocked from a specific operation
Slide 32: Ethical Wall Topology
Slide 33: DLP Engine
Server-side solution inspecting content passing through any channel.
Slide 34: DLP Engine
- Content policy rules based on content such as Social Security Numbers, credit card numbers and ID numbers
- Actions: block, mask, notify
- Group membership based rules
- Commercial DLP integration with Symantec, Websense and any standard ICAP interface
Slide 35: DLP Notification Sample
Slide 36: Active Directory Credential Protection
A new approach to protecting Active Directory credentials:
- Connect using dedicated Skype app credentials
- Eliminates the risk of domain password theft
- No storage of Active Directory passwords on the server or the device
- Supports Exchange and Skype with one set of app credentials
Slide 37: Active Directory App login
A dedicated Skype credential is created on a self-service internal web site for use on the device, instead of the Active Directory credentials.
Slide 38: SkypeShield Credentials Architecture
Slide 39: Mobile Smart Card Solution
Network login without an Active Directory username and password. With the dedicated login solution, the user:
- logs into the Access Portal;
- authenticates to the network computer using a smart card;
- creates a dedicated password for use on the device.
Slide 40: RSA integration
Strong TFA that avoids using domain credentials: users enter their RSA token authentication code instead of the Active Directory password. SkypeShield verifies the code against RSA Authentication Manager and impersonates the user towards Skype.
Slide 41: Disclaimer rules
Set a disclaimer for internal and external (federated or guest) users based on domain.
Slide 42: Disclaimer types
- Internal User Client: presented to the internal user in the SfB client every time a new conversation/conference starts.
- Invite To External Conference: sent as an IM to the internal user when they are invited to an external conference.
- IM Conference: sent as an IM once a user has joined the conference.
- IM Conversation: included with the first IM message sent while the communication is a one-on-one conversation.
Slide 43: eDiscovery - Data governance
- Advanced search by text, user, dates and more
- Meet compliance and GDPR requirements
- Search for personal information
- Delete personal information
- Export user data
Slide 44: eDiscovery
Slide 45: SkypeShield Roadmap
- Skype Online (Office 365), cloud security access control: device access control; content filtering (federation and DLP)
- Skype for Business authentication risk engine: security alerts and actions based on geolocation information and behavior profiling
Slide 46: Risk engine - geolocation map
Slide 47: SkypeShield Roadmap (continued)
- DLP file inspection: anti-virus and anti-malware integration for files, SIP and IM
- Soft-token TFA authentication based on Google Authenticator / Azure Authenticator
Slide 48: AGAT Products - Overview
AGAT Software is an innovative security provider specializing in external access authentication and data protection solutions. AGAT's product suite handles security threats related to password and identity theft as well as data and network protection. Utilizing this expertise, AGAT developed SkypeShield to secure Microsoft Skype for Business (Lync) external connectivity, with its specific unified communication (UC) requirements. AGAT also offers mobile browser and digital signature mobile apps that integrate with Bluetooth card readers, enabling mobile connectivity with PKI smart cards.
Slide 49: Integrated/Partnered Technologies
- Infrastructure: Microsoft, F5 Networks, Citrix
- EMM/MDM: MobileIron, VMware AirWatch, IBM MaaS360, BlackBerry, Citrix XenMobile
- Data leak prevention: McAfee, ForcePoint, Symantec, GTB
- PKI: Feitian, Gemalto
- Authentication: Google Authenticator, RSA SecurID
Slide 50: Learn more
Review product documents: SkypeShield presentation, SkypeShield datasheet, Skype for Business Security Threats, SkypeShield product page. Visit our website. Contact us.