AGAT


How to safely connect to Skype for Business using RSA security token

SkypeShield offers an innovative security solution that allows users of RSA SecurID and other secure tokens to safely connect to their organization’s Skype for Business server without using their Active Directory (AD) credentials.

SkypeShield’s solution adds another secured authentication option, enabling strong mobile and external Skype for Business authentication for organizations with a network policy that requires Hardware One Time Password (OTP) or Two Factor Authentication (TFA).

Organizations that use OTP tokens, such as the RSA SecurID Authenticator device, have a problem using them in conjunction with Skype for Business. The new solution therefore enables both mobile and desktop users to connect to Skype for Business using their RSA token, avoiding the use of AD credentials while implementing TFA.

Moreover, SkypeShield can require the user to register in a self-service portal to add further security to the authentication process and make sure only registered devices can connect.

The device registration process is completed once; thereafter, the user authenticates with the RSA token to enable Skype for Business connectivity.

“The market for security tokens is constantly growing, requiring organizations that use Skype for Business to look for new security solutions,” said Guy Eldan, CEO of AGAT Software, which developed SkypeShield. “After we launched a special solution for smart card mobile authentication, it was only natural to add another special solution for security tokens.”

SkypeShield’s solution does not require setting up Active Directory Federation Services (ADFS) and offers a complete user experience, including both Skype for Business and Exchange information, which can be safely used from the external device.

It also addresses account lockout protection and other TFA software solutions for external Skype for Business clients.

A recent survey by research company Frost & Sullivan indicated that the global OTP market is growing at an annual rate of 7.5 percent and is expected to reach $1.2 billion by 2017.


Protecting EWS while publishing Skype for Business

When using Skype for Business (Lync), the client interacts with the Exchange server to obtain meeting information. To support this connection, a Skype for Business deployment requires Exchange Web Services (EWS) to be published externally to the world.

This exposes the client to several threats:

  • The deployment of EWS includes an authentication service, thus exposing the network to account lockout in case of a DDoS attack.
  • The EWS service allows for retrieving events, mails and attachments, tasks and contacts. Therefore, once exposed, all the Exchange data is also exposed.

So, for example, users of Outlook Web Access (OWA) have access to their full mail data, creating the risk that an attacker with valid AD credentials will also obtain access to the users’ organizational mail by using this service.

To minimize this risk, SkypeShield blocks any request for information that arrives from a device that is not registered, and adds a Two Factor Authentication (TFA) layer for Exchange.

SkypeShield is based on Two Factor Authentication using the client’s password and device. Thus, unauthorized use of the user’s credentials will not be sufficient to connect to Lync or Exchange without having access to the device itself. This also allows for restricting the usage of these services to approved or registered devices only.


How to deal with security vulnerabilities while publishing Skype for Business

Microsoft’s aggressive move of switching the enterprise world from its old branded unified communications platform (Lync) to Skype for Business has not entirely solved all the security vulnerabilities arising from connecting mobile and other external devices to the corporate network.

Here are some security vulnerabilities arising from external access to Skype for Business that organizations should pay attention to:

  • Account lockout – someone who knows your user name can lock your internal account by sending failed login attempts. Generic solutions fail to monitor all authentication channels exposed, including SIP and SOAP. SkypeShield offers a unified monitoring and protection solution.
  • Malicious code accessing internal server – In order to support guests joining meetings, some services support anonymous access. From a security perspective, there are requests that can reach the web servers in the domain without the need to authenticate and without inspection. SkypeShield offers a four-layer application firewall for Skype for Business including session termination, application and protocol inspection and rewriting requests.
  • Password theft from infected device – A valid employee can use any device, including a personal device that might be jailbroken or infected, to connect to the network. In such a case, domain credentials can fall into the wrong hands. Even with an MDM solution implemented, there is no control when using a non-managed device. Protect yourself by using device access control and limit the usage only to devices with MDM.
  • Exposing emails – If calendar information is enabled on the organization’s Skype for Business clients, someone with valid credentials can have access to all emails. SkypeShield offers a solution for protecting the corporate Exchange by blocking any Exchange request, unless coming from a registered device and from a Skype for Business client.
  • Data and privacy information exposed – While implementing federation trust with external companies, privacy (availability) and server information data is exposed. The federation is available globally for all company members with all federated external companies, with no control over the different modalities allowed, such as file sharing. Deploying the SkypeShield ethical wall handles these issues by defining granular control based on user-, group- and company-based policies.
  • Data loss prevention (DLP) – As the usage of Skype for Business extends outside the network boundaries, enabling communication with external parties via federation meetings poses some serious security and data protection risks. This arises from the fact that data flow between parties is very accessible and easy to use at any time, any place, and by any device. Preventing data leaks going through Skype for Business is a serious challenge because of the variety of mobile, Web and desktop clients Skype for Business offers and because of the SIP protocol in use by the clients. SkypeShield offers a new concept based on server-side inspection covering all of the data channels. The DLP solution supports both a built-in DLP engine and integration with commercial DLP vendors.

SkypeShield is continuously adding security layers to make sure your company can allow external access to Skype for Business with the highest level of protection available.