AGAT


Protecting EWS while publishing Skype for Business

When using Skype for Business (Lync), the client interacts with the Exchange server to obtain meeting information. To make this connection work, a Skype for Business deployment requires Exchange Web Services (EWS) to be published externally to the world.

This exposes the client to several threats:

  • The deployment of EWS includes an authentication service, thus exposing the network to account lockout in case of a DDoS attack.
  • The EWS service allows for retrieving events, mails and attachments, tasks and contacts. Therefore, once exposed, all the Exchange data is also exposed.

So, for example, users of Outlook Web Access (OWA) have access to their full mail data, which creates the risk that an attacker with valid AD credentials will also obtain access to the users' organizational mail by using this service.

To minimize this risk, SkypeShield blocks any request for information that arrives from a device that is not registered, and adds a Two Factor Authentication (TFA) layer for Exchange.

SkypeShield is based on Two Factor Authentication using the client’s password and device. Thus, unauthorized use of the user’s credentials will not be sufficient to connect to Lync or Exchange without having access to the device itself. This also allows for restricting the usage of these services to approved or registered devices only.


Ethical wall solution offers granular control over Skype for Business federation

SkypeShield launched a new Federation Ethical Wall solution, which offers granular control over federation to address security and data protection when federating with external companies.

Enabling federation raises serious business and security issues that need to be addressed by applying granular policy rules defining permitted operations between communicating parties.

Companies wanting to extend communication outside the company boundaries require protection and control over the different flows of data offered by Skype for Business.

Federation also raises privacy issues related to revealing the details of personal and executive users, including availability (online/away), mobile phone number and location.

To counter security threats while using Skype for Business, organizations need to be able to allow federation from a specific company only to specific internal users or groups.

The federation Ethical Wall offers the following features:

  • Defines granular policy rules based on a user/group communicating with a specific company (SIP domain)
  • Specific modality policy control: IM, audio, video, conference (meeting), desktop sharing, file transfer
  • Blocks presence information from external users depending on policy
  • Blocks external users from initiating an IM conversation while still allowing internal users to initiate and communicate with external users
  • Allows users some local policy management by applying different policies based on inclusion in a user’s contact list. This way, by adding the federated user to the internal user’s contact list, the policy will allow more federation features, such as presence information
  • Enforces policy in the DMZ and blocks non-approved traffic from entering the network
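
The rule model in the feature list above can be read as a default-deny decision function. The following is an added illustration, not SkypeShield's configuration format or code; the `Rule` fields, group names and SIP domains are hypothetical.

```python
from dataclasses import dataclass

MODALITIES = frozenset({"im", "audio", "video", "conference",
                        "desktop_sharing", "file_transfer", "presence"})

@dataclass(frozen=True)
class Rule:
    group: str                      # internal user group the rule covers
    sip_domain: str                 # federated company's SIP domain
    allowed: frozenset              # modalities open to any user of that domain
    contact_only: frozenset = frozenset()        # extra ones for contact-list members
    external_may_start: frozenset = frozenset()  # what the outside party may initiate

# Constructed sample policy: groups and domains are hypothetical.
RULES = [
    Rule("sales", "partner.example", frozenset({"im", "audio", "conference"}),
         contact_only=frozenset({"presence", "file_transfer"}),
         external_may_start=frozenset({"presence"})),
    Rule("legal", "partner.example", frozenset({"im"}),
         external_may_start=frozenset({"im"})),
]

def sip_domain(uri):
    """'sip:bob@Partner.Example;transport=tls' -> 'partner.example'"""
    return uri.rsplit("@", 1)[-1].split(";", 1)[0].strip().lower()

def is_allowed(rules, groups, external_uri, modality, initiator, in_contacts=False):
    """Default deny: pass only if a rule for the user's group and the
    partner's SIP domain permits this modality in this direction."""
    if modality not in MODALITIES or initiator not in ("internal", "external"):
        return False
    domain = sip_domain(external_uri)
    for rule in rules:
        if rule.group not in groups or rule.sip_domain != domain:
            continue
        permitted = rule.allowed | (rule.contact_only if in_contacts else frozenset())
        if modality not in permitted:
            continue
        if initiator == "external" and modality not in rule.external_may_start:
            continue
        return True
    return False
```

With this sample policy, a sales user can start an IM with the partner but the partner cannot start one, and the partner sees that user's presence only after being added to the contact list.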

New security solution protects smart card login of Skype for Business mobile users

A growing number of organizations around the world, such as financial institutions and governments, are providing their workers with a smart card device to strengthen the identity authentication process. These organizations are facing a problem while implementing Skype for Business (Lync) mobile authentication requiring the user to enter his or her Active Directory (AD) credentials.

In such organizations, users do not have Active Directory credentials as they use the smart card for authentication instead. This in turn may cause a problem, as Microsoft Skype for Business requires Active Directory (AD) credentials to connect from handheld devices.

To solve this problem, SkypeShield has developed a new security solution for smart card authentication. It enables mobile Skype for Business authentication for organizations whose network policy requires their workers to use smart card login.

SkypeShield’s innovative solution addresses this challenge by applying the authentication process in two separate steps:

• The user creates dedicated Skype for Business credentials from a self-service registration web site after using his/her smart card for authentication to the site from a PC.

• The user then needs to connect his/her mobile device within a limited time frame by entering the dedicated Skype for Business credentials on the mobile device.

SkypeShield’s new solution also addresses account lockout protection and Two Factor Authentication (TFA) for external Skype for Business clients.
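
The two enrollment steps, together with the password-plus-device check described in the EWS post above, can be sketched as follows. This is an added example, not SkypeShield's code: the class, the 15-minute window and the opaque `device_id` are assumptions, since the page only says "a limited time frame" and "registered devices".

```python
import hashlib, hmac, os, time

ENROLL_WINDOW = 15 * 60   # seconds; assumed value for the "limited time frame"

class Enrollment:
    def __init__(self):
        self.accounts = {}   # user -> salt, password hash, issue time, bound device

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def issue_credentials(self, user, password, now=None):
        """Step 1: call only after the self-service site has authenticated
        the user by smart card from a PC (that check is outside this sketch)."""
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "pw": self._hash(password, salt),
                               "issued": time.time() if now is None else now,
                               "device": None}

    def _password_ok(self, user, password):
        acct = self.accounts.get(user)
        return acct is not None and hmac.compare_digest(
            acct["pw"], self._hash(password, acct["salt"]))

    def register_device(self, user, password, device_id, now=None):
        """Step 2: the first mobile sign-in binds one device, and only
        while the enrollment window is still open."""
        now = time.time() if now is None else now
        if not self._password_ok(user, password):
            return False
        acct = self.accounts[user]
        if acct["device"] is not None or now - acct["issued"] > ENROLL_WINDOW:
            return False
        acct["device"] = device_id
        return True

    def authorize(self, user, password, device_id):
        """Later Lync or EWS requests need both factors: the dedicated
        password and the device that was registered in step 2."""
        acct = self.accounts.get(user)
        return (self._password_ok(user, password)
                and acct["device"] is not None
                and hmac.compare_digest(acct["device"].encode(), device_id.encode()))
```

Stolen dedicated credentials alone fail `authorize` from any other device, and they cannot be used to bind a second device once the window has closed or a device is already registered.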

“We were approached by customers who couldn’t find a good solution for smart card authentication,” said Guy Eldan, CEO of AGAT Software, which developed SkypeShield. “Our simple and easy-to-implement security solution allows organizations to continue maintaining the smart card authentication policy, enabling mobile users to connect to the corporate network from outside the network without using Active Directory credentials.”