SphereShield for Skype for Business

Connecting smartphones from public Wi-Fi networks  to corporate networks introduces a critical security issue – corporate credentials, which are stored and used on the mobile device, can be easily hacked or stolen. The low level of device security raises two issues:

  1. Active Directory (AD) usernames and passwords can be hacked and used to provide unauthorized access to many core business applications.
  2. If Skype for Business (Lync) is published to an external network, a hacker can use the user’s credentials to receive his Skype for Business data & mails without being noticed.Using Active Directory credentials in the non-secured environment of a mobile device introduces risks. The exposed credentials might be hacked and used to either receive  emails or login to other corporate applications. Hacking is typically done: “Eavesdropping” on public networks, or through hostile applications installed by users or received by SMS.

Securing Skype for Business connectivity is therefore essential and this issue should be addressed properly.

By using SphereShield, organizations can protect corporate passwords by defining custom log in credentials exclusively for Skype for Business. In this approach, the Active Directory credentials are not stored on the mobile device and the risk is eliminated.

SphereShield also reduces the risk of exposing the Active Directory to DoS and Brute force attacks because of Skype for Business publishing.

Avoid Storing Active Directory Credentials on Mobile Devices

SphereShield protects corporate passwords by defining custom log in credentials exclusively for Skype for Business. Using this approach, the Active Directory credentials are not stored on mobile device

SphereShield offers a unique approach to avoid the usage of network credentials on  mobile devices. This solves the threat of someone getting hold of  the user’s Active Directory credentials and using them to connect to corporate applications to get hold of sensitive information.

By using SphereShield, users create  dedicated user names and passwords (on the Skype for Business Access Portal web site)  specifically for connecting Skype for Business that are different from the AD credentials.

Two Factor Authentication

Smartphones and personal computers can connect to Skype for Business server using the Skype for Business client. While connected, sensitive information is exposed, requiring the organization to take precautions.

It is clear that securing Skype for Business connectivity is as important as securing remote access, since smartphones can be used as a tunnel into the corporate network.

SphereShield offers Two Factor Authentication (TFA) , adding the device of the user as something he has. In this case, getting hold of the user’s credentials  is not enough to connect to Skype for Business without  using the device.

Registering the device adds an authentication factor and allows the organization to control which devices will be allowed to connect.

SphereShield offers several approaches for registering and approving the device using the Lync access control module.

Block DoS and Brute Force Attacks

Publishing Skype for Business to the internet exposes your network to Dos (denial-of-service) and brute force attacks. Such risks can block access to the network and cause significant business damage.
SphereShield blocks attacks on the gateway level by configuring a block-failed log in policy, thus blocking the attack attempts from reaching the Active Directory. By using SphereShield, all failed attempts are blocked on the gateway level (Forefront/Bastion) before reaching the Active Directory, thus avoiding  Account lockout, Dos (denial of service ) attacks and Brute force attacks

Active Directory Account Lockout Guard

Account lockout can be a result of two scenarios:

      • User changing his Active Directory password without changing the device settings, so the device keeps trying to authenticate with the old password.
      • An attacker that got hold of the username (without the password) tries to log in several times.

These scenarios cause help desk overhead and may even lead to denial of service in case of an attack.

Smart Card Authentication

Many organizations, with high security requirements, use smart cards or tokens for network log in. In these networks, users do not have a username and password for Active Directory.

Skype for Business custom log in allows the usage of Skype for Business without the need to manage Active Directory credentials. With the custom log in solution, the user logs into the Access Portal, authenticates with his smart card from his network computer and creates dedicated email credentials for use on the mobile device.

Restrict Usage of Skype for Business to Approved Devices

SphereShield controls which devices can use and connect to Skype for Business servers based on several enrollment options from self service process to central manual control on the devices approved. Limit the number of approved devices and the devices types / OS version allowed. This prevents employees and other external users from using valid credentials on a device that has not been registered or approved.

Restrict Skype for Business to Managed Devices

SphereShield enable limited access to the organization’s Skype for Business server only to devices with MDM installed on them. Several approaches offered to support all leading MDM vendors in the market.

RSA Token Authentication

SphereShield enables the usage of secureID authentication code instead of domain password for users of secure tokens wishing to connect to Skype for Business servers from external devices. The RSA Token Authentication enables Two-Factor Authentication based on the token and avoids the usage of the Active Directory password on the device.

Edge Access Control

SphereShield allows secure connectivity to Skype for Business Edge servers from desktops and laptops outside the organization’s network while eliminating the risk of account lockout and verifying that only a registered client can access.

EWS Protection

SphereShield protects the Exchange Web Services (EWS) against account lockout and limits access to the EWS only from registered device (TFA). Allows only requests coming from Lync (Skype for Business) clients on approved devices to pass through to the Exchange.

VPN Access

SphereShield supports Skype for Business deployment over VPN by splitting traffic in a way that most of the traffic passes through the Internet only after a small part relevant for the authentication process goes through VPN.

Device control

Filter according to device type. SphereShield enables limiting the access to Skype for Business to specific devices based on the vendor and OS version (for example, iPhone 6, OS version 8 and above). LyncShield also supports limiting the number of allowed devices per user.

Authentication policy

SphereShield offers the ability to disable the “save password” option in the client. It can also force the user to authenticate every defined period (for example every 2 weeks) by terminating the session and forcibly logging the user out. SphereShield will wait once the time has passed until user is idle to avoid terminating a live session.