Secure SharePoint mobile connectivity
http://www.mobility-shield.com
Slide 2
Background - The problem
Connecting mobile devices to the corporate network from outside the organization increases the risk of data leaks and possible exposure of a user’s network credentials.
As there is no control over apps installed on employees’ smartphones, these devices are more prone to malware infection.
Publishing SharePoint externally exposes the Active Directory to new security risks.
Slide 3
Security issues addressed
Active Directory password leakage
Connecting non-authorized devices
DoS, DDoS and brute force attacks
Connecting mobile devices using smart cards
Slide 4
SharePoint Shield overview
Server side solution with no additional client installation requirements.
SharePoint Shield interacts directly with the client-server SharePoint traffic.
• Available either as an add-on to the Microsoft Forefront security server family (ISA/TMG), or with a proprietary pluggable reverse proxy platform (Bastion) on Windows or Linux.
• Part of the Mobility-shield product suite securing Lync and corporate applications.
Slide 5
AD credential protection approach
SharePoint Shield introduces a new approach for protecting the Active Directory credentials
SharePoint Shield completely eliminates the need to store Active Directory passwords on the device.
With SharePoint Shield the connection to SharePoint is done by using dedicated SharePoint credentials that are created by the user rather than the regular network Active Directory credentials.
Using this approach the AD credentials are never used or stored on the mobile device.
Slide 6
Active Directory dedicated login
The user creates dedicated SharePoint credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.
Slide 7
Mobile Smart Card solution
Many organizations that use smart cards for network login do not have a username and password for Active Directory.
SharePoint Shield allows the usage of SharePoint without the need to manage Active Directory credentials.
With the dedicated login solution, the user logs into the Access Portal from their network computer, authenticating with their smart card, and creates dedicated SharePoint credentials for use on the mobile device.
Slide 8
Block DoS/Brute force attacks
Publishing SharePoint to the internet exposes your network to DoS (denial-of-service) and brute force attacks.
Such attacks can result in the network becoming unavailable and may cause significant business damage.
SharePoint Shield blocks these attacks at the gateway level by applying a failed-login blocking policy, so that attack attempts are stopped before they reach the Active Directory.
Slide 9
Active Directory Lockout Guard
Account lockout can be the result of two scenarios:
The user changed the Active Directory password, but did not change the settings on the device.
A hacker got hold of the username (without the password) and tries to log in several times.
SharePoint Shield eliminates these threats by blocking the failed attempts on the gateway server side, before they reach the Active Directory.
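The failed-login policy on slide 8 and the lockout guard on slide 9 are one mechanism seen from two sides: the gateway verifies the device's dedicated credentials itself and refuses a misbehaving account before its failures can count towards the Active Directory lockout threshold. The Python below is an added example written for this transcript, not SharePoint Shield code; the PBKDF2 credential store, the thresholds (gateway trips at 3 failures, an assumed AD lockout at 5), the sliding window and the `backend_auth` stand-in for whatever sits behind the gateway are all assumptions.

```python
# Gateway-side login guard: verifies the device's dedicated (non-AD) credentials and
# cuts off repeated failures before anything is forwarded towards Active Directory.
# Added example, not SharePoint Shield code; thresholds and names are assumptions.
import hashlib
import hmac
import os
from collections import defaultdict, deque

AD_LOCKOUT_THRESHOLD = 5      # assumed domain policy: 5 bad passwords lock the AD account
GATEWAY_MAX_FAILURES = 3      # gateway refuses the account well below the AD threshold
FAILURE_WINDOW_SECONDS = 600  # failures older than this no longer count
GATEWAY_BLOCK_SECONDS = 900   # how long a tripped account is refused at the gateway


class DedicatedCredentialStore:
    """Credentials the user created on the self-service portal for the device.
    Only a salted PBKDF2 hash is kept; the AD password is never seen or stored."""

    def __init__(self):
        self._records = {}

    def create(self, username, password):
        salt = os.urandom(16)
        self._records[username] = (salt, self._hash(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(self._hash(password, salt), digest)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FailedLoginGuard:
    """Sliding-window failure counter per account, enforced on the gateway itself."""

    def __init__(self, now):
        self.now = now                      # time source in seconds; injectable for tests
        self._failures = defaultdict(deque)
        self._blocked_until = {}

    def is_blocked(self, username):
        until = self._blocked_until.get(username)
        if until is None:
            return False
        if self.now() >= until:             # block lapsed: start with a clean slate
            del self._blocked_until[username]
            self._failures[username].clear()
            return False
        return True

    def record_failure(self, username):
        now, window = self.now(), self._failures[username]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= GATEWAY_MAX_FAILURES:
            self._blocked_until[username] = now + GATEWAY_BLOCK_SECONDS

    def record_success(self, username):
        self._failures[username].clear()


class Gateway:
    """Reverse-proxy login filter. `backend_auth` stands in for whatever is behind the
    gateway (SharePoint and ultimately AD) and is only called after local verification."""

    def __init__(self, store, guard, backend_auth):
        self.store, self.guard, self.backend_auth = store, guard, backend_auth
        self.backend_calls = 0              # how many requests ever reached the backend

    def login(self, username, password):
        if self.guard.is_blocked(username):
            return "blocked_at_gateway"     # refused before any hashing or forwarding
        if not self.store.verify(username, password):
            self.guard.record_failure(username)
            return "invalid_credentials"
        self.guard.record_success(username)
        self.backend_calls += 1
        return "ok" if self.backend_auth(username) else "backend_denied"


def simulate_stale_device():
    """Slide scenario: the user rotated the password on the portal but the device keeps
    sending the old one. Returns (outcomes, number of requests that reached the backend)."""
    clock = [0.0]
    store = DedicatedCredentialStore()
    store.create("alice", "new-portal-secret")          # constructed sample credential
    gateway = Gateway(store, FailedLoginGuard(lambda: clock[0]), backend_auth=lambda u: True)
    outcomes = []
    for _ in range(AD_LOCKOUT_THRESHOLD + 1):            # the device retries blindly
        outcomes.append(gateway.login("alice", "old-device-secret"))
        clock[0] += 30
    outcomes.append(gateway.login("alice", "new-portal-secret"))  # still refused while tripped
    clock[0] += GATEWAY_BLOCK_SECONDS
    outcomes.append(gateway.login("alice", "new-portal-secret"))  # accepted once block lapses
    return outcomes, gateway.backend_calls
```

`simulate_stale_device()` plays the first lockout scenario from slide 9: the device retries the old password six times, the gateway refuses the account from the fourth attempt on, and the backend is reached exactly once, after the block has lapsed and the correct password is presented. Two details matter in practice: the gateway threshold must sit below the domain's lockout threshold, or the guard protects nothing, and the blocked path returns before the PBKDF2 computation, so a brute-force run cannot burn the gateway's CPU either.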
Slide 10
Two Factor authentication
Based on Device ID sent by the client.
Several registration/enrollment options to enforce an access control policy based on matching the device and the user.
Available for specific third party SharePoint clients.
Slide 11
Access Control – Enrollment
Supports several access control policies:
Automatic Registration – Device ID is registered upon first use of the account.
Two Step Registration – User registers on an internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment – Admin management of the user list using training mode and a rejected auditing list.
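To make the three enrollment options concrete, here is an added Python example (written for this transcript, not SharePoint Shield code) of a device registry that takes the username and the Device ID sent by the client and returns an allow/deny decision under each policy. Everything beyond the slide text is an assumption: the decision names, that automatic registration binds only the first device seen for an account, that a two-step registration must be completed by a sync within `two_step_window` seconds, that training mode learns new user/device pairs and allows them pending admin review, and the `allow_multiple_users_per_device` switch, which mirrors the admin setting listed later in the deck.

```python
# Device-ID access control with the three enrollment policies from the slide.
# Added example, not SharePoint Shield code; decision names, the two-step deadline
# and the training-mode behaviour are assumptions.
from collections import defaultdict
from enum import Enum


class Policy(Enum):
    AUTOMATIC = "automatic"        # first device seen for the account is bound to it
    TWO_STEP = "two_step"          # user pre-registers internally, then must sync in time
    ADMIN_MANUAL = "admin_manual"  # only admin-enrolled (user, device) pairs are allowed


class Decision(Enum):
    ALLOW = "allow"
    DENY_NOT_ENROLLED = "deny_not_enrolled"
    DENY_DEVICE_MISMATCH = "deny_device_mismatch"
    DENY_DEVICE_SHARED = "deny_device_shared"
    DENY_REGISTRATION_EXPIRED = "deny_registration_expired"


class DeviceRegistry:
    def __init__(self, policy, now, two_step_window=3600,
                 allow_multiple_users_per_device=False, training_mode=False):
        self.policy, self.now = policy, now            # `now`: callable returning seconds
        self.two_step_window = two_step_window
        self.allow_multiple_users_per_device = allow_multiple_users_per_device
        self.training_mode = training_mode
        self.devices = defaultdict(set)        # username -> enrolled device IDs
        self.device_users = defaultdict(set)   # device ID -> usernames bound to it
        self.pending = {}                      # username -> two-step deadline
        self.rejected_audit = []               # (username, device_id, decision) for the admin

    def pre_register(self, username):          # two-step, step 1: done on the internal site
        self.pending[username] = self.now() + self.two_step_window

    def admin_enroll(self, username, device_id):
        self._bind(username, device_id)

    def authorize(self, username, device_id):
        """Gateway decision for one request carrying the client's Device ID."""
        decision = self._decide(username, device_id)
        if decision is not Decision.ALLOW:
            self.rejected_audit.append((username, device_id, decision))
        return decision

    def _decide(self, username, device_id):
        if device_id in self.devices[username]:
            return Decision.ALLOW                        # known user/device pair
        if self.device_users[device_id] - {username} and not self.allow_multiple_users_per_device:
            return Decision.DENY_DEVICE_SHARED           # device already bound to another user
        if self.policy is Policy.AUTOMATIC:
            if self.devices[username]:
                return Decision.DENY_DEVICE_MISMATCH     # account already bound to another device
            self._bind(username, device_id)
            return Decision.ALLOW
        if self.policy is Policy.TWO_STEP:
            deadline = self.pending.pop(username, None)
            if deadline is None:
                return Decision.DENY_NOT_ENROLLED
            if self.now() > deadline:
                return Decision.DENY_REGISTRATION_EXPIRED
            self._bind(username, device_id)              # step 2: the first sync completes it
            return Decision.ALLOW
        if self.training_mode:                           # ADMIN_MANUAL: learn pairs for review
            self._bind(username, device_id)
            return Decision.ALLOW
        return Decision.DENY_NOT_ENROLLED

    def _bind(self, username, device_id):
        self.devices[username].add(device_id)
        self.device_users[device_id].add(username)


def demo():
    """Walks each policy with constructed users and devices; returns {case: decision value}."""
    clock = [0.0]
    now = lambda: clock[0]
    r = {}
    auto = DeviceRegistry(Policy.AUTOMATIC, now)
    r["auto_first_use"] = auto.authorize("alice", "dev-A1").value
    r["auto_second_device"] = auto.authorize("alice", "dev-A2").value
    r["auto_shared_device"] = auto.authorize("eve", "dev-A1").value
    two = DeviceRegistry(Policy.TWO_STEP, now, two_step_window=600)
    r["two_step_no_prereg"] = two.authorize("bob", "dev-B1").value
    two.pre_register("bob")
    clock[0] += 100
    r["two_step_in_time"] = two.authorize("bob", "dev-B1").value
    two.pre_register("carol")
    clock[0] += 700
    r["two_step_late"] = two.authorize("carol", "dev-C1").value
    manual = DeviceRegistry(Policy.ADMIN_MANUAL, now)
    r["manual_unknown"] = manual.authorize("dave", "dev-D1").value
    manual.admin_enroll("dave", "dev-D1")
    r["manual_enrolled"] = manual.authorize("dave", "dev-D1").value
    r["manual_audit_entries"] = len(manual.rejected_audit)
    return r
```

The check order is the security-relevant part: a known pair is allowed first, a device already bound to a different account is refused before any policy can enroll it, and only then does the policy decide whether an unknown pair may self-enroll. Every refusal lands in `rejected_audit`, which is what the admin's rejected list would be built from.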
Slide 12
Two Step Registration
Slide 13
Access Portal admin
View approved & blocked users
Block specific users
Product settings
Allow multiple users per device
Two level admin - local domain admin
Reports
Search
Slide 14
Access Portal admin control
Slide 15
SharePointShield typical architecture
Slide 16
Bastion
Reverse proxy forwarding traffic to the configured backend servers.
Cross-platform - Windows / Linux
Pluggable filtering architecture.
Filters HTTP(S).
Scalable event-driven architecture.
Can publish multiple servers in parallel.
Highly efficient asynchronous architecture.
Bi-directional content filtering.
Slide 17
Bastion (cont)
Geared towards full-featured HTTP filtering.
Most reverse proxy solutions are geared towards web acceleration.
Supports many HTTP features and scenarios.
Chunked, gzip and deflate Transfer-Encodings.
Pipelining.
Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).
Slide 18
AGAT Security suite - Overview
SharePointShield and MobilityShield are part of AGAT’s Security suite.
AGAT Security suite is a set of unique components that allow extending Forefront (ISA/TMG, IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well-secured networks.
The solution is also available on Bastion reverse proxy without the use of Forefront.
Slide 19
To learn more about our solutions please visit our website at
http://www.mobility-Shield.com