secure sharepoint mobile connectivity

Secure SharePoint mobile connectivity http://www.mobility-shield.com

Upload: malik-leyman

Post on 15-Dec-2015


Page 1: Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity

http://www.mobility-shield.com

Yoav Crombie
Slide 2

Background - The problem

Connecting mobile devices to the corporate network from outside the organization increases the risk of data leaks and possible exposure of a user’s network credentials.

As there is no control over apps installed on employees’ smartphones, these devices are more prone to malware infection.

Publishing SharePoint externally exposes the Active Directory to new security risks.

Slide 3

Security issues addressed

• Active Directory password leakage
• Connecting non authorized devices
• DoS, DDoS and Brute force attacks
• Connecting mobile device using smart cards

Slide 4

SharePoint Shield overview

• Server-side solution with no additional client installation requirements.
• SharePoint Shield interacts directly with the client-server SharePoint traffic.
• Available either as an add-on to the Microsoft Forefront security server family (ISA/TMG), or with a proprietary pluggable Reverse Proxy platform (Bastion) on Windows or Linux.
• Part of the Mobility-shield product suite securing Lync and corporate applications.

Slide 5

AD credential protection approach

SharePoint Shield introduces a new approach for protecting the Active Directory credentials

SharePoint Shield completely eliminates the need to store Active Directory passwords on the device.

With SharePoint Shield the connection to SharePoint is done by using dedicated SharePoint credentials that are created by the user rather than the regular network Active Directory credentials.

Using this approach, the AD credentials are never used or stored on the mobile device.

Slide 6

Active Directory dedicated login

The user creates dedicated SharePoint credentials on a self-service internal web site for use on the device, instead of Active Directory credentials.

Slide 7

Mobile Smart Card solution

Many organizations that use smart cards for network login do not have a username and password for Active Directory.

SharePoint Shield allows the usage of SharePoint without the need to manage Active Directory credentials.

With the dedicated login solution, the user logs into the Access Portal authenticating with his smart card from his network computer and creates dedicated SharePoint credentials for use on the mobile device.

Slide 8

Block DoS/Brute force attacks

Publishing SharePoint to the internet exposes your network to:

• DoS (denial-of-service)
• Brute force attacks

Such attacks can result in the network becoming unavailable and may cause significant business damage.

SharePoint Shield blocks these attacks at the gateway level through a configured failed-login blocking policy, so attack attempts never reach the Active Directory.

Slide 9

Active Directory Lockout Guard

Account lockout can be the result of two scenarios:

The user changed the Active Directory password, but did not change the settings on the device.

A hacker got hold of the username (without the password) and tries to login several times.

SharePoint Shield eliminates these threats by blocking the failed attempts on the gateway server side, before they reach the Active Directory.
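The gateway-side blocking described on this slide can be sketched as follows. This is an added example, not SharePoint Shield's own code: the class names, the thresholds, the 900-second window and the stand-in directory are all assumptions made for illustration.

```python
# Added illustration; all names and values are hypothetical, not the product's.
import time
from collections import defaultdict, deque


class FakeDirectory:
    """Constructed stand-in for Active Directory with a lockout threshold."""

    def __init__(self, passwords, lockout_threshold=5):
        self.passwords = passwords
        self.lockout_threshold = lockout_threshold
        self.bad_count = defaultdict(int)

    def is_locked(self, user):
        return self.bad_count[user] >= self.lockout_threshold

    def authenticate(self, user, password):
        if self.is_locked(user):
            return False
        if self.passwords.get(user) == password:
            self.bad_count[user] = 0
            return True
        self.bad_count[user] += 1
        return False


class LockoutGuard:
    """Gateway filter that stops forwarding logins before the directory locks."""

    def __init__(self, directory, max_failures=3, window=900, clock=time.monotonic):
        self.directory = directory
        self.max_failures = max_failures  # must stay below the directory threshold
        self.window = window              # seconds a failure counts against a user
        self.clock = clock
        self.failures = defaultdict(deque)

    def login(self, user, password):
        key, now = user.lower(), self.clock()
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:
            recent.popleft()              # forget failures older than the window
        if len(recent) >= self.max_failures:
            return "blocked_at_gateway"   # request is never forwarded
        if self.directory.authenticate(key, password):
            recent.clear()
            return "ok"
        recent.append(now)
        return "denied"
```

With the gateway limit set below the directory's lockout threshold, a device that keeps retrying a stale password, or someone guessing against a known username, exhausts the gateway counter first and the directory account stays unlocked.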

Slide 10

Two Factor authentication

• Based on Device ID sent by client
• Several registration/enrolment options to enforce access control policy based on matching the device and the user.
• Available for specific third party SharePoint Clients

Slide 11

Access Control – Enrollment

Supports several access control policies:

• Automatic Registration – Device ID is registered upon first use of account.
• Two Step Registration – User registers on internal site and then must sync within a defined time frame to complete registration.
• Admin Manual Enrollment – Admin management of user list using training mode and rejected auditing list.
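The three enrollment policies can be compared side by side in a small model of the gateway's device check. This is an added example, not the product's code: the class, its method names and the 600-second sync window are assumptions, one device is bound per user for simplicity, and the training mode is not modelled.

```python
# Added illustration; names and the 600-second window are assumptions.
import time


class DeviceEnrollment:
    POLICIES = ("automatic", "two_step", "admin_manual")

    def __init__(self, policy, sync_window=600, clock=time.monotonic):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        self.policy = policy
        self.sync_window = sync_window
        self.clock = clock
        self.approved = {}   # user -> device ID bound to that account
        self.pending = {}    # user -> deadline set on the internal site
        self.rejected = []   # audit list for the admin: (user, device_id)

    def register_on_internal_site(self, user):
        """Step 1 of two-step registration, done from inside the network."""
        self.pending[user] = self.clock() + self.sync_window

    def admin_approve(self, user, device_id):
        """Manual enrollment: the admin binds a device to a user."""
        self.approved[user] = device_id

    def check(self, user, device_id):
        """Gateway decision for a request carrying this user and device ID."""
        bound = self.approved.get(user)
        if bound is not None:
            return self._decide(user, device_id, bound == device_id)
        if self.policy == "automatic":
            self.approved[user] = device_id      # first use binds the device
            return True
        if self.policy == "two_step":
            deadline = self.pending.pop(user, None)
            if deadline is not None and self.clock() <= deadline:
                self.approved[user] = device_id  # step 2: sync arrived in time
                return True
        return self._decide(user, device_id, False)

    def _decide(self, user, device_id, allowed):
        if not allowed:
            self.rejected.append((user, device_id))
        return allowed
```

Because the device ID is a value sent by the client, the binding works alongside the dedicated credentials rather than in place of them, and the rejected list gives the admin the record of mismatched attempts to review.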

Slide 12

Two Step Registration

Slide 13

Access Portal admin

• View approved & blocked users
• Block specific users
• Product settings
• Allow multiple users per device
• Two level admin - local domain admin
• Reports
• Search

Slide 14

Access Portal admin control

Slide 15

SharePointShield typical architecture

Slide 16

Bastion

• Reverse proxy forwarding traffic to the configured backend servers.
• Cross-platform - Windows / Linux
• Pluggable filtering architecture.
• Filters HTTP(S).
• Scalable Event-Driven Architecture.
• Can publish multiple servers in parallel.
• Highly efficient asynchronous architecture.
• Bi-directional content filtering.

Slide 17

Bastion (cont)

• Geared towards full-featured HTTP filtering. Most reverse proxy solutions are geared towards web acceleration.
• Supports many HTTP features and scenarios:
  • Chunked, gzip and deflate Transfer-Encodings.
  • Pipelining.
• Supports filtering content, blocking content or generating proxy responses anytime during the filtering chain (unlike TMG and UAG).

Slide 18

AGAT Security suite - Overview

SharePointShield and MobilityShield are part of AGAT’s Security suite.

AGAT Security suite is a set of unique components that allow extending Forefront (ISA/TMG IAG/UAG) functionality to solve complex architectures and requirements, typically implemented in large, complex and well secured networks.

The solution is also available on Bastion reverse proxy without the use of Forefront.

Slide 19

To learn more about our solutions please visit our website at

http://www.mobility-Shield.com
