SkypeShield

Secure Skype Mobile & Desktop Authentication

SkypeShield - Mobile Skype Security

Security Highlights

  • Secures external mobile and desktop Skype and Lync authentication solution
  • Blocks DDoS and brute force attacks and prevents account lockout
  • Two Factor Authentication (TFA) based on device registration securing both Skype/Lync & Exchange (EWS)
  • Restricts usage to corporate devices only using several device registration options
  • Restricts usage to managed devices with MDM only, supporting all leading vendors
  • Enables usage over VPN connectivity by splitting SIP from HTTP traffic
  • Avoids using Active Directory credentials on mobile devices by using App credentials
  • Integrates with RSA secureID token using authentication code instead of domain password
  • Provides solution for enabling smart card authentication for mobile
  • Includes a built-in proxy in addition to availability on Microsoft TMG

SkypeShield is an innovative solution that guarantees secure external mobile and desktop Skype for Business (Lync) connectivity. SkypeShield allows domain users to safely connect to Microsoft servers from smartphones, tablets, desktop PCs and any other device outside the organization.

Connecting to a Skype for Business server using the Skype for Business client from smartphones, tablets and any other external device outside the organization might raise new security issues. To mitigate the risks and allow workers to safely connect, SkypeShield has developed an innovative solution that prevents unauthorized devices and users from penetrating the corporate network and protects the Active Directory (AD).

Skype for Business security Features

SkypeShield offers the following security features for mobile, tablets and desktops:

  • Active Directory Credentials Protection – defines dedicated Skype for Business credentials that are different from the Active Directory credentials to minimize damage and risk in case of a stolen or lost device, or if the credentials are hacked.
  • Two Factor Authentication – by matching the device and user, the organization can limit user’s access to Skype for Business servers by using only corporate devices or specific devices that meet the company’s security requirements.
  • Blocks DDoS & Prevents Account Lockouts  – prevent account lockout situation in a Denial-of-Service (DoS), Distributed Denial-of-Service (DDoS) and brute force attacks on Skype for Business servers or in case of domain password change. Includes failed login monitoring tools and reports.
  • Reverse Proxy Publishing – scalable, event-driven and secure reverse proxy alternative for Microsoft Forefront Threat Management Gateway (TMG) to publish Skype for Business.
  • Restrict Usage to Approved Devices – control which devices can use and connect to Skype servers based on several enrollment options from self service process to central manual control on the devices approved. Limit the number of approved devices and the devices types / OS version allowed. This prevents employees and other external users from using valid credentials on a device that has not been registered or approved.
  • Restrict Access to Corporate Devices – enable limited access to the organization’s Skype for Business server only to devices with MDM installed on them. Several approaches offered to support all leading MDM vendors in the market.
  • Smart Card Login – offers a solution for organizations with a network policy requiring smart card login to allow authentication and user of mobile Skype for Business.
  • RSA Token Authentication – enables the usage of secureID authentication code instead of domain password for users of secure tokens wishing to connect to Skype for Business servers from external devices. The RSA Token Authentication enables Two-Factor Authentication based on the token and avoids the usage of the Active Directory password on the device.
  • Edge Access Control – allows secure connectivity to Skype for Business Edge servers from desktops and laptops outside the organization’s network while eliminating the risk of account lockout and verifying that only a registered client can access.
  • EWS Protection – protects the Exchange Web Services (EWS) against account lockout and limits access to the EWS only from registered device (TFA). Allows only requests coming from Skype clients on approved devices to pass through to the Exchange.
  • VPN Access – supports Skype deployment over VPN by splitting traffic in a way that most of the traffic passes through the Internet only after a small part relevant for the authentication process goes through VPN.

Architecture

SkypeShield is a server side solution that does not require any additional installation on the mobile client*.

The product is offered with a dedicated proxy (Bastion) and is also available on Microsoft TMG.

The product can be implemented in an existing environment using other network proxies such as F5 or Netscaler.

Skype for Business Security


[1] Deloitte Global Technology, Media & Telecommunications (TMT) Security Survey  2012