Introduction

Requirement

Companies that have invested in MDM / EMM products face challenges when deploying Unified Communication (UC) and Collaboration platforms such as Skype for Business, Microsoft Teams or Webex Teams. These apps can be freely obtained and installed on any personal device, outside of MDM control. This can open a back-door channel into the company's network or cloud data. Accessing the UC platform from an unmanaged device, which might be jailbroken or compromised, can result in domain credential theft, data leakage, and malicious traffic entering the network.

SphereShield’s conditional access solution verifies that only devices that are aligned with the company’s security policy, as defined by the MDM, can access corporate data through UC clients such as Skype for Business, Webex Teams or MS Teams.

Functional highlights


  • Restrict access to UC services such as Webex, MS Teams and Skype for Business Online
  • Built-in integration with MobileIron, XenMobile, MaaS360, BlackBerry and Workspace ONE (AirWatch)
  • Verify that only managed devices can access UC cloud services
  • Verify that the device accessing the UC service is compliant, as defined by the EMM vendor
  • Visibility and control of all device access
  • Two-factor authentication to UC cloud services
  • Risk engine integration and geo-fencing
  • Risk engine integration to detect and block access when an IP address is flagged as suspicious, for example too many failed login attempts from a single IP, or a password spraying attack
  • Risk engine integration to detect suspicious user behavior, such as impossible travel scenarios


Solution

SphereShield offers a solution for organizations that use ADFS for authentication to cloud UC / collaboration services.

SphereShield leverages Active Directory and MDM capabilities to distribute certificates.

When a user signs into their app, the relevant service (such as O365 / Teams) sends the client to authenticate through ADFS. ADFS is published by Bastion with the CAF filter, which allows SphereShield to request a client certificate from the device and to let the user proceed with signing in only if the certificate matches the specified criteria.

SphereShield also checks that mobile devices are compliant with company policies by querying MDM APIs in real-time.

SphereShield can be configured to apply its protections to all services using ADFS or only specified ones.


Control which services require SphereShield control on ADFS

The SphereShield functionality does not need to be applied to all ADFS traffic, i.e. to every service that uses ADFS for authentication.

For example, task management SaaS software can continue to use ADFS without SphereShield functionality, while Webex Teams access is protected.

SphereShield servers can inspect the traffic and exempt specified types of traffic from certificate-based authentication, based on the service requesting the authentication or other parameters.

Alternatively, SSL ADFS traffic can be decrypted by existing company load balancers such as F5 BIG-IP. Relevant traffic is then sent to the SphereShield servers, and the rest of the ADFS traffic is sent directly to the ADFS servers.
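The decision logic described in the Solution section (exempt unprotected relying parties, require an MDM-distributed client certificate, then confirm compliance with the MDM in real time) as an added, simplified illustration; this is not SphereShield's or Bastion's code, and the relying-party identifiers, issuing CA name, device IDs and MDM compliance table are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Relying parties under SphereShield control; everything else (e.g. a task-management
# SaaS) passes straight through to ADFS. Both identifiers are illustrative placeholders.
PROTECTED_RELYING_PARTIES = {"urn:federation:MicrosoftOnline", "urn:example:webex-teams"}
TRUSTED_ISSUER = "CN=Corp Device CA"  # hypothetical CA whose certificates the MDM distributes

@dataclass
class ClientCert:
    subject: str
    issuer: str
    not_after: datetime
    device_id: str  # hypothetical: device identity the MDM stamps into the certificate

# Constructed stand-in for the real-time MDM compliance API query.
MDM_COMPLIANCE = {"dev-1001": True, "dev-2002": False}

def mdm_is_compliant(device_id: str) -> bool:
    return MDM_COMPLIANCE.get(device_id, False)  # unknown device => treated as unmanaged

def decide(relying_party: str, cert, now: datetime):
    """Return (allow, reason) for one ADFS authentication request."""
    if relying_party not in PROTECTED_RELYING_PARTIES:
        return True, "exempt: service not under SphereShield control"
    if cert is None:
        return False, "no client certificate: unmanaged device"
    if cert.issuer != TRUSTED_ISSUER:
        return False, "certificate not issued by the MDM-distributed CA"
    if cert.not_after <= now:
        return False, "client certificate expired"
    if not mdm_is_compliant(cert.device_id):
        return False, "device reported non-compliant by MDM"
    return True, "managed and compliant device"

# Constructed sample requests, as they would reach the filter in front of ADFS.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRES = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_REQUESTS = {
    "teams_managed": ("urn:federation:MicrosoftOnline", ClientCert("CN=alice", TRUSTED_ISSUER, EXPIRES, "dev-1001")),
    "teams_no_cert": ("urn:federation:MicrosoftOnline", None),
    "webex_noncompliant": ("urn:example:webex-teams", ClientCert("CN=bob", TRUSTED_ISSUER, EXPIRES, "dev-2002")),
    "webex_rogue_ca": ("urn:example:webex-teams", ClientCert("CN=eve", "CN=Other CA", EXPIRES, "dev-1001")),
    "task_saas_exempt": ("urn:example:task-saas", None),
}

def demo():
    """Evaluate every constructed request; returns {name: (allow, reason)}."""
    return {name: decide(rp, cert, SAMPLE_NOW) for name, (rp, cert) in SAMPLE_REQUESTS.items()}
```

Only the managed, compliant device reaching a protected service and the exempt SaaS request are allowed; a missing certificate, a certificate from another CA, or a non-compliant device is refused before sign-in completes.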