Introduction

SphereShield is a security platform designed to let companies deal with access control, compliance and threat protection. The SphereShield platform is based on a proprietary proxy with extendable multi-protocol filtering capabilities and an admin site for product management, reporting and configuration.

SphereShield for Teams is a security suite tailor-made for Microsoft Teams, designed to protect the Microsoft Teams environment using a CASB approach.

AGAT Software offers a sandboxed environment to demonstrate the capabilities of SphereShield for Teams.



What is a CASB?

CASB (Cloud Access Security Broker) is a security product made to handle the security challenges introduced by utilizing a software solution in the cloud.

CASB is usually offered in 3 flavors:

  1. Adapter API - a service connecting to APIs exposed by the Cloud Service provider without intercepting traffic.
  2. Reverse Proxy - a proxy server that intercepts traffic sent directly to it and responds as a server.
  3. Forward Proxy - a proxy server configured on a client device to intercept traffic sent to any of the hosts configured for inspection.

These options can be used together or individually for different purposes. Each option has its own benefits and limitations.

For full protection, including Data-in-Motion and mobile apps, you should utilize all three modules of the SphereShield for Teams product suite.


Comparison of CASB approaches




Feature comparison


Note: When deploying Ethical Wall, the Proxy must be used to block Search, Audio, Video and Screen sharing.

API vs Proxy: Further comparison

| Feature | API | Proxy |
| --- | --- | --- |
| Real Time (DLP and Ethical Wall) | X (will delete content within seconds) | V (will block communication from reaching the cloud) |
| Ethical Wall | | |
| Block Search | X | V |
| Chat | V | V |
| Files | V | V |
| Audio | X | V |
| Video | X | V |
| Screen share | X | V |
| Remove users from Teams/Chat | V | There is no need to do this with the proxy approach since all communication can be blocked at source |
| Block remote control in meeting | X | V |
| Block user from being Guest in external tenant | X | V |
| eDiscovery | | |
| Chat messages and files | V | X |
| Meeting events | X | V |
| Screen share events | X | V |

eDiscovery using Proxy and API components

For full eDiscovery, both the proxy and the API are needed.

The API can get info on Chat and Files.

The proxy can get info on Audio, Video, Desktop sharing and meeting participants.


Deployment can support having both Proxy and API components.

Adapter API Topology

 


This topology is the simplest to implement and is the recommended starting point.

Forward Proxy topology

SphereShield for Teams as a Forward Proxy protects MS Teams mobile apps, MS Teams browser access, and MS Teams desktop client. 

It can be configured as a global proxy using an MDM/EMM solution or using proxy chaining with an existing Forward Proxy or Security Gateway.

SphereShield for Teams as a Forward Proxy does not require ADFS or any other IdP to redirect the traffic to the proxy.

Distribution of the SphereShield Root CA to end-user devices is required in order to implement this solution.

Reverse Proxy topology (requires ADFS) 

SphereShield for Teams as a Reverse Proxy protects MS Teams browser access and MS Teams desktop client. 

It is an agent-less solution that does not require any changes on the end user device.

It does require use of ADFS or another IdP in order to redirect the traffic to the SphereShield Reverse Proxy.

SphereShield Reverse Proxy must reverse proxy ADFS traffic to provide the necessary client redirection.



What does the CASBA (API) module offer?

SphereShield for Teams Cloud Access Security Broker Adapter (CASBA) communicates with the Office 365 API.

It does not require any changes on the end user device and does not inspect Data-in-Motion.

SphereShield for Teams CASBA does not require ADFS or any other IdP to redirect the traffic to the proxy.


Note: A Key Vault subscription is required in the Azure tenant to securely store keys used by the application. This is a free subscription by Microsoft.