Secure SharePoint mobile connectivity
Slide 2 Background - The problem
Connecting mobile devices to the corporate network from outside the organization increases the risk of data leaks and of exposing a user's network credentials. Because there is no control over the apps installed on employees' smartphones, these devices are more prone to malware infection. Publishing SharePoint externally therefore exposes Active Directory to new security risks.
Slide 3 Security issues addressed
Active Directory password leakage
Connecting non-authorized devices
DoS, DDoS and brute-force attacks
Connecting mobile devices using smart cards
Slide 4 SharePoint Shield overview
Server-side solution with no additional client installation requirements. SharePoint Shield interacts directly with the client-server SharePoint traffic. Available either as an add-on to the Microsoft Forefront security server family (ISA/TMG) or on a proprietary pluggable reverse proxy platform (Bastion) on Windows or Linux. Part of the MobilityShield product suite, which also secures Lync and corporate applications.
Slide 5 AD credential protection approach
SharePoint Shield introduces a new approach to protecting Active Directory credentials: it eliminates the need to store Active Directory passwords on the device. With SharePoint Shield, the connection to SharePoint is made with dedicated SharePoint credentials that the user creates, rather than the regular Active Directory network credentials, so the AD credentials are never used or stored on the mobile device.
Slide 6 Active Directory dedicated login
The user creates dedicated SharePoint credentials on an internal self-service web site and uses them on the device instead of Active Directory credentials.
Slide 7 Mobile Smart Card solution
In many organizations that use smart cards for network login, users do not have an Active Directory username and password. SharePoint Shield allows SharePoint to be used without managing Active Directory credentials: with the dedicated login solution, the user logs into the Access Portal from a network computer, authenticating with the smart card, and creates dedicated SharePoint credentials for use on the mobile device.
Slide 8 Block DoS/Brute force attacks
Publishing SharePoint to the internet exposes your network to DoS (denial-of-service) and brute-force attacks. Such attacks can make the network unavailable and cause significant business damage. SharePoint Shield blocks these attacks at the gateway level with a configurable failed-login blocking policy, so attack attempts are stopped before they reach Active Directory.
Slide 9 Active Directory Lockout Guard
Account lockout can result from two scenarios: the user changed the Active Directory password but did not update the settings on the device, or an attacker obtained the username (without the password) and tries to log in repeatedly. SharePoint Shield eliminates both threats by blocking the failed attempts on the gateway server, before they reach Active Directory.
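The following is an added example, not AGAT's code, showing the gateway-side failed-login policy that slides 8 and 9 describe, replayed against a constructed stand-in for Active Directory so the effect on the account can be checked. The lockout threshold (5), the reset window (15 minutes), the gateway threshold (3) and the block duration are assumptions; the hypothetical `SimulatedAD` class only mimics the Windows lockout counter and is not a directory client.

```python
# Added example (not AGAT's code): a gateway-side failed-login guard of the kind
# slides 8 and 9 describe, plus a stand-in directory with Windows-style lockout
# so the effect can be checked. All threshold and window values are assumptions.
from collections import defaultdict, deque

AD_LOCKOUT_THRESHOLD = 5     # assumed AD "Account lockout threshold"
AD_RESET_WINDOW = 15 * 60    # assumed AD "Reset account lockout counter after" (seconds)
GATEWAY_THRESHOLD = 3        # must stay below AD_LOCKOUT_THRESHOLD so the gateway trips first
GATEWAY_BLOCK = 15 * 60      # how long the gateway refuses an account after it trips


class FailedLoginGuard:
    """Counts failed logins per account at the reverse proxy and stops forwarding
    that account's credentials to the backend once the threshold is reached."""

    def __init__(self, threshold=GATEWAY_THRESHOLD, window=AD_RESET_WINDOW, block_for=GATEWAY_BLOCK):
        if threshold >= AD_LOCKOUT_THRESHOLD:
            raise ValueError("gateway threshold must be below the AD lockout threshold")
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.blocked_until = {}              # account -> time at which the block expires

    def is_blocked(self, account, now):
        return self.blocked_until.get(account, 0) > now

    def attempt(self, account, password, now, backend):
        """backend(account, password, now) -> bool stands in for the AD check.
        Returns 'blocked' (never forwarded), 'ok' or 'failed'."""
        if self.is_blocked(account, now):
            return "blocked"
        if backend(account, password, now):
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:   # forget stale failures
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.threshold:
            self.blocked_until[account] = now + self.block_for
            self.failures.pop(account, None)
        return "failed"


class SimulatedAD:
    """Stand-in directory applying the assumed lockout policy (constructed, not real AD)."""

    def __init__(self, passwords):
        self.passwords = passwords
        self.bad = defaultdict(int)   # consecutive failures per account
        self.last_fail = {}
        self.locked = set()
        self.calls = 0                # how many attempts actually reached the directory

    def check(self, account, password, now):
        self.calls += 1
        if account in self.locked:
            return False
        if now - self.last_fail.get(account, float("-inf")) > AD_RESET_WINDOW:
            self.bad[account] = 0
        if self.passwords.get(account) == password:
            self.bad[account] = 0
            return True
        self.bad[account] += 1
        self.last_fail[account] = now
        if self.bad[account] >= AD_LOCKOUT_THRESHOLD:
            self.locked.add(account)
        return False


def run_lockout_scenarios():
    """Replays the two lockout scenarios from slide 9 through the guard (constructed data)."""
    ad = SimulatedAD({"alice": "Winter-2024!"})
    guard = FailedLoginGuard()
    out = {}

    # 1. Attacker who knows only the username guesses 20 passwords, one per second.
    results = [guard.attempt("alice", f"guess{i}", i, ad.check) for i in range(20)]
    out["attacker_forwarded"] = ad.calls                    # only 3 reach the directory
    out["attacker_blocked"] = results.count("blocked")      # the other 17 stop at the gateway
    out["ad_locked_after_attack"] = "alice" in ad.locked    # False: AD counter never hit 5

    # 2. Stale device: once the gateway block lapses it retries the old password 10 times.
    t0 = 1000
    for i in range(10):
        guard.attempt("alice", "Autumn-2024!", t0 + i, ad.check)
    out["stale_device_forwarded"] = ad.calls - out["attacker_forwarded"]   # again just 3
    out["ad_locked_after_stale"] = "alice" in ad.locked                     # still False

    # 3. The user fixes the device; after the block lapses the new password works.
    out["fixed_device"] = guard.attempt("alice", "Winter-2024!", t0 + GATEWAY_BLOCK + 5, ad.check)

    # 4. Same 20 guesses with no gateway in front: the real account locks out.
    bare = SimulatedAD({"alice": "Winter-2024!"})
    for i in range(20):
        bare.check("alice", f"guess{i}", i)
    out["unguarded_ad_locked"] = "alice" in bare.locked
    return out


if __name__ == "__main__":
    print(run_lockout_scenarios())
```

Two checks matter when configuring a policy like this. The guard counts per account, not per source address, because the directory's lockout counter is per account: an attacker who spreads guesses across many addresses would otherwise still lock the account. And the gateway block must last at least as long as the directory's reset window; otherwise the failures forwarded before and after the block can add up inside one window and trip the directory anyway. The price is that a legitimate user's external access is throttled for the block period, but the AD account itself stays usable from inside the network.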
Slide 10 Two-factor authentication
Based on a device ID sent by the client. Several registration/enrollment options enforce an access-control policy that matches the device to the user. Available for specific third-party SharePoint clients.
Slide 11 Access Control - Enrollment
Several access-control policies are supported:
Automatic Registration - the device ID is registered upon first use of the account.
Two-Step Registration - the user registers on an internal site and then must sync within a defined time frame to complete registration.
Admin Manual Enrollment - the admin manages the user list, with a training mode and an auditing list of rejected attempts.
Slide 12 Two Step Registration
Slide 13 Access Portal admin
View approved and blocked users
Block specific users
Product settings
Allow multiple users per device
Two-level admin: local domain admin
Reports
Search
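As an added example, not AGAT's code, here is a device-ID access-control registry that implements the three enrollment policies of slide 11 together with the "block specific users" and "allow multiple users per device" settings of slide 13. The registration window length, the audit-record layout and all user and device names are constructed for the example.

```python
# Added example (not AGAT's code): a device-ID access-control registry implementing
# the three enrollment policies of slide 11 and the "block user" / "multiple users per
# device" settings of slide 13. The window length and the audit-record shape are assumed.
from collections import defaultdict
from enum import Enum


class Policy(Enum):
    AUTOMATIC = "automatic"   # the first device seen on an account is registered
    TWO_STEP = "two_step"     # the user pre-registers internally, then syncs within a window
    MANUAL = "manual"         # an admin enrolls devices (or training mode learns them)


class DeviceRegistry:
    def __init__(self, policy, two_step_window=24 * 3600,
                 allow_multiple_users_per_device=False, training=False):
        self.policy = policy
        self.two_step_window = two_step_window
        self.allow_multiple_users_per_device = allow_multiple_users_per_device
        self.training = training
        self.approved = defaultdict(set)   # user -> device IDs allowed for that user
        self.pending = {}                  # user -> deadline to complete two-step registration
        self.blocked = set()               # users blocked by an admin
        self.rejected = []                 # audit list of refused requests: (time, user, device, reason)

    # --- enrollment actions (internal site / admin portal) ---
    def start_registration(self, user, now):
        """Step 1 of two-step registration, performed on the internal self-service site."""
        self.pending[user] = now + self.two_step_window

    def admin_approve(self, user, device):
        self.approved[user].add(device)

    def admin_block(self, user):
        self.blocked.add(user)

    # --- gateway decision for one request ---
    def authorize(self, user, device, now):
        """Returns (allowed, reason); every refusal is recorded in the audit list."""
        if user in self.blocked:
            return self._reject(now, user, device, "user blocked by admin")
        if device in self.approved[user]:
            return True, "known device"
        if not self.allow_multiple_users_per_device and any(
                device in devices for other, devices in self.approved.items() if other != user):
            return self._reject(now, user, device, "device already bound to another user")
        if self.policy is Policy.AUTOMATIC:
            if not self.approved[user]:
                self.approved[user].add(device)
                return True, "auto-registered first device"
            return self._reject(now, user, device, "account already bound to another device")
        if self.policy is Policy.TWO_STEP:
            deadline = self.pending.get(user)
            if deadline is None:
                return self._reject(now, user, device, "no pending registration")
            if now > deadline:
                return self._reject(now, user, device, "registration window expired")
            del self.pending[user]
            self.approved[user].add(device)
            return True, "two-step registration completed"
        if self.training:                       # Policy.MANUAL with training mode on
            self.approved[user].add(device)
            return True, "learned in training mode"
        return self._reject(now, user, device, "device not enrolled by admin")

    def _reject(self, now, user, device, reason):
        self.rejected.append((now, user, device, reason))
        return False, reason


def run_enrollment_scenarios():
    """Exercises each policy with constructed users and device IDs."""
    out = {}
    auto = DeviceRegistry(Policy.AUTOMATIC)
    out["auto_first"] = auto.authorize("alice", "dev-A", 0)[0]          # True
    out["auto_second_device"] = auto.authorize("alice", "dev-B", 1)[0]  # False
    out["auto_shared_device"] = auto.authorize("bob", "dev-A", 2)[0]    # False: dev-A belongs to alice

    two = DeviceRegistry(Policy.TWO_STEP, two_step_window=3600)
    two.start_registration("carol", 0)
    two.start_registration("dave", 0)
    out["two_step_in_window"] = two.authorize("carol", "dev-C", 1800)[0]    # True
    out["two_step_known_later"] = two.authorize("carol", "dev-C", 9000)[0]  # True, already registered
    out["two_step_expired"] = two.authorize("dave", "dev-D", 3601)[0]       # False
    out["two_step_unregistered"] = two.authorize("erin", "dev-E", 10)[0]    # False

    manual = DeviceRegistry(Policy.MANUAL)
    manual.admin_approve("frank", "dev-F")
    out["manual_approved"] = manual.authorize("frank", "dev-F", 0)[0]   # True
    out["manual_unknown"] = manual.authorize("frank", "dev-G", 1)[0]    # False
    manual.admin_block("frank")
    out["manual_blocked"] = manual.authorize("frank", "dev-F", 2)[0]    # False
    out["manual_audit"] = [r[3] for r in manual.rejected]

    learn = DeviceRegistry(Policy.MANUAL, training=True)
    out["training_learned"] = learn.authorize("gina", "dev-H", 0)[0]    # True
    return out
```

The device ID is whatever the client sends, so as a second factor it is only as strong as the client's ability to keep that value unguessable and off other devices; the two-step window and the audit list are what let an administrator notice a registration that was not the user's own.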
Slide 14 Access Portal admin control
Slide 15 SharePointShield typical architecture
Slide 16 Bastion
Reverse proxy forwarding traffic to the configured backend servers.
Cross-platform: Windows / Linux.
Pluggable filtering architecture. Filters HTTP(S).
Scalable event-driven architecture. Can publish multiple servers in parallel.
Highly efficient asynchronous architecture.
Bi-directional content filtering.
Slide 17 Bastion (cont)
Geared towards full-featured HTTP filtering, whereas most reverse proxy solutions are geared towards web acceleration.
Supports many HTTP features and scenarios: chunked transfer encoding, gzip and deflate encodings, and pipelining.
Supports filtering content, blocking content or generating proxy responses at any point in the filtering chain (unlike TMG and UAG).
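To make the filtering-chain idea of slides 16 and 17 concrete, here is an added example (not Bastion's code) of a minimal pluggable filter chain: it removes chunked transfer encoding and gzip/deflate encoding from a backend response before any filter inspects the body, and lets a filter end the chain early with a proxy-generated response. The sample backend response and the `CONFIDENTIAL` marker rule are constructed for the example; a real proxy would stream rather than buffer whole messages.

```python
# Added example (not Bastion's code): a minimal filter chain showing why a
# content-filtering reverse proxy must undo chunked transfer encoding and
# gzip/deflate before its filters see the body. The filter rule is an assumption.
import gzip
import zlib


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: chunk-size line, data, CRLF, ..., 0 CRLF CRLF."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)   # hex size; chunk extensions ignored
        pos = eol + 2
        if size == 0:
            return bytes(out)                          # trailers, if any, are dropped here
        out += body[pos:pos + size]
        pos += size + 2                                # skip the data and its trailing CRLF


def decode_body(headers: dict, body: bytes) -> bytes:
    """Return the body as the browser would see it, whatever encodings the backend used."""
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        body = gzip.decompress(body)
    elif enc == "deflate":
        body = zlib.decompress(body)
    return body


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, raw body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines)}
    return status, headers, body


class FilterChain:
    """Each filter receives the decoded body and returns None (pass) or a complete
    proxy-generated response, which ends the chain immediately."""

    def __init__(self, *filters):
        self.filters = filters

    def run(self, raw_response: bytes) -> bytes:
        status, headers, body = parse_response(raw_response)
        plain = decode_body(headers, body)
        for f in self.filters:
            verdict = f(status, headers, plain)
            if verdict is not None:
                return verdict
        # Re-serialise as an identity-encoded response so the client gets exactly what was inspected.
        keep = {k: v for k, v in headers.items()
                if k not in ("transfer-encoding", "content-encoding", "content-length")}
        keep["content-length"] = str(len(plain))
        head = status + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in keep.items())
        return head.encode("latin-1") + b"\r\n" + plain


def block_marker(marker: bytes):
    """Constructed filter: refuse any page whose decoded body contains `marker`."""
    def f(status, headers, plain):
        if marker in plain:
            msg = b"Blocked by gateway policy"
            return (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                    b"Content-Length: " + str(len(msg)).encode() + b"\r\n\r\n" + msg)
        return None
    return f


def build_chunked_gzip_response(payload: bytes) -> bytes:
    """Constructed sample backend reply: gzip-compressed and sent in two chunks."""
    gz = gzip.compress(payload)
    half = len(gz) // 2
    chunks = b"".join(f"{len(c):x}\r\n".encode() + c + b"\r\n" for c in (gz[:half], gz[half:]))
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunks + b"0\r\n\r\n")


def demo():
    """Returns (status line of a blocked reply, status line of a passed reply, body intact?)."""
    chain = FilterChain(block_marker(b"CONFIDENTIAL"))
    blocked = chain.run(build_chunked_gzip_response(b"<html>CONFIDENTIAL payroll</html>"))
    passed = chain.run(build_chunked_gzip_response(b"<html>public notice</html>"))
    return (blocked.split(b"\r\n")[0], passed.split(b"\r\n")[0],
            passed.endswith(b"<html>public notice</html>"))


if __name__ == "__main__":
    print(demo())
```

A filter that matched on the raw bytes would never see the marker inside the compressed, chunked stream; decoding first is what makes the blocking decision meaningful, and re-serialising with a fresh Content-Length keeps the client's view consistent with what the gateway inspected.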
Slide 18 AGAT Security suite - Overview
SharePointShield and MobilityShield are part of AGAT's Security suite, a set of unique components that extend Forefront (ISA/TMG, IAG/UAG) functionality to solve complex architectures and requirements, typically found in large, complex and well-secured networks. The solution is also available on the Bastion reverse proxy without the use of Forefront.
Slide 19 To learn more about our solutions please visit our website at