Everybody knows that Lync is secure: signalling is protected by TLS and media by SRTP. For some companies, though, that's not enough. It's not only the application traffic that needs securing; the devices and credentials used to access corporate services also need to be kept safe. Government, Legal, and R&D organisations in particular often have strict security guidelines designed to protect their interests.
This is where flexibility and security can clash. With ever-increasing reasons to work away from the office, staff are often outside the safety of the 'corporate network', away from VLANs, firewalls, and content filters, and there is mounting pressure to let staff use the devices they prefer and are familiar with.
Lync really embraces BYOD: Microsoft have a client for all the common devices on the market (who uses BlackBerry anymore?). Access also extends outside the organisation via Lync federation, and external users can join conferences from a web browser or mobile app, even if they don't have a Lync account in their own organisation.
But you know all that already…
Let’s talk about how we can secure Lync (and other services), and how you can comply with various business restrictions around external access and restrictive BYOD strategies.
Don’t just give up and block it…
It seems to be a recurring theme recently: clients are becoming more concerned with security as they 'give in' to BYOD. Commonly they need to ensure security and compliance at all times, not just in the technology itself but in how and where it is used. That goes as far as blocking video calls in certain departments so they don't have to consider what intellectual property might be visible in the background of a video call, something I hadn't quite appreciated could be a problem.
One client allowed Lync federation with specific organisations so staff could work closely with selected trusted partners, but remote access was denied. That meant collaborating with colleagues and partners over Lync could only be done on-premises. Talk about clipping wings.
The reason was the possibility of devices being lost or stolen and sensitive information falling into the wrong hands. OK, that is not so much about Lync here, more about Exchange ActiveSync, but still: if you steal my device, you have my cached credentials, and you can see my IMs, call history, meeting information, emails, and, oh no, those all-important attachments. Within moments you would know the details of what I'm working on and who I'm working with.
It's not all top-secret conspiracy stuff, but data security is important, and Microsoft also take it seriously, extending certificate authentication on mobile devices with passive authentication: during sign-in the user is redirected to their organisation's AD FS portal to authenticate and acquire a web ticket, which the Lync client then uses to request a certificate. In short, no Active Directory credentials are stored in the Lync Mobile app itself. I stress 'stored' to make a point: the user still has to type their Active Directory username and password, nosy people and key loggers both exist, and your password could be 'out there' without you even knowing. This is compounded by strict password policies that require employees to change their password every month, include numbers, symbols, and upper-case characters, and not re-use any of the past 50 passwords. So let's just write the new password on a post-it note and leave it on the lid of my laptop 🙂 That way I can carry on working without having to call IT for yet another different, complicated password to remember.
What can be done?
Here's the bit where I recommend a solution. There are a few products that aim to achieve similar goals; this is just one that caught my eye, mainly because it doesn't require ANY special software on the devices, it's totally transparent to the end user, and it doesn't need any 'specialised' hardware tokens either (although it does support them, and more).
The company is called PointSharp. At the core of their offering is a RADIUS-compatible authentication server called "PointSharp ID", meaning it can be used with almost anything that speaks RADIUS, for example VPNs, WiFi and 802.1X.
Disclaimer and Thanks
Any details in this article are based only on my assumptions and observations from deploying the software in my lab. On that note, I'd like to say a special thanks to Mika (blog and twitter), who works as a product specialist for PointSharp and who took the time to help me get it up and running.
From my point of view the “PointSharp Mobile Gateway” is the interesting bit for Lync, Exchange, and others, as PointSharp also supports CRM, RDP, and Office 365.
Essentially the "Mobile Gateway" takes over the role of the reverse proxy (because it is a reverse proxy), publishing internal sites and services to the outside world. It intercepts the authentication requests and allows the use of non-domain passwords and multi-factor authentication, e.g. one-time passwords.
This is an example of the PointSharp login page for Outlook Web Access using forms-based two-factor authentication: after you supply the username and PointSharp password, you are prompted for a one-time password generated by a hardware token, mobile app, or other means. Obviously it can be customised to match the corporate branding.
Sitting in that position, it can do some very clever stuff, and adds much more than the boolean 'enable or disable' that's available for Exchange ActiveSync and Lync remote access.
Two parts of this solution addressed my clients' concerns directly. The first is its ability to offer a kind of lightweight Mobile Device Management, but that term is misleading; with "Enterprise Mobility" emerging, managing devices is not the intended purpose of this solution, so I prefer to call it 'Mobile Access Management': we're not interested in managing the device here, just the access it's entitled to. That said, I'm sure this solution would work extremely well alongside Intune and the like.
Device policies let you automatically allow, quarantine, or block access from devices by platform (Android, iPhone, Windows Mobile) or client application version, restrict the number and type of devices allowed (configurable per user), and, what's more, tie users to devices, so that my credentials only work on my device and not even on my co-worker's identical corporate-issued device.
The other area where this solution addressed my clients' concerns was its ability to operate without storing, or even typing, Active Directory passwords on the devices. It also provides a self-service user portal for managing devices and tokens, if desired.
A couple of screenshots showing device management actions on the user portal.
Exchange ActiveSync (bear with me…)
This product seems to really excel at ActiveSync. I've not looked at these features in much detail, but there appears to be a very powerful policy engine behind all this. Although slightly off-topic for a Lync blog, I do like to dabble, so here are my highlights:
Content filters… You can allow emails on mobile devices but replace attachments with 'polite' messages to avoid errors. The policies also let you configure filters for specific subjects, i.e. emails with certain keywords in the subject line can be blocked on the device, or all emails can be made visible only for a set period, e.g. 24 hours.
Synchronise filters… You can individually allow or block emails, attachments, calendars, contacts, tasks, notes, custom folders etc., and specify attachment whitelists, e.g. allow PDFs on the device but not Word documents.
Operation filters… Similarly, you can allow or block actions performed from the device, for example Search, Folder Delete, Move Items, Send Mail, Reply, Forward, etc. So you can turn the device into a read-only viewer, letting the user see emails but not forward or reply to them.
Remember this ONLY applies to the ActiveSync device. I'm not talking about blocking file types globally, not even for the specific user; this allows a policy combination of per device, per user, and per platform. Hmm, let's block all attachments except PDFs from appearing on iPhones for only the marketing department… done.
And as if that wasn't enough, you can specify that the ActiveSync device is only used for the calendar, letting you accept meeting invitations. So you're not allowed emails or contacts on your phone but need to manage your diary? No problem.
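To make the "per device, per user, per platform" layering concrete, here is an added example (written for this post, not PointSharp's engine or data model) that models the filters above as rules matched against the request context, with the most specific rule winning. The rule set, the context attributes (platform, department, device_id), the folder names, the placeholder text and the sample mail items are all constructed for illustration; the one behaviour taken from the text is that blocked attachments are replaced with a polite message rather than causing a sync error.

```python
"""Constructed model of layered ActiveSync access policies (not PointSharp's engine)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

PLACEHOLDER = "Attachment removed by mobile policy; open it from a managed PC."

# Every setting has a baseline value; a rule only lists the settings it changes.
BASELINE: Dict[str, Any] = {
    "folders": {"email", "calendar", "contacts", "tasks", "notes"},
    "attachment_ext": None,   # None = any attachment type may sync
    "blocked_ops": set(),     # device-side operations the gateway refuses
    "subject_block": [],      # keywords that keep a mail off the device
    "visible_hours": None,    # None = items never expire from the device
}


@dataclass
class Rule:
    match: Dict[str, str]     # context attributes that must all be equal
    settings: Dict[str, Any]


# Constructed rule set: per-platform, per-department, combined, and per-device policies.
RULES: List[Rule] = [
    Rule({"platform": "Android"}, {"visible_hours": 24}),
    Rule({"department": "legal"},
         {"subject_block": ["privileged"], "blocked_ops": {"Forward", "Reply", "Send"}}),
    Rule({"platform": "iPhone", "department": "marketing"}, {"attachment_ext": {"pdf"}}),
    Rule({"device_id": "contractor-tab-7"}, {"folders": {"calendar"}}),  # calendar-only device
]


def effective_policy(context: Dict[str, str], rules: List[Rule] = RULES) -> Dict[str, Any]:
    """Merge every matching rule onto the baseline; rules with more match keys are applied last and win."""
    policy = dict(BASELINE)
    matching = [r for r in rules if all(context.get(k) == v for k, v in r.match.items())]
    for rule in sorted(matching, key=lambda r: len(r.match)):
        policy.update(rule.settings)
    return policy


def sync_item(policy: Dict[str, Any], item: Dict[str, Any], now: float) -> Optional[Dict[str, Any]]:
    """Return the item as the device may see it, or None if it must not sync at all."""
    if item["folder"] not in policy["folders"]:
        return None
    subject = item.get("subject", "").lower()
    if any(word.lower() in subject for word in policy["subject_block"]):
        return None
    hours = policy["visible_hours"]
    if hours is not None and now - item["received"] > hours * 3600:
        return None
    allowed = policy["attachment_ext"]
    attachments = []
    for name in item.get("attachments", []):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        attachments.append(name if allowed is None or ext in allowed else PLACEHOLDER)
    return {**item, "attachments": attachments}


def operation_allowed(policy: Dict[str, Any], operation: str) -> bool:
    """Operation filter: e.g. a legal user's device may read mail but not Forward/Reply/Send."""
    return operation not in policy["blocked_ops"]


if __name__ == "__main__":
    ctx = {"user": "alice", "department": "marketing", "platform": "iPhone", "device_id": "ios-1"}
    mail = {"folder": "email", "subject": "Campaign brief", "received": 1000.0,
            "attachments": ["brief.pdf", "plan.docx"]}
    print(sync_item(effective_policy(ctx), mail, now=2000.0)["attachments"])
```

The point of the specificity ordering is that a rule scoped to both platform and department overrides a rule scoped to either alone, which is what lets "PDF-only on marketing iPhones" coexist with a broader Android expiry rule without either clobbering the other.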
Sorry, let’s get back to Lync
All the device policies, non-domain credentials, and one-time-password features are available to Lync as well, including the desktop app, mobile app, and Lync Web App. Yes, even the Lync Web App, so you can visit an internet café or use a friend's laptop and join a Lync meeting as yourself, safely.
Digging a little deeper
Here’s a Visio diagram (yes, it wouldn’t be my blog without one) showing a very simple glimpse of where it sits, and what it does. This is just a high level reflection of what I’ve got in my lab, not indicative of a production environment.
Hopefully that is clear, and you can immediately understand it (if not, I’m blaming it on the new Microsoft Visio stencils)
- The user authenticates with their PointSharp password together with a one-time password from a mobile token app (which is just how I've got it set up).
- The Mobile Gateway, whilst acting as a reverse proxy, intercepts the request and consults the PointSharp ID server.
- The PointSharp ID server checks the credentials it holds for the user and, based on the policies configured, allows access and assigns a content policy.
- Once authenticated, Kerberos Constrained Delegation is used to impersonate the user to the relevant internal servers and protocols.
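The four steps above, and the device policies described earlier (allow/quarantine/block by platform and client version, a per-user device limit, and binding a user to their own device), as an added example written for this post rather than PointSharp's code. The gateway password is stored as a PBKDF2 hash (the Active Directory password never appears), the one-time password is a standard RFC 6238 TOTP, and a used code is rejected if presented again, a check worth having in any OTP front end. The user store, the policy values, the version numbers and the device identifiers are constructed; the Kerberos constrained delegation step is replaced by a stand-in identity header, so the backend in this model must accept that header only from the proxy itself.

```python
"""Simulated authenticating reverse proxy: gateway password + TOTP, device policy, then
impersonation towards the internal service. Constructed example, not PointSharp's code."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


# --- One-time passwords: RFC 4226 HOTP / RFC 6238 TOTP with HMAC-SHA1 -----------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, int(at // step), digits)


# --- Constructed user store and device policy (values are illustrative) ---------------
@dataclass
class Device:
    device_id: str
    platform: str                       # "iPhone", "Android", ...
    client_version: Tuple[int, int]


@dataclass
class User:
    salt: bytes
    pw_hash: bytes                      # PBKDF2 of the gateway password; AD password never held here
    totp_secret: bytes
    bound_devices: Set[str] = field(default_factory=set)
    last_otp_step: int = -1             # highest accepted time step, for replay rejection


PLATFORM_POLICY = {"iPhone": "allow", "Android": "quarantine"}   # anything else: block
MIN_CLIENT_VERSION = (5, 0)
MAX_DEVICES_PER_USER = 2
OTP_WINDOW = 1                          # tolerate one 30 s step of clock skew either way


def make_user(password: str, totp_secret: bytes, bound_devices: Set[str]) -> User:
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return User(salt, pw_hash, totp_secret, set(bound_devices))


def verify_password(user: User, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 100_000)
    return hmac.compare_digest(candidate, user.pw_hash)


def verify_otp(user: User, otp: str, now: float) -> Optional[int]:
    """Return the time step the code belongs to, or None; a step at or below the last accepted one is a replay."""
    current = int(now // 30)
    for step in range(current - OTP_WINDOW, current + OTP_WINDOW + 1):
        if hmac.compare_digest(hotp(user.totp_secret, step), otp):
            return step if step > user.last_otp_step else None
    return None


def device_decision(user: User, device: Device) -> Tuple[str, str]:
    verdict = PLATFORM_POLICY.get(device.platform, "block")
    if verdict == "block":
        return "block", f"platform {device.platform} not permitted"
    if device.client_version < MIN_CLIENT_VERSION:
        return "block", "client version below minimum"
    if device.device_id in user.bound_devices:
        return verdict, "bound device"               # platform verdict still applies
    if len(user.bound_devices) >= MAX_DEVICES_PER_USER:
        return "block", "device limit reached"
    return "quarantine", "unknown device awaiting approval"


def authenticate(users: Dict[str, User], username: str, password: str, otp: str,
                 device: Device, now: float, path: str = "/ews/") -> Tuple[str, str, Optional[dict]]:
    user = users.get(username)
    # Same response for unknown user and wrong password, so replies do not confirm usernames.
    if user is None or not verify_password(user, password):
        return "block", "invalid credentials", None
    step = verify_otp(user, otp, now)
    if step is None:
        return "block", "invalid or reused one-time password", None
    user.last_otp_step = step                        # code is consumed even if the device is refused
    decision, reason = device_decision(user, device)
    if decision != "allow":
        return decision, reason, None
    # Real deployment: Kerberos constrained delegation (S4U2Proxy) obtains a service ticket for
    # the user here. Stand-in: an identity header the backend accepts only from the proxy.
    return "allow", reason, {"path": path, "headers": {"X-Impersonated-User": username}}


if __name__ == "__main__":
    secret = b"12345678901234567890"                # RFC 6238 test secret
    users = {"alice": make_user("gateway-pass", secret, {"ios-1"})}
    phone = Device("ios-1", "iPhone", (5, 4))
    print(authenticate(users, "alice", "gateway-pass", totp(secret, 59), phone, 59))
```

Note the ordering: the one-time password is marked as used before the device checks run, so an attacker who captures a code from a quarantined attempt cannot immediately replay it from an approved device. The TOTP routine is checked against the RFC 6238 vector (secret `12345678901234567890`, time 59, code 287082).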
I've only just started playing with this software, but already I'm quite taken by it. I'm honestly impressed with its elegant, flexible, and user-friendly approach to mobile security.
I’m looking forward to my first production deployment.
Thanks for reading.