In this blog I will focus on 2FA for web-based applications.
Working in presales, I have come across many requests, such as enabling 2FA for OWA, HRMS, Outlook.exe and web apps.
How can we enable 2FA for a web app without changing any source code of the web application?
We can enable 2FA for any application; there are two ways to enable MFA or 2FA on an application (web-based or client-server).
First we need to understand the application architecture: whether the app is integrated with MS AD or LDAP, ADFS or SAML, etc. Based on that we can design the solution.
1. Client-based 2FA (a client needs to be installed on the end-user device).
2. Clientless 2FA.
In either case the second factor is enforced in front of the application rather than inside it, so the application must be reachable only through the component that enforces it; otherwise the 2FA can be bypassed.
If the machines are in the domain or the application is integrated with AD, we can go with clientless 2FA. In this option we are able to provide five types of second factor (SMS, Email, Mobile Token, Hardware Token, Push Notification).
Now let's assume the application is not integrated with AD or ADFS and even SAML integration is not possible. In that case we need to install the Accops HyID client on the end-user device. In this option we are able to provide seven types of second factor (SMS, Email, Mobile Token, Hardware Token, Consent Based, Push Notification and PC Token).
Thanks, Akshay Poddar, Blogger and Technology Evangelist
Although Accops has its own VDI and application virtualization solution, which supports all flavours of VDI (persistent VDI, non-persistent VDI, app virtualization, Linux shared desktop, Linux dedicated desktop, shared hosted desktop, etc.), many organisations still want to run Citrix XenApp or XenDesktop, either because the deployment is already under support/maintenance or because management is not willing to replace XenApp or XenDesktop.
However, there are many cases where the organisation does not want to buy NetScaler, or wants to replace it, because of the Citrix policy of requiring the old hardware appliance to be replaced with a new one once that NetScaler hardware model goes out of sale and out of support.
Accops provides secure access to Citrix StoreFront with the following features:
1. MFA (SMS, Email, TOTP, Biometric, Hardware Token, Push Notification).
2. Device-based restriction.
3. End-user device forensics information.
4. Domain pre-check.
5. AV pre-check.
6. Geolocation-based access.
7. Secure vendor access.
8. WAN IP based access.
9. Inbuilt remote meeting (TeamViewer-based access).
10. Bidirectional copy/paste restriction.
11. Unidirectional copy/paste restriction.
12. Restriction on the use of recording software and the Snipping Tool.
13. Print Screen restriction.
14. Restriction on the use of AnyDesk and TeamViewer, to limit data leakage.
Zero Trust Network (ZTN) is the new buzzword in the market these days. According to a recent market survey, the majority of virus/ransomware attacks happened for one of three reasons: internal employees knowingly or unknowingly clicked on a spam mail, infected USB devices were plugged in, or a pre-orchestrated zero-day attack was used. Here neither the employees nor the IT/infrastructure managers are to be blamed.
Why do you need Zero Trust Network?
Today's organizations expect employees to be productive whether stationary or mobile, in the office or remote, and IT managers need to enable that by allowing access from remote locations. This pressure for mobility adds a new layer of security exposure and makes the environment harder to manage. That should prompt you to look for a zero trust network that protects your data without the user noticing, whether they are in the office or at a customer location, and whether they are using enterprise products, third-party products or freeware. Once a zero trust network is in place it becomes easier for IT managers and CISOs to manage. In practice such a solution exposes a single port (443) to employees and grants access only to the specific business applications each user is authorized to use, rather than to the network as a whole.
Enabling Zero Trust Networks – The
Although the theory looks amazing, how do you make it happen? There are solutions that provide security but also dent budgets significantly, and such enterprise suites contain a laundry list of applications you may not even need. How do you find the middle path? With Accops' Enterprise Application Access solution you can provide remote users with seamless access to only the applications they need, not your entire network. It is easy to set up, without the need for device software to configure and manage. Accops HySecure SSL VPN works at the application layer rather than at the network layer like a traditional SSL VPN: it brokers individual applications instead of routing the endpoint's packets onto the internal network, which limits what a compromised endpoint can reach and makes it more robust, agile and secure. (You can read my blog on Accops HySecure, and the architectural differences between the Accops SSL VPN and other SSL VPNs, here.)
Talking about secure application access, below are some of the features provided by the Accops solution:
1. End-user device forensics information: able to capture device forensics information based on CPU ID, HDD, MAC, WAN IP, LAN IP, IMEI number, gateway, etc.
2. Restrict the number of users per device:
We can restrict the number of users per device; the user-to-device binding can be auto-approved or manually approved.
3. Time-based access for certain applications/users.
In the BFSI sector, banks need to provide connectivity to vendors or consultants. Using Accops we can give a user/group time-based access for certain months or days depending on the project. Once the project is over, access to the application is disabled, as compliance requires.
4. Allow/deny business applications based on user location:
Reporting server details for geolocation of the users:
5. Windows Update pre-check policy
WannaCry was a ransomware attack that affected many organisations running Windows machines in May 2017. Microsoft had released the security patch (MS17-010) two months earlier, in March 2017; the machines that were hit were the ones that had not yet applied it.
Now let's say a user is working from home and connecting to the corporate DC. To make sure the end-user device is updated and upgraded before it connects, this Windows Update pre-check is mandatory in many organisations.
6. Endpoint scan for secure and trusted logins:
Whenever a user logs in to the corporate DC, the IT team needs to make sure the user does not bring in vulnerabilities, viruses, etc.
Accops provides AV status checks covering more than 20 well-known AV products. Accops can allow users to log in based on the AV status of the user's machine, or on the MAC address, geolocation, domain and the WAN IP from which the user is connecting.
7. AV pre-check
8. Domain pre-check
Accops can check whether the machine is in the domain or not; a multi-domain architecture is also supported.
Again, if the organisation wants one of its 10 domains to be denied login, that rule can also be created.
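The pre-checks in items 4 to 8 above (and the matching entries in the Citrix StoreFront feature list earlier on this page) are all the same operation: the client reports the endpoint's posture, and the gateway evaluates it against rules before the login proceeds. The Python below is an added illustration of that evaluation, not Accops code; the Posture and Policy records, the domain names, IP ranges, dates and the vendor account are all constructed for the example. It fails closed, lets a denied domain override the allow list (the "one of 10 domains denied" case), and applies a per-user access window for time-limited vendor accounts.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Posture:
    """What the endpoint client reports at login (all values constructed for this example)."""
    user: str
    domain: Optional[str]               # None when the machine is not domain-joined
    av_running: bool
    av_signatures_current: bool
    last_windows_update: Optional[datetime]
    wan_ip: str
    country: str                        # ISO code from the gateway's geolocation lookup


@dataclass
class Policy:
    """Gateway rules; a login proceeds only when every applicable rule passes."""
    allowed_domains: List[str]
    denied_domains: List[str]           # a denied domain wins even if it is also allowed
    max_patch_age_days: int
    allowed_wan: List[str]              # CIDR ranges the user may connect from
    allowed_countries: List[str]
    access_windows: Dict[str, Tuple[datetime, datetime]]   # time-limited (vendor) accounts


def evaluate(p: Posture, pol: Policy, now: datetime) -> List[str]:
    """Return the list of failed checks; an empty list means the login may proceed.
    Every check fails closed: a missing or unparseable attribute counts as a failure."""
    failures: List[str] = []

    # Domain pre-check: several allowed domains plus an explicit deny list.
    if p.domain is None:
        failures.append("domain: machine is not domain-joined")
    elif p.domain.lower() in (d.lower() for d in pol.denied_domains):
        failures.append(f"domain: {p.domain} is explicitly denied")
    elif p.domain.lower() not in (d.lower() for d in pol.allowed_domains):
        failures.append(f"domain: {p.domain} is not an allowed domain")

    # AV pre-check: product must be running with current signatures.
    if not (p.av_running and p.av_signatures_current):
        failures.append("av: antivirus not running or signatures out of date")

    # Windows Update pre-check: reject endpoints that have not patched recently.
    if p.last_windows_update is None or now - p.last_windows_update > timedelta(days=pol.max_patch_age_days):
        failures.append(f"windows-update: no update within {pol.max_patch_age_days} days")

    # WAN IP based access: the client's public address must fall in an allowed range.
    try:
        addr = ip_address(p.wan_ip)
    except ValueError:
        failures.append(f"wan-ip: unparseable address {p.wan_ip!r}")
    else:
        if not any(addr in ip_network(c) for c in pol.allowed_wan):
            failures.append(f"wan-ip: {p.wan_ip} outside allowed ranges")

    # Geolocation based access.
    if p.country not in pol.allowed_countries:
        failures.append(f"geo: country {p.country} not allowed")

    # Time-based access: only applies to accounts that have an approved window.
    window = pol.access_windows.get(p.user)
    if window is not None and not (window[0] <= now <= window[1]):
        failures.append("time: account outside its approved access window")

    return failures


# Constructed sample policy and endpoint reports (not real infrastructure).
UTC = timezone.utc
POLICY = Policy(
    allowed_domains=["corp.example", "eu.corp.example", "legacy.corp.example"],
    denied_domains=["legacy.corp.example"],     # one of the organisation's domains must not log in
    max_patch_age_days=30,
    allowed_wan=["203.0.113.0/24", "198.51.100.0/24"],
    allowed_countries=["IN"],
    access_windows={"vendor01": (datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 3, 31, tzinfo=UTC))},
)
NOW = datetime(2024, 2, 15, 9, 0, tzinfo=UTC)
LATE = datetime(2024, 4, 10, 9, 0, tzinfo=UTC)

HEALTHY = Posture("alice", "CORP.example", True, True, NOW - timedelta(days=5), "203.0.113.25", "IN")
UNHEALTHY = Posture("vendor01", "legacy.corp.example", True, False, NOW - timedelta(days=45), "192.0.2.10", "IN")
EXPIRED_VENDOR = Posture("vendor01", "corp.example", True, True, LATE - timedelta(days=1), "198.51.100.7", "IN")

if __name__ == "__main__":
    for label, posture, when in (("healthy", HEALTHY, NOW), ("unhealthy", UNHEALTHY, NOW),
                                 ("expired vendor", EXPIRED_VENDOR, LATE)):
        failures = evaluate(posture, POLICY, when)
        print(f"{label}: {'ALLOW' if not failures else 'DENY'} {failures}")
```

Every check reads only what the endpoint reports about itself, so the AV and patch checks are only as trustworthy as the client collecting them; that is the reason to combine them with attributes the gateway observes directly (WAN IP, geolocation) rather than relying on any single check.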
9. DLP protection (Data Leakage Prevention, as distinct from data loss prevention)
Now that you have enabled BYOD, work from home or vendor access using Accops, what about download, copy/paste, Print Screen, etc.?
Accops also restricts data leaving the data centre, in order to meet compliance and regulatory requirements.
Accops can restrict the use of Print Screen, USB devices and printing on the local user machine while it is connected to or accessing corporate apps/servers.
Copy/paste from the corporate side to the local machine can also be restricted.
Not only this, the Snipping Tool in Windows 7/10 can be restricted.
Recording software can be blocked.
TeamViewer, Ammyy Admin and other .exe files can be blocked.
These restrictions are enforced on the endpoint by the client, so they assume the client is installed and running on every device that is allowed to connect.
I will add features here as and when a new feature is released.
Please refer to my YouTube videos on the installation and configuration of Accops HyWorks and HySecure. The link is here.