Workspot Client Ensures Secure Access
Workspot Client is a downloadable application for the user’s device. It ensures secure access by conducting device posture checks, securing data in motion and at rest, whitelisting and blacklisting traffic, and logging events for compliance and auditing.
Secure Access Using Azure AD
When a user logs in, based on IT configuration, the user can be challenged to authenticate against Microsoft Azure AD or an AD Domain Controller in the cloud or on-prem. All existing Workspot security policies configured to work with your AD Groups are honored and used to unlock the Workspot Client. Conditional Access policies are supported transparently in the Workspot Client because of deep integration with your AD configuration.
Secure Access with PIN
When a user launches the Workspot Client for the first time on their device, the user is prompted for their AD credentials for authentication (which are then encrypted and stored) and then prompted to create a PIN for the Workspot Client on that device. The next time the user launches the Workspot Client, the AD credentials are provided via SSO (single sign-on) and only the PIN is required. The PIN is validated against the client master secret (CMS): if the CMS can be decrypted with the PIN, the PIN is deemed valid; otherwise it is invalid. Incorrect PIN entries are subject to increasing wait times to slow down brute-force attacks. The Workspot Client allows up to 5 invalid PIN entries, after which the data inside the Workspot Client is wiped from the device, thereby keeping organization assets secure.
Securing Data in Motion
All communication to Workspot Control and Azure cloud assets is protected with SSL/TLS. The embedded network stack enables secure L4-L7 access to network resources. The client implements a split tunnel that allows the Workspot Client to be connected simultaneously to both the corporate and public networks. Application traffic can be routed to either network based on IT policies. Workspot uses a FIPS-compliant TLS/SSL library in the embedded network stack.
Securing Data at Rest
All configuration information inside the Workspot Client is encrypted with a multi-layer scheme using industry-standard AES-256 encryption.
- All assets are encrypted in memory before they touch the file system. Every object is encrypted using a different key.
- Each key is encrypted using a master key.
- The master key is encrypted with a user-specified PIN that is not stored on the device. The user can access the Workspot application only when they can successfully provide the PIN or authenticate with Microsoft Azure AD or Microsoft AD credentials.
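The PIN validation described under "Secure Access with PIN" and the three-layer key hierarchy listed above are the same mechanism seen from two sides: the PIN-derived key wraps the master key (the client master secret), the master key wraps one fresh key per object, and each object is encrypted under its own key. The following is an added illustration of that design and is not Workspot's code. It uses only the Python standard library, so AES-256 is replaced by a stand-in authenticated cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag); the PBKDF2 work factor, the backoff schedule (1, 2, 4, 8 seconds), the counter reset on a successful unlock, and the class and function names are all assumptions. The AD-credential unlock path is not modelled.

```python
import hashlib
import hmac
import os
import secrets
import time

MAX_PIN_FAILURES = 5      # from the page: up to 5 invalid PIN entries, then wipe
PBKDF2_ROUNDS = 200_000   # assumed work factor for the PIN-derived key


def _subkeys(key: bytes):
    """Domain-separate the encryption and MAC keys so tag and keystream never collide."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(enc_key, nonce || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for AES-256 authenticated encryption: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or an altered blob raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """The PIN itself is never stored; only this derivation is used to unwrap the CMS."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, 32)


def backoff_seconds(failures: int) -> float:
    """Increasing wait after each wrong PIN (assumed schedule: 1, 2, 4, 8 seconds)."""
    return float(2 ** (failures - 1))


class ClientVault:
    """Key hierarchy: PIN-derived key -> master key -> per-object keys -> objects."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.master_key = secrets.token_bytes(32)  # only held in memory while unlocked
        self.cms = seal(derive_pin_key(pin, self.salt), self.master_key)  # the stored secret
        self.objects = {}  # name -> (object key wrapped under master key, sealed object)
        self.failures = 0
        self.wiped = False

    def store(self, name: str, data: bytes) -> None:
        """Encrypt before anything reaches storage; every object gets its own key."""
        self._require_unlocked()
        object_key = secrets.token_bytes(32)
        self.objects[name] = (seal(self.master_key, object_key), seal(object_key, data))

    def load(self, name: str) -> bytes:
        self._require_unlocked()
        wrapped_key, sealed = self.objects[name]
        return open_sealed(open_sealed(self.master_key, wrapped_key), sealed)

    def lock(self) -> None:
        self.master_key = None

    def unlock(self, pin: str, sleep=time.sleep) -> bool:
        """PIN is valid exactly when it decrypts the CMS; wrong entries back off, then wipe."""
        if self.wiped:
            raise RuntimeError("client data has been wiped; the device must re-enrol")
        try:
            self.master_key = open_sealed(derive_pin_key(pin, self.salt), self.cms)
        except ValueError:
            self.failures += 1
            if self.failures >= MAX_PIN_FAILURES:
                self.wipe()
            else:
                sleep(backoff_seconds(self.failures))
            return False
        self.failures = 0  # assumption: a successful unlock resets the counter
        return True

    def wipe(self) -> None:
        """Drop every ciphertext and the CMS; nothing recoverable remains on the device."""
        self.objects.clear()
        self.cms = None
        self.master_key = None
        self.wiped = True

    def _require_unlocked(self) -> None:
        if self.master_key is None:
            raise RuntimeError("vault is locked")
```

The `sleep` parameter exists so the backoff can be observed without waiting; a real client would also persist the failure counter so that restarting the application does not reset it.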
Secure Access to Desktops & Apps
Workspot Client enables secure access to different classes of applications running in the data center:
- Windows 10 Desktops: Access to desktops hosted in Microsoft Azure or on-premises datacenters. Workspot supports Win10 delivery on Microsoft Azure.
- Windows Applications: Workspot Client is integrated with an industry-leading H.264-based RDP 10.x protocol stack and enables access to applications running on Windows Server 2012 and above. Deep integration with the Microsoft RDSH service enables seamless delivery of Windows applications.
- Web Applications: There is a secure browser bundled into Workspot that enables access to web applications like SAP, SharePoint, etc.
Whitelist / Blacklist Traffic
IT can control which sites the user can and cannot visit from inside the Workspot client by configuring a blacklist/whitelist. Browser based apps can leverage this feature for restricted intranet access.
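As an added example of the whitelist/blacklist evaluation described above (not Workspot's code; the class name, entry syntax and default-deny behaviour are assumptions), the following policy matches the host of each URL against deny entries first and allow entries second, so a deny entry always wins. It normalizes case and trailing dots, treats `*.corp.example` as "any subdomain, not the apex", and parses the real host out of the URL so that userinfo tricks such as `https://intranet.corp.example@evil.example/` are judged by `evil.example`, not by the text before the `@`.

```python
from urllib.parse import urlsplit


class BrowserTrafficPolicy:
    """Allow/deny lists over host names for the embedded browser (hypothetical)."""

    def __init__(self, allow=(), deny=(), default_allow=False):
        self.allow = [self._norm(p) for p in allow]
        self.deny = [self._norm(p) for p in deny]
        # Restricted intranet access means anything unlisted is denied by default.
        self.default_allow = default_allow

    @staticmethod
    def _norm(name: str) -> str:
        return name.strip().lower().rstrip(".")

    @staticmethod
    def _matches(pattern: str, host: str) -> bool:
        # "*.corp.example" matches any subdomain of corp.example but not the apex;
        # the suffix check starts with a dot, so "evilcorp.example" does not match.
        if pattern.startswith("*."):
            return host.endswith(pattern[1:])
        return host == pattern

    def decide(self, url: str):
        """Return (allowed, reason) for one navigation request."""
        parts = urlsplit(url.strip())
        if parts.scheme not in ("http", "https"):
            return False, f"scheme {parts.scheme!r} not permitted"
        host = parts.hostname  # drops userinfo and port, lower-cases the name
        if not host:
            return False, "no host in URL"
        host = self._norm(host)
        for pattern in self.deny:
            if self._matches(pattern, host):
                return False, f"host {host} matches deny entry {pattern}"
        for pattern in self.allow:
            if self._matches(pattern, host):
                return True, f"host {host} matches allow entry {pattern}"
        verdict = "allow" if self.default_allow else "deny"
        return self.default_allow, f"host {host} not listed; default {verdict}"


if __name__ == "__main__":
    # Constructed sample policy and requests.
    policy = BrowserTrafficPolicy(allow=["corp.example", "*.corp.example"],
                                  deny=["guest.corp.example"])
    for candidate in ("https://intranet.corp.example/home",
                      "https://guest.corp.example/",
                      "https://intranet.corp.example@evil.example/",
                      "https://www.facebook.com/"):
        print(candidate, policy.decide(candidate))
```

Evaluating deny before allow is what lets IT open `*.corp.example` while still closing a single host inside it; with the order reversed the allow entry would shadow the deny entry.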
Big Data Contextual Security
When a user accesses enterprise IT assets, Workspot Client collects contextual data about who did what, when, where, and how. Workspot cannot see this data and only collects it for business activity – not for personal applications such as Facebook – on the device. This data can be used for compliance, auditing, and adaptive authentication.
Compliance and Auditing
Workspot Events provides a log of all user and administrator activities. The events are searchable within Workspot Control, and this data can also be pushed to a SIEM system such as Splunk. This is granular data of the activity performed by the end user on the device and includes the following:
- Location and time of activity
- Device used to perform activity
- Application accessed
The Events module provides a searchable view of the end user activity data.