Secure Access Using Azure AD
Workspot Client is a downloadable application for the user’s device. It ensures secure access by conducting device posture checks, securing data in motion and at rest, whitelisting and blacklisting traffic, and logging events for compliance and auditing.
When a user logs in, depending on the IT configuration, the user can be challenged to authenticate against Microsoft Azure AD or against an AD domain controller in the cloud or on-premises. All existing Workspot security policies configured for your AD groups are applied and used to unlock Workspot Client. Conditional access policies are supported transparently in Workspot Client because of its deep integration with your AD configuration.
Secure Access with PIN
When a user launches Workspot Client for the first time on a device, they are prompted for their AD credentials (which are then encrypted and stored on the device) and then asked to create a PIN for Workspot Client on that device. On later launches the AD credentials are supplied via SSO (single sign-on) and only the PIN is required. The PIN is validated against the client master secret (CMS): the PIN is used to decrypt the CMS, and if decryption succeeds the PIN is valid; otherwise it is rejected. The PIN itself is never stored on the device.
Incorrect PIN entries are subject to increasing wait times to slow down brute-force attempts. Workspot Client allows up to 5 invalid PIN entries, after which the data inside Workspot Client is wiped from the device, keeping the organization's assets secure.
Securing Data in Motion
All communication to Workspot Control and cloud assets is protected with TLS (SSL/TLS). The embedded network stack enables secure L4-L7 access to network resources. The client implements a split tunnel that allows Workspot Client to be connected simultaneously to both the corporate and public networks; application traffic is routed to one or the other according to IT policy. The embedded network stack uses a FIPS compliant TLS library.
Securing Data at Rest
All configuration information inside Workspot Client is encrypted with a multi-layer scheme using industry-standard AES-256 encryption:
- All assets are encrypted in memory before they touch the file system, and every object is encrypted with its own key.
- Each object key is encrypted with a master key.
- The master key is encrypted with a user-specified PIN that is not stored on the device. The user can access the Workspot application only after successfully providing the PIN or authenticating with Microsoft Azure AD or Microsoft AD credentials.
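The PIN check described under Secure Access with PIN and the key hierarchy above (a master secret wrapped by the PIN, per-object keys wrapped by the master secret, escalating back-off and a wipe after 5 failures) can be shown working end to end. The Go program below is an added example written for this page; it is not Workspot's code. Its choice of KDF (PBKDF2-HMAC-SHA256), AES-256-GCM key wrapping, iteration count and back-off schedule are assumptions made to illustrate the design, and the `Vault`, `Unlock` and `Put` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// The 5-attempt limit is from the page; the KDF, iteration count and back-off
// schedule are this example's assumptions, not Workspot's documented values.
const maxPINAttempts, kdfIterations = 5, 20000

var ErrWrongPIN = errors.New("pin rejected: master secret did not decrypt")
var ErrLocked = errors.New("pin entry locked: back-off period has not elapsed")
var ErrWiped = errors.New("client data wiped after too many invalid pins")

// pbkdf2SHA256 stretches a short PIN into a 32-byte key (one PBKDF2 block) so offline guessing is slow.
func pbkdf2SHA256(pin, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, pin)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1})
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		subtle.XORBytes(out, out, u)
	}
	return out
}

// seal/open are AES-256-GCM with the nonce prepended; the GCM tag turns "did it decrypt?" into a reliable PIN check.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // every key in this example is 32 bytes
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, plaintext, nil)
}
func open(key, box []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(box) >= n {
		return g.Open(nil, box[:n], box[n:], nil)
	}
	return nil, errors.New("ciphertext missing or too short")
}

// Vault is the on-disk state: neither the PIN nor any key is stored in clear.
type Vault struct {
	salt, wrappedCMS     []byte            // CMS encrypted under the PIN-derived key
	wrappedKeys, objects map[string][]byte // per-object key wrapped by CMS; data under that key
	failures             int
	lockedUntil          time.Time
}

func NewVault(pin string) *Vault {
	salt, cms := make([]byte, 16), make([]byte, 32)
	rand.Read(salt)
	rand.Read(cms)
	kek := pbkdf2SHA256([]byte(pin), salt, kdfIterations)
	return &Vault{salt: salt, wrappedCMS: seal(kek, cms), wrappedKeys: map[string][]byte{}, objects: map[string][]byte{}}
}

// Unlock is the PIN check: open the wrapped master secret with a PIN-derived key.
// A failure counts toward the wipe limit and opens a doubling back-off window (1s, 2s,
// 4s, 8s); after a wipe nothing is left to decrypt, so every later attempt returns ErrWiped.
func (v *Vault) Unlock(pin string, now time.Time) ([]byte, error) {
	if now.Before(v.lockedUntil) {
		return nil, ErrLocked
	}
	cms, err := open(pbkdf2SHA256([]byte(pin), v.salt, kdfIterations), v.wrappedCMS)
	if err == nil {
		v.failures = 0
		return cms, nil
	}
	if v.failures++; v.failures >= maxPINAttempts {
		v.wrappedCMS, v.wrappedKeys, v.objects = nil, nil, nil // wipe
		return nil, ErrWiped
	}
	v.lockedUntil = now.Add(time.Second << uint(v.failures-1))
	return nil, ErrWrongPIN
}

// Put encrypts an object under a fresh key and stores that key wrapped by cms. Reading
// reverses the layers: open(cms, wrappedKeys[name]) gives the object key, then open(objKey, objects[name]).
func (v *Vault) Put(cms []byte, name string, data []byte) {
	objKey := make([]byte, 32)
	rand.Read(objKey)
	v.objects[name] = seal(objKey, data)
	v.wrappedKeys[name] = seal(cms, objKey)
}

func main() { fmt.Println(NewVault("4821").Unlock("0000", time.Now())) }
```

Two properties of this layout are worth noting. Because the PIN only ever unwraps the master secret, the on-disk blob contains no verifier for the PIN other than the GCM tag, so an attacker who copies the files is limited by the KDF cost and the PIN space, while an attacker on the live device is limited by the back-off and the wipe counter; the latter two are enforced by the client, which is why the attempt counter and the lock timestamp must live with the vault rather than in volatile memory. Passing the clock into `Unlock` keeps that policy unit-testable without sleeping.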
Secure Access to Desktops & Apps
Workspot Client enables secure access to different classes of applications running in the data center:
- Windows 10 Desktops: Access to cloud desktops hosted in Microsoft Azure, Google Cloud Platform or on-premises datacenters.
- Windows Applications: Workspot Client integrates the industry-leading H.264-based RDP 10.x protocol stack and provides access to applications running on Windows Server 2012 and above. Deep integration with the Microsoft Remote Desktop Session Host (RDSH) role enables seamless delivery of Windows applications.
- Web Applications: A secure browser bundled into Workspot Client enables access to web applications such as SAP and SharePoint.
Whitelist / Blacklist Traffic
IT can control which sites the user can and cannot visit from inside Workspot Client by configuring a blacklist (deny list) and a whitelist (allow list). Browser-based apps can use this feature to restrict the bundled browser to intranet sites.
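As an added example, not Workspot's code or its rule format (which the page does not document), the Go evaluator below shows the two details that decide whether such a list actually restricts anything: deny rules are consulted before allow rules, and hosts are compared by exact name or parent domain rather than by substring, so `sharepoint.example.com.attacker.test` does not satisfy a rule for `sharepoint.example.com`. The `Policy` type, the `*.` rule prefix and the sample URLs are this example's own constructions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Policy is an illustrative allow/deny list keyed by host name (an assumption;
// Workspot's own rule syntax is not described on the page).
type Policy struct {
	Deny  []string // checked first: a denied host stays denied even if also allowed
	Allow []string // when non-empty, only these hosts (and their subdomains) are reachable
}

// hostMatches treats a rule as an exact host or a parent domain: "example.com"
// covers "example.com" and "a.b.example.com", but not "notexample.com".
func hostMatches(host, rule string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	rule = strings.ToLower(strings.TrimPrefix(rule, "*."))
	return host == rule || strings.HasSuffix(host, "."+rule)
}

// naiveMatches is the bug this example warns against: substring matching lets
// "sharepoint.example.com.attacker.test" satisfy a rule for sharepoint.example.com.
func naiveMatches(host, rule string) bool { return strings.Contains(host, rule) }

// Evaluate reports whether the URL may be loaded. The decision uses the parsed
// host only, so an allowed name hidden in the userinfo or path does not count.
func (p Policy) Evaluate(rawURL string) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return false, fmt.Errorf("unsupported or host-less URL %q", rawURL)
	}
	for _, rule := range p.Deny {
		if hostMatches(host, rule) {
			return false, nil
		}
	}
	if len(p.Allow) == 0 {
		return true, nil
	}
	for _, rule := range p.Allow {
		if hostMatches(host, rule) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: an intranet-only browser policy with one carve-out.
	p := Policy{
		Allow: []string{"sharepoint.example.com", "*.intranet.example.com"},
		Deny:  []string{"hr.intranet.example.com"},
	}
	for _, raw := range []string{
		"https://sharepoint.example.com/sites/finance",
		"https://wiki.intranet.example.com/",
		"https://hr.intranet.example.com/payroll",
		"https://sharepoint.example.com.attacker.test/",
		"https://sharepoint.example.com@attacker.test/",
		"ftp://sharepoint.example.com/",
	} {
		ok, err := p.Evaluate(raw)
		fmt.Printf("%-48s allow=%v err=%v\n", raw, ok, err)
	}
}
```

A URL such as `https://sharepoint.example.com@attacker.test/` puts the allowed name in the userinfo component and is rejected because only `u.Hostname()` is compared; a non-HTTP scheme is refused outright because the bundled browser has no business opening it. Whatever syntax a real product uses, these are the cases to test after configuring a list.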
Big Data Contextual Security
When a user accesses enterprise IT assets, Workspot Client collects contextual data about who did what, when, where and how. Workspot cannot see this data; it is collected only for relevant business activity on the device and not from personal applications such as Facebook. This data can be used for compliance, auditing and adaptive authentication.