Many companies use RSA SecurID to support two-factor authentication and have implemented it with Microsoft ISA to support two-factor authentication for OWA and ActiveSync with fantastic results. I’ve been asked lately whether it is possible to support two-factor authentication with Outlook Anywhere. Using RSA products, it does not appear possible. I have read a couple of blogs about creating a custom website that could be used as an RSA “front-end” to Outlook Anywhere, but I prefer not to overcomplicate matters.

While researching RSA solutions, I came across Deepnet Unified Authentication for Outlook, which looks like a promising solution for enabling two-factor authentication for Outlook Anywhere.

http://www.deepnetsecurity.com/solutions2/outlook.asp

I spoke to a Deepnet sales manager today, and the Deepnet product suite addresses the following security concerns shared by most security administrators:

1. Weak Authentication
Deepnet allows you to enable two-factor authentication for Outlook Anywhere.

2. Unmanaged devices
Only those client PCs with the Deepnet agent installed can access Outlook Anywhere. The client software we discussed was DevicePass, which is used to create a machine fingerprint. The “fingerprint” information can include the machine’s serial number, motherboard ID, CPU ID, BIOS, MAC address, etc. This ensures that only those machines approved by the company can connect to the email system using Outlook Anywhere.

3. Insecure Local Data
Deepnet can be used to enforce a disk encryption policy, thereby protecting local data should a laptop be stolen.
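
To make the machine-fingerprint idea in item 2 concrete, here is an added sketch (not Deepnet's code; the post does not describe how DevicePass derives or checks its fingerprint) of a server-side allow-list check over the attributes listed above. The field names, the keyed SHA-256 digest and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Attributes the post lists as possible fingerprint inputs (field names are hypothetical).
FIELDS = ("serial_number", "motherboard_id", "cpu_id", "bios_version", "mac_address")


def canonicalize(attrs: dict) -> bytes:
    """Normalize values so formatting differences do not change the fingerprint."""
    missing = [f for f in FIELDS if not str(attrs.get(f) or "").strip()]
    if missing:
        # Fail closed: a client that withholds an attribute is not fingerprinted.
        raise ValueError(f"missing attributes: {missing}")
    clean = {f: str(attrs[f]).strip().upper() for f in FIELDS}
    # MACs arrive as AA:BB:.., aa-bb-.. or aabb..; keep only the hex digits.
    clean["mac_address"] = "".join(c for c in clean["mac_address"] if c in "0123456789ABCDEF")
    return json.dumps(clean, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(attrs: dict, server_key: bytes) -> str:
    """Keyed digest, so the stored value does not reveal raw hardware identifiers."""
    return hmac.new(server_key, canonicalize(attrs), hashlib.sha256).hexdigest()


def is_approved(attrs: dict, approved: set, server_key: bytes) -> bool:
    """True only if this machine's fingerprint was enrolled earlier."""
    try:
        candidate = fingerprint(attrs, server_key)
    except ValueError:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    return any(hmac.compare_digest(candidate, fp) for fp in approved)


# Constructed sample data, not taken from any real machine or product.
KEY = b"constructed-demo-key"
LAPTOP = {"serial_number": "SN-0001", "motherboard_id": "MB-42", "cpu_id": "BFEBFBFF000306A9",
          "bios_version": "A12", "mac_address": "00:1a:2b:3c:4d:5e"}
APPROVED = {fingerprint(LAPTOP, KEY)}  # enrollment of the one approved machine

if __name__ == "__main__":
    same_box = dict(LAPTOP, mac_address="00-1A-2B-3C-4D-5E")  # same NIC, other notation
    other_box = dict(LAPTOP, motherboard_id="MB-99")          # different hardware
    print(is_approved(same_box, APPROVED, KEY))
    print(is_approved(other_box, APPROVED, KEY))
```

The values a client reports about itself are only as trustworthy as the agent collecting them, which is why a check like this complements the second authentication factor rather than replacing it.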

They sent me a small PowerPoint file which provided a high-level overview of the Deepnet architecture, and I hope they don’t mind me sharing it here:

Basically, 3 items are going to be required: a Deepnet Authentication Server (which can be a VM), the Deepnet Agent for IIS (installed on the Exchange 2007 CAS), and the Deepnet Agent on the client machines. Deepnet stated that the installation of these components is very easy, as no consulting time is needed; in fact, they said the solution could be up and active within a day. Also, it can work with RSA, so there’s no cutover required. Deepnet can replace RSA, but the replacement can be done as a migration.

I’m very excited about the possibilities and hope to have more posts very soon, as we should receive a fully functional 30-day evaluation license on Monday.