November 12, 2020

Don’t risk it: It’s time to rethink your data governance and security in Teams

As we approach the end of a year that’s been like no other, now is the perfect opportunity to reflect on a period of significant and rapid change – led by the shift to an almost entirely remote workforce.

In response to the pandemic, deploying or scaling up collaboration platforms was at the top of the list for many organisations, with the new need to keep teams connected.

However, the rush to rearrange the way we work placed a significant, sudden strain on IT and leadership. In many cases, IT teams were forced to overlook the finer points of security and governance requirements in the urgent rush to deploy solutions.

As a leader of the collaboration platform pack, Microsoft Teams has been a popular choice this year. Many users presumed that its native security features would adequately protect their organisation. While Teams is a highly secure platform, any unexpected environmental change can drive security risk.

So, if your organisation dove into Teams almost overnight, now is a good time to take a step back to review the platform’s alignment with your organisation’s wider security solutions and access policies.

Examine and finetune your data encryption policies

Within Teams, data itself is encrypted natively- in transit and at rest. As for how long the data is stored, it depends on the length of your license. Additionally, many users don’t realise that SharePoint is used in the backend of Teams to facilitate the sharing of files.

In this instance, SharePoint has been configured specifically to support the Teams app – you can’t customise the SharePoint security settings as you would otherwise be able to when using it independently of Teams.

For organisations with highly sensitive conversations or files, this level of security may not provide adequate protection. In this case, incorporating other identity management, data governance and conditional access policies will help alleviate the risks of potential security breaches.

For example, additional policies that are a default Teams feature can be put in place, to protect files being uploaded and shared via Teams by external parties and employees.

Protect data outside of the Teams environment

Without proper policy, files can also be downloaded and uploaded to untrusted locations not authorised by the organisation. To prevent this, application protection policies can be put in place to restrict data relocation, and keep files safely contained in a managed app. To ensure data protection at the document level, organisations can apply policies based on the sensitivity of the information they contain.

For example, you can dictate whether documents must be encrypted, not moved, or not copied to USB. This can be managed within the wider Microsoft solution suite via Azure Information Protection (AIP).

Restrict unauthorised access to Teams with identity management

There’s a big difference between accessing Teams in the office versus remotely, which is where identity management plays an important role. For example, if a user’s credentials are stolen and access is attempted from an unknown or suspicious location, Teams can be configured to invoke additional conditions, such as multifactor authentication.

Similarly, identity spoofing – users bypassing security measures and pretending to be coming from within the organisation itself – is another major concern. Multifactor authentication is again a key element, as well as polices that will reject the connection altogether based on location.

Again, this level of identity management can only be achieved by setting up additional conditions within the wider Microsoft portfolio; they are not standard settings within Teams.

Prevent unauthorised access to Teams Meetings

‘Zoom bombing’ – uninvited people accessing Zoom calls to share less-than-savoury content with unwitting participants – created a security scare earlier this year. In a similar vein, Teams customers have voiced concern around the potential for eavesdropping on conversations within Teams Meetings – specifically, how participants can ensure that only authorised people are in the meeting.

This concern can be addressed by enabling a non-default feature that ensures those outside the organisation cannot enter the room until approved by the host.

Avoid malicious links shared in Teams

To safeguard users against malicious links shared in Microsoft Teams, a relatively new feature called ‘Safe Links’ will soon be rolled out. When enabled, it will check URLs shared via Teams in real time against a list of known malicious links. When a user clicks the link, they’ll be prevented from visiting the site.

Integrate security with Microsoft Teams

Teams, as a collaboration platform, shares common infrastructure with other Microsoft applications such as SharePoint, OneDrive and Office 365. The benefit of this architecture is that the security policies invoked in these applications will also provide protection within your Teams environment.

Rethink your data governance in Teams

Data governance is not native to Teams, but it’s highly compatible and must be a key part of any technology initiative that involves a distributed information environment. If governance did not play a key role in your original Teams deployment, now is the time to develop and communicate clear rules and policies to protect staff and your organisation.

Governance in Microsoft Teams requires a rethink of the type of data that can be shared on collaboration tools and the workflows required to ensure users are not sharing unsolicited information. For example, sharing a document with credit card details should be considered a definite no.

This example might seem obvious, but it also serves as a reminder of the importance of documenting information access and distribution policies.

Need help repairing the security and governance of your Microsoft Teams deployment?

Data#3 is the safe pair of hands when looking to implement Microsoft Teams across your organisation. We provide comprehensive strategies for Teams, as well as the broader Microsoft ecosystem.

Contact a Data#3 Modern Workplace Specialist  to set up a Teams Workshop for your organisation.