Collaboration platforms like Microsoft Teams, Slack, and Workplace from Facebook promise end users a better way of working. These platforms offer a centralized hub, connecting people with content and capabilities. With many employees still working remotely, the importance of collaboration technology is greater than it has ever been before.
In the wake of COVID-19, we’ve seen many companies rapidly adopt new collaboration platforms, a process that normally takes months or even years for large enterprises. In fact, the usage share for Microsoft Teams grew from 11% in February to 34% in June. However, in the rush to deploy collaboration to enable remote work, security and governance have taken a backseat.
With the great power of these collaboration platforms comes great responsibility. Without proper governance, end users are left to their own devices, and most simply don’t think about the security implications of many of their actions. They create new teams and channels, invite whomever they choose (including guests), share every manner of document, and rarely take any action to clean up the workspace at a later date.
At Unify Square, we’ve seen many governance challenges while helping our customers monitor, measure, and manage their collaboration environments. Here are some common issues you should consider, ideally before deploying a new collaboration platform.
Governance to Avoid Team and Channel Sprawl
While a large number of teams and channels may not seem that important, there are a couple of ways sprawl can come back to create security threats and problems. End users confronted with too many similar workspaces lose productivity while trying to identify the correct one to use. Rather than spend time searching for the right team, they may instead create yet another, further proliferating the number of workspaces.
While teams or channels may often become abandoned or orphaned, that doesn’t mean the data on them disappears. Unused teams and channels create security headaches and risk because that data is still accessible, even as group membership faces little oversight. There are a couple of types of policies that can help IT get a handle on sprawl:
- Who should be allowed to create teams or channels? By limiting who in an organization can create these workspaces in the first place, fewer will come to exist. This nips your sprawl problem in the bud. Some organizations choose to add a step to request a new team from IT to limit unnecessary teams, as well as to ensure new teams are properly configured.
- Workspace Audits: Even if a channel starts out as necessary, there’s no guarantee it will continue to be needed six months down the line. Workspaces should be audited to ensure they’re still required. There are different ways to do this. Some organizations choose to have all teams and channels go through a periodic renewal process, while others look to focus on just those that are inactive. It’s also important to consider whether unused workspaces should be archived or deleted, and this may depend on your data retention policy.
Workspace Settings Governance
There are a number of policies worth considering that apply to workspace, team, or channel configuration. These configuration policies ensure consistent organization of workspaces as well as consistent security. Because these settings take effect when a workspace is created, they’re important to consider early in a collaboration platform deployment.
- Workspace Naming Conventions: There are several types of naming conventions organizations may choose to put in place. Common examples include a prefix or suffix denoting an external-facing workspace. Location or department names can also be incorporated. Proper naming makes it easier for end users to find the right workspace and ensures that team members are aware of the presence of guests in a workspace or chat.
- Minimum and Maximum Number of Owners: Each team has designated owners who typically control basic settings and workspace membership. Given the importance of this role, a workspace should always have at least one owner, if not two. To ensure this, many companies set policies around the minimum number of owners. On the other hand, too many owners can also pose a security issue if not all of them require advanced permissions.
- Workspace Classification: Beyond whether a workspace is private or public, classification takes into account the sensitivity level of the team, based on team membership, expected topics to be discussed, or expected content types to be shared. Ensuring these workspaces are properly classified upon creation is critical. These classifications can also affect which other policies should be applied to the workspace. For instance, no guests should be allowed on highly sensitive teams.
- Third-Party Apps: While we could write an entire post on managing third-party apps, the short of it is that you must consider carefully which apps to allow. Third-party app management involves continuous auditing as well as a process for end users to request new applications.
Guest Access Policies and Protocols
One of the most complex collaboration security issues is guest access. Beyond choosing whether to enable or disable guest access, there are numerous decisions to be made around who should be allowed to be a guest, what they should be able to access, and the duration of their guest access privileges. While InfoSec teams’ gut reaction may be to disable guests entirely, this introduces further problems as guests are often critical collaborators.
- Who should be allowed as a guest? Many companies choose to whitelist or blacklist certain domains to permit guests from known contractors and keep out those from competitors. Also consider limiting guests from public email domains: because these accounts are not tied to an employer, such guests can still access your environment after they leave their current employer. Beyond the guest domain, it’s also important to think about the process for adding a guest: what approval steps are required and from whom?
- What can guests access? There are some workspaces or even types of workspaces where you’ll want to restrict guest access. For instance, these external users should not have access to highly sensitive teams. Carefully consider guest default settings and ensure granular policies are enacted. Third-party tools like PowerSuite can reduce the management burden for this type of policy.
- How long do guests receive access? One common issue with guest access is that a team will initially allow a guest because of a business need, but once the project ends, no one remembers to remove the guest. These guests can linger in workspaces indefinitely. To ensure security, consider an audit process for guests, reviewing the business need periodically. The review audit should typically be mapped to the sensitivity level of the workspace, and be conducted either monthly, quarterly, or biannually.
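The workspace-settings and guest-access policies above can be checked mechanically against a workspace inventory. The following is an added example, not code from Unify Square or any collaboration platform; the policy values, field names, domains, and inventory records are all constructed assumptions.

```python
from datetime import date

# Constructed policy values: the article names these policy types, not the settings.
POLICY = {
    "guest_suffix": "-EXT",                      # naming convention for guest workspaces
    "min_owners": 2, "max_owners": 4,
    "blocked_domains": {"competitor.example"},
    "public_domains": {"gmail.com", "outlook.com"},
    "review_days": {"high": 30, "medium": 90, "low": 180},  # monthly/quarterly/biannual
}

# Constructed inventory standing in for an export from the platform's admin tooling.
WORKSPACES = [
    {"name": "Vendor-Onboarding-EXT", "classification": "medium", "owners": ["ana", "raj"],
     "guests": [{"email": "sam@contractor.example", "last_review": date(2020, 8, 1)}]},
    {"name": "MA-Due-Diligence", "classification": "high", "owners": ["lee"],
     "guests": [{"email": "pat@gmail.com", "last_review": date(2020, 3, 1)}]},
    {"name": "Sales-West", "classification": "low",
     "owners": ["a", "b", "c", "d", "e"], "guests": []},
]

def audit(ws, policy, today):
    """Return the list of policy findings for one workspace record."""
    findings = []
    if len(ws["owners"]) < policy["min_owners"]:
        findings.append("too_few_owners")        # risk of an orphaned workspace
    if len(ws["owners"]) > policy["max_owners"]:
        findings.append("too_many_owners")       # excess advanced permissions
    if ws["guests"] and not ws["name"].endswith(policy["guest_suffix"]):
        findings.append("guest_workspace_missing_suffix")
    if ws["guests"] and ws["classification"] == "high":
        findings.append("guests_on_high_sensitivity")
    limit = policy["review_days"][ws["classification"]]
    for guest in ws["guests"]:
        email = guest["email"].lower()
        domain = email.rsplit("@", 1)[-1]
        if domain in policy["blocked_domains"]:
            findings.append(f"blocked_domain:{email}")
        if domain in policy["public_domains"]:
            findings.append(f"public_domain_guest:{email}")
        if (today - guest["last_review"]).days > limit:
            findings.append(f"guest_review_overdue:{email}")
    return findings

def run_audit(today):
    results = {ws["name"]: audit(ws, POLICY, today) for ws in WORKSPACES}
    return {name: f for name, f in results.items() if f}  # drop compliant workspaces

if __name__ == "__main__":
    print(run_audit(date(2020, 9, 15)))
```

Findings are returned as plain strings per workspace so they can feed a renewal or owner-notification process; the review interval is looked up from the workspace classification, so a more sensitive workspace flags a stale guest sooner.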
Collaboration security and governance involve the creation, management, and enforcement of complex policies. However, even before the step of creating and enforcing policies, IT must make several nuanced decisions. These decisions will impact the business for years to come as the collaboration environment continues to grow. That’s why we created the Collaboration Security & Governance Right Track. Our expert Unify Square security consultants will guide your team through important governance challenges, and our targeted approach ensures your collaboration environment is set up for success.