How to Ensure Collaboration Security in Microsoft Teams – Webinar

Going Beyond Basic Native Governance with 3rd Party Specialty Tools

Speakers:

  • Brandon Long, Collaboration Security Solution Architect
  • Scott Gode, Chief Product Marketing Officer

Key Topics Covered:

  • Key analytics focus areas for collaboration security
  • Tips and tricks for breaking the reactive governance loop
  • Teams policies and use cases
  • Basic (native) governance vs advanced (3rd party tools) governance


TRANSCRIPT:

Sam: Hello, everyone, and welcome to Collab Cast with Sam and Pete. We’re really excited because today we have our partners from Unify Square to talk to you a little bit more about security and enabling it and optimizing it within Microsoft Teams. So we can go to the next slide here, how to ensure collaboration security in Microsoft Teams. So we’re going to talk a little bit about what we have already established within the Teams interface and then what Unify Square can offer to update that and optimize it for you. And here are our presenters, so we have Scott, who is the Chief Product Marketing Officer, and we also have Brandon, who is the Collaboration Security Architect. So they’re going to take you through a little bit of the solution. But we want to make sure to keep it super interactive today. We are definitely here for you. So we want to go through a little bit of the guidelines around how to interact with us. If you can go to the next slide here. First of all, everything that we talk about today is going to be on the Health Care and Life Sciences blog. It’s aka.ms/HLSBlog. It will be there for you after this event. We’ll post the recording in case you have some colleagues or friends that wanted to attend but didn’t get to make it today. The recording will be there.

Sam: But then anything we talk about, all the resources will also be on the blog. I’ll post it by the end of the day so you can always reference it there as well as any of the other webcasts that we have coming up. So how do you interact with us? If you’ve never used Teams live events before, the live event Q&A is up on the upper right-hand corner where that arrow is pointing to the question mark. You can add in a question, add in a comment. Pete, Anello, and I are the Teams technical specialists on the Microsoft side that run this, produce that, and are always moderating behind the scenes. So we might respond to you privately if it’s a question that applies directly to something that you’re dealing with within your organization. If there are some themes around what everyone generally wants to cover, we will definitely pause the presenters and bring it up right then. If you have anything that you want to discuss with us afterward, we are also going to post all of our LinkedIn pages on the HLS blog as well so you can get in touch with myself, Pete, Brandon, Scott, whoever you need. We’re all a team here representing together. So with that, on to the presentation. And first, we want to turn it over to Scott at Unify Square.

Scott Gode: And thanks. Well, I’m sure in my can hear me OK? Yeah, we can hear you perfectly. Let me pull up the presentation. And thank both you and Pete for allowing us to spend an hour with your customers, your colleagues. This is a great opportunity. We’ve enjoyed a long relationship with Microsoft, and this is just yet another great example of that. Here’s what we’re gonna take you through today, Brandon, myself, we’re going to give you a quick refresher about who is this company, Unify Square. Talk a little bit about what do we mean when we say security as it relates to Teams and collaboration security? And we’ve at Unify Square coined this term CSG, collaboration security and governance, as a way of really depicting not just security in the broad sense, but security as it relates to the Teams environment and what is happening with that collaboration. So we’ll talk to you about trends and definitions, said we want to talk about sort of the basic versus advanced CSG. What do you get out of the box with Teams and Microsoft 365? And what do you have to do more to achieve in this advanced category? Brandon got some great thoughts about a governance framework. What is necessary for an enterprise working within this new SaaS, within this new remote work environment. And how do you have to think about things even to a certain extent beyond just the definition of software? And then we’re going to sort of wrap up with three more use cases, really talking about this process of how do you monitor what’s going on with your security environment? How do you define how to manage and apply that governance framework? And then how do you actually manage it? How do you enforce it? How do you understand if you’re in compliance with that set of governance frameworks that you put in place?

Scott Gode: So let’s talk about Unify Square. A ton of customers. We really focused on the enterprise. We’re fully focused on security, as you can see there in the lower left in terms of our ISO 27001 certification. A lot of us come from Microsoft. Our founders are Microsoft personnel. I worked there for fifteen plus years. So we understand Microsoft, we understand the Microsoft customer. We’re very globally oriented. Our headquarters just happens to be here in Bellevue, Washington, but we’ve got sales and consulting and managed services and development all over the world, as you can see there, in terms of Europe and Asia, etc. And as I mentioned as well, we’ve got this long history of Microsoft in terms of Microsoft not only using us internally to help manage their internal environment for the employees. Microsoft is actually an investor in our company. And all of our software technology that Brandon and I talk about today is built on top of Azure. So we at Microsoft believe in many senses, not just Teams, but beyond that. Our company focuses on three core areas from a portfolio perspective: software and our product. There is PowerSuite, which is all about not just performance and operations, but also security for medium chats and calls. So we came from the Lync and the Skype for Business environment and now full on Teams, obviously consulting. We do a lot of work with companies sort of getting started in the space or migrating from Zoom to Teams or from Cisco to Teams or just trying to get a handle on, OK, I’m doing conferencing for Teams, how do I take that to the next level and add on phone and set up my SBCs correctly and get my direct routing correctly configured. So a lot of consulting. And then we’ve got this managed services environment for companies that says that say, listen, I don’t have the right IT personnel to manage my Teams environment or my legacy Skype environment.

Scott Gode: Can you guys just take it over? Can you run it? Can you be my admins and patch it, not fix it and then migrated and deal with my end users. So that’s a whole additional portion of our business that we use PowerSuite, our software, to help manage and to make those costs lower. But we have some large companies that you may recognize here that we do that for. So just briefly, to show that we’ve got a lot of companies all over the world that we do a tremendous amount of ongoing software and managed services work for. Finally, just to set the scene PowerSuite, I mentioned for a software perspective in the UC environment, here are some screenshots of dashboards that come within PowerSuite. Help Desk is probably our most popular dashboard that people can use to look at what’s happening with their call environments. Who’s been on the conference call? What connections are they using? Ethernet, Wi-Fi, etc. what devices use and who’s on the call and whose devices or headsets or networks are struggling as a result of the call. So this is all data that we pull out of Skype or Teams and visualize in a way that’s very helpful for the Help Desk support personnel or the IT administrator. And then even another popular dashboard is what we call our Insight Centre. And this is a Trello like roll-up of all the issues that IT is going to be concerned about the cloud-managed environment, you can see a couple there that have circled, which is all about our legacy, but ongoing UC orientation towards management conferences and calls. And I show the screen just so that you’ve got something to come back to when we start talking about deeper what we’re doing in the security framework. So with that as an introduction, let me flip it over to the Brandon and set the scene for what we talk about when we mean when you say collaboration, security, and governance.

Brandon Long: Thanks, Scott. Welcome, everyone. Super excited to talk to you today. So we’re going to be talking quite a bit about governance within Microsoft Teams, security within Microsoft Teams. But I think the thing to understand is that in order to truly realize your governance and security and regulatory objectives when it comes to Microsoft Teams, you have to take actions outside of the traditional Teams admin center. That’s going to mean that you’re employing the governance, compliance, and security solutions built into Microsoft 365. And that in some situations you’re also going outside of Microsoft to leverage additional governance capabilities, whether that’s workflows that you’re building in-house, whether that’s dashboards, training centers that you’re building in house, approval and request processes, or also third party solutions where you can kind of have a turnkey advanced governance solution. So we’re going to be talking about how we get there, how we really get to that advanced governance mindset. And I want to give you an idea of what that looks like once we’ve arrived, and then we’ll talk about how you get there. So I’ll kind of show you a postcard of the destination before we take off. So I’d just like to tell stories. So this is Tammy and Tammy is in Australia, which is really interesting because every different part of our organization has different requirements that they need to meet, whether that’s regulatory or from just a business standpoint. So, Tammy, she’s in Australia and she’s a user and she’s creating a Team using the native Microsoft Teams creation process.

Brandon Long: And I think that this is really important. One of the things that we’re seeing within many organizations is that Teams are being adopted very quickly across the organization. And there’s this need to put maybe some breaks or some speed bumps into the path of creating teams, because we don’t necessarily have the governance and the lifecycle management behind those teams so that we can just say, hey, people go create teams to your heart’s content. But in an advanced governance mindset, we’re really changing that. We’re saying, hey, Tammy has no barriers to entry when it comes to creating a team. She’s going to use that native team’s creation process, fully leveraging Microsoft 365 native governance features that so, so things like sensitivity labels to define the privacy and the access to that team and the content that’s stored within templates that are, that are available to Tammy while she’s creating that team so that she can create a very specific team built for her really specific health care use cases that’s constructed with the appropriate integrations and the appropriate channels and structure behind that team. Again, no barriers to entry, but Tammy has the full ability to move forward in creating that team.

Brandon Long: If you you go to the next slide, Scott. So Tammy’s a team owner or super excited for Tammy. The really interesting thing here is what do we do from that point forward? So a team has been created. What can we do to make sure that we’re governing that collaboration, experience, the communication, the files and really the work that that’s happening within that team? So from the PowerSuite and Power assist perspective, we are constantly monitoring when teams are created, when they are archived, when they’re deleted, and we’re triggering off that detection. And we’re checking not only against the configuration of that team and the policy definitions that’s happened within Microsoft 365, but also advanced policies that we’re defining as well, things like the minimum number of owners for a team, things like advanced naming conventions that are specific to Australia or maybe specific to the part of the business that the Tammy is a part of. It’s not a policy that’s defined for all teams, but it’s really specific to her role within the organization and detecting that there’s an issue with this team. Maybe it’s not compliant and it’s naming convention. Maybe there’s some other policy in terms of guest access that’s not in compliance, that we didn’t really have knobs and dials to configure within the Microsoft solution. So what we do is we just remove the end-users, remove Tammy from that team, and then we start to take some control over governing that team.

Brandon Long: So we have the ability to initiate a chat with Tammy. And you can go to the next slide here, Scott, to reach out into to really bring that team into compliance. And we get the ability within PowerSuite and as governance decision-makers to define what that is with full flexibility to reach out to the end-user. And this can be an automated process so that we can bring that team into compliance and then we can update the team automatically and we can move forward and add Tammy back in is the owner of that team letting her and her colleagues collaborate and whatever their use cases are. But we don’t necessarily need to worry about how many teams are created because we know that they’re aligned with our governance and policy framework. So I think the big question for many organizations is how do we actually define that framework? What do we do? How do we understand what the security landscape is? If you only go to the next slide? That is a question for many organizations, and I think that’s always going to be a difficult question to answer. Scott, talk a little bit about our consulting services.

Brandon Long: And that’s something that we do for many organizations, is just to understand what their risk exposure is and what the features are that they have to mitigate that risk. Also to understand what their business use cases are so that they can help support those business use cases as they move forward. And that’s really the thing that we’re always trying to balance. And we’re talking about governance. We’re trying to balance the needs of the business and our end users to collaborate, but also the regulatory objectives, security objectives, and business objectives of our company and keep those two things in balance. So this is just an example of some of the questions that we have to answer when we’re talking about governance. This list goes on and on, but we’re going to talk about these questions in particular and then what it looks like to answer these from a basic governance perspective, which is where many of us probably are today or we’re trying to get to. But then we’ll also talk about later in the call today what it looks like to answer these questions from a more advanced governance perspective, where we have more granular control, more business, appropriate policies for the different use cases that we have.

Sam: Thank you so much. We actually have a question around getting started. Someone wrote in that they’re at the beginning of their Teams governance journey and they need help just figuring out the best place to even start.

Brandon Long: Yeah, so that’s a really good question. So one of the things that I’m excited that Microsoft announced recently is a kind of a new Teams feature within the Teams experience, where you are essentially following this, this guide that Microsoft has created in terms of configuring your tenant and for Teams and Teams UC in collaboration. I think that’s one of the areas to really get your first exposure to what we can do in terms of governance is to go towards that Microsoft solution and to see how, gosh, you know, what Teams were really easy for me to enable. Maybe I signed some licenses and I, I turned on the solution within my platform. But there are all of these other areas in terms of managing Azure AD groups and the security and compliance center that I might be able to tap into. And there’s some low hanging fruit there. Advisor, I think it’s called. Right. Yeah. Thank you.

Sam:  Yeah. Yeah. That is.

Brandon Long: Yes. That’s a really good place to start. And then beyond that, there’s a depth of documentation that you can reference or bring in, talk to talk to your Microsoft account team, talk to third-party security vendors like us, and we can really point you in the right direction.

Sam: Thanks, that’s awesome. I know there’s a lot of health care customers that have had similar questions and it can be overwhelming to start. So it’s good to know that we’re here for them.

Scott Gode: Yeah, I’ll add to that Brad was talking about all this. How do you come up with your policy and the government’s approach? And it’s interesting when we juxtapose the security focus that we have as a company against the UC and voice focus that we have as a company, which is where the Unify Square came from, Microsoft does a great job saying, OK, here’s how we define a good call or bad call. There’s these parameters that are very clear from a jitter perspective that helps to define a good or bad call. And it’s sort of an industry oriented thing. When you come to security, it’s totally different for the person that asks the question can totally see why they struggle, because, you know, defining what is secure and not secure is totally not based on an industry standard. It’s based on a well, to a certain extent it is, but it’s based on you as a company. How important is security in certain areas and perhaps not in other areas? So it’s just a very personal thing because it’s so personal, knowing what the right questions to ask are, knowing how to interpret those answers, and then knowing how to apply those answers within the framework of Teams and Microsoft all up. It’s a convoluted and sometimes confusing process. So, you know, between Microsoft and partners like this, we’re here for you. Brandon, do you have more on the slide or you know,

Brandon Long: I think, Scott, if you want to jump in on the next section, that be great.

Sam: So, how do we get to where we are today and you’re going to rebrand and I purposefully repeat an overlap on some of the things we’re saying because we really want to drive home certain points. But if you look at the framework, if we look at the marketplace right now, here’s a number of things we’re seeing. This notion of blind spots, blind spots for IT. They crop up because end users are self-servicing themselves. Shadow IT initiatives are popping up. So you get new software going in. Even with COVID-19, there are new governance threats from a work from the home perspective are certain vectors of software and sort of the way people work is different than they used to be. Staffing is obviously continues to be an issue, but it’s perhaps even more of an issue when you look at Teams, because maybe in certain cases IT hasn’t quite caught up and really thought about Teams being a security exposure either folks, and have been focused on other areas. And there’s still maybe struggling to catch up on the staffing for the Teams area. They’ve all targets in terms of how do you define what you’re going after? How do you find the owner of these spaces, as Brandon’s talked about, out of box areas in terms of what’s the difference between native and sort of advanced complexities? And really how fast whether it’s Microsoft or some of the competitors for Teams, all these players are evolving their features so, so quickly, in part in large part driven by COVID-19.

Scott Gode: So just when you think you’ve got a handle on your governance and your policies, all of a sudden a new feature pops up and like, oh gosh, do I have a policy in place to cover that or do I have to add that and understand it first and then add it? It’s not just about detection. It’s very easy to monitor and, well, it’s relatively easy to monitor and figure out if something’s wrong. But then how do you respond to it? Going back to that limited staffing issue, you can’t really expect somebody to always be hovering there with their finger on a button to do some sort of manual remediation. You ideally need an automatic process. So there’s rules in place. When something is seen, it’s acted upon and that requires additional software complexity, but it also requires very purposeful and detailed governance rules. So you could put that policy in place, which brings us obviously to AIML. And that’s often overused set of phrases and technologies. But it’s absolutely critical in this space that between Microsoft and other third parties out there, they need to have this level of automation and machine smarts to make this come alive and that finally, that notion of speed, everything is real time right now. Everything is all about capturing data in real time and reacting to it in real time.

Scott Gode: And what we see often with some of our actually quite a few of our customers is they may have thought about this governance set of issues, how they put them in place once Teams goes live. But oftentimes there it’s too late. So the ideal is to have this sort of pre go live set of assessments, understand where your exposure is before you turn the system on so that you’re not left exposed for even a short period of time. From a security landscape perspective, you know, as a lot of you, I’m sure, do Unify Square itself, pays the piper quite often to our friends at Gartner to understand the Gartner worldview. And to Gartner’s credit, they talk to a lot of companies. They’ve got a global reach. But even Gartner is a bit schizophrenic these days in terms of how they think about SaaS and how they think about cloud security. You can see there at the bottom. They’ve got a definition of a SaaS management platform. They’ve got a cloud workload protection platform. They’ve got a SaaS security posture management category. All of these areas are slowly bleeding together. But all these areas are slightly different ways to say, hey, we recognize that running SaaS applications in the cloud is complex, has security loopholes, needs to blind spots, etc. A lot of stuff I just went through.

Scott Gode: There’s a ton of different opinions, ton of vendors out there. So it’s a very confusing space. But I guess one thing you could take away from this is that there is focus there and a lot of companies are drilling into not just Teams and not just office, not just Microsoft 365, but other platforms out there as well, because they recognize that there’s exposure levels out there that need to be mitigated and customers such as yourselves who need assistance with that. So let’s bring it back to Teams, what’s the dilemma? Well, many of you have started to invest in some level of governance for Teams and the Graph APIs and the Teams and Microsoft 365 admin centers have different levels, overlapping levels of often open whole levels of governance data options. But then you’ve got other issues that even given that you’ve got in-house tools and processes that don’t have SLAs, don’t have enforceability, which I mentioned before, which is a tough area to get right. It’s not just about monitoring. Even a lot of third party tools that Gartner may talk about out there in the market. They lack either that enforceability, a way to really come up to parity with what you can do natively in Teams and Office 365, and then even within Microsoft is great as a job is, Microsoft is continuing to do with Teams and Microsoft 365.

Scott Gode: There’s a lot of complex and global enterprise scenarios that just given the relative maturity levels of Teams that even Microsoft hasn’t been able to invest in yet because they’re doing exactly what they should be doing, investing in usability from an end user basis and sort of letting some of those back in complexities catch up over time, either because Microsoft’s going to invest in it later or because, as they always do, Microsoft is looking to partners to fill those gaps. So a lot of this is what you need to be thinking about when you think about what do I need and how and where do I invest in these areas?

Scott Gode: One last question, I’ll turn it back over to Brandon. We often get the question, how do I think about what you guys in Unify Square are doing with your software and relate that to sort of other security? Is there a difference? Where’s the difference, etc.? So what we’re going to attempt to explain in the rest of this presentation is sort of call out some of those differences just by showing you what it is we do. We do a lot of this analytics. Let’s really understand and discover and get visibility about what’s going on in the environment in terms of the blind spots that might be occurring. Let’s help you with that lifecycle. As Brandon mentioned before thinking through the whole governance cycle and the security of your teams and your channels? And then most importantly, let’s help you enforce that in terms of policies and settings. Let’s help you enforce it at an enterprise level. But and this is important, but with granular control. So you could set up different policies to apply to different geographical regions, different departments, et cetera, because not for global corporations, not all things are like. And some of that security definition that you have to define for yourself may differ depending on if you’re in Germany or if you’re in the US, for example. Finally, there’s this notion of multiplatform. We’re talking about Teams here, but many of you may be purposefully or by default because of some nifty shadow IT is dealing with multiple platforms. You may be dealing with Teams and Zoom, Teams and Slack, et cetera. That may be a long term strategy for you. That may be a short term. And I’ve got to muddle through this until I can sort of marshal my forces and come up with a strategy to get everybody finally over to Teams. But that’s an issue. How do I think through these policies of that security across multiple platforms, not just for Teams? Related to that, then what is sort of not fall into this category, all this stuff? 
CASB, malware, e-discovery, DLP, archiving, backup, encryption, identity access management. There’s some elements that flow over and purposely overlap. But if you’ve got a CASB solution, that doesn’t mean you’re covered for some of the Teams governance. If you’ve got a DLP solution from a software perspective, that doesn’t mean you’re covered. A lot of these traditional security vendors still haven’t caught up and or haven’t even said they’re going to catch up and focus on this Teams governance and security space on this, as we call it, collaboration security and governance space. So really do your homework. I guess the take away from the slides, really do your homework. Understand if you already have security software, is there a short term roadmap that vendor of yours is going to get to CSG? And if there’s not, consider looking at other options. Brandon, back to you.

Sam: Really quickly before we get back to Brandon, Brandon feel free to comment, but we have a couple of questions I think would be useful. So one person wrote in and was confused around are we talking about a framework that we can use or is Unify Square third party tool that we would purchase? So I’ll let you elaborate from our perspective. On the Microsoft side, we talked about Teams Advisor. We talk a lot about the Teams administrative dashboard and the governance that you can do natively, right. And there is a lot there. Unify Square offers an advanced level that we’re going into today. And then they also want to be here to help you think through that framework around security and making sure that your collaboration is secure and governed appropriately. So I’ll let you all clarify around that. And then we have a couple more questions as well.

Scott Gode: Well said. I think you summarize it well said. But Brandon, I’m sure you got a few more comments to make.

Brandon Long: Yeah, absolutely. The platform that you use to govern Teams should be vendor partners, solution agnostic. So that’s what we’re going to talk about in this next section, is how do you evaluate your governance capabilities and apply those against the governance framework to make your decisions on how you govern Microsoft Teams. So with this slide, let me talk just a little bit about those questions that we came up with earlier and how we’re responding to those from a governance capability perspective and then and what we might aspire to in an advanced governance mindset. If you notice in that advanced side, there are so many parts of that that aren’t PowerSuite. And that might be a solution that you currently have and that Microsoft provides. But it’s really that next level of integration into the full Microsoft 365 governance, compliance and security stack. So from who can create teams, we’re getting into this idea of Microsoft 365 groups and the actual provisioning engine behind Microsoft Teams. Teams wasn’t built in and it’s kind of by itself next to the previous capabilities of Office 365, but Teams was built as an expansion on so many of the features collaboration capabilities inside of Office 365 and Microsoft 365 groups or Outlook groups and some people will think about it is really at the core of that. So many of the lifecycle management and governance decisions that we make around Teams in terms of how long does a team exist, who has the ability to create that team can guest be invited to Team A versus can guests be invited to Team B? All of these are functions of governing Microsoft 365 groups. And for many organizations from a basic standpoint, they have kind of taken that first step to say, hey, we’ve disabled who can create teams. We have a subset of people in our environment who can create teams, maybe administrators or those who have been trained and we do that via Microsoft 365 group governance. 
And then as we kind of work our way down the template definition, oftentimes this is, this is a little bit like the Wild West, and so you just might have people within specific that business groups or different offices who are really coming up with their own workflows and templates and maybe they’re just copying from existing Microsoft 365 groups and uplifting those into a team. Or maybe they’re, they’re copying other teams so that they can kind of drive a general structure across the business. But it’s very decentralized and it’s parts of the business that are really defining that for themselves. Sensitivity, content, what should be shared in a team, how should we be protecting our data, and the PII that’s contained within Teams? A lot of times this is just left down to security training and maybe GDPR training to say here’s how you should be processing your data, but we don’t have any actual governance in place.

Brandon Long: And then as we move down, we’re talking again about Microsoft 365 group naming conventions. How are we protecting against data loss while training and awareness of how our files retained. Maybe we’re just archiving Teams. Who has access to my team? Maybe from an organizational perspective maybe we’ve whitelisted or blacklisted or allowed or denied specific domains within to have access from a B2B collaboration perspective. But we haven’t really taken control of this on a per team level. Who’s responsible? What are the first party integrations? There’s that there’s a lack of governance over all of this. And again, kind of that Wild West people are exploring the capabilities of Teams and we’re really in this basic governance standpoint. And I think it’s up to each of us to really understand what are the questions that we have, what are the actual governance concerns, security concerns that we have, and then to evaluate our own deployment against those solutions. So I would never recommend that an organization take a look at every single security and compliance control that’s available and use that is the marker for an appropriate governance framework or for success, right. Scott talked about those KPIs. What should we aspire to? You shouldn’t look at every solution that’s out there and say that’s what we need to get to. You should look at the needs of your business and the pain points and questions that you have from a data and a usage standpoint and then evaluate what you’ve done up to that point. As we move towards a more advanced governance perspective. What you’ll see here and you can read down the list there is that you’re seeing more of an embrace of the native capabilities that Microsoft has and then an extension of that into some custom development, maybe where you have a custom creation portal that you’ve built inside of Teams where you’re governing the creation of a team. 
And Microsoft has some great resources out there for you to get spun up really quickly with power apps and to have a really low code deployment of a custom creation portal. You’re leveraging more of the Office 365 compliance and security, things like sensitivity labels. You’re defining templates from an administrative perspective for your business so you can drive similar collaboration spaces across the entire organization. Maybe you’re reaching out to third-party solutions like PowerSuite to drive more advanced naming convention and ownership policies and really just embracing the collaboration capabilities of Teams and bringing in all of the stakeholders to do that. So let’s talk a little bit about how we get from basic to advanced or get from nothing to advanced. So one of the things that I like to think about is what do we need to do to implement Teams collaboration? And this is from a collaboration security perspective. And I think most organizations if I talk to them today, are in this deployment phase.

Brandon Long: So they’re really at step three in this graph where they have said, hey, we’re going to roll out Teams, maybe because of COVID, maybe because of the ease of deployment. And there they have active users within their organization. And what they really need to do is maybe take a few steps back and get into the discovery phase and then to the governance design phase where we actually come up with that framework. When you’re looking at discovery, I think one of the big things is what are UC requirements from an organization? How do we actually need to collaborate? What are the actual business workflows? Right. So we’re not just pushing out a toolbox to end-users, but we’re actually giving them a design for how they can collaborate and how they can build something that’s business appropriate for them. And then what are the operational implications of Microsoft Teams as well? Right. What is this doing to my directory? How many different identities am I going to have to truly discover and understand what the requirements are? And then we can start to work to build that governance framework where we’re looking at all of the Teams policies that are native of the lifecycle management capabilities that we have within Microsoft 365 designing those and in response to what our security and compliance objectives are, to make sure that we are meeting our HIPAA regulations or whatever those end up being. And then what are those third party solutions like PowerSuite that we need to fully plug the gap. And then we move into our deployment phase where we actually implement our governance framework and then the ongoing development as well.

Brandon Long: If you’ve been tracking recent features from Microsoft, there’s this incredible new capability that Microsoft is releasing where we have the transcription of the meetings and that are happening within Microsoft Teams, which is amazing from so many perspectives, from an accessibility perspective, from a language translation, as you know, client and health care interactions in different languages. There are so many reasons why this is amazing in terms of transcribing the spoken collaboration that we’re doing, but also from a security and governance perspective that is incredibly alarming to think, oh, gosh, every conversation that’s had with a client or with a customer or a vendor is potentially transcribed and searchable within my Microsoft 365 environment. How do I balance those two things? I’ve got security concerns, but I also I want to make sure that I’m providing those capabilities to my own users. And so part of a mature governance framework is making sure that you are constantly monitoring those responses, these new features that are coming in from Microsoft, these new governance capabilities that are coming into the Microsoft stack, and also what other third-party solutions are doing to help address those because Teams is not static, Teams is going to change every single day. So we need to make sure that our framework matures as quickly as Microsoft Teams does.

Sam: It’s definitely true, I think, Brandon, we have one question in the chat, but I love that you’re highlighting all the future changes. I know even post Ignite, we have just had so many, especially health care customers reach out regarding those futures, we’re super excited about them. So definitely, if you are interested in learning more on the future, updates always post and that Health Care and Life Sciences blog, we can do other webcasts like this. We can give you resources, whatever you need. But Brandon and Scott, we have a question on external parties. This is something I get a lot from my customers. How do I balance allowing external parties to collaborate with my users, but still making sure that my internal users are secure in their collaboration?

Brandon Long: Yeah, really good question and honestly, one of the first challenges that I think many organizations face when it comes to governing Teams. I think in order to answer that question, you have to understand what the reality of collaboration is. If we can all agree that people will collaborate regardless of the solutions that we give them to collaborate with, then we can start to answer that question. I think from the right mindset, if there is a business use case to collaborate externally, I think most organizations should be in control of the solution in the workspace that’s used to do that collaboration. And then I think if we have a more secure stance, then maybe the organization that we’re collaborating with, then we should default to the more secure security organization being the organization that hosts that collaboration environment. So from a practical standpoint, if I am collaborating with Qantas and Qantas as a mom and pop shop down the street, they probably have a far less mature and regulated security environment than I do. So I should be hosting that collaboration space. I should have the most restrictive set of collaboration policies. From that perspective, then we’re looking at from a kind of are we going to track the identity of that user or are we going to track that differently than anonymous users? So Azure and Microsoft Teams both do a great job of letting us define domains where we can actually we have allowed lists for collaboration.

Brandon Long: So many organizations will have an internal process to say, hey, if we need to collaborate with Qantas.com, we might go through a data privacy review with that organization to understand how they are configured and then from that will decide who owns those collaboration spaces. And we might add them to the allow list so that we can actually build maybe a guest access relationship with that organization. So the first point to look at is from a tenant perspective inside of Azure, what organizations do I actually have in my allow or deny lists or do I have that completely open so that I can invite guests from any part of the organization? And then we can actually in a more advanced governance mindset, we can look at individual teams and say, hey, within this particular team, do I want to have guest access allowed or do not. Maybe I have a sensitivity label for a team where I say, hey, this is proprietary information that’s stored within that team. And as Tammy creates that team, she has to pick to say, yes, this is a proprietary team with sensitive information and so automatically triggered based off that using Microsoft governance, that guest access is turned off for that team. But there could also be, you know, a sales team or more of an open team where we can say, yes, this team is allowed for guest access and we’re going to filter what guests can be there through the end Microsoft 365 Azure allow or deny list. And then finally, in a more advanced governance model, you can also take a look at third-party solutions as well to say, hey, maybe I want to say for this particular team, I’m only going to allow in guests from this one domain. The rest of the domains that I have on my list shouldn’t be granted access to this specific team. So that’s kind of the way that I would go from a team perspective. 
And then when you’re talking about meetings and collaboration, it’s all about do these organizations are they joining our meetings and our calls and sending us emails from organizations that we trust and we know are secure or are they doing it from maybe a free solution within Teams or joining our meetings as an anonymous user. Maybe if they’re a, you know, a client who doesn’t actually have access to a Teams account and how can I configure my policies to match those different use cases, which there is a ton of control that we have in terms of our Teams policies and how those people get connected to us from a UC perspective.

Sam: Awesome. Thanks, Brandon. And you covered a lot of it. I added in a resource around just communicating with users from other organizations. So if you want to check out more on external access versus just access, what that means, feel free to look there and we’ll post that afterward as well. So we can keep going for now. And I’ll keep looking for questions. Keep them coming, guys. This is great.

Brandon Long: Yeah, thanks, everyone. OK, so I’m going to go quickly through the next several slides. And if this is something that you’d like to talk more about, please reach out. You’ll have our details and how we can really get that governance framework built within your organization. But the first thing is to understand, the stakeholders that are involved in. A good governance framework for Teams is not made from just the collaboration team. It’s not just the legal team who’s coming up with the framework. It’s not just the needs of our end-users, but it’s all of these aligned to say really govern Teams and to make decisions about the individual solutions that are required to fully adopt Microsoft’s native governance capabilities. So put your team together is step one in putting your framework together. When I go to the next slide. The next is to understand the real value behind doing this, I think one of the things that we’ll see most often in putting that team together is saying, hey, there’s really no security pain right now. Maybe we haven’t had a recent data breach. So we’re having a hard time getting a hold of our legal team to put a stamp of approval. Maybe the SharePoint team is so focused on what they’re doing that we’re not getting the time of day.

Brandon Long: And the reason and I think some ammunition that you can go to in terms of building that coalition of stakeholders, the reason that we’re there, we’re doing this from a really mature framework position and so that we can break through the reactive governance loop, right. The thing I talked about is governance is the balance between our end user requirements and our organization’s objectives. And what you’ll see oftentimes, and I think many organizations find themselves, is that they have deployed Teams, they’re in maybe the deployment phase. They haven’t put a governance framework in place. They don’t know what all the knobs and dials are and they haven’t made a decision on those. And then they invest in adoption and change management, right. They train their end-users how to use it. They start to pivot some of their business practices into Microsoft Teams. And then all of a sudden there’s a concern that comes that somebody sends a jitter that is inappropriate, somebody is deleting messages that they shouldn’t be deleting, and we don’t have a good understanding of kind of what the conversation was. We all of a sudden realized that we have to flip off recording for meetings because we don’t know where those recordings are being saved: is it Stream, is it SharePoint, or is it OneDrive?

Brandon Long: And so there’s this reactive policy and governance decision making that’s happening as a result of issues that come up within the environment, which means that we have to then reinvest in adoption and change management, let our users know that we’ve disabled the feature. We have to feel the angst of our end-user community as they are responding to that and they’re saying, hey, you know what? I had built a process on having recording and now it’s not there. What am I going to do now? So breaking out of that and getting into a framework idea where we’re saying, hey, this is going to be our framework, this is how Teams will be governed for the next 12, 24, 36 months. We know how it’s going to work. We know what features will be available. We’re talking to Microsoft about the roadmap and tracking that and making decisions proactively on new features that are coming out. And we’re communicating that once a decision has been made to our end users, we’re investing in adoption and change management. So this is the way, right? We’ve talked about the who, the stakeholders. This is why we build the governance framework. And then we’ll talk about the how, how do we actually get that established?

Brandon Long: All right, so the first thing is to evaluate the solution capabilities and then we’ll evaluate our business requirements, we’ll build that governance model, and then we’ll go towards stakeholder approval. So in order to govern Teams, you really need to know where those knobs and dials are if you don’t know them, we’ve talked about some great Microsoft resources. You can also reach out to us and we’ll point you in the right direction. But what control can I have over Microsoft Teams? And I think it’s valuable for you to know whether or not you end up reaching out to us about PowerSuite or any other solutions that you look at in terms of what you already have inside of your security portfolio. A lot of partners are leveraging Microsoft APIs and the hooks that they’re giving us to really build out that additional governance. So just because you say, hey, you know what, Teams doesn’t do X, so we can’t move towards teams, look towards that third party solution and say, actually, you know what, with Teams and PowerSuite, I can actually move forward and deploy. So don’t let the native capabilities be a blocker for you, understand the requirements and then evaluate your business needs, right. Talk to your end-users. Talk to your collaboration champions. Talk to your business decision-makers and say, hey, here’s what Teams can do. What do you need? How can we align these two things to truly govern the solution? And then we start to build our governance model. We make decisions about policies. We make decisions about integrations and the additional governance capability of security and compliance within Microsoft 365. And we come up with our architecture for how Teams is governed. We’re actually making decisions on how all of these areas are configured. And I think one of the really interesting things is also uncovering what the preexisting governance decisions are that impact Teams. Right?
Maybe we already have retention policies that have been put out there for SharePoint. How is that impacting my team’s sites? So understanding what those interdependencies are and that’s the importance of having all stakeholders involved in this conversation and then we move that towards approval. We say, hey, Azure Active Directory team, these are the things that you cannot change, right? These are you can’t turn off this guest access invitation capability because that has a dependency on Teams, which is now a part of our, you know, our more mature change management practices from an ITSM standpoint. And once we have that, we push it out to our end-users and we invest in our adoption and our training.

Brandon Long: All right, and just to let you know, that is a lot of work and operationally that’s a lot of work as well to evaluate new features. So as we kind of build this slide out, you’ll see that from a third party vendor, this is really how we are positioned to help deploy that as well. Whether it’s understanding what those capabilities, knobs and dials are, building the framework, talking to the stakeholders, getting legal approval to actually deploying the solution, deploying unified labeling within your environment, setting up those policies within you and the environment, retention, all of the complexity of that, and then tracking end-user requests for new templates, tracking new capabilities from Microsoft, making sure that that’s incorporated into the governance framework. That’s really what we’re doing from consulting our PowerSuite software and then our cloud managed services offering for Microsoft Teams.

Scott Gode: Sam, I’m going to you a few more slides to play out a few of our use cases, but any more questions we want to throw in here?

Sam: Yeah, I do have one question from Ulysses he was asking about he has a customer, that super risk-averse, and has security concerns with Teams. So I responded back in the chat and feel free to elaborate. But I would love to answer the specific question or on that concern. I think I added a resource and that Pete and I always share because we really pride ourselves on the security and compliance capabilities of Teams, especially in comparison to our competitors in the space. So would love to hear more on that, but feel free to elaborate on that. That’s the last question I have for now. But keep it coming audience We’ve had a really engaged time with you guys and we want to make sure you get the most out of this time. So we have about 10 minutes left. And Scott, take it over.

Scott Gode: Did you I reply to that one, Brandon?

Brandon Long: Yeah, if you want to keep moving forward, let me read the question here and then I’ll respond.

Scott Gode: The last two slides, everybody, Brandon is going to take you through three sort of use cases just to sort of bring home. There’s some practical examples like we did at the beginning, how some of this works, both in many cases using our PowerSuite solution, but also talking about some of these native capabilities. So the first one is the first step. In order to fix it, you have to know what it is. You have to be able to monitor it and get those analytics, those collaboration security analytics visualized. So, you know, we like Tammy. She’s living in Australia, PowerSuite is connected to Tammy’s Teams tenant. So we pull the graph data, we combine it with PowerSuite machine learning, custom data, and then we visualize security analytics. So here you can see one of the dashboards that PowerSuite makes available, looking at a number of things, number of guests per user platform. And I was smiling when that question came up about external access and guest access. The guest access set of policies is the first one we implemented in PowerSuite because of their importance. And it was even funny when we were piloting this over a year ago and looking at our own internal data, I was surprised in my department to find out that I had guests who are external vendors and former employees who are still actually part of Teams. And I didn’t realize it. And it’s so easy that little things like that can slip through the cracks because you don’t naturally, I mean, Teams is great or any of these collaboration platforms are great because they’re so easy to use, but that ease of use is also part of the danger of them because guests crop up and you don’t realize they’re there. So we can monitor the guests, we can monitor guests based on domains. There’s a ton of very useful information.
And we’ve even come up with this notion that you can see in the bottom left of a risk profile based on the sensitivity labels and Teams and what that risk index indicates in terms of how at what type of action you might want to take.

Scott Gode: Furthermore, let’s not just be Australia centric. Let’s bring in Europe, so here’s Louise. He’s located in Madrid and he’s IT director of Tammy’s company, but he wants to drill down in particular on team ownership. So there’s another security factor about, OK, what happens if teams are created and they have zero or only one owners? And what can happen to a team if there’s not somebody looking after that team on a regular basis? What kind of information can get sprawled through to those teams? But then if you lose track of them. So here you can track the specific teams that don’t have any owners of them left. You can even look from a departmental standpoint and say, OK, from the terms of these departments, what type of ownership do they take care of? So you can sort of slice and dice it any way you want. And this is invaluable information that you need to have just to get to the scene and understand what’s going on before, in many cases, before you even begin to create those policies that allow you to decide how you want to manage that issue. I promised I’d bring back this insight center that we have. Insight Center that really helps you look at not just phone-related, voice-related things, but as you can see from the circles here policy-related violations, just access related violations. So there are all kinds of different surface areas of Teams that any IT department wants to be able to cover and sort of keep top of mind in terms of where do they need to take action or what do they need to be aware of what’s going on in their environment. See, number one or use case number one is the monitoring. Brandon takes you through the sort of definition and enforcement side of things.

Brandon Long: Yeah, I think so. And we’re coming up on time here. So I’m going to go quickly through these. The first thing that I want to do, though, is just respond to that question that came in. Hey, we’ve got a big customer. They’re concerned with teams and data security and data privacy. How do we tip the scales towards Microsoft Teams? I think one of the big things is to and I think that they’re kind of asked is to understand what their security concerns are. Is it that the data is encrypted? That’s easy. Yes, right. Data that’s stored in Teams is secured. Is it the location of that data? That’s really interesting. And if that’s the concern then we can talk about how we can store data in different parts of the world in order to maintain compliance there. But I think the big thing is in terms of kind of building the confidence in terms of Teams being a secure collaboration platform, is being able to articulate and communicate what your security stance is for Microsoft Teams. I think for most organizations I’m talking to, if I said, hey, hand me the document that shows how you’re governing Teams and collaboration, hand me the document that shows at a glance how you secured collaboration within your environment. Most organizations would say, gosh, we can’t. This is something that the SharePoint team kind of owns and the collab team kind of owns. And our Skype to Teams project. We didn’t really make a ton of policy decisions. We don’t have a clear answer on that. We know it’s secure, but we can’t necessarily communicate how it’s secure. So I think one of the big takeaways from this governance, that activity that you go through, is that we have a document that we can then hand over and we can say, hey, here’s our governance stance for Microsoft Teams. Right here is how we’re treating external users. Here’s how we’re treating guest users right here. Here, the policies that we’ve put in place to make sure that every collaboration platform is secure.
So when you’re invited to one of our meetings, here’s how you know that it’s going to be just you and us. Right. Here’s the policy. If we if you’re invited to join one of our teams or if you’ve invited us to join one of your teams, here’s how you can know that we’re doing multi-factor authentication so that our users are our users and we can we can guarantee that. So just having a true understanding of kind of how it’s been secured and then being able to clearly articulate that to an organization is key. Right. That lets us establish that kind of data privacy handshake between two organizations. All right. So moving forward, we’ve got a couple of different use cases here. So governance policies, how can we take a request, take a an insight that we’ve generated, whether that’s because we’re looking at Teams data or using PowerSuite to uncover some of these insights and turn that into a policy. That’s one of the things that we’re excited about is taking insights into direct advance governance policy. So Tina is Microsoft 365 admin, she got an alert that said you can think of a lot of things. Right. Teams had too many guests. We had a guest from both. I like to use the example of Nike’s and Adidas. We’re in the same team talking about shoe design and that we can’t have that right. So an alert that pops up and then Tammy’s able to click through that within PowerSuite to say, hey, I’m going to create a new policy to address this concern that they came up. Get on the next slide.

Brandon Long: From that, we start to see all of the different violations of that policy, and I think one of the really interesting things is that when you go about your policy management this way, we’re also checking against all of the preexisting policies sorry, all the pre-existing teams. So it’s not just, hey, for all new teams where we have Nike or it may be in our Teams request form, we’re not just adding this checkbox to say, hey, let’s address this concern that we had, but we’re going back and retroactively checking all of the existing teams against that new policy that was created so that we can bring those teams into compliance so that it’s not just our new teams that meet our most recent kind of compliance and regulatory stance, but it’s all teams within the organization, whether they were the first team that was created or the most recent team, they’re in compliance with our current set of policies. And then tracking that and making sure that we are actually enforcing those policies, so these dashboards that we have let you know where the issues are, but also it’s not just admins that can take action if we move forward here, Scott, we’ve got governance within PowerSuite as well. Right.

Brandon Long: So this idea of different regulatory concerns, if you’re at global organization, your regular regulations in Europe are going to be so much different than the U.S. And so you might need to apply a more granular approach in your governance to different teams and where that data is stored and then use a solution like PowerSuite to actually enforce. That’s PowerSuite reaching out to end-users, bringing those teams into compliance based on the policies that are being defined within that part of the business. And the nice thing about this, right, is this is completely low touch. And I like this screenshot – my wonderful budget for 2020. Yeah, we that’s not something that we want from a security standpoint. We probably don’t budget in the team name, especially if it’s a private team. And we can help end-users bring those teams into compliance. Because the reality is with Teams, your end-users and your team owners are empowered to be really the administrators of their own domain to a certain extent, the teams that they own, which is excellent in terms of collaboration. We want to make sure that we can put the security in place so that we don’t have any issues there. Over to you, Scott.

Scott Gode: My finicky mouse, we just got it, the 10 o’clock hour we’ve come in, perhaps a few seconds over time, we’ve listed here our website and our specific collaboration, security, and governance portion of our website, if you want to get more information. I know we’re over time out and if there are any questions or if you’re just going to call it a day.

Sam: So there actually are no last questions. We did a really good job of asking them throughout. And thank you so much to Scott and Brandon.

 

 
