Even before the shift to remote work with COVID-19, Microsoft Teams was top of mind for enterprise IT teams. With employees now mostly working remotely, Microsoft Teams rollouts were accelerated. Now, Microsoft Teams is business-essential for many organizations. In fact, data from Nemertes Research shows that almost a third of organizations rely on Microsoft Teams as their primary meeting solution. This is a higher number than choose other platforms like Zoom or Cisco Webex Teams. So, implementing security policies in Microsoft Teams is of the utmost importance.
Because of COVID-19, many enterprises rushed to deploy Microsoft Teams without considering collaboration governance or implementing security policies specific to the platform. This lack of forethought has resulted in a number of issues that continue to plague organizations. Left unchecked, teams proliferate, introducing a greater surface area of risk. With no lifecycle management, it’s difficult to take control of a collaboration environment run wild. Beyond team sprawl, collaboration security issues arise around guest access, unowned teams, and unconfigured security settings. Once Microsoft Teams is out there, this reactive approach to collaboration security and governance (CSG) just doesn’t cut it.
Microsoft Teams collaboration security poses a new set of complex issues for IT. While some might dismiss it as just the latest version of SharePoint, this oversimplification belies the unique, multi-faceted heavy hitter that is Microsoft Teams. Teams is a connection between a multitude of Microsoft products, from Office 365 Groups to OneDrive, creating a centralized hub for work for end-users. This integration is not always seamless, meaning IT must deal with many of the quirks of each of these products. This is all before you even touch on the chat and channel functionality. End-user collaboration creates a whole host of difficult decisions on the tradeoffs between productivity and security.
Beyond the platform itself, Microsoft Teams has thrown together IT teams who previously had separate responsibilities. IT professionals covering Unified Communications, networking, and content management, as well as InfoSec professionals focused on governance and security now must work closely to properly manage Microsoft Teams. With so much to think about, how do you even get started with collaboration security?
We’re here to help! Here’s everything you should do before you start security policy management and enforcement for Microsoft Teams.
Understand Usage Through Microsoft Teams Monitoring
If you’ve already deployed Teams without considering collaboration governance, you’re not alone. The silver lining to implementing collaboration security reactively is that you can use existing data to discover problems in your environment. There are a number of key metrics that Microsoft Teams monitoring and analytics can surface.
Some statistics to consider include how Microsoft Teams is typically used within your organization. If end-users use Teams primarily for meetings, you have an environment distinct from one where collaboration is the primary modality. Whether users tend toward one-on-one chats or channels is an indicator of the maturity level of your environment. One-on-one chats show that users primarily use Microsoft Teams as advanced instant messaging. On the other hand, channels indicate users are taking better advantage of the new way of working introduced by workstream collaboration.
A couple of early indicators of a need for automated governance for Microsoft Teams include the percent of inactive teams and the average number of teams per user. Inactive teams mean that the environment is experiencing team sprawl, which introduces the additional surface area of risk. The number of teams per user indicates membership sprawl, which can have end-user productivity consequences.
Tracking key usage metrics through Microsoft Teams monitoring tells you the maturity level of your environment. These discovery analytics also provide information on some of the collaboration security and governance issues you’ll need to address.
Involve Other Departments in Collaboration Security Decisions
Microsoft Teams impacts every department, and some of those departments will have particular needs. In the spirit of moving to a proactive approach, it’s important to involve these stakeholders in key decisions before implementing security policies for Microsoft Teams. For instance, you wouldn’t want to enact a policy to disallow guest access when the consulting department needs this capability for their ongoing projects.
Beyond getting buy–in from multiple departments, there are a few teams that should be more closely consulted. Engage UC, Information Security, HR, networking, and legal teams as you create your collaboration governance plan. Representatives from each of these groups can even come together to form a cross-functional team for creating and then subsequently managing Microsoft Teams governance.
Consider Unique End-User Personas
Before you start haphazardly creating and implementing security policies, consider unique sets of users. Having a clear understanding of departmental needs puts you on the right track to defining different policy personas. By creating user personas, you can ensure that policies make sense for the end-users to which they apply. This is important for ensuring a more secure collaboration environment, as well as giving end-users the capabilities they need to do their jobs.
There are a variety of possible groupings to consider. Department personas can be important where differing levels of security are required — for instance, not allowing guests on teams with finance employees. Some industries may also need to consider department-based ethical walls. These ethical walls purposely separate departments, preventing them from communicating with each other. For a collaborative platform like Microsoft Teams, this setup is no easy task. Similarly, geographical groupings can help for staggered feature rollouts and are in some cases necessary for responding to specific country regulations.
Other common sets of personas are VIPs, employees, and contractors. Certain features, like being able to post to an all-company team, should be reserved for VIPs. Employees may have a standard set of policies, while contractors may receive reduced permissions, like not being able to create a team. All of these persona decisions are worth considering when creating any collaboration security and governance policies for Microsoft Teams.
Take the Larger Office 365 and Azure Ecosystem into Account
Collaboration security is only one piece of the Office 365 security puzzle as it relates to Microsoft Teams. Beyond implementing, managing, and enforcing security policies for Microsoft Teams, there are plenty of other security decisions that must be made.
As Microsoft Teams is also a major content storage location, Data Loss Prevention (DLP) must be considered in the context of documents. One popular option, also in the Microsoft product suite, is Azure Information Protection (AIP), which is included with Office 365 E5 licenses. AIP automatically labels sensitive documents and can apply conditional encryption to ensure sensitive data remains safe. Because AIP works at the document level, you can rest assured that the files will be protected whether they’re stored in Microsoft Teams or elsewhere.
Identity and access management is another important security consideration. Microsoft Teams uses Azure Active Directory for identity management. We recommend creating a conditional access strategy, and of course enabling multifactor authentication.
Microsoft Teams is yet another cybersecurity attack vector that must be protected. The newly renamed Microsoft Defender (formerly Advanced Threat Protection) works across SharePoint, OneDrive, and Teams to block access to malicious content. The new packaging also includes incident response tools.
Make a Plan for Microsoft Teams Updates
As a SaaS platform, Microsoft Teams releases regular updates with new features and fixes. This is great for end-users, as their experience is constantly upgraded. However, this rapid release cycle makes it more challenging for IT to support Microsoft Teams. Unlike older on-premises platforms like Skype for Business, it’s much harder to sandbox new features and thoroughly test them before deploying to end-users.
Just because your carefully configured policies are right for your environment today doesn’t mean they will be after the next release. New features and settings can impact collaboration security if not properly configured. Come up with a plan early for how to discover new Microsoft Teams features and the security blind spots that the features may create. With this knowledge, implement policies to patch these blind spots as part of your ever–evolving governance structure. Part of this plan should involve careful monitoring of Microsoft Teams release bulletins and periodic policy audits.
Collaboration security and governance for Microsoft Teams can be overwhelming, and getting security policy management and enforcement for Microsoft Teams right is incredibly important. The platform represents a whole new surface area of risk, yet overstepping on security can drastically impact end-user productivity. With so many factors to consider, it’s difficult to ensure you’ve covered all the bases when implementing security policies in Microsoft Teams. That’s why we designed the Collaboration Security and Governance RightTrack™. Our expert consultants will guide you through all the steps to securing your Microsoft Teams environment.
Once you’re ready for security policy management and enforcement for Microsoft Teams, look no further than PowerSuite. Our industry-leading software introduces advanced governance capabilities, shifting your organization to a proactive approach. Take control of Microsoft Teams, Zoom, and other collaboration platforms with PowerSuite.