We’re waking up to a new world where the connection we had with others, once taken for granted, is now more critical than ever. Many of us live a digitally vicarious life through technology but still maintain our analogue connection with others. Right now, we’re being forced to keep away from others and can no longer move freely to maintain that personal link. The social hubs of coffee shops, restaurants, sporting clubs, and pubs are now our lounge rooms and kitchens. Technology is more important than we can understand.
One of the most common areas of our socialisation has been at schools and workplaces because, in addition to having our individual goals, the group objectives still need to be met. We still need to conduct business, give and receive an education, create content, and deliver services. We rely on business and individuals. Teachers and students, employees and customers, and everyone else must adopt a virtual presence.
For the past several weeks, we have been collectively scrambling to stay connected and doing so from places we may have never connected from before. Students once accustomed to attending class at K-12 facilities and Universities, only doing their assignments from the kitchen table, are now undertaking their entire education remotely. The office workers and service providers that saw a day working from home as a rare treat are currently setting up complete home offices to replicate their corporate workspaces.
Businesses and educational facilities have been heavily investing in solutions to connect their teams and students while maintaining some semblance of normalcy. Home and corporate networks are flooding with a surge of Internet traffic. Licenses on software are increasing, and hardware upgraded while others are starting from scratch since they only existed in a brick-and-mortar sense before. In the rush to get and stay connected, there is an oversight we’re making.
Thankfully, there are many security options built into the solutions we choose to stay connected, and one of the most popular of those solutions has been Microsoft Teams. Even if these options, settings, and features are not always obvious, they’re working diligently in the background to protect you, your data, and your connections.
But first things first
When working remotely, I like to take a page out of the Zero Trust model (and Microsoft can facilitate deployment of a Zero Trust model, including Teams). My view of the Zero Trust model has six steps, and you can apply them to your remote collaboration and communication solution of choice.
One – Secure the Environment
Now that we’re working outside of the secure boundaries of our offices and schools, we must consider the workspace in which we connect. Take a look around, and what do you see? Forget about kids and spouses; they probably don’t care (although we shouldn’t share too much of our work magic). Also, I don’t think we need to worry as much about nosy neighbours with binoculars (and I have seen this before). Is your workspace safe and secure and free of distractions and potential witnesses? This concern may apply if you work out in public, and you never know who may be looking over your shoulder.
Bonus Points: Be wary of “smart” devices like Alexa, Siri, Google, and the like that may always be listening. Your home office should be as secure as your regular work office, especially when using Teams!
Two – Secure the user
It is the responsibility of your business or school to ensure you have secure access to the network and remote resources. That means multi-factor authentication, accounts with least privilege, and the ability to connect securely and be authenticated. Ensure that only those that need access to Teams have access, and limit who can invite to and manage the individual and group teams.
Three – Secure the device
Whether a laptop, desktop (surprising how many of us still use desktops), tablet, or mobile phone, your devices must be secured. Don’t leave them unattended or else your toddler may start sending gibberish to the CEO (don’t laugh, it has happened). Worse, they could get stolen or damaged. After the physical security, the devices should conform to your company or school policy (or even be supplied by same). Secure hardware will support a protected user and facilitate a safe Teams environment.
Four – Secure the network
I can almost guarantee nobody is running corporate-grade home networking equipment (but I say “almost” because I know some of you are just that hardcore). That said, your home connection must be adequately secured. No open networks or weak (or default) passwords. Your connection to your home Wi-Fi likely won’t be secured by certificates, but if it’s secure enough for you to manage your finances at home, then your home network should suffice. If you have any questions, ask your IT team (or send me a message – I love to help people with their issues around security).
Five – Secure the application
Your work or school computer, when used remotely, should be minimally different than what you’d run in the office (minimally because you now need another layer of security and connectivity solutions you may not need otherwise). This consistency means the same sanctioned apps and cloud services; no wild and funky software or peripherals attached.
By rights, your IT team will probably have a Standard Operating Environment (SOE) configuration, and you can’t get away with anything silly. Consider the sites you visit. While you may not be on the company network (unless directly connected by VPN), the company still owns and controls your system (if they provided it) so usage policies apply!
Finally, Six – Secure the Data
The information you are working with remotely, regardless of format, must be afforded the same level of protection it would get at work or school. Be wary of where you use it, where you copy it to, and where you download it from. Only use sanctioned storage and systems for the data, and ask your IT team and management if anything smells funny (you know, that funky data aroma). With GDPR and Notifiable Data Breach legislation always lurking in the background, you are still responsible for data safety. In this regard, Microsoft does a great job of securing the information.
Now, for the good stuff. Secure collaboration tools
Your company may have several sanctioned applications for remote productivity, but the one I see the most is Microsoft Teams. It makes sense because many of us have Microsoft Active Directory as our source of truth, whether on-premise, in the cloud in Microsoft Azure or a hybrid combination of the two. Perhaps you’re already using other Microsoft systems like Exchange and Outlook, SharePoint, and OneDrive. Many of us use Word, Excel, PowerPoint, OneNote, Access and more so Teams is a natural choice.
Thankfully, Microsoft invests an absolute metric ton of money into its security and takes cloud security very seriously. With Data Loss Prevention systems, Sentinel as its SIEM/SOAR system, the Compliance Centre, and Microsoft Cloud App Security (MCAS), you can rest assured that your adoption of Microsoft Teams receives the same level of security.
Microsoft Teams, you say? What is it?
Imagine a piece of software that combines instant messaging, the ability to jointly work on documents as a team, collaborate with people even outside of your environment. You can use video conferencing, voice calls, share files and folders with specific groups while participating in several groups, group chats, and have private conversations all at once. Organise meetings? Yes. Share content in meetings across several platforms and still allow simple dial-in users? Of course! You probably can do all of these things already, but it probably requires several “solutions” to do. Some people call it Skype on Steroids; we simply call it “Teams.”
While online collaboration tools have been around forever and most of us are already familiar with Skype, Teams is worth a look for your business or school. Perhaps it is even more important now with all of us working and learning from home. Those of you that know me, know I’m all about making things happen securely.
How does security apply to Microsoft Teams?
I’m glad you asked! Let’s break this down into a few areas, such as Security, Compliance, Architecture, Licensing, Data, and Standards. We’ll also throw in a few more points to consider along the way. Let’s start with Security.
When we connect to Teams, we do so securely since Teams enforces tenant-wide Multi-Factor Authentication (MFA) and Single Sign-On (SSO) via the AD source of truth, so you can leverage your existing accounts. As for the data, it is encrypted both in transit and at rest when used by Teams. Data accessible through SharePoint is secured via SharePoint encryption.
The same goes for OneNote, secured through OneNote encryption (and for what it’s worth, OneNote data resides in the SharePoint presence of Teams). Yes, I know – a lot of moving parts, but please understand they’re all adequately secured in the Microsoft ecosystem.
As for other notes, the Teams “Wiki” tab (which I use to share a lot of my notes) has its content stored within the team SharePoint site. As you’ll have guessed, since Teams integrates incredibly well with SharePoint, OneNote, Exchange, and more Microsoft services, you can manage the security in O365 in its entirety.
You should also know that Private Channels supports limited security and compliance features for now, but the full set of security and compliance features is coming soon.
Advanced Threat Protection (ATP)
One of my favourite security elements of Microsoft, Advanced Threat Protection (ATP), is integrated with Teams just like it is with many other applications in the Microsoft ecosystem for content management. ATP lets you ascertain if content in these applications is malicious and blocks it from user access. The settings you define in Office 365 will dictate how to manage this content after detection, so please ensure you include all connected applications in your planning.
Even though ATP Safe Links are not available in Teams (yet), at least they’re in public preview via the Microsoft Technology Adoption Program (TAP). I don’t yet know of a release date (I’m hoping it will be very soon), so I’ll share as soon as I find out more. You can always read up on the existing documentation on Office 365 ATP Safe Links for other systems – I imagine they’ll align nicely.
Conditional Access Policies
Microsoft Teams integrates well with other Microsoft cloud services like Exchange, SharePoint, and Skype for Business. This powers productivity needs like meetings, calendars, chat, file sharing and more. Conditional Access Policies (CAP) configured for those cloud applications also apply to Microsoft Teams, and do so when users log directly onto Teams regardless of the client and platform used. I like this because it reduces the number of places I have to manage policies!
Azure AD treats Teams as a separate cloud app for CAP purposes, and regardless of whether the user signs in to the cloud app or the local app, the CAPs apply. One thing I have noted is that when CAPs are applied incorrectly, a user may still be able to connect to other apps directly. Be mindful of this, because even the best CAPs must be applied correctly. It’s like having a great access list on a firewall with the last rule being “ALLOW ANY – ANY”.
The local desktop apps support modern authentication methods, which was assumed since most apps do now anyway. These desktop apps are Windows and Mac and are part of the Azure Active Directory Authentication Library (ADAL) just like other Microsoft Office client applications. Another excellent integration is AppLocker which is one of my go-to applications for Application Whitelisting (and that is part of the ACSC Essential Eight!). It’s worth noting that CAPs are part of your overall Zero Trust modelling, so it’s nice to know Teams and its connections are covered.
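The two points above (CAPs apply to Teams as its own cloud app, and a badly scoped policy leaves a gap) can be checked from PowerShell. The following is an added example, not code from the original post or from Microsoft: it creates a report-only Conditional Access policy requiring MFA for the Teams cloud app, then lists every existing policy and flags whether it reaches Teams at all. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest), an account holding the Policy.ReadWrite.ConditionalAccess permission, and a placeholder group ID for the emergency-access exclusion.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell
# SDK and Policy.ReadWrite.ConditionalAccess. The break-glass group ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$teamsAppId    = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"   # Microsoft Teams first-party app ID
$breakGlassGrp = "<object-id-of-emergency-access-group>"   # placeholder: replace with your group
$caUri         = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Report-only first: the policy is evaluated and logged in sign-in logs but not enforced,
# so you can confirm it hits the right users before changing 'state' to 'enabled'.
$newPolicy = @{
    displayName = "CA - Require MFA for Microsoft Teams (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGrp) }
        applications   = @{ includeApplications = @($teamsAppId) }
        clientAppTypes = @("all")   # desktop, mobile, browser and legacy clients alike
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
Invoke-MgGraphRequest -Method POST -Uri $caUri -Body $newPolicy | Out-Null

# Audit: which policies actually reach Teams? Targeting 'All' cloud apps, the Office 365
# app group, or the Teams app ID covers Teams; naming only Exchange or SharePoint does not.
$policies = (Invoke-MgGraphRequest -Method GET -Uri $caUri).value
$audit = foreach ($p in $policies) {
    $apps = @($p.conditions.applications.includeApplications)
    [pscustomobject]@{
        Name        = $p.displayName
        State       = $p.state
        CoversTeams = ($apps -contains "All") -or ($apps -contains "Office365") -or ($apps -contains $teamsAppId)
        Controls    = (@($p.grantControls.builtInControls) -join ",")
    }
}
$audit | Format-Table -AutoSize

# Policies that grant access (no controls at all) and still cover Teams are the
# "ALLOW ANY - ANY" rule from the text: review them first.
$audit | Where-Object { $_.CoversTeams -and -not $_.Controls }
```

Run the audit section before creating anything to see the current state; the report-only policy can be promoted to enforced by patching its state once the sign-in log shows it matching the expected population.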
Control Your Connections
Recently, it came to my attention that an organisation had users creating Teams sites and then invited people from other organisations to join. While this does happen and Teams is intended to facilitate this kind of collaboration, appropriate sanctioning is required. By allowing untrusted parties to join Teams sites uncontrolled, there is an increased risk of data loss and other security issues.
Interestingly, many users probably overlook that a lot of what they get up to in Teams that may not be company-sanctioned could be captured, recorded, and emerge in the future. Behave yourselves!
You can control this through Azure AD’s “external collaboration settings”. This feature is in the client tenant under Azure Active Directory > User Settings > External Users > “Manage external collaboration settings”. Here, you can disable “Guests Can Invite” and “Members Can Invite” and instead restrict inviting to Administrators and other users that have the “guest inviter” role.
To take this a step further, you can define which domains are allowed to receive invitations. This applies if you don’t want competitors or even webmail (like Yahoo, Google, or Outlook) accounts to receive invitations. This option is in the “deny invitations to the specified domains” settings.
Microsoft also allows you to set up tenant restrictions to add additional controls. In the end, this can quickly become a blog all on its own, so I would highly recommend discussing who should and should not be able to access your teams whether they are inside or outside of the organisation. Limiting who can invite others, who can accept invitations, and from where should be a critical part of your Teams security planning.
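The invitation settings just described can be read and tightened from PowerShell, and the same session can inventory the guests already in the tenant so the team knows who is inside before the door is closed. The following is an added example, not code from the original post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, Invoke-MgGraphRequest, Get-MgUser) with the Policy.ReadWrite.Authorization and User.Read.All permissions; the webmail domain list is a constructed sample. The per-domain allow/deny list is set in the portal path the text gives and is not touched here.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph PowerShell SDK
# with Policy.ReadWrite.Authorization and User.Read.All. Domain list is a constructed sample.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "User.Read.All"

$policyUri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# 1. Show the current invitation setting. Possible values, from most to least open:
#    everyone, adminsGuestInvitersAndAllMembers, adminsAndGuestInviters, none.
$policy = Invoke-MgGraphRequest -Method GET -Uri $policyUri
"Current allowInvitesFrom: $($policy.allowInvitesFrom)"

# 2. Restrict invitations to administrators and holders of the Guest Inviter role,
#    the equivalent of turning off 'Guests can invite' and 'Members can invite'.
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body @{
    allowInvitesFrom = "adminsAndGuestInviters"
} | Out-Null

# 3. Inventory guest accounts and flag consumer webmail domains for review.
$webmail = @("gmail.com", "yahoo.com", "outlook.com", "hotmail.com")   # constructed sample
$guests  = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property DisplayName, Mail, UserPrincipalName, CreatedDateTime, ExternalUserState

$report = foreach ($g in $guests) {
    # The Mail property carries the guest's external address; UPN is the #EXT# alias.
    $domain = if ($g.Mail) { ($g.Mail -split "@")[-1].ToLower() } else { "unknown" }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        Domain      = $domain
        Created     = $g.CreatedDateTime
        State       = $g.ExternalUserState   # PendingAcceptance (never redeemed) or Accepted
        Webmail     = $webmail -contains $domain
    }
}
$report | Sort-Object -Property @{ Expression = "Webmail"; Descending = $true }, Created |
    Format-Table -AutoSize

# Invitations that were never accepted are easy wins to clean up.
$report | Where-Object { $_.State -eq "PendingAcceptance" }
```

Step 2 only changes who can send invitations; existing guests keep their access, which is why step 3 matters for an organisation that has already been inviting freely.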
Compliance
Compliance is front and centre in a lot of environments, and businesses and schools are no different. While different rules and regulations apply to each, the need to comply and the tools to enforce the rules are essential. Microsoft Teams addresses this with retention policies, Data Loss Prevention (DLP), eDiscovery, and Legal Hold. These capabilities cover channels, chats, mobile app management (through Intune), audit log search, and files. Like many other areas of the Microsoft ecosystem, these are centrally managed in the Office 365 Security & Compliance Centre. A quick summary of each follows.
In Teams, retention policies permit retention of the organisation’s essential data for regulatory, legal, business, forensic, and other reasons. Since storage and resource consumption in the cloud can be costly, you can define what not to keep as well, such as irrelevant content and communications. What I’ve found helpful, and have struggled with in other systems, is that the retention policies allow me to keep data for a defined period and then delete it. An example is a document or memo that only has a limited shelf life, where I only had to keep a few versions of it. I’m sure you will appreciate this feature when your bills for cloud services come in!
Data Loss Prevention (DLP)
Being able to safeguard your data in a remote working and learning environment is paramount. We’re now accessing more data from more places, so we expect it to be protected by the systems that carry, process, and store it. DLP in Microsoft Teams (as well as in Office 365 itself) exists to protect sensitive information. Regardless of whether the confidential information is contained in documents or in messages, the DLP policies ensure this confidential data is inaccessible to the wrong people. The exposure can be accidental or deliberate, but this control is a must-have for businesses and schools alike.
Imagine if teachers were having private conversations about a student with authorities and a parent receives it in error. What about a highly sensitive design document for a new prototype whizbang product that becomes pasted into a group chat, including a former employee that now works for the competition? DLP is a good thing, and I like having it available in Teams.
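The two controls described above, a keep-then-delete retention policy and a DLP policy that stops sensitive content leaving through chat, are both created from the Security & Compliance PowerShell endpoint. The following is an added example, not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and a Compliance Administrator account; the policy names and the three-year period are constructed choices, and the DLP policy is started in test mode so it reports before it blocks.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and a Compliance Administrator. Names and durations are constructed samples.
Connect-IPPSSession

# --- Retention: keep Teams chats and channel messages for 3 years, then delete them. ---
$retName = "Teams messages - keep 3 years then delete"
if (-not (Get-RetentionCompliancePolicy -Identity $retName -ErrorAction SilentlyContinue)) {
    # Teams content has its own policy locations; it cannot share a policy with mail/SharePoint.
    New-RetentionCompliancePolicy -Name $retName `
        -TeamsChannelLocation All `
        -TeamsChatLocation All `
        -Enabled $true | Out-Null
    # KeepAndDelete = retain for the duration (in days), then remove; 1095 days = 3 years.
    New-RetentionComplianceRule -Name "$retName - rule" -Policy $retName `
        -RetentionDuration 1095 `
        -RetentionComplianceAction KeepAndDelete | Out-Null
}
Get-RetentionCompliancePolicy -Identity $retName | Select-Object Name, Enabled, TeamsChatLocation

# --- DLP: block credit card numbers in Teams chat and channel messages. ---
$dlpName = "Teams - block credit card numbers"
if (-not (Get-DlpCompliancePolicy -Identity $dlpName -ErrorAction SilentlyContinue)) {
    # TestWithNotifications: users see the policy tip and incidents are logged, but nothing
    # is blocked yet. Switch -Mode to Enable after reviewing a week of reports.
    New-DlpCompliancePolicy -Name $dlpName -TeamsLocation All -Mode TestWithNotifications | Out-Null
    New-DlpComplianceRule -Name "$dlpName - rule" -Policy $dlpName `
        -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
        -BlockAccess $true `
        -NotifyUser LastModifier `
        -GenerateIncidentReport SiteAdmin | Out-Null
}
Get-DlpCompliancePolicy -Identity $dlpName | Select-Object Name, Mode, TeamsLocation
```

Both blocks are idempotent: rerunning the script after the policies exist only prints their current state, which makes it safe to keep in a configuration-as-code repository and run on a schedule.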
eDiscovery
Face it: our corporate and educational information systems are doing more and more and, as a result, contain more data than ever before. How can we find and manage information when we need it? Electronic Discovery (also known as eDiscovery) allows us to identify, collect, and produce digital data when required. Scenarios where this comes into play include forensic investigations, report generation, and information classification to align with regulations.
In Teams, we can perform case management, implement data preservation, search the discovered data, perform analysis, and even export the data. Sources in Teams include chat and messaging, files and documents, and of course, meeting and call summaries (This could make a few people nervous, but I digress). Often in meetings and calls we’re so busy with the conference we lose track of what we did, so the summary created from these communications can be made available in eDiscovery.
It is worth noting there are two types of eDiscovery: “In-Place eDiscovery” and “Advanced eDiscovery”. In-Place eDiscovery is focused on mailboxes, while Advanced eDiscovery focuses on Office 365 as a whole. Be sure to use the one that meets your requirements. Both include Case Management, Access Control, Content Searches, Holds, and Export, but only Advanced eDiscovery includes Duplication Detection, Searching with Machine Learning, and Unstructured Data Analysis.
Legal Hold
When things go sideways, as they can when dealing with essential data and human nature, the Legal Hold feature is gold. When I’ve performed forensics, the critical component is the careful preservation of evidence like a record of actions, messages, file transfers, and so on. In Teams, you can place a user (mailbox) or a Team on “Legal Hold”. For a Team legal hold (which can get complicated), the following types of holds are options:
In-Place Hold, where a subset of the mailbox or site collection (selected by specific queries or filters) is on hold.
Litigation Hold, where the whole mailbox or site collection is on hold.
Regardless of the hold used, once set it ensures that immutable copies of that content are maintained and available through eDiscovery search even if users delete or modify group mailbox channel messages. I’d highly recommend understanding this feature in-depth.
Compliance Content Search
The granular search capabilities and filtering in Teams come in handy, so when searching for compliance content, this feature is invaluable. You can search for and locate relevant content and then export it to a specific container for compliance (and litigation) purposes. You can even do this without an eDiscovery case, and compliance administrators can round up the data across all users in Teams for review and (if needed) export.
Bonus Points: This is a powerful feature, so using content search, you can filter to Teams-only content, like Chat and Channel Messages as well as Calls and Meetings. This option is especially helpful if you’re like me and have so many things on the go at a time that you just can’t remember where everything is.
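Legal Hold and Compliance Content Search, as described in the two sections above, are both driven from the same PowerShell endpoints. The following is an added example, not code from the original post or from Microsoft: it places one user’s mailbox on litigation hold, runs a content search against that mailbox filtered to Teams content only, waits for it to finish, and queues an export. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline for Set-Mailbox, Connect-IPPSSession for the compliance cmdlets) with eDiscovery Manager rights; the mailbox, case label and date are constructed samples.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# and eDiscovery Manager rights. Mailbox, case label and search name are constructed samples.
Connect-ExchangeOnline
Connect-IPPSSession

$custodian = "jane.doe@contoso.example"            # constructed sample mailbox

# --- Litigation Hold: immutable copies survive user deletes and edits. ---
# 1:1 and group chat compliance records live in the user's mailbox; channel messages are
# recorded in the team's group mailbox, which would need its own hold.
Set-Mailbox -Identity $custodian `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration Unlimited `
    -LitigationHoldNote "Case 2020-001: preserve Teams chat records"   # constructed label
Get-Mailbox -Identity $custodian |
    Select-Object PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDate

# --- Content search scoped to that mailbox and to Teams content only. ---
# kind:microsoftteams is the KQL filter that returns Teams chat/channel records rather than mail.
$searchName = "Case 2020-001 - Teams messages - Jane Doe"
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation $custodian `
    -ContentMatchQuery 'kind:microsoftteams AND sent>=2020-03-01' | Out-Null
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes; Items and Size tell you what an export will contain.
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity $searchName
} while ($s.Status -ne "Completed")
"Status: $($s.Status)  Items: $($s.Items)  Size: $($s.Size) bytes"

# --- Export: queues the results for download with the eDiscovery export tool. ---
New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream | Out-Null
Get-ComplianceSearchAction -Identity "$searchName`_Export" | Select-Object Name, Status
```

Placing the hold before starting the search matters: the hold is what guarantees the search results are still there (and unmodified) when the export is collected.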
Auditing and Reporting
Even though auditing and reporting don’t get the attention of flashy features like group chats and videoconferencing, from an information assurance perspective they are critical. The Audit Log Search links directly into the Office 365 Security & Compliance Centre (one of my favourite features in the Microsoft ecosystem).
Here, you can set alerts and generate reports on audit events. You can export data (workload-specific or generic) for administration and investigation if needed, and do so across an unlimited timeline. I’m sure you’d agree, trying to run an inquiry and missing data is immensely frustrating! This feature could become an article all on its own, but if this is your area of expertise, I’d recommend learning as much as you can about it, or ask us to help.
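The audit log search described above is also reachable from PowerShell, which is how most investigators pull it into a report. The following is an added example, not code from the original post or from Microsoft: it pages through a week of Teams audit events, expands the JSON payload, and surfaces member additions that brought in a guest, tying back to the “Control Your Connections” section. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and the View-Only Audit Logs role; the field names used from AuditData (TeamName, Members, UPN) are the ones the Teams workload records, and the `#EXT#` test for guest accounts is an assumption about how guest UPNs appear.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# and the View-Only Audit Logs role. AuditData field names follow the Teams audit schema.
Connect-ExchangeOnline

$end       = Get-Date
$start     = $end.AddDays(-7)
$sessionId = "teams-audit-$(Get-Date -Format yyyyMMddHHmmss)"
$records   = @()

# Search-UnifiedAuditLog returns pages; keep calling with the same SessionId until empty.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType MicrosoftTeams `
        -Operations MemberAdded, TeamDeleted, TeamSettingChanged `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += @($page)
} while (@($page).Count -gt 0)

# AuditData is a JSON string; expand only the fields an investigator actually reads.
$events = foreach ($r in $records) {
    $d       = $r.AuditData | ConvertFrom-Json
    $members = @($d.Members | ForEach-Object { $_.UPN })
    [pscustomobject]@{
        When       = $r.CreationDate
        Operation  = $r.Operations
        Actor      = $r.UserIds
        Team       = $d.TeamName
        Members    = ($members -join ", ")
        # Guest accounts carry the #EXT# marker in their UPN (assumption, see lead-in).
        GuestAdded = [bool]($members | Where-Object { $_ -like "*#EXT#*" })
    }
}
$events | Sort-Object When -Descending | Format-Table -AutoSize

# Guest additions and team deletions are the events worth a second look.
$events | Where-Object { ($_.Operation -eq "MemberAdded" -and $_.GuestAdded) -or
                         $_.Operation -eq "TeamDeleted" }
```

Swap the seven-day window for the period under investigation, and pipe `$events` to Export-Csv when the output needs to go into a case file.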
Architecture
The Teams architecture is integrated well within the Microsoft ecosystem, so the workflows and data streams are seamless to the end-users. From Teams, the flow of files connects directly to the SharePoint cloud (which also includes OneNote and OneDrive for Business). Messages follow a different path through the Chat Service and Office 365 substrate (what constitutes the “substrate” will be covered in a future article) and then into the Exchange cloud. The Exchange cloud, from a Teams perspective, includes email, 1-on-1 chats, group chats, and channel messages.
From the opposite side, the Office 365 Information Protection tools look after the Teams data in the Exchange and SharePoint clouds with all the features we discussed above like eDiscovery, Legal Hold and more. While “architecture” may sound more like a functionality element than security, it’s worth knowing how the data flows and where it is managed and secured by the Teams security features.
That covers the flow of files and messages in Teams, so what about meetings and calling data? These are possibly the real reasons you’ve adopted Teams as one of your critical remote work solutions. If you’re working from home or attending class from home like many of us are in the current climate, the ability to talk to, visually share content, and see each other is more important than ever.
From the Teams clients, you connect via the Next Generation Core (NGC) Skype Calling/Meeting Services through to the Microsoft Cloud processing engine and into Exchange. In Exchange, the call and meeting summary becomes a part of the mailboxes for each participant. It’s then ingested into the Office 365 Information Protection Tools and accessible, just like the files and messages.
I should also mention this isn’t instantly available; it can take up to 24 hours to be adequately ingested and discoverable.
Licensing
Licensing Teams information protection features ties into the broader conversation around Office 365 licenses. I would encourage you to speak with us because they can become quite complicated, and you don’t need to pay for features you don’t want or need. If you understand your objectives and requirements with regard to Teams, it becomes a straightforward exercise.
Once licensed for your required features and Teams, your business or school can go about setting it all up and getting everyone working and learning. I always encourage clients to ask the right questions and get the right people involved. If you’re not sure how to license and configure teams, reach out to us. You should know that two of the essential features, Content Search and eDiscovery, don’t need to be enabled in the Microsoft Security & Compliance Centre like a lot of other functions do.
Data Location
So, where is my data located anyway when I’m using Teams? While we can’t give a specific location per se, the data resides in the geographic region of your Office 365 tenancy. Microsoft does make these regions available, so for those of us in Australia, the datacentres are located in New South Wales and Victoria. In Canada, it’s Quebec City and Toronto. You can find this out for yourself in the Microsoft 365 Admin Centre – just go to Settings > Organisation Profile, and scroll down to “Data Location.”
For anyone concerned about data sovereignty, I’d recommend making sure the location of your data aligns with your policies and standards.
Standards
Speaking of standards, Microsoft Teams aligns well in this regard. Teams is “Tier D Compliant”, which means verification against international, regional, and industry-specific standards and terms. This verification includes ISO 27001, ISO 27018, SSAE16 SOC 1 and SOC 2, HIPAA, and EU Model Clauses (EUMC). Not long ago, Teams was Tier C Compliant, which lacks the industry-specific standards, but it has since achieved Tier D compliance (enabled by default).
For a bit of background in the Microsoft compliance framework, they classify Office 365 apps and services into four categories which align with specific compliance commitments. To be Tier-X Compliant, the service (and related services) must meet strict criteria.
Tier A, for example, is based on robust privacy and security commitments. Tier B takes this a step further and includes international standards like ISO 27001, ISO 27018, and EUMC. The controls with A and B can be enabled or disabled for the entire organisation. Tiers C and D features are enabled by default, providing a high degree of assurance to Teams customers.
This year we are faced with challenges we have not encountered before, but we also have tools and technologies to adapt, evolve, and thrive. Now forced out of our schools and businesses to take refuge in our homes, we need to communicate, collaborate, and stay productive. Microsoft Teams is the solution of choice for many educational, commercial, and government entities. Teams, fully integrated within the Microsoft ecosystem, gives us the power of meetings and calls as well as messaging and file sharing to create an “anywhere workspace”.
Microsoft has a wealth of security tools and solutions integrated within its Microsoft 365 environment and covers Teams within its protective sphere. Whether you are an experienced Teams user or a novice, I am happy to help you get and stay connected securely and realise the full potential of this incredible solution.
Stay safe out there.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through Shutterstock.