Remote working and COVID-19 have accelerated the use of Microsoft Teams over the last 12 months. As a collaboration and sharing platform, MS Teams has been a savior to many remote working teams. However, not unlike other collaboration and sharing platforms, MS Teams does have a number of security vulnerabilities that security and IT teams need to understand and address.
In this blog, we will go through what MS Teams is, the benefits and risks, a few ways you can use it, and (most importantly) how to use it securely.
What is Microsoft Teams?
Historically, there has been a great deal of confusion over exactly what MS Teams is and how it can be used. Some believe it to be just a chat tool, others just a more advanced version of Skype for Business. Microsoft Teams is far more powerful than this.
Microsoft Teams is essentially a competitor to Slack. Teams combines persistent workplace chat, video meetings, file storage and collaboration, and application integration. It has a whole host of features and integrations to enable remote teams (or even on-premise teams) to work closely together and collaborate more easily.
MS Teams is available for most licenses of Office 365, which makes it widely used in both business and corporate settings.
MS Teams is not a data store. Teams is the front end that sits on top of the critical Office 365 infrastructure and data stores and helps users easily communicate, access, and share data. When a new Team is created, a new security group is created in Azure AD with the Team members. A new hidden mailbox is created in Exchange Online, a new site is created in SharePoint Online, and files when shared through private chats are uploaded to OneDrive.
All of this is going on behind the scenes, unbeknownst to the user.
How to Use and Install Microsoft Teams
Using MS Teams requires getting to know some of the lingo. Social media users will be familiar with some of the terminology, including emojis, Stickers, and Gifs. Before we get into the nitty-gritty, though, we need to understand exactly how Teams works.
When you create a team in MS Teams, you also automatically create a SharePoint site, OneNote, and Office 365 group on the backend. Teams acts as a frontend for these backend processes.
When you open up the Teams interface, you should familiarize yourself with the app bar on the left-hand side.
Here you will find your notifications, chats, teams you are a member of, and the files you have access to. Meetings from your Outlook calendar are also synced with Teams to help you keep on top of your schedule.
When the Teams icon is selected, we can see which teams a particular user is a member of. Within a team, there could be multiple channels. Channels are dedicated sections within teams that you can organize chats and files within. Users can create new channels or hide channels they don’t want to see.
Within the channel, there are multiple tabs to select from, including conversations, files, notes, and more. Files is the directory for the SharePoint site where you can access files or add files yourself. Integrations are available so that you can add tabs from your other resources, such as a CRM.
You will need to have an Office 365 license to install MS Teams. Those with an Enterprise license can invite external users to their Teams channels through guest access. Teams can be installed on any device, so it is recommended that you have teams installed with all devices that you use to access corporate files.
If you are an Enterprise Teams customer and you need to roll it out throughout the entire organization, Microsoft does have guidelines that you can follow to do this successfully.
How to Set Permissions in Microsoft Teams
Ensuring that the right people have access to your resources is the most critical part of the deployment. Most security threats involving MS Teams exist due to misconfigurations or elevated privileges. If you’re a team owner, you have the ability to set permissions within your team. Here’s how:
- Go to “More options” – “Manage team”
- In the Settings tab, you can set the member permissions and the guest permissions, as well as a host of other permissions settings. You’ll want to limit the permissions as much as possible to avoid potential privilege abuse.
The Benefits and the Risks of Microsoft Teams
Microsoft Teams is incredibly easy to set up and get using, and it’s free for Office 365 users. The cross-collaboration and sharing capabilities make it a viable option for teams that are working remotely to stay on top of their work and up to date with joint projects and other team members. Users can share files with each other, schedule tasks, discuss work and more.
However, as with any sharing platform, it’s not without security risks. MS Teams can make use of the security and configuration of Azure AD through an integration, but this security is very complex and often easily exploited by attackers. Quite often, the complexity of the security and configuration settings can inhibit collaboration, which essentially takes away all the benefits of using Teams in the first place.
Mostly, the risks of MS teams can be overcome through consistent and proactive monitoring to ensure that users aren’t misbehaving and that permissions aren’t sprawling out of control.
Microsoft Teams Best Practices
Some general best practices are as follows:
- Create teams that represent your organizational structure, such as Marketing, Sales, Finance and so on.
- Within each team, create channels for different projects to help direct the conversation and keep everything focused.
- You should allow users to create teams as long as you monitor them.
- Integrate with your CRM and other technology that you use.
- Use chatbots for reminders about daily activities and upcoming tasks.
More specifically, here are some security best practices you can follow to reduce threat risk:
- Make use of multi-factor authentication to make signing on more secure.
- Implement a policy of least privilege or zero trust to limit access.
- Ensure you are able to discover and classify sensitive data being shared on Teams.
- Audit when files are shared outside of the organization.
- Ensure that files aren’t being downloaded onto unmanaged devices.
Microsoft Teams Security Tips
Fortunately, the Global security settings in Office 365 will cover most of Teams’ features. After all, file-sharing in Teams is done through SharePoint and email communication is sent via Exchange Online. OneDrive is used for storage, and authentication and authorization is handled by Azure AD. However, even if you have properly configured the relevant Office 365 security settings, there is still more work to do to ensure that your Teams implementation is secure.
1. Manage Applications
As mentioned, it is possible to extend the functionality of Teams by installing additional applications. Some of these apps are provided by Microsoft, some are provided by third-party vendors, and organizations can even build their own bespoke applications. Naturally, third-party applications pose the greatest security risk. Fortunately, administrators have the option to control which apps can be installed via the Manage apps page in the Teams admin center. They can also adjust the permissions to determine which apps can be used by which users.
2. Create Security Groups
By default, any user with an Exchange Online mailbox can create a team and become a team owner. It would be a good idea to place restrictions on who can and cannot create new teams. The simplest way to do this is to create an Office 365 group that has permissions to create new groups, and thus new teams. Any users who are permitted to create new teams can be assigned to these groups. From within these groups, you can specify whether users are able to communicate with individuals outside the organization, and which users can access and share files and meeting content. It would also be wise to ensure that all users know how to create private channels and limit the number of users in those channels, which will enable them to communicate and share confidential data in a more secure manner.
3. Limit Guest Access
In the Teams admin center, you can configure the Guest access settings to restrict the level of access granted to guest users. It is probably a good idea to either leave guest access disabled by default, or enable it, but ensure that they are granted the least privileges they need. Since guest access is typically granted to clients, you may want to limit their access to features such as video conferencing and screen sharing.
4. Enable/configure additional O365 security features
Office 365 provides a number of additional security features that can help to secure your Teams deployments, some of which include:
Advanced Threat Protection (ATP): ATP is an advanced email filtering solution that helps to protect your mailbox from malware. ATP Safe Links can detect potentially malicious URLs in emails, and ATP Safe Attachments can detect potentially malicious attachments.
Data Loss Prevention (DLP): The O365 DLP feature can help to identify sensitive data such as Social Security or credit card numbers to prevent unauthorized sharing of this data. As a part of O365’s built-in data classification feature, you can enable Automatic labeling to ensure that sensitive data is automatically classified, as and when it is found. It should also be worth noting that you can use a third-party data discovery and classification solution, which may be a preferred option if you are using a third-party auditing solution.
Automated backups: Office 365 provides automatic backups of your data to OneDrive, or a storage location of your choice.
5. Monitor User Activity
As with other Office 365 products, you can monitor all user activity within Teams, which includes user logins, permission changes, team membership changes, installation of apps, and any file-sharing that takes place across public and private channels. Again, it is entirely possible to use a third-party auditing solution, which will provide a number of additional features that might not be available with the native O365 auditing tools.
Microsoft Teams Security Solution
As we previously mentioned, the majority of security concerns with MS Teams come from rushed deployments resulting in misconfigured permissions. In order to use MS Teams securely, you need to ensure that you have visibility over when users are added or removed from teams, to maintain a principle of least privilege. You also need to make sure that you are aware of when sensitive data is being shared either publically or privately.
The security settings of Office 365 are confusing at best, and disruptive at worst. For enterprises, native security just isn’t going to cut it. The Lepide Data Security Platform enables you to get more visibility over how your users are interacting with Teams, including when sessions are started, when teams are created, when channels are created, and more. You can also receive real-time alerts and implement automated responses for when sensitive data is shared in teams, to help maintain a zero-trust policy.