Microsoft Teams security has come into the spotlight recently, as rapid adoption of the platform has highlighted some concerns. Microsoft Teams is an online collaboration platform that is a part of the Office 365 suite. Microsoft Teams enables employees, executives, and other relevant stakeholders to seamlessly communicate and collaborate on projects from any location, using virtually any device.
Private messages can be sent via the Chat feature, which uses OneDrive for Business to store file attachments. You can also make peer-to-peer voice and video calls using the Calls feature, which is built on top of the Skype framework. There is also a Calendar feature that can sync with users’ Outlook calendar, to help them plan projects and schedule meetings.
A team is essentially an Office 365 Group, which users can create or join via the Teams tab.
Microsoft Teams Security Concerns
The Teams ethos of open communications and file sharing runs counter to the data security best practices that we are used to, which are largely focused on restricting access to data based on the principle of “least privilege”.
Data protection regulations such as GDPR, HIPAA, and PCI-DSS require that organizations have strict protocols in place to ensure that sensitive data is collected, used, stored, and removed in a controlled and secure manner. All events involving sensitive data must be recorded in real time, which includes a detailed log of who is accessing what data, and how the data is being treated.
This requires processes for classifying sensitive data, as well as ensuring that sensitive data is encrypted, both at rest and in transit.
As you can imagine, trying to adhere to these practices with large amounts of unstructured data circulating through a complex and distributed ecosystem like Teams, is a challenge, to say the least.
Teams Guest Access Security
Guest Access is perhaps the most notable Microsoft Teams security concern. The owner of a team channel is able to invite people from outside of their organization to participate in Teams activities.
The guest users will have full access to the team channels, chats, meetings, and any files that have been shared. To make matters more complicated, any user can become a team owner, and there is no formal vetting process to determine who can or can’t be invited.
In addition to the possibility of users deliberately or accidentally sharing confidential information with unauthorized recipients, there is also the possibility that attackers will intercept files in transit.
Users can also install third-party apps, which are often used to integrate other platforms such as Trello, Asana, GitHub, and YouTube into Teams. While the ability to extend the functionality of Teams through third-party apps is a useful feature, it comes with obvious security risks.
The most notable concern with third-party apps is that some of them request or require access to users’ data. With so many apps available from a wide range of sources, your Teams administrator will inevitably struggle to keep track of which apps have been installed, and what data they have access to.
Microsoft Teams Security Tips
Since Teams is a part of the Office 365 suite, it is able to leverage the security features available to other Microsoft products. For example, Teams uses SharePoint for file sharing, OneDrive for storage, Exchange Online for email, and Azure Active Directory (Azure AD) for user authentication and authorization, and to store information about group membership.
However, MS Teams security can also be enhanced using its own built-in features, as well as third-party security solutions. Below are 5 tips to help you strengthen your Teams instance.
1. Set up App Management
Three types of apps can be used in Teams: built-in apps (provided by Microsoft), third-party apps, and custom-built apps developed by the organization running the Teams instance.
On the Manage apps page in the Teams admin center, you can change the settings to restrict the usage of certain types of apps. For example, you can block specific third-party apps, restrict their permissions or only make them available to certain users.
2. Use the global Teams settings & Office 365 groups to restrict permissions
By default, any user with a mailbox in Exchange Online can create a team and become a team owner. If you want to limit the number of users who can create a team, create an Office 365 group whose members have permission to create new groups, and add users to this group accordingly.
You can also configure the global Teams settings to determine who can communicate and share data with individuals outside of your organization, as well as specify the authentication requirements for users accessing meeting content.
For employees wishing to collaborate on projects that involve sharing sensitive data, it is good practice for them to create a private channel, where access is restricted to the relevant team members.
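The group-creation restriction from this tip, as an added example that is not part of the original article: it uses the AzureADPreview module to disable Office 365 group creation for everyone except members of one designated group. The group name "Teams-Creators" is an assumption; substitute the group you created for this purpose.

```powershell
# Added example (not from the article): restrict Office 365 group creation, and therefore
# team creation, to members of one designated group.
# Assumes the AzureADPreview module and a Global Administrator session.
Import-Module AzureADPreview
Connect-AzureAD

$GroupName = "Teams-Creators"   # assumed name of the group whose members may create teams

# The Group.Unified template holds the tenant-wide settings for Office 365 groups.
$Template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified" }

# Reuse the existing settings object if one exists; otherwise create one from the template.
$Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $Setting) {
    $Setting = $Template.CreateDirectorySetting()
    New-AzureADDirectorySetting -DirectorySetting $Setting | Out-Null
    $Setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
}

# Turn group creation off for everyone, then allow only the designated group.
$AllowedGroup = Get-AzureADGroup -SearchString $GroupName | Select-Object -First 1
if (-not $AllowedGroup) { throw "Group '$GroupName' not found; create it before running this." }

$Setting["EnableGroupCreation"]        = "False"
$Setting["GroupCreationAllowedGroupId"] = $AllowedGroup.ObjectId
Set-AzureADDirectorySetting -Id $Setting.Id -DirectorySetting $Setting

# Verify: EnableGroupCreation should read False and the allowed group id should be populated.
(Get-AzureADDirectorySetting -Id $Setting.Id).Values
```

This setting governs Office 365 group creation everywhere (Outlook, Planner, SharePoint), not only in Teams, and administrators with group-management roles remain able to create groups regardless of it.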
3. Restrict Guest Access
In the Teams admin center there are settings that are specific to Guest Access. If you want to be extra-secure, you can leave guest access disabled by default. Alternatively, you can enable guest access and adjust the privileges to limit what guest users are allowed to do. In many cases, guest users only require access to certain features, such as screen sharing or voice/video calls.
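The guest-access choices above expressed in PowerShell, as an added example that is not part of the original article: it uses the MicrosoftTeams module's Cs* cmdlets to either keep guests out entirely or let them in with privileges trimmed to calls and screen sharing. The specific combination of settings is an assumption chosen to illustrate the tip, not a recommendation from the article.

```powershell
# Added example (not from the article): tenant-wide guest access settings for Teams.
# Assumes the MicrosoftTeams module and a Teams administrator session.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Option A (the "extra-secure" default): guests cannot be added to any team.
# Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false

# Option B: allow guests, then limit what they can do once inside a team.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true

# Calling: guests may join calls but may not start private 1:1 calls.
Set-CsTeamsGuestCallingConfiguration -Identity Global -AllowPrivateCalling $false

# Meetings: guests may use video and share their whole screen,
# but may not start ad-hoc "Meet now" meetings of their own.
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $true `
    -ScreenSharingMode EntireScreen `
    -AllowMeetNow $false

# Messaging: guests cannot edit or delete their messages, or post Giphy/memes/stickers.
Set-CsTeamsGuestMessagingConfiguration -Identity Global `
    -AllowUserEditMessage $false `
    -AllowUserDeleteMessage $false `
    -AllowGiphy $false `
    -AllowMemes $false `
    -AllowStickers $false

# Review the resulting guest configuration so the change can be documented and audited.
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-CsTeamsGuestCallingConfiguration
Get-CsTeamsGuestMeetingConfiguration
Get-CsTeamsGuestMessagingConfiguration
```

Guest access also depends on the Azure AD external collaboration settings and the Office 365 group guest settings; the Teams switch above only takes effect when those allow guests too.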
4. Harness the built-in security tools that Office 365 provides
As mentioned, Teams benefits from the security features already available to other Office 365 products. Such features include: Electronic Discovery (eDiscovery), sensitivity labels, Multi-Factor Authentication (MFA), Mobile Device Management (MDM), Advanced Threat Protection (ATP), data retention policies, encrypted email, Data Loss Prevention (DLP), and more. Please note that a detailed description of each and every one of the Office 365 security features is beyond the scope of this article. I will instead focus on the most notable security features.
Electronic Discovery (eDiscovery) and Sensitivity Labels
The eDiscovery feature used in conjunction with sensitivity labels enables you to discover and classify your sensitive data.
While the eDiscovery tool is primarily used to identify information that can be used as evidence in legal cases, it helps to know what sensitive data you have and where it is located if you want to keep it secure.
The eDiscovery tool and sensitivity labels can discover and classify data across your whole Office 365 environment, including your Teams instance.
The Office 365 Content Search feature allows for advanced content filtering, which can help to locate data that is covered by the data privacy regulations that are relevant to your industry.
Advanced Threat Protection (ATP)
The Advanced Threat Protection (ATP) feature is an email filtering service that is able to detect and report on harmful links and attachments in real-time. ATP Safe Links uses signature-based malware protection, and also works with Office documents. When a user clicks on a link, it will be immediately flagged as safe, malicious, or blocked. Likewise, ATP Safe Attachments will use a signature-based approach to scan your inbox for malicious email attachments.
Data Loss Prevention (DLP)
The Office 365 Data Loss Prevention (DLP) tool allows administrators to create policies that determine how certain types of data should be treated. The main goal of any DLP solution is to prevent sensitive data from being shared with unauthorized parties. The Office 365 DLP tool is able to identify and classify sensitive data on-the-fly and automatically block/quarantine the data if it is being shared in a way that violates the policy conditions set by the administrator.
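A DLP policy of the kind described above, scoped to Teams messages, as an added example that is not part of the original article: it uses Security & Compliance PowerShell (ExchangeOnlineManagement module) to block messages that contain credit card numbers and show the sender a policy tip. The policy and rule names and the custom tip text are assumptions; the "Credit Card Number" sensitive information type is one of the built-in types.

```powershell
# Added example (not from the article): a DLP policy for Teams chats and channel messages
# that blocks credit card numbers and tells the sender why the message was stopped.
# Assumes the ExchangeOnlineManagement module and a Security & Compliance session.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$PolicyName = "Teams - Block payment card data"   # assumed policy name

# Policy scope: Teams chat and channel messages for all users and groups.
# Mode "TestWithNotifications" reports matches without blocking; switch to "Enable" once
# the match rate looks right for your data.
New-DlpCompliancePolicy -Name $PolicyName `
    -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Blocks payment card data shared in Teams messages"

# Rule: match the built-in "Credit Card Number" sensitive information type,
# block the message and show the sender (the content owner) a policy tip.
New-DlpComplianceRule -Name "Block credit card numbers in Teams" `
    -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains payment card data and is blocked by policy."

# Enforce once testing is complete.
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable

# Confirm the policy and rule exist and are enabled.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, BlockAccess, NotifyUser
```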
Using Lepide for Microsoft Teams Security
While Office 365 provides a number of useful security features that will help to keep your Teams data secure, it should be noted that there are also dedicated third-party solutions that can provide deeper insights into how your Teams data is being accessed.
The Lepide Data Security Platform enables security teams to discover and classify data that is being shared on MS Teams, identifies which users can access sensitive data, and uses machine learning techniques to identify anomalous user behavior. Any changes or interactions that you want to know about can be delivered in real time or viewed in completely customizable reports.
Unlike the native Office 365 security tools, the platform is able to aggregate and correlate event data across multiple cloud platforms, as well as on-premises and hybrid environments.