How can you simultaneously enhance and secure Microsoft Teams?
The growth of Microsoft Teams has been beyond explosive. Today, over 270 million people use Teams every month, which is even more astounding considering in late 2019, it had 20 million users. But while Teams' initial jump resulted from the rapid adoption of video conferencing, collaboration fuels its ongoing appeal and staying power. Teams has emerged as another competitor alongside the likes of Slack, Workspace and Webex.
Teams' success has a lot to do with the larger Microsoft 365 ecosystem. Their synergy creates a popular collaboration experience, but also introduces security and data access problems for many companies.
"The interesting thing about Teams is that many people are under the mistaken impression that Teams itself is a product or offering, rather than a combination of other existing Microsoft services running underneath," says Jeff Melnick, archTIS' Global Director of Technical Solutions Management.
Microsoft is evolving into a cloud operating environment, and the combination of Microsoft 365 and Azure represents its foundation. Teams integrates with many of those areas. It can also connect to on-premises Microsoft environments. From SharePoint to OneDrive, Active Directory to Outlook, Teams can talk to them all – especially when it wears its collaboration colours.
The Teams burden
With great power comes great responsibility. Teams, though, gives users the power and saddles IT with the responsibility. Melnick explains: "If you look at what Teams can do, it's not unlike a file server that different people access. But the difference is that a file server would be set up to control access, separate different groups and manage the engagement. Teams works the opposite way – it is a very user-driven experience. Guest access is a good example. Many users want to add users outside of the organisation. But then IT teams have very little oversight or visibility into who actually has access to data: in some cases, sensitive data."
Other examples are how easy it can be for users to create new groups or share documents in chats. Users also want to use plugins from third-party services that help them do more. In a recent study conducted by AIIM, 63% of Microsoft 365 users said third-party plugins enhance functionality. In this sense, Teams is an ecosystem that reaches beyond even Microsoft's environment.
Yet administrators have limited control over such behaviour, and the typical response is to disable features such as guest access. But that contradicts the spirit of collaboration, and security again bumps heads with productivity. Furthermore, now IT has to indulge requests to add users or permissions around Teams.
"It's an ironic situation, because IT likes the idea of self-service. But Teams can take that almost too far, especially from a security and a governance perspective," says Melnick.
Microsoft invests tremendously in security. Last year, it quadrupled its cyber security investment to $20 billion over five years. But there is space to harden security features with relevant policy and third-party enhancements. To resolve the tension between security and collaboration, companies should consider two strategies: recognise the outsized role that Teams plays in an organisation and create policy, best practice and training to match.
"Most organisations don't have any clear best practices for dealing with Teams. Should employees be able to create groups? What is the policy on public or private groups? People making these decisions should take the time to see how their people use Teams, how it's productive, and also how, without guidance or training it could cause problems."
When deciding policy and guidelines around this dynamic collaboration platform, Melnick suggests five key considerations:
- Governance and training;
- Permissions creep;
- Human error;
- Guest access; and
- Accidental data leak.
Each company's outcome will differ. Some industries might do an enormous amount of collaboration with outsiders (marketing firms), while others might rarely have the need (manufacturing sites). There will be overlaps – human resources and legal typically don't need the same groups unless they collaborate over sensitive documents such as an employment contract. If they sit in the same Teams session, what happens to those documents they might share in the discussion?
This point raises a specific concern about company data. It is effortless to share and distribute documents and other pieces of data across Teams, using its reach to end up who knows where. Managing this can be very taxing, which is why attribute-based access control (ABAC) is emerging as a long-term solution.
ABAC determines access to a digital asset by weighing policies against attributes such as network, device, identity, time and location. So, even if someone has a right to a particular document, ABAC can determine if they have a right to share that information on a Teams call, or if the Teams call storage points to the appropriate repository. It may find that some people in the call don't have the right to access or copy the shared file.
"ABAC allows you to apply this additional layer of security. So, you can say: 'Hey, there's a bunch of data in here that we know needs to be accessible by a number of different groups. However, not all of them should have the same level of access to this data. If it's very sensitive information, maybe they should not be able to see that that data exists at all. But if it's semi-sensitive, maybe they can just view that data.'"
The Teams environment is about much more than video meetings. It's likely to become the central point for many engagements in hybrid and remote workplaces. To ensure Teams continues to deliver, don't leave it in the hands of users.