Remember driving down to your local computer store and picking up a shiny new copy of the latest Microsoft Word? Sleek in its box, the neatly wrapped Microsoft product had both disc and license inside, but it also came with something you didn’t bargain for: responsibility for its successful, safe operation. As a physical offline copy, security issues in operating this relic of the past could be placed squarely on you. But now that Microsoft Word has gone through multiple cycles of product consolidation and emerged as a vital business pillar, security considerations surrounding the whole Office suite, and now Teams, deserve another look. Microsoft Teams allows collaboration and communication across the various services that are included in Office 365. Make no mistake, Teams users can be confident in the safety of their data, but when more weight lands on the solution as a productivity cornerstone, it’s smart for organizations to supplement Microsoft’s built-in safety mechanisms. From discs to on-demand software, the now fully-integrated nature of Teams makes it a powerful tool, but one that sits at the epicenter of a bustling cloud encapsulating both good and bad actors.
Exemplified primarily by Microsoft, products that were once sold separately eventually congeal into a single platform that offers them all as functions conveniently packaged together. This is what happened to Word, Excel, PowerPoint and other Microsoft software that turned into the Microsoft Office 365 “as a service” solution. With Teams, increasing sophistication and connectivity in the name of a good user experience has also created new ideas in the world of security, as most innovations do. Teams represents a single window into the virtual Office, where employees can discuss projects happening in real time, talk over chat, voice or video call, and work on shared documents together. This shiny front end doesn’t bely any backend complication, but it’s there. For each “team” you create, the backend gets a new SharePoint site, Office 365 group and other assets in places like OneNote and more. This doesn’t include other integrations that your organization might choose, such as ZenDesk, Salesforce, Mailchimp and other popular platforms. With an impressive level of integration comes an intricately complicated environment for security professionals, especially as companies expand and lean on Teams even more. Licenses are online, so much of the functionality that Teams offers is largely available when an organization is connected to the web. Moreover, since November 2019 Microsoft has allowed Enterprise customers to grant guest access to contractors and other non-licensed individuals who work with them. Suddenly, file sharing of sensitive documents and resources is happening outside the network and unfamiliar entrants are streaming in, so managing the chaos becomes necessary.
Both in how Teams is secured and used, and in the tools that IT security teams must enforce for users, care should be taken so that data inside Teams doesn’t sprawl outside of its boundaries, or alternatively, become concentrated and offer hackers a single ripe target. Much like Slack, Teams users can create different channels where they communicate about specific subjects or tasks related to this department or the other. While users should be encouraged to create new and different channels for their conversations, it’s crucial to maintain control and ensure that loose ends (dead, repeat, underused channels) don’t occur, and that sensitive information isn’t overly shared or replicated in multiple different places or with people who don’t need to see it. Integrations are crucial to any organization relying on Teams, and when implemented correctly they are amazing productivity boosters. However, one of the most underestimated issues that occurs in a highly integrated environment is configuration: Sometimes the integration may work well but the most minor settings might create a security gap that leaves the network exposed. When many third parties are a part of your Teams installation, whether they’re services or service providers, it’s recommended to layer an extra security blanket over the whole thing. Teams has built-in two-factor authentication, and IT should require it before users are able to log in. Don’t stop there, though, extra effort to track devices and endpoints should be taken as it will also help IT prevent downloads from Teams to unmanaged devices, or those that haven’t passed through the gates of “Zero Trust”. Because Teams is a nucleus of business activity and by definition holds assets that might spell trouble in the wrong hands, a strict least-privilege access model should be instituted. Another integrated solution is suitable, but one that simplifies the security functions that can plug into Teams, and with a purpose to remove trust from the equation, full stop.
In few organizations does each employee need access to the full list of functions and capabilities that Teams provides. Microsoft understands that not every employee will need access to SharePoint, for example, and supports Teams separately as a cloud app for Azure Active Directory and the conditional access policies it offers. To take advantage, however, administrators must ensure that the correct policies exist on all applications inside the Teams installation such as Exchange. This can take some maintenance and oversight, so it’s easier to find a more unified, seamless Zero Trust solution where all this is done from a single admin panel. Security providers pursuing the Network as a Service model are already being used for this purpose, and when integrated with Teams are able to better streamline the orchestration of necessary security tools. Network as a Service solutions reside on the network layer and therefore allow organizations to easily define custom access policies for segments of their local and cloud resources (like Teams, or parts of it). This way, IT controls which roles, devices, and locations are allowed into specific parts of Teams and other network areas with greater ease. Additional security tools can’t hurt, and add a safety net to Teams in a couple different ways. Though Microsoft has 2FA, Single Sign-On and the encryption of files, a wider array of options is helpful. Support for other MFA and SSO providers is nice, as is the option between SSL, IPSec, and WireGuard in terms of encryption, for instance. One idea which should surely not be forgotten is better network activity monitoring. This is one of the most important points for complex Teams installations: logging and monitoring is a lynchpin to proactive threat detection and compliance alike. Integrating these functions directly into Teams doesn’t complicate it. Why? Simply because they’re all offered under the umbrella of a single security provider which integrates directly into Teams and saves IT from fiddling around with different settings between Exchange, SharePoint, Word, Azure, and others. Teams is an amalgamation of multiple useful software tools, but there’s no question that productivity is the primary reason for its existence, and that third-party security services improve it is neither a surprise nor takes from its impressive reputation.