MS Teams: The Gateway Drug to Security Chaos

We all know the COVID-19 pandemic forced organizations to rapidly accelerate their adoption of collaboration solutions. For organizations already using Office 365 or Microsoft 365, Microsoft Teams was a readily available answer to the remote workforce challenges IT departments faced as they shifted workers and workloads offsite.

But was the Teams explosion a blessing or a curse? Think about it: How much attention did most shops pay to governance and security planning during the initial transition? Or since? Your own organization’s experience might provide a clue: There simply wasn’t time.

Now that we’re more than half a year into the pandemic, it’s time to clean up the mess.

In this article, we’ll focus on three actions to take back control of MS Teams:

  1. Understand the data security chaos inherent in most MS Teams implementations.
  2. Lock down blatant security holes now, using existing O365 security settings.
  3. Implement governance to drive more granular control and security awareness.

Understand the Chaos

This challenge pre-dates the pandemic. Normal content management was flipped on its head long ago as SharePoint sites were often managed by designated business users to minimize friction, without the governance and security oversight normally provided by IT.

Starting a new project? Spin up a new SharePoint site without taking the time to manage access and data sensitivity. Just send a site link to the project team, and away you go. Sound familiar?

With MS Teams, unless you have applied appropriate controls, the risk is multiplied exponentially. For example:

  • Anyone can create a new Team in a typical MS Teams implementation, and each new Team also creates a new SharePoint “team” site, an O365 group and sub-groups in Azure AD. If your organization has 40 Teams and growing, you have 40+ SharePoint sites to manage (plus the new O365 groups and Azure AD sub-groups), each with its own team owner (i.e., team administrator).
  • Team members can share files with non-Team members and even external parties without the team owner being aware of this. If the Team is set up as Private, there are some restrictions, but members can still share content depending on your settings.
  • Visibility is limited because traditional SharePoint admin tools fail to provide a single-pane-of-glass view across all of these layers. For example, Team members might be visible in Azure AD but not SharePoint. If a file is shared with someone outside the team, their access is visible in SharePoint but not Teams or Azure AD.
  • The lack of appropriate controls exposes sensitive data to significant risks, including potential mismanagement by users untrained in data governance and security, and elevated risk of exposure within and beyond the organization.

Don’t get me wrong. MS Teams is a fantastic asset and has helped organizations quickly overcome remote worker challenges, but now the governance and security layers need to catch up.

Lock Down Blatant Security Holes

You must balance security with business needs; otherwise, end users will circumvent restrictions by sharing content via email, setting up a Dropbox account or worse.

Use the tools already built into O365 to tighten up security:

  1. Through the SharePoint Admin Center, in the overall External sharing settings, eliminate the option to share with anyone. At most, allow sharing with “New and existing guests” which at least requires sign-in to access shared content. Also, eliminate the option for guests to share items they don’t own.
  2. Use the Classic Admin Center to apply additional restrictions such as requiring staff to be members of selected security groups before they can share content with external users. Requiring staff to complete security awareness training before being added to the relevant security groups is also recommended.
  3. Apply additional site and group restrictions where appropriate. For example, disable external sharing altogether for relevant HR-related sites. Use PowerShell commands for more granular settings.
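The three settings above, scripted with the SharePoint Online Management Shell, as an added example that is not part of the original article. The tenant name and the HR/Payroll site URLs are placeholders to replace with your own; the security-group requirement from step 2 is set in the Classic Admin Center and is not scripted here.

```powershell
# Added example (not the author's): tighten SharePoint Online external sharing
# with the SharePoint Online Management Shell. Replace every <placeholder>.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Assumption: <tenant> is your tenant name; the admin URL follows that pattern.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Step 1a: audit before changing anything. Which sites currently allow
# "Anyone" links (anonymous access, no sign-in)?
$open = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability
$open | Format-Table -AutoSize

# Step 1b: tenant-wide, drop from "Anyone" to "New and existing guests"
# (ExternalUserSharingOnly = sign-in required). This is the ceiling:
# no individual site can be more permissive than the tenant setting.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Step 1c: guests may not reshare items they don't own.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# Step 3: disable external sharing entirely for sensitive sites.
# Assumption: these URLs are placeholders; substitute your HR/Finance sites.
$sensitiveSites = @(
    "https://<tenant>.sharepoint.com/sites/HR",
    "https://<tenant>.sharepoint.com/sites/Payroll"
)
foreach ($url in $sensitiveSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Verify: nothing should remain at "Anyone", and the sensitive sites
# should now report Disabled.
Get-SPOSite -Limit All |
    Where-Object {
        $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -or
        $sensitiveSites -contains $_.Url
    } |
    Select-Object Url, SharingCapability
```

Run the audit block first on its own and review the list of site owners before applying the tenant-wide change, since any site still relying on "Anyone" links will lose that access immediately.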

To go a step further, take advantage of additional security and compliance features such as data loss prevention (DLP) capabilities that might be part of your existing license. Here’s an overview of features by plan: https://docs.microsoft.com/en-us/office365/servicedescriptions/office-365-platform-service-description/office-365-securitycompliance-center

Implement Governance

Ideally, governance comes first, but if your end users have already gone rogue, you’ve still got plenty of options:

  1. Have IT establish a Team for each department (or sub-department) for general collaboration, with a limited number of Team owners—ideally managers—to control sprawl.
     • Work with department leaders to understand typical Teams use so you can establish standards for appropriate use.
     • For departments such as HR and Finance that regularly deal with sensitive content, IT oversight is especially important for organizational security and to provide guidelines to keep it that way.

Keep in mind that MS Teams sprawl is annoying to business users, too, as it makes it challenging to know where to look for content and which channels to use for collaboration. So, IT should leverage the “convenience” factor to “sell” this new approach to the business—after all, IT is doing much of the work to set up the new environment, including setting up the teams, members, channels and security.

Even with stakeholder backing, it will take time to transition toward a more-organized Teams structure. Start by archiving teams that have not been used recently and manage expectations accordingly.

  2. Educate all staff, but especially Team owners, on MS Teams integration with SharePoint and OneDrive so they understand how data sprawl occurs—and how they can help prevent it.
  3. Review data and categorize by sensitivity. A full-blown data classification project takes time, but in the short term, address at least the obvious risks by reviewing the type of data your organization manages and what should be considered sensitive. Use that guidance to further restrict access or sharing where appropriate.

Summary

While a complete MS Teams and O365 lockdown is not practical, most implementations are messier—and riskier—than they should be. A balanced approach to security and governance won’t hinder collaboration, but it will keep end users from inadvertently breaching security or compliance requirements. The business will benefit from increased productivity, too.

Frank Trovato

Frank Trovato is a Research Director at Info-Tech Research Group, and a certified business continuity professional with extensive experience in organizational resilience planning. At Info-Tech, Frank works with organizations in a range of industries to assess and improve their resilience capabilities, including their disaster recovery, business continuity, and ransomware security planning. Frank provides this assistance through workshops, phone advisory service, and the development of best practice guidelines, tools, and templates. Frank has appeared as a speaker at the Disaster Recovery Journal conference and the IBM COMMON Users Group conference.