Microsoft Teams is a fast-growing communication and collaboration platform for businesses. By the end of 2018, Microsoft Teams surpassed Slack and became the market leader. Today, more than 329,000 businesses use it.
Microsoft Teams is an open platform offering a wide range of collaboration options from any device. This inevitably leads managers IT (CISO, CIO, ...) to ask questions about compliance and security issues.
Organizations deploying Teams should ensure that they are as protected as possible when moving to Microsoft Teams.
Loss of sensitive data
The highly collaborative benefits that employees enjoy can be a major headache for security and compliance teams. Sure, fingertip file sharing is great for workflows, but how do you ensure that sensitive data isn't shared? Preventing data leakage or loss is key to controlling risk with teams.
Although Microsoft Office 365 offers rudimentary features DLP (Data Loss Prevention), they are often not effective enough. Content is usually inspected after it is sent, not in real time. Content cannot be blocked or masked by policies or across the organisation. If you want to detect and protect sensitive data from leakage, you may want to look for a third-party solution, such as SphereShield.
Advanced DLP tools typically offer built-in rule templates that prevent the sharing of data such as social security numbers, credit card numbers, and identification numbers. Additional rules specific to your organization (such as a secret project name) can also always be added. You may want to invest in a solution such as SphereShield, which is tailored to Microsoft teams and can inspect content for specific features at Teams or integrate with an organization's existing DLP solutions that may not cover teams.
External users
Working with external business partners can be a dangerous proposition if left unchecked. Knowing who can join these messaging applications is essential to avoid data loss and to remain compliant with regulations.
Microsoft Teams allows users outside your company to communicate with your employees. You have control over which domains can communicate with users in your company, but that's about it. You don't have granular control.
These email policies are not sufficient. They are applied per user (not per group) and are not context sensitive. They do not change based on participants or scope. For example, if settings are made to block a user's file sharing capabilities, they will not be able to share files either internally or externally. This means that you cannot prevent an employee from communicating with external users in a specific and tailored way.
When federating with external companies, you can control two aspects
Who can communicate with whom?
Who can communicate with whom?How can they communicate?
The SphereShield Ethical Wall can be used for this purpose. Policies can be applied on users, groups or domains (this solves the "who" part). In addition, granular modality policies can be used to control communication features such as instant messaging, file transfer, teleconferencing, audio, video, etc. Ethical wall strategies can be created to control both intra-organisational communication and inter-organisational communication.
Offline eDiscovery archiving
Most companies today are faced with compliance regulations that require them to archive information in an accessible manner. This can be even more challenging for international organizations. Different data laws and consent requirements impact cross-border e-discovery management. Like some of the security and compliance issues, which we've already described in this article, Microsoft offers an e-discovery module for O365, which also inspects Microsoft Teams. However, advanced e-discovery is not free and requires the E5 license.
In addition, even if you invest in the license, you may want to consider archiving the data on site and not at cloud. This decision should depend on the sensitivity of the information your company processes. If you want to store eDiscovery archives on site, you need to invest in an alternative solution to Microsoft.
Need expertise?
Would you like to delegate this task to us or do you have a simple question or suggestion? We will be happy to answer them by email or telephone.
