How to Approach Security and Compliance in Microsoft Teams the Right Way

By BDO Digital | September 25, 2019

In the modern workplace, teamwork is how work gets done. There’s been a 50% increase in collaborative work compared to two years ago. Businesses that invest in collaboration and teamwork are five times more likely to be high performing. The modern team is increasingly diverse and likely has both internal and external members that are geographically distributed.

For the first time in the workforce, there are five different generations working side by side, each with their own set of preferences and expectations. With all this teamwork happening, organizations need the right tools and technology to enable secure collaboration.

Microsoft Teams is the hub for teamwork that brings together chat, meetings, video conferencing, calling, Office 365 apps, and third-party tools, all in one place. And it's built on enterprise-grade security and compliance capabilities that are crucial for modern businesses.

There’s a misconception that Teams is just for IT folks, but it can be used by any department org-wide. But it needs to be governed. Just because you can get started with the click of a button doesn’t mean you should. It needs to be rolled out properly across the organization and actively managed. You can’t have an open-door policy to let users roam with too many options.

What’s the order I should approach security and governance in Teams?

  1. Identity and Access Management – securing access to Teams and business applications based on a set of conditions.
  2. Information Protection – protecting and encrypting your data in Teams and wherever it travels, along with the devices accessing it.
  3. Threat Protection – safeguarding Teams from advanced threats such as phishing attempts and malware.
  4. Security and Compliance Management – staying compliant and having visibility and control over Teams and its data, including third-party applications.

Identity and access management

You need to make sure the right people have the right access to the information they need while protecting sensitive data. Manage the identity and access lifecycle with access reviews. Think of access reviews as the keys to the castle – they determine who has access, when, and for how long.

Enable your organization to grant or revoke access for new hires, users who change roles, or those who are leaving. Enforce on-demand, just-in-time access when needed.

Create access reviews for each user account and set durations and end dates; these show up in the governance portal, so you can see which access reviews are due. You can assign a time frame, such as quarterly or annually, to get notifications when an access review is due. Use audit logs to verify whether users are actually using the access they have been granted.

Securing Guest Access

Trust but verify guests accessing your proprietary IP in Teams using Multi-Factor Authentication (MFA) and Terms of Use. MFA provides extra layers of authentication and cuts down on 99.99% of attacks coming into your environment. Ensure your guests sign a Terms of Use (data usage and access policy) before entering.

Information Barriers (Ethical Walls)

You can restrict certain users from communicating with users in other parts of your organization. For example, we have a client who deals with insurance, banking, and wealth management, but these sectors cannot solicit information from each other. They had to put an information barrier between each of the groups, so users in different groups can't initiate chats, phone calls, etc. with each other through Teams.

Conditional Access

Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity-driven control plane. At their simplest, Conditional Access policies are if-then statements: if a user wants to access a resource, then they must complete an action. Example: a payroll manager wants to access the payroll application and is required to perform multi-factor authentication to access it.
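
The if-then rule above, and the guest MFA plus Terms of Use requirement from the Securing Guest Access section, expressed as two Conditional Access policies created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from BDO Digital; the group, application and Terms of Use IDs are placeholders you would replace with your tenant's values.

```powershell
# Requires the Microsoft Graph PowerShell SDK: Install-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object IDs (not real identifiers): replace with your tenant's values
$payrollManagersGroupId = "00000000-0000-0000-0000-000000000001"  # Azure AD group: payroll managers
$payrollAppId           = "00000000-0000-0000-0000-000000000002"  # app ID of the payroll application
$guestTermsOfUseId      = "00000000-0000-0000-0000-000000000003"  # Terms of Use agreement shown to guests

# Policy 1: IF a payroll manager signs in to the payroll app, THEN require MFA.
$payrollPolicy = @{
    displayName = "Require MFA - payroll managers accessing payroll app"
    # Report-only first: sign-in logs show what the policy would do without enforcing it.
    # Switch to "enabled" once the logs confirm it only affects the intended sign-ins.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($payrollManagersGroupId) }
        applications   = @{ includeApplications = @($payrollAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: IF a guest or external user signs in to any app (Teams included),
# THEN require MFA AND acceptance of the guest Terms of Use.
$guestPolicy = @{
    displayName = "Guests - require MFA and Terms of Use"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("GuestsOrExternalUsers") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"          # both controls must be satisfied
        builtInControls = @("mfa")
        termsOfUse      = @($guestTermsOfUseId)
    }
}

foreach ($p in @($payrollPolicy, $guestPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
```

Both policies start in report-only mode; review the Conditional Access entries in the Azure AD sign-in logs before changing `state` to `enabled`.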

Azure AD Identity Protection

People tend to reuse their work email AND password combinations to access social media sites, shopping sites, etc. It happens more than you think. Use Azure AD Identity Protection to detect where those work credentials are being used. No matter where people are, you need to protect your organization.

Information Protection

Classify and Encrypt Sensitive Data in Teams

Use Windows Information Protection to automatically encrypt downloaded files and block cut, copy, and paste of protected content. Let's say you have an employee attempting to leak the roadmap for a new product launch. The employee tries to copy and paste the text out of Teams and into a Gmail message but is denied.

You can track a file to see who viewed it, who was denied access, and the history of its last activity. You can also revoke access to a file if you realize it was never supposed to get out.

eDiscovery in Teams

Use eDiscovery to find the history of calls, meetings, chats, etc. Let's say your legal team has asked you to monitor the interactions between two employees who were flagged for suspicious activity. Find all IMs, calls, meetings, etc. between them to investigate the situation.

Preventing Data Leakage within Teams

Prevent data leakage by identifying potentially compromised user behavior and detecting sensitive data in both native and third-party storage applications. Monitor suspicious activity involving sensitive data, such as where a file was saved and the journey it went on.

Threat Protection

Are you protecting your end-users with safe links and attachments?

Teams by default protects users from malicious links on the backend, and the same goes for attachments. If a malicious attachment or link makes its way into a Teams channel, advanced threat protection blocks it from opening. Admins are alerted and can dig into why it was marked malicious, track the activity around it, and review the analysis details.

Security and Compliance Management

Securing Teams can take some time, but once you get the hang of all the controls Microsoft provides, your users will have a secure environment in which to communicate and collaborate. Here are 10 questions to ask yourself when deploying Teams:

  1. Who in your organization should be able to create teams?
  2. Do you want your teams to have a similar naming convention?
  3. How long do you want your Teams to exist?
  4. How long do you want to retain the data stored in a Team?
  5. How do you want to protect confidential or sensitive data in Teams?
  6. Do you want to allow Guests (non-employees) to be members of Teams?
  7. Do you need your users to chat with people outside your company?
  8. Do you need to keep Skype in your environment as you are rolling out Teams?
  9. Do you have current Distribution Lists that could benefit from the features of Teams?
  10. Do you have existing O365 Groups that want Teams functionality?

Compliance Manager

Use Compliance Manager to help you stay on top of your compliance management activities. Compliance Manager is essentially a dashboard that provides the Compliance Score and a summary of your data protection and compliance posture, along with recommendations to improve both.

Compliance Manager uses a role-based access control permission model. By default, everyone in your organization with an Azure Active Directory (Azure AD) account has full access and can perform any action in Compliance Manager.

There are three key capabilities of Compliance Manager:

  1. Ongoing risk assessment – an intelligent score that reflects your compliance posture against regulations and standards.
  2. Actionable insights – recommended actions to improve your data protection capabilities.
  3. Simplified compliance – a streamlined workflow across teams and richly detailed reports for audit preparation.

Achieving organizational compliance is a team effort between compliance, privacy, IT, HR, marketing, and other line-of-business teams. Compliance Manager provides built-in collaboration tools for assigning, tracking, and recording compliance and assessment-related activities, which can help organizations cross team barriers to achieve their compliance goals.

Get compliant, stay compliant

Teams can help organizations tackle the challenge of harmoniously blending a multi-generational workforce, but it needs to be set up and governed the right way.

With over 200 compliance controls being released each day, how will you know if you're compliant a month from now? How do you know which compliance requirements matter to your organization? In fact, 47% of business executives don't know which compliance requirements they need to meet! You'd hope your bank or healthcare provider isn't in that 47%.

Watch our demo on Compliance Manager to see the tool in action as we walk through how to access the portal, understand controls and assessment scoring, and assign tasks and assessments.