Archiving is seen as a procedure that only applies to companies that need to follow specific regulations and compliance requirements. The IT blunder at KPMG that deleted 145,000 users’ personal chats in Microsoft Teams makes the case for us.
Are Microsoft Teams Default Security and Compliance Tools Good Enough?
Microsoft Teams is a fast-growing communication and collaboration platform for business use. As of the end of 2018, Teams has overtaken Slack to become the market leader, and it is now used by more than 329,000 organizations worldwide.
While Microsoft Teams is an open platform that offers a vast range of collaboration options from any device, allowing such an accessible platform comes with compliance and security challenges.
Companies deploying Teams need to make sure they are as protected as possible. We have covered in the past some of the security and compliance challenges that should be addressed when moving to Teams. Let’s dive deeper into this.
Sensitive Data Loss
The very collaborative benefits that employees love can be a major headache for security and compliance teams. Sure, sharing files at the tip of your finger is great for workflows, but how do you make sure sensitive data isn’t being shared? Preventing data leakage or loss is a must-have when controlling risk with Teams.
While Microsoft Office 365 offers some rudimentary DLP (Data Loss Prevention) capabilities, they are often not sufficiently effective. Content is usually inspected after it is sent and not in real time. Content can’t be blocked or masked based on organization-wide policies. If you wish to detect and protect sensitive data from leakage you may want to look for a third-party solution, like SphereShield.
Advanced DLP tools usually offer built-in rule templates that prevent data such as Social Security numbers, credit card numbers and ID numbers from being shared. Additional rules that are specific to your organization (like a secret project name) can always be added as well. You may want to invest in a solution like SphereShield that is tailor-made for Microsoft Teams, and can inspect content according to specific Teams functionalities or integrate a company’s existing DLP solutions that may not cover Teams.
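To make the rule types above concrete, here is an added example (not SphereShield or Microsoft code) of inspecting a message before delivery and either masking or blocking it. The rule set, the project name "Project Falcon" and the block-on-keyword policy are assumptions made for illustration.

```python
import re

# Constructed rule set: two template-style rules plus one organization-specific
# keyword rule. "Project Falcon" is a made-up secret project name.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
KEYWORD_RE = re.compile(r"project\s+falcon", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_message(message: str):
    """Return (action, text_to_deliver, rule_hits) for one outgoing message.

    Policy assumed here: a keyword hit blocks the message; SSNs and card
    numbers are masked so the rest of the message can still be delivered.
    """
    if KEYWORD_RE.search(message):
        return "block", "", ["keyword"]
    hits = []

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # e.g. an order number: leave untouched
        hits.append("credit_card")
        return "*" * (len(digits) - 4) + digits[-4:]

    def mask_ssn(m):
        hits.append("ssn")
        return "***-**-" + m.group()[-4:]

    text = CARD_RE.sub(mask_card, message)
    text = SSN_RE.sub(mask_ssn, text)
    return ("mask" if hits else "allow"), text, hits
```

The Luhn check is what keeps long order or ticket numbers from being masked as card numbers, a common source of false positives in pattern-only rules.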
Collaboration with external business partners can be a dangerous proposition if left unchecked. Getting a handle on who can join these messaging applications is critical to preventing data loss and staying compliant with regulation.
Microsoft Teams allows users outside your organisation to communicate with your employees. You have control over which domains can communicate with users from your company but that’s about it. You don’t have granular control.
These messaging policies are not enough. They are applied per user (not per group) and are not context aware. They do not change based on participants or scopes. For example, if settings are set to block a user’s file sharing capabilities, he won’t be able to share files either internally or externally. That means you can’t limit an employee from communicating with external users in a specific, tailor-made way.
When federating with external companies, you may wish to control two aspects:
- Who can communicate with whom
- How they can communicate
SphereShield’s Ethical Wall can be used for this purpose. Policies can be applied on users, groups or domains (that solves the “who” part). In addition, granular modality policies help control communication capabilities such as IM, File transfer, Meeting, Audio, Video and more. Ethical Wall policies can be created to control both intra-organisation communication and inter-organisation communication.
Offline eDiscovery Archiving
Most companies today face compliance regulation requiring them to archive information in an accessible way. This is sometimes even more challenging for international organizations. Different data laws and consent requirements impact cross-border eDiscovery management. As with some of the security and compliance concerns we already covered in this article, Microsoft does offer an eDiscovery module for O365, which also inspects Teams. However, the advanced eDiscovery is not free and requires the E5 license. Furthermore, even if you invest in the license, you may want to consider archiving data on-site and not in the cloud. That decision should depend on how sensitive the information your company handles is. If you wish to store eDiscovery archives on-prem, you would need to invest in an alternative solution to Microsoft.
SphereShield’s eDiscovery can be implemented online or on-site.