The last few months have been an interesting time for all, I am certain we have all experienced several changes as it relates to this new, accelerated (for some) working from home paradigm. When working from home, we are forced to use new ways to communicate and collaborate, tools which until now have been used in very different ways.
For example, take Microsoft Teams which lots of organisations saw Teams as a simple replacement for Skype for Business, somewhere to exchange instant messages and maybe have the odd conference call. Most however, had Teams on the roadmap at some point and possibly did not understand how it could be used to radically improve collaboration and increase productivity.
The numbers speak for themselves;
Quote – “During Microsoft’s Q3 2020 earnings call on Wednesday, CEO Satya Nadella dropped some impressive numbers concerning the company’s own workplace communication app Teams. Just six week after reaching 44 million daily active users in late March, Microsoft Teams is now being used by more than 75 million people each day.”
Which is insane right?
With this many new users on the platform, there are going to be teething problems or some things which are not fully understood when adopting technology to simply “enable” people to work remotely, and implemented at a rapid pace, or simply thrown out there.
It is fair to say, some organisations have had to rush to this new way of working and will likely revisit security as things start to settle down. However, it is unlikely things will go back to the way they were. We will see a ‘new normal’, where some businesses will have successfully made the requisite changes and adopted new, secure ways of working, others however, may have fallen victim to some kind of data breach or event and will now be scrambling to get controls in place.
Collaboration / Teams data challenges, sprawl, new locations, sharing, etc.
One of the biggest concerns is information security and governance. As more and more people collaborate, create and share, new storage locations are introduced, and the structure of information quickly gets messy. Think about a nicely structured SharePoint site on day one, and then as information is shared and moved around, it does not take long to lose control over where information is stored, and how it is being shared with who and why. Therefore, as things get more and more out of control risk is introduced into the business.
In Teams, as users create Teams, modify, and communicate, there are situations where users reside in Teams they should not be in, information (Links) or files are shared directly in a chat window or channel. When documents are uploaded in Teams, they are stored in SharePoint. When the document is uploaded, it is shared with the individuals in the included in the session, however, there is no way of capturing “why” the information is being shared, and/or the duration it should be shared for. The result of this action is the information remains in the chat history or channel including the link and is not removed. If additional people are invited to the channel, they will have access to the link and document. Can you be certain all members of the team “should” have access to this information? Or even worse, be able to access private or sensitive information which could be included in the link or document? This also leads to the randomness of stored files in SharePoint, which is a significant problem in itself. Now, if you assume each person in an organisation has around 15-20 interactions like this per day, you can see the scale of the problem and how quickly it all gets out of control
Solving the problem
Now we understand the magnitude of the problem and introduction to how modern collaboration paradigms are making information governance and security a headache, we can look to ways in which we can alleviate and reduce the risk of data loss, breach, or potential financial penalties. Gaining insight into who “has” access, “should” have access, and more importantly “why” they have access will help make decisions around team membership, which in turn will reduce exposure to sensitive information where it should not be allowed or granted.
When looking at information governance, you could consider a phased approach, from Average, through Good, to Best. Increasing governance maturity as you step through each phase would allow for gradual and controlled introduction of the required tools and policies. If we consider this approach, we could have the following three scenarios:
1. Average – Teams Governance & Retention Policies
To get a good hold on Teams sprawl and other issues, it is best to have a policy set up which users can reference. This could just be a one-page document which details what Teams should be used for, possibly a naming convention, and some guidance around external parties and data usage. This document is a good start, but you can go to the next level (assuming you have the licensing) and you can enforce some of these things. One of the best ones when you are starting out, is restricting who can create Office 365 Groups – note: this has implications beyond Teams, so it may be best to ease this restriction when you have the correct governance in place. The other point here is Retention, we prefer to just recommend all businesses run a Retention Policy in Office 365 which retains all data, forever. There are storage implications here, but it isn’t a big deal normally – the same can be done for chats as well.
Here are the ones we cover in our Teams Governance FastStart – note: specific licensing is required as above.
- Naming Conventions
- Office 365 Group Creation
- Approved Apps
- Expiration policies
- A Teams “Request” form
- Office 365 Group Classification
2. Good – Add Azure Information Protection
Adding Azure Information Protection (AIP) to the deployment gives you some extra controls – not just for the individual documents – but you can now classify Office 365 Groups, Teams and SharePoint sites (at time of writing, this feature is still in preview). By turning on this feature, setting up some sensitivity labels and applying them to Teams or SharePoint sites you can force a group to be Private or Public, prevent or allow guest access and limit or prevent access on unmanaged devices (Conditional Access is also required for this one). Pretty cool stuff.
Of course, you should also make classification available to users for individual documents or emails as classifying a Team or SharePoint site doesn’t classify the documents in the site, which adds more functionality. Adding Data Loss Prevention (DLP) and/or Azure Information Protection P2 (automatic labelling) adds additional capability around preventing data leakage. Rolling out AIP the correct way can be a reasonably detailed undertaking for which we have developed a methodology that could include Shadow IT assessments, taxonomy definition, scanning of environments and more.
3. Best – Add Torsion Information Governance
By adding Torsion to the mix and connecting it to your 365 tenancy, you can see how information is being accessed and who has access. See who has access to anything and why for any file, folder, library, or site. As information is created, Torsion captures reasons as you go, so wherever anyone has access to something, you can also see the business reason why they have access.
Further to this, Torsion (through machine learning) can automatically determine who “should” be the owner of data locations and content based on interaction and access. From there, Torsion can set data ownership and manage access on an ongoing basis.
If we apply this to Teams, very quickly, you can see how many people the team is shared with through a new tab in the team called “Sharing and Security”. You can also immediately see if security problems exist within any given team. For example, a user has access to the information contained in the team which they should not have access to. Once a security issue is identified, an alert is sent to the data owner for resolution.
An important and very powerful thing to note; Torsion understands and honours information protection classifications and labels – I referenced AIP earlier. When implemented, AIP classifications are adhered to when Torsion is looking at information access, if a user tries to share a file to a team which has a classification set, Torsion will prevent sharing the file to the team, and alert the team/data owner of the attempt to share. The combination of having visibility over who has access and why together with the power of information protection changes how collaborators view information and resulting behaviours dramatically reduce the potential for breach of compliance policy or data loss through misuse of sharing.
For more information, discover Insentra’s Modern Workplace.