In the Post Pandemic World, the Usage of Teams has shot up. As per estimates in September 2021, there are more than 250 million daily active users of Teams Worldwide. While the initial Phase was all about deploying Teams to facilitate Collaboration, having achieved that, the Customers are now looking at ways to improve Security and Compliance within Teams.
General Considerations
All the Data is encrypted at rest and in transit. Files stored in SharePoint and OneDrive are encrypted. By design, for proper deployment, we need to provision Exchange, SharePoint, and OneDrive for Teams. When Teams is Created, a dedicated SharePoint Teams site is auto created to store content.
For every chat conversation, files are stored in sender’s OneDrive while text and images are stored in exchange.
Let us look at some of the ways in which we can make our Teams more secure.
Setup basic Multi Factor Authentication
External User Restriction: Block external users completely or only selected domains or allow only selected domains. Users in R and D may need strict control. But Sales and Marketing teams may need less controls.
Manage Meeting Policies: You can set various policies to ensure that Teams meeting comply with the Company rules and compliances.
Decide who can edit or delete Chat messages
Disallow Screen share and Private calls
Configure Teams with 3 Tiers of protection: Baseline Protection; Sensitive and Highly Sensitive
Safe Links and Safe Attachments for Teams. This requires Defender for Office 365:
Safe Links helps protect your business against malicious sites when people click links in Office apps. Safe attachments prevent malicious docs from being used.
Shared device sign-out:
Many Firstline Workers use a single tablet or mobile device that is shared between shifts. This can pose unique security challenges to the organization when different employees who have access to different types of data use the same device over the course of a day. With shared device sign-out, Firstline Workers will be able to log out of all their Microsoft 365 and custom applications and browser sessions with one click at the end of their shift—preventing their data as well as any access to customer data from being accessible to the next user of that device.
Off-shift access controls for Teams app:
IT administrators can now configure Teams to limit employee access to the app on their personal device outside of working hours. This feature helps ensure employees are not involuntarily working while not on shift and helps employers to comply with labor regulations.
Apply Data Loss Prevention Policies via Channel Conversations
Content Search allows you to do audit of Teams Data
In place Hold to facilitate legal investigation
E discovery for files, meeting, calls, chats including Private Channels
Chat retention policies (data preservation and deletion):
By Default Content is retained forever. But this can be changed with policies; 1 day delete; one month delete; one year delete; 7 years delete.
Use Sensitivity Labels in Teams for Data Classification:
Monitor Offensive Language if used in Chats.
Compliance
SharePoint DLP using Intune and Azure AD Premium
Unmanaged devices. Restrict access from devices that are not compliant or joined to a domain.
Idle session out. Automatically sign out users from inactive browser sessions.
Network location. Allow access only from specific IP addresses.
Block access from Office 2010 and other apps that cannot enforce device-based restrictions.
Remote Wipe. Wipe Corporate Data from system if it gets lost leaving personal data intact.
Information barriers created using power shells will prevent some groups to communicate from each other (in higher plans).
Block Internal Teams to access with each other.
Communication Compliance to prevent inappropriate language (in higher plans).
Protect data through restricting the copy/ paste of corporate data within Office 365 apps only in Mobile and PCs.
Block printing organization data.
Block screen capture.
Conditional Access
