Microsoft Teams is a fantastic collaboration tool allowing people to share data effortlessly within the same organization and even across organizations. Unfortunately, because it was built with collaboration as the primary driver, it can be easy to ‘overshare’ data you don’t want to share. Case in point last month’s security incident at the Army Futures Command (AFC) due to a misconfiguration issue in Microsoft Teams that marked some teams as public; potentially making sensitive data, specifically PII, within those public channels available to all Defense Department personnel with Teams access. Here’s 5 common pitfalls to avoid in order to ensure your users can reap the productivity benefits of Teams without inadvertently causing a data security incident or breach.
1. Governance & Training
According to the 2021 Data Breach Investigations Report, misconfiguration issues continue to be a significant source of breaches for organizations, most often caused by insiders such as system admins. In cases like this the blame usually lies on a lack of internal policies and user training. To harden security in Teams or any other tool, clear governance policies are needed as well as ensuring users are trained to set the correct permissions at the correct times. In this case, the creators of those Teams could have created ‘Private’ Teams instead of ‘Public’ Teams to begin with and that is now the policy for AFC moving forward. However, we’ve all seen how Teams that were created for one purpose often seem to morph into a different role with different members than were originally intended. Manually assigning the correct users (and follow up by removing them) introduces its own set of difficulties.
2. Permissions Creep
This transitions right into another big issue I see often in Teams and other applications – permissions creep. If you’ve ever added someone to a Team and forgotten they were part of that team or chat until you dropped something in the chat and someone unexpectedly replied, then you know what I mean. You may need to add someone to a Team, but as their role changes, they may no longer need to be a part of that team. It’s the same issue that IT has struggled with for years on File shares. With Teams the issue is more widespread because it’s very easy for a team member to give another user access to a Teams channel without any admin oversight.
3. Human Error
Then there are just good old-fashioned user mistakes. It can be really easy to drop a comment into a chat or channel that you did not intend to. I see this often during meetings when someone drops a comment in the chat that was clearly not meant for that meeting or for that group of people. What if you followed it up with a sensitive file or files? You can chalk that up partially to trying to multi-task, especially while you are on a meeting that doesn’t exactly hold your interest but, this is not a new issue.
4. Guest Access
One policy that I often see organizations struggling with is whether or not to implement external user access or not. Business users often need to collaborate with people outside of the organization and allowing users to easily share files and channels to external users has some obvious benefits and limits the need for IT to get involved. The way some organizations have dealt with this issue while trying to maintain a higher level of security is to force users to have IT create all external Guest accounts and then allow users to share resources out only to those approved accounts. That certainly lowers the likelihood that you’re going to share with a user or organization that you don’t want to by mistake, but it’s still relatively easy to give those external users access to sensitive data by mistake once IT has created those accounts. The other big downside is that it shifts the burden back to IT.
5. Accidental Data Leaks are Not Limited to Teams Use
The Army’s new directive to not place sensitive PII data into Teams is a good one, but again this relies on user training and users doing what they’re supposed to do 100% of the time. Sharing personal data is a requirement for some people, such as Human Resources and the issue certainly isn’t confined to Teams usage. Who hasn’t heard of someone in their organization emailing the salaries of all employees to the wrong people by mistake? Who hasn’t received email that was clearly meant for someone else? I’ve gotten plenty of emails meant for another Jeff, some of which were related to sensitive HR matters.
So, what is the solution? Like any cyber security issue, I don’t think anyone will seriously tell you that there is a single silver bullet for this. Well thought out governance and IT policies that strike a balance between security and business use, user training, Auditing, Attribute-Based Access Control and probably more user (and even admin) training are all good places to start.
How can Attribute-Based Access Control or ABAC help to solve Teams security?
ABAC is not a replacement for your traditional Role based or Container based security methodologies but rather as an additional layer of security over what you already have. ABAC can serve as a ‘lens’ between the users and the data, focusing users on data that they should have access to and obfuscating data that they should not have access to based on the attribute combinations of the users and the data.
ABAC is dynamic, so its possible to automatically adjust the access that a user has to the same files based on different circumstances such as the browser or Operating System (OS) that they’re using or their location. A common request we see at archTIS is to allow full access if the user is accessing the data from inside the network versus limited, read-only access if outside of the network, or no to very limited access from a foreign country. Because not all browsers and OSs are the same and some have additional risks, an ABAC enabled data security can perform the same level of permission filtering if accessing it from a Mac or mobile OS or from a non-approved browser.
If the data is marked as sensitive, it is very easy to make sure that only certain types of users have access to it. This decision could be based on user Nationality or Clearance level (for government customers) or Department, Group or even Title for Commercial Customers. Even if the end user has full access to the container the data is sitting in, we can limit the access or completely prevent the users from seeing the files.
What makes a document sensitive? That depends on the organization’s definition of sensitive. It could be credit card data, Personal data (PII), healthcare information (PHI), HR files, Financials, M&A or even Intellectual Property. For the Defense industry it could include classified data, Controlled Unclassified Information (CUI), Federal Contract Information (FCI) and Export Controlled Information under ITAR and EAR.
With NC Protect, this determination can be based on a variety of factors such as MIP sensitivity labels, third party meta data labels or using the product’s built-in scan engine to look for and tag sensitive information. Based on a document’s sensitivity level and user attributes and the associated access and security policies you build in NC Protect, it can dynamically prevent unauthorized users from seeing sensitive information. NC Protect’s policies and protections can be applied to content that’s been emailed, placed in a File Share, SharePoint Site Collection, Team or even a chat that a user has access to.
How NC Protect Enhances Teams Security
Imagine dropping sensitive data into a Team. In the example below, John Smith (on the left) has asked Megan (on the right) to verify her personal information. Unfortunately, John dropped the file into the Teams chat rather than a personal chat and further, he dropped another user’s personal data (Ivan’s) into the chat rather than Megan’s.
In the screenshot below, NC Protect policies determined that the file was sensitive and prevented Megan from even receiving the file as she is not a member of the Management Team or HR and shouldn’t be able to see those files.
With the explosion of users and organizations taking to Teams in the last two years, M365 security in general and Teams Security in particular have all come under much greater scrutiny. Many organizations were in a rush to implement a mobile workforce and as a result had to implement technology that in some cases they didn’t fully understand. Many organizations that I speak with only have Teams partially implemented because they still don’t have a full handle on the potential security issues inherent with any collaboration platform. This incident emphasizes why IT and Security Professionals have had to go back and really take a hard look at their current security posture and policies in the Teams environment.
Learn more about how NC Protect can help you leverage ABAC to secure your Teams data.
