09 Sep, 2020

How Secure Is Microsoft Teams?

What is Microsoft Teams?

Microsoft Teams is a chat-based online work platform that lets team members collaborate seamlessly. This workspace, which comes with Office 365, has come into frequent use by companies, the education and health sectors, and official institutions, especially with the increase in remote working during the COVID-19 period.

Microsoft Teams includes the following main features and services:

  • Chat: This feature allows users to send private messages to each other and attach files within messages.
  • Teams: This tab allows users to create teams. Through the channels you create within a team, you can start conversations. When a user creates a team, they actually create an Office 365 Group in the background.
  • Calendar: This service syncs with users' Outlook calendars so users can schedule meetings and projects with ease.
  • Calls: This tab allows users to initiate and receive audio and video communications between each other. Calls are built on the Skype framework.

The main concerns about Microsoft Teams security are:

Microsoft Teams is a tool that supports internal and inter-company conversations and collaboration. However, the fact that an unlimited number of files can be shared among an unlimited number of users also raises concerns. In particular, the following items are the points that IT professionals are most concerned about.

Guest Access: The guest access feature allows team owners to invite outside parties to team events. Guests have full access to team channels, chats, shared files and meetings. There are no restrictions on who can or cannot get guest access privileges. This raises the concern that sensitive data can easily leave the organization.

Permission Model: Microsoft designed Teams with an open permissions model so that it would be a self-organizing structure. Under this model:

  • Any user can become a team owner by creating a team and inviting other users to join it.
  • Every team member has full access to all data in the team's public channels, including chat messages, meeting content, and shared files. They can share files and create new channels.
  • Any guest from outside the organization can share files and even create new channels within the team.

Thanks to this permission model, a data-sharing environment can be set up and accessed very quickly. However, it is a concern for IT professionals because it is difficult to monitor and control.

Application Management: Users can increase the capabilities of their team channels by adding applications. An app allows users in a channel to receive content and updates directly from third-party services. However, these apps often ask users to allow them to access their data. This may lead to improper transfer of company information to third parties. Since there are many business partners in the store, this situation creates a security problem for IT in terms of monitoring and management.

Data leak: Without adequate security enforcement, a Teams user could intentionally or accidentally share confidential information with unauthorized recipients, putting the company's intellectual property and reputation at risk. Additionally, since Teams is a SaaS platform that sends and receives packets via the cloud, there is a risk that malware or malicious individuals may capture files in transit and use them for other purposes.

Microsoft Teams Security Basics and Tips:

Teams leverages its integration with core elements of the Microsoft security framework. The main ones are:

  • The file sharing experience is powered by SharePoint.
  • Team conversations are stored in a special group mailbox in Exchange Online.
  • Azure Active Directory stores and manages team data and membership. It also manages user authentication for the Teams platform as a whole.

Some of the Teams security practices are:

  • You can use the settings on the Manage apps page in the Teams admin center to control which apps are blocked or made available for your organization. The disabled application shown in the picture below is only an example.

You can also use app permission policies to block certain apps or make them available only to certain user groups.

  • By default, a user with a mailbox in Exchange Online can create and own a team. If you want to limit the number of users with this privilege, you can create an Office 365 group with special permissions to create new teams.
  • You can configure general Teams settings. For example, you can choose whether users can communicate with people outside the organization, whether file sharing and cloud storage features are enabled, and what authentication is required to access meeting content.

You can use the "Guest Access" settings in the Teams admin center to configure the access level given to guest users. For maximum security, you can disable guest access by default. Or you can turn on guest access but disable certain privileges like screen sharing.

  • You can use Microsoft's Surveillance policies to monitor chats and team channels. You can also use the Usage section under Analytics and reports in the Microsoft Teams admin center or Reports in the Microsoft 365 admin center.
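The guest access settings described above can also be reviewed from the command line. The following read-only audit is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module is installed and the session is signed in with a Teams administrator account, and the output file name is illustrative.

```powershell
# Added example: read-only audit of guest exposure in Microsoft Teams.
# Assumes the MicrosoftTeams module and a Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

# Tenant-wide switch behind the "Guest Access" page of the Teams admin center.
$client = Get-CsTeamsClientConfiguration -Identity Global
Write-Output ("Guest access enabled tenant-wide: {0}" -f $client.AllowGuestUser)

# What guests are allowed to do in meetings, such as screen sharing.
$guestMeeting = Get-CsTeamsGuestMeetingConfiguration -Identity Global
Write-Output ("Guest screen sharing mode: {0}" -f $guestMeeting.ScreenSharingMode)
Write-Output ("Guest IP video allowed: {0}" -f $guestMeeting.AllowIPVideo)

# Walk every team and record the ones that contain guests, with their owners,
# so that each externally shared team has a named person to follow up with.
$report = @(foreach ($team in Get-Team) {
    $guests = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)
    if ($guests.Count -eq 0) { continue }   # no external members in this team

    $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    [pscustomobject]@{
        Team       = $team.DisplayName
        Visibility = $team.Visibility
        Owners     = ($owners.User -join '; ')
        GuestCount = $guests.Count
        Guests     = ($guests.User -join '; ')
    }
})

# Teams with the most guests first; keep a CSV copy for periodic comparison.
$report | Sort-Object GuestCount -Descending | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\teams-guest-audit.csv -NoTypeInformation -Encoding UTF8

# Hardening step matching the text above (guest access on, screen sharing off).
# Left commented out so the script stays read-only:
# Set-CsTeamsGuestMeetingConfiguration -Identity Global -ScreenSharingMode Disabled
```

Running the audit on a schedule and comparing the CSV files shows when new guests appear in a team.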

Compliance with legal regulations:

Teams complies with international, national and industry-specific regulations. It meets more than 90 legal standards and supports the requirements of security laws for the safety of all users, including corporate companies, the education and health sectors, and those using it for personal purposes. The most important of these are KVKK, GDPR and the Family Educational Rights and Privacy Act (FERPA).

Is Microsoft Teams Safe?

Conclusion:

As a result, applications such as Microsoft Identity and Access Management, Azure Security Center, Windows Defender and Azure Advanced Threat Protection create an integrated security shield when using Teams. With Windows Authentication, all remote employees of the company are identified and their file access is managed. The Azure Information Protection and Azure Confidential Computing platforms protect shared files and information while working remotely.

Another security issue is internet infrastructure. The Azure Network Protection application controls the security features of the company database and home connection. Companies using Teams can see and manage all security applications, threats and user movements from a single panel.

Teams is a Tier D service and therefore complies with EU Model Clauses (EUMC), HIPAA, ISO 27001, ISO 27018, and SSAE 16 SOC 1 and SOC 2.

In addition to all these standards, companies and institutions using Teams should provide the necessary training to minimize the human factor, make the relevant configurations, put institution-wide policies in place, and keep security measures at a high level.

To do this, companies should evaluate their use of Teams against the umbrella standards they are committed to complying with, especially KVKK and the ISO 27001 ISMS, and integrate it into their business processes correctly.

