How secure is the Microsoft Teams enterprise platform, what role does Office 365 and Azure Active Directory play here, and what Microsoft 365 services can complement the protection of the organization

How secure is Microsoft Teams?

How secure is the Microsoft Teams enterprise platform for your company, and how does its architecture protect internal business data? Is it safe to use Microsoft Teams, what role do Office 365 and Azure Active Directory play here, and what Microsoft 365 services can complement the protection of the organization – we will analyze all these questions below.

1. 7.1. Microsoft Secure Score
2. 7.2. Multi Factor Authentication
3. 7.3. Conditional Access
4. 7.4. Privileged Identity Management
5. 7.5. Guest Access
6. 7.6. Access Review
7. 7.7. Microsoft Cloud App Security
8. 7.8. Intune
9. 7.9. Microsoft Defender for Office 377
10. 7.10. Data Leak Prevention
11. 7.11. Communication Compliance
12. 7.12. Information Barriers
13. 7.13. eDiscovery
14. 7.14. legal hold
15. 7.15. Retention Policies
16. 7.16. Sensitivity Labels
17. 7.17. Compliance Recording

Introduction

Microsoft Teams is one of the core products in the Microsoft Office 365 cloud application portfolio and is tightly integrated with SharePoint Online, OneDrive for Business, and Exchange Online applications. This allows users to share files, instant messages and video conferences with up to 1000 participants.

In 2020, millions of organizations around the world have had to adapt the way they work and change their business architecture to enable the majority of employees to work remotely. This format in itself became a new challenge for everyone, and the tasks that had to be solved in the first place were the joint work and communication of employees. These two processes are the key to the success of the team: we communicate to share ideas, help colleagues and grow the business. From strategic sessions to cooler conversations.

All of this has fueled the explosive growth of collaboration and video conferencing tools. Microsoft currently leads the market, followed by Cisco, Google and Slack. Since its launch in 2017, Teams has become the fastest growing Microsoft app. Teams has 250 million daily users, up 72% since April 2021. Microsoft management shared this data as part of the company's fiscal 4Q 2021 earnings report.

So, Teams is the most popular collaboration and video conferencing app around the world, but how secure is it for your business? We'll take a look at how the Teams architecture provides security, why Office 365 and Azure Active Directory are the security platform where Teams data is stored, which Microsoft 365 services complement security, and how to use Teams securely.

Architectural Security

Microsoft Teams is built on top of Microsoft 365 and Office 365, enterprise-grade clouds. This provides extensive security and compliance options. Microsoft's compliance with regulatory requirements is continuously verified by external audits. This allows us to maintain the largest portfolio of audits on the market, both in terms of the number and volume of parameters assessed. Thus, Microsoft Teams has been confirmed to comply with global and local regulatory security standards: ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, SSAE16 SOC 1, SOC 2 and SOC 3, NIST CSF, HIPAA, EU ENISA IAF, EU Model Regulations (EUMC) and others.

With these strict requirements, Microsoft 365 or Office 365 customers own and control their data.Microsoft corporation protects the confidentiality and secrecy of data and does not use it for any purpose other than providing services. It does not have access to uploaded files, and also does not analyze e -mail or users for advertising and other purposes, which is fixed by contractual obligations.

The Teams application is built in accordance with the life cycle of the development of secure information systems Microsoft. At the first stage, a model of threats is created, and in the future, each component is tested in accordance with this model as it is designed. Improvements associated with security are integrated into the process of source code development. Boofer overflowing and other security threats are found at the development stage before the code is added to the final version of the product.

The Teams at the architecture level contains a decrease in risks such as:

• Attacks using a compromised key.
• Attacks of the type “Refusal for maintenance” (DOS).
• Listening.
• Fents of the certificate (IP scupping).
• Attacks of the type introduced intermediary (man-in-the-most, mitm).
• Attacks with the reproduction of RTP (Real-Time Transport Protocol-a protocol for transmitting real time traffic).
• Unwanted messages.
• Malicious programs.

Of course, it is impossible to design protection from all threats. However, the approach to the development process, which initially laid down the principles of safe design, and the security standards adopted in the industry are the fundamental components of the Teams architecture.

Teams security platform

Teams uses integration with other Microsoft products to meet the requirements for security. So, two -factor authentication and a single entrance are provided by Azure Active Directory using the OAUTH 2.0 protocol. This means that the security of the account is not related to a specific device, which is especially important for employees using the application on mobile devices and laptops.

Teams encrypts all data when transferring and storage in order to protect them from unauthorized access.

The data transferred by customers to cloud services is protected by TLS 1.2, which checks the authenticity of the servers where the information is loaded. FIPS 140–2 algorithms are used to exchange keys. The compounds between the Microsoft 365 and Office 365 servers are based on the Mutual TLS protocol for mutual authentication. All this makes it almost impossible to decryption of the transmitted data.

Multimedia traffic (audio, video and screen demonstration) of meetings, in which three or more subscribers participate, is processed by cloud servers and encrypted using the SRTP protocol, which provides confidentiality, authentication verification and attacks against playing RTP packets. However, there is a significant difference between meetings and calls one on one, which are routed directly between the two end points.They do not go through cloud servers, which makes it difficult to control the keys. Now the cryptographic keys of such challenges are agreed on the proprietary call signaling protocol Teams, which uses the encrypted channel UDP/TCP TLS 1.2 and AES-256 (in GCM mode). In September 2021, it is expected to update Teams for PCs and mobile devices that will provide End-to-End Encryption (E2EE)-encrypting calls one on one on the basis of updated politicians.

Stored in SharePoint Online, OneDrive for business and OneNOTE FIETS are protected by encryption protocols of these applications. So, SharePoint and OneDrive for business use encryption at the volume level using Bitlocker, supplemented by service encryption using Distributed Key Manager (DKM). You can also use your own key (Customer Key) for additional protection from access to non -authorized systems or staff. Using the client’s key is encrypted:

• Teams chat messages (one on one, group chats, meetings and communication in the channels).
• Teams media messages (images, code fragments, videos and images of Vicki).
• Records of calls and meetings posted in the TEAMS storage.
• Teams chat notifications.
• Teametry Teams.

Alternatively, you can configure double key encryption for especially significant data.

And here we approach the next important aspect.

Data storage in Teams

Information is a key asset of any organization, therefore it is important that working tools ensure data security and protect their integrity.

All the data that you exchange are in Teams, whether it is a file or message, are stored in Office 365 cloud services, which in turn are part of the global Microsoft cloud. It is located in data processing centers in 63 global regions, which allows you to store Teams data depending on the location of your organization. The data of Russian organizations are located in Austria (Vienna), Finland (Helsinki), France (Paris, Marseille), Ireland (Dublin) or the Netherlands (Amsterdam). These states adopted the 108th Convention of the Council of Europe and, from the point of view of Russian legislation, provide adequate protection of personal data. This allows you to carry out a cross-border transfer of the latter to these countries, without violating the Federal Law On Personal Data No. 152-ФЗ.

So, the files are stored in SharePoint Online or OneDrive for business, recording meetings – in OneDrive for business or Stream, calendar and voice mail are stored in the user's mailbox, and messages in the teams and channels – in the Exchange Online group mailbox.

Table 1. Microsoft Teams data storage

Finally, Teams users are automatically assigned one of two levels of security, depending on their role in the team.

Teams in roles

Owners are users who create commands. The participants are everyone whom the owners add to their commands. By default, the owners can limit the actions of the participants: what content they are allowed to view, whether they can create channels or add new participants. This gives the owners a certain level of control over the organization of work and the exchange of data in the teams. By default, all users of the organization can create commands, becoming their owners. However, the IT administrators can delegate the rights to create and manage teams to certain users, which makes it possible to more rigorously control this process.

As we managed to verify, Teams has many built -in security functions that administrators can easily configure in accordance with the requirements of their organization. But, like any other complex software product, Teams is not protected from vulnerabilities by one hundred percent.

History of the exploitation of vulnerability in Teams

In March 2020, Cyberk discovered a vulnerability to Teams. Imagine the following scenario: the attacker sends the victim GIF and receives control over the account of the victim. This vulnerability could potentially lead to the capture of all Microsoft Teams accounts in the organization.

Researchers studied the implementation of the use of access to Teams tokens to provide users with the opportunity to view attached images. They managed to find that, having attached a specially created malicious GIF file to the message, they can capture the necessary tokens and perform various actions through the API Teams interfaces on behalf of the victim. At the same time, the victim will see the picture sent to her and will never know that she was attacked. The biggest danger of detected vulnerability was that it could spread automatically, like a cherry virus.

After Cyberark discovered vulnerability, Microsoft corrected her before the attackers were able to use it.

In March 2021, Microsoft launched the Microsoft Applications Bounty Program remuneration program, the purpose of which is to attract researchers from around the world to identify vulnerabilities that were previously known in recent versions of Microsoft Teams Desktop and Microsoft Teams Mobile. A reward for the discovered, described and demonstrated vulnerability can reach $ 30,000.

TEAMS protection products

Teams can have a lot of significant information from the company, both from the point of view of files that users exchange and in relation to confidential data in chats.Sometimes it is necessary to supplement the basic protection with point instruments. There are many products, so it is important to consider the needs of your organization when choosing them. To facilitate your work, we have collected Microsoft products that complement Teams.

Microsoft Secure Score

Safety assessment is continuous scoring your Tenant Microsoft 365 and prepares recommendations, following which you strengthen your organization’s protection from threats. From the Unified Panel of the Security Center, you can track digital assets such as accounts, applications and devices Microsoft 365.

Secure Score helps:

• Get an assessment of the current security state of the organization.
• Increase the level of security through the following recommendations.
• Determine the potential impact of the implementation of each recommendation in your infrastructure on users and processes.
• Compare your level of safety with reference indicators and set key performance indicators (KPI).

You can analyze current indicators and compare them with the results of similar organizations. Microsoft Secure Score integrates with Microsoft products and other manufacturers for the implementation of recommendations. Use these metrics to clearly demonstrate progress in improving protection. Separate security recommendations are available for Microsoft Teams, and administrators are recommended to track them.

Multi-Factor Authentication

Multifactoric authentication is a security protocol that requires the provision of two or more confirmations from the user before their account is allowed. The second factor can be something that the user knows (for example, a PIN code), something that the user has (for example, an authentication application) or any biometric data (such as fingerprint). This strategy is effective, Microsoft telemetry shows that 99.9 % of hacks of accounts may be stopped by the simple use of MFA.

MFA policies are a strict tool that can be inconvenient when legitimate users simply do their job. Conditional access Azure AD helps to configure the process of authentication in such a way as to avoid such problems.

Conditional Access

Conditional access policies are used to give users the opportunity to work productively anywhere and anywhere, without reducing the level of protection of the organization. They complement the process of checking authenticity with additional criteria so that you can use detailed information about the user without limiting yourself to a role model. In addition to whether the user is an administrator, you can take into account when making a decision the location of the user, its device, authentication protocol and other factors. For example, you can reject all requests from Nepal, resolve all requests from your office and demand MFA for everyone else.Moreover, you can create several politicians who work together to establish restrictions where they are needed.

Microsoft Teams is supported as a separate cloud application in Azure Active Directory conditional access. Conditional access policies apply to Microsoft Teams when the user is included in the system. However, without the correct politicians in other applications such as Exchange Online, SharePoint Online or OneDrive for business, users will maintain direct access to these application resources.

In some cases, even the listed measures may not be enough – for example, when the administrator with high privileges, having access to particularly significant systems, requests authentication.

Privileged Identity Management

This is why it is recommended to use Azure Ad Pim (Privileged Identity Management) for accounting records with a privileged role, such as Global Administrator Azure Admin. PIM helps to control privileged access to Azure AD, Azure resources and other Microsoft web services. An increase in privileges is carried out only after approving a request by a group of authorized users, limited by time (just-in-time) and applies to specific resources. In any case, all the activity of a change in privileges is recorded and subject to audit. Therefore, the requests and approval of privileged access can be promptly visible and provided for internal audits and investigations.

All of these tools ensure the safety of internal users. And what if it is necessary to interact with external users?

Guest Access

You can embed people who are not employees of your organization into your business processes. These can be consultants, suppliers or partners with whom you want to communicate in chats or work together on documents and other resources.

Previously, for such an interaction, you would need to create accounts for external users, identical to your employees. This approach complicates the control and management of a large number of various accounts, rights and politicians, which reduces the level of security.

Guest access allows users to invite anyone who has an email address to work together in Microsoft Teams teams. This is an ideal way to provide external users with the necessary level of interaction without the need for full team membership. Guests are limited compared to team members. They can only participate in joint activities, such as joining the existing chat or channel, posting messages, access to channels and sending files in chats. Limited functionality and a separate set of guest access policies guarantee that control over Teams and its resources will remain exclusively in the hands of administrators.

Access Review

Technically, guest users are separate accounts in your Azure AD, which are created when an employee provides access to the document to an external user or invites an external user to become a member of the Microsoft Teams team.After creating such an account, it can remain in your Azure AD for an unlimited long time. This is a potential threat to security in the case of a guest account for compromising, since guest users have access to your company data, albeit limited. Of course, you may require guest users to use two -factor authentication, and this is the best first step you can take.

Using the Access Review tool, you can build a process in which the employees themselves or the appointed reviewers periodically check the list of external users with guest access. As part of the audit, you can easily delete access for external users, if it is no longer needed.

We examined the main administrative protection tools, let's now see which Microsoft products complement Teams.

Microsoft Cloud App Security

With the distribution of the model “Software as a Service” (SAAS) a new problem arose. The infrastructure underlying such software is located outside the control of the IT services. The insufficient flexibility of access control and data creates additional risks, not to mention the opaque safety of SAAS applications.

One of the approaches is to solve problems individually for each application using available administrative elements. The problem of this approach is that the SAAS applications are not always controlled centrally. Here, a cloud access security broker (CASB) comes to the rescue. As the name implies, CASB brokers play the role of a gatekeeper, who in real time regulates user access to the organization to the cloud resources used, regardless of the location of users and the type of devices they used.

Microsoft Cloud App Security, being such a broker, collects data from the magazines of network devices and proxy servers, cloud services and providers of accounting data. This provides visibility and control of data movement, gives wide visualization opportunities and provides complex analytics for identifying and eliminating cyberosis in any cloud services, not only Microsoft.

CASB brokers help to solve the problems of security when using cloud services in the organization, ensuring the detection and control of the used applications and “shadow IT”, evaluating their security, monitoring of user actions and detecting anomalous behavior, monitoring access to resources, classifying confidential information and preventing its leaks, Protection against malicious objects.

In SaAS and IAAS models, CASB brokers control the use of cloud services at the API level and expand the possibilities of monitoring applications performed in these clouds.

Intune

Employees of the companies need free access to their working e -mail and documents from any place and from almost any device.In their work, they use a large number of various mobile devices. It can be personal or corporate smartphones, tablets, laptops and PCs.

Intune is a link between mobile devices, applications and data data. This service provides a set of tools for managing a complex mobile environment, even outside your corporate network. The combination of mobile devices control (MDM) and mobile applications (MAM) provides the flexibility necessary to ensure security without limiting user capabilities.

Intune provides administrators with full control over devices and applications, and also allows you to evaluate risks when accessing corporate information. By controlling corporate devices, such as mobile phones, tablets and laptops, you can also configure policies to manage applications. For example, you can use biometric data to access Outlook or prohibit sending emails to the addressees outside your organization. Intune also allows employees to use personal devices, providing corporate data control and protection, isolation of corporate data from personal and encrypting them if necessary.

Microsoft Defender for Office 365

In addition to using the vulnerabilities of software, the most common way to penetrate the attackers are attempts to directly interact with users in the hope of insufficient awareness and digital hygiene. This can be both mass mailing of phishing URLs or harmful investments, as well as attacks aimed at a particular user. Microsoft Defender for Office 365 provides protection against unknown threats to Microsoft Teams, Exchange, SharePoint and OneDrive.

Each investment in an email or uploaded file is checked in a cloud sandbox for malicious functions. Administrators can configure suspicious processing policies to prevent their distribution, opening and any other actions with them.

Each link is checked every time at the time of clicking on it, which allows you to protect against redirecting to other URLs or replacing the initially safe contents of harmful.

Fishing protection with the help of machine learning reveals attempts by attackers to impersonate the legitimate users or domains, and the attack simulator allows you to launch realistic scenarios (targeted phishing attacks or attacks with a password) in your organization to teach users and identify potential vulnerabilities.

Data Leak Prevention

DLP policies are available for the main services of Office 365: Exchange Online, OneDrive for business, SharePoint Online and Teams. They help to guarantee that your users will not transmit confidential data to outsiders. Data confidentiality can be determined by both regulatory acts (for example, if it is data on patient health) and internal regulations (say, for financial information or commercial secrets).

Each policy allows you to define the scope – in other words, which Office 365 applications it will apply to. Policy conditions determine what content will be discovered and under what circumstances. Actions, in turn, serve to respond to leaks. You can simply monitor all leak attempts or stop them while educating users with hints.

For Microsoft Teams, protection of information in messages and documents exchanged between users is available.

Communication Compliance

In continuation of the conversation about messaging policies, it is worth mentioning Compliance with communication requirements, or Communication Compliance. It is a set of controls designed to detect, analyze, and take action when employee communication requirements are violated. It controls incoming and outgoing Exchange Online email, Microsoft Teams and Skype for Business communications, and messages on third-party platforms (such as Facebook or Twitter). These policies allow you to not only stop violations of communication requirements, but also provide hints to users to correct inappropriate behavior.

Microsoft provides intelligent custom templates such as protection from harassment or profanity. Built-in or custom classifiers can be used to detect certain types of communication for any communication channels.

The review process takes place in the software client instead of the mailbox, which allows you to respond to a violation before the message is sent, as well as run Power Automate flows as a policy element (for example, automatically notify the offender's manager).

Sometimes there are not enough requirements for communication and it may be necessary to eliminate the possibility of communication between individual employees or departments.

Information Barriers

Sets of policies that restrict communication and interaction between groups of users to avoid conflicts of interest or protect information are called information barriers. This approach is dictated by the requirements of business (especially financial companies) and is known as the Ethics Wall. For example, companies do not allow line employees to communicate with top managers or set limits on file and information sharing for certain departments.

Also, information barriers allow you to set policies that delimit the areas of search and discovery of electronic data, eDiscovery.

eDiscovery

As we saw earlier, user data is hosted in various Microsoft 365 services. This is convenient for users, but when it comes to searching for electronic data in an internal investigation or compliance audit, this variety of sources and types of data creates difficulties.

Microsoft offers the eDiscovery tool to help you identify, collect, and process electronic data.EDISCOVERY possibilities include business management, search, analysis, conservation and export of data, including Microsoft Teams data. It can be chats, messages and files, as well as special reports fixing all the events that occurred at a meeting or call.

Legal Hold

In the course of an internal investigation or court proceedings, you may need that all the data related to the user or team be maintained unchanged for use as legal evidence. You can do this by placing a user's mailbox or Teams command in legal retention mode. This mode guarantees that even if the end users delete or edit messages, the source copies of this content will be preserved and will be available through the search for Ediscoovery.

Retention Policies

Each organization may have its own reasons why they need to store data for a certain time from them. These can be emails, documents, contracts and other information. Data storage looks a difficult task, since there are many contradictions: what data to store and how long, what to do with them after the expiration of the shelf life?

Take the financial reports for example. The government may oblige you to store all financial reporting for five years. Thus, you need to store all your client contracts and other financial documentation, as well as all receipts for stationery, documents and even coffee. Agree, you will not treat these data the same. Information on the purchase of the office and coffee can be automatically deleted after the deadline, and contracts with important financial data are best placed in the archive and determine who has the right to access these documents.

Microsoft Teams storage policies allow guaranteeing the conservation of data to comply with regulatory, legal, business or other requirements, as well as guaranteed to delete information if necessary. You can use storage policies to store data for a certain period of time, and after it, delete it.

Sensitivity Labels

For the use of storage policy, special inalienable data tags are used. The same marks can be used to protect access to confidential corporate information. The main reason for the appearance of margins of confidentiality is the need to freely exchange documents and work together on them, maintaining data safety. Marking and encryption of data are the main elements and determine what authorized users can do with contents.

You can give the name of the Office 365 confidentiality marks based on your own taxonomy or use a standard set of marks, such as private and publicly available data, confidential information, etc. The advantage of using simple terms is that users can understand with which type of significant information they work.

In addition to protecting files directly, sensitivity labels can be applied to data in containers, such as Teams. For example, labels that define team privacy control guest access, external access, and access from non-corporate devices.

Compliance Recording

Call recording is not only a tool for collecting information about customers and their purchases or analyzing the quality of a call center. Sometimes this technology is necessary to comply with regulatory requirements. Call recording ensures that you are prepared to comply with regulatory requirements and resolve legal issues to avoid potential claims.

Unfortunately, Teams' out-of-the-box calling and recording capabilities are limited. You can easily record meetings or broadcasts, and even auto-transcribe those recordings, but Teams doesn't have a built-in tool to automatically record all of your employees' conversations. However, Compliance Recording APIs have been developed and released for Teams, which will allow you to integrate with a third-party certified product. For example, it could be AudioCodes SmartTAP 360°, Verint or NICE.

How to use Microsoft Teams safely

Let's start with the basics. You need to ensure that only authorized users can access your organization's Teams platform. Namely users and not employees, because this rule applies to all guest users.

1. Make sure Teams multi-factor authentication is enabled through Azure Active Directory. Set up recommended security policies, including Conditional Access policies and access risk assessment.

Further, it is desirable to provide control over users' mobile devices and define criteria for trusting devices:

1. Register users' mobile devices in Azure AD and restrict access from unmanaged devices. This is especially important for organizations with a large number of remote workers who use personal devices. Unmanaged personal devices usually do not have the same strong security measures as company-owned ones. Therefore, if they are lost or stolen, an attacker can easily gain access to any data downloaded to the device.
2. Restrict access to Microsoft Teams from untrusted company-owned devices using Intune. Even stricter rules for corporate devices do not guarantee security if the device already has malware or has not been updated for a long time. Examples of trust criteria include the operating system and the presence of critical updates, the absence of active threats in the form of viruses, or access from permitted countries.

Protect your data from leaks and unauthorized access:

1. Set up DLP policies and sensitivity labels. In this way, you can educate your users on the careful handling of confidential information and at the same time protect information from targeted or accidental leaks.
2. Study the “shadow IT” of your organization and evaluate the risks using Microsoft Cloud App Security. Carry out a “thin configuration” for security policies in accordance with the requirements of your organization.

findings

Of all the Microsoft Teams joint applications, one of the safest ones is one of the safest. Attackers use more and more sophisticated means and methods for attacks even on the most protected systems, but Microsoft implements all possible measures to lead these threats. These measures include the search for vulnerabilities and continuous updating of products, increasing user awareness, as well as informing administrators about risk softening measures.

Teams accommodates the company's data, including confidential ones. To protect these data, it is extremely important to follow the advanced practices that we talked about in this article and consult with experts in the field of information security.

What is worth doing right now? Be sure to turn on the multifactor authentication of Teams users. Even if you use the free version of Azure AD, this will provide a basic level of security. Depending on the potential threats relevant to your organization, we recommend that you introduce spot safety tools described above to create additional protection where it is necessary. Interacting, these tools form a reliable digital protection of your organization.