The move to remote working and working from home has raised new issues in Cyber Security and meant new Cyber Security Solutions need to be found and implemented.
One particular issue is that of collaborative communications software like Microsoft Teams and Zoom opening up new security loopholes.
One of the known issues of working from home is that remote users don’t feel part of the corporate team. This leads to losses in productivity and feelings of alienation. Businesses want to use collaboration tools to implement advanced communications, such as video conferencing, shared workspaces, and instant messaging in the hope of overcoming these issues.
The problem is that these tools can potentially give access to sensitive corporate information to people not authorised to have access.
Here are three known issues, and potential Cyber Security Solutions. While this note concentrates on Microsoft Teams, the general principles will apply to other tools like Zoom and Google Meet.
Microsoft Teams enables Guest Access to non-staff members such as suppliers, customers, and external consultants. This allows them to access and share internal files and carry out other admin tasks including making calls, updating project timetables, and creating online and live meetings. This has the potential to be a major gap in security.
A guest only needs a valid email address, and automatically receives guest access privileges. This raises obvious security concerns around the leakage of sensitive or proprietary information.
The Microsoft Teams model is designed to promote agile, self-organising teams for collaboration between users, whatever their functional area. The default Teams security model is an open-access model:
- There is no restriction on who can become a team owner. Anyone can create a team and invite other users to join.
- There is no restriction on team members accessing any information on the team public channels. Chats, calendars, shared files, anything is open access; and
- Internal and external guests have full creation rights. They can share files and create new team channels.
A significant issue here is the ability to create and add apps to a channel, which is an open invitation to information leakage. Other users have reported concerns with Guest Access and compliance. The possibility of information leakage and compromised data lifecycle management can breach compliance standards.
However, Guest Access is an all-or-nothing option right now. You either allow it or don’t allow it.
The issue is that it is not a trivial task to manage access rights across an enterprise.
Microsoft Teams is powered by SharePoint and Exchange, and in a cloud environment by Azure. File-sharing security is controlled by SharePoint, chat conversations by Exchange, and Azure Active Directory manages team membership and user authentication.
One simple solution is to disable guest access and require all users to be registered prior to joining a meeting, with their privileges managed and controlled. This obviously prevents unregistered users from joining meetings, for example as an ad-hoc addition.
The alternative is to use the inherent features of AD, SharePoint and related apps to apply the desired level of control.
The IT Security team will need to audit user privileges in related applications like Office 365 to ensure access to apps like OneDrive is properly controlled.
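One way to run such an audit over an inventory of teams, as an added example that is not part of the original article. The inventory layout, the domain names and the finding labels are assumptions constructed for illustration; substitute whatever your tenant export produces.

```python
# Added example: the inventory layout and every name below are constructed.
APPROVED_GUEST_DOMAINS = {"supplier.example"}  # assumption: vetted partner domains

INVENTORY = [
    {"team": "Finance-Close",
     "members": [
         {"email": "alice@corp.example", "type": "member", "role": "owner"},
         {"email": "bob@supplier.example", "type": "guest", "role": "member"},
         {"email": "Eve@freemail.example", "type": "guest", "role": "member"}],
     "channels": [
         {"name": "General", "created_by": "alice@corp.example"},
         {"name": "Side-Project", "created_by": "eve@freemail.example"}],
     "apps": [{"name": "FileSync", "added_by": "bob@supplier.example"}]},
    {"team": "Intranet-News",
     "members": [{"email": "carol@corp.example", "type": "member", "role": "owner"}],
     "channels": [{"name": "General", "created_by": "carol@corp.example"}],
     "apps": []},
]


def audit_team(team, approved_domains=APPROVED_GUEST_DOMAINS):
    """Return sorted (finding, subject) pairs for one team."""
    guests = {m["email"].lower(): m for m in team["members"] if m["type"] == "guest"}
    findings = set()
    for email, member in guests.items():
        if email.rsplit("@", 1)[-1] not in approved_domains:
            findings.add(("guest-unapproved-domain", email))
        if member["role"] == "owner":
            findings.add(("guest-is-owner", email))
    for channel in team["channels"]:  # channels a guest created
        if channel["created_by"].lower() in guests:
            findings.add(("channel-created-by-guest", channel["name"]))
    for app in team["apps"]:  # apps a guest added to the team
        if app["added_by"].lower() in guests:
            findings.add(("app-added-by-guest", app["name"]))
    return sorted(findings)


def audit(inventory):
    """Map team name to its findings, omitting teams with none."""
    report = {t["team"]: audit_team(t) for t in inventory}
    return {name: found for name, found in report.items() if found}


if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        for kind, subject in found:
            print(f"{name}: {kind}: {subject}")
```

Each finding maps to one of the open-access defaults listed earlier: who is a guest, what they created, and which apps they added.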
A problem for IT is that they have no control over remote devices. They can be desktop computers or smart devices such as tablets and smartphones. Their anti-malware software status is unknown, as are their other external links.
The issue is that users with unmanaged devices could steal potentially sensitive information or could introduce malware into the corporate network.
Again, it is not a trivial task to control all network-attached devices.
The first and obvious solution is to block all unmanaged devices, but this is generally not feasible.
Use a VPN and restrict logins to known IP and MAC addresses. In short, apply risk-based authentication to limit who can sign on, from where, and using what devices.
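A risk-based sign-in decision along those lines, as an added example that is not part of the original article. The network ranges, MAC addresses, group names, record fields and scoring thresholds are all constructed assumptions.

```python
# Added example: score a sign-in on who, from where and on which device.
import ipaddress

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.8.0.0/16", "203.0.113.0/24")]
MANAGED_MACS = {"02:00:5e:10:00:01", "02:00:5e:10:00:02"}  # assumption: asset register
PRIVILEGED_GROUPS = {"finance", "it-admin"}  # assumption: roles with sensitive data

def normalise_mac(mac):
    """Lower-case and use ':' separators so 02-00-5E-... matches the register."""
    return mac.strip().lower().replace("-", ":")

def on_trusted_network(ip):
    """True when the source address falls inside a VPN or office range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a missing or malformed source address is untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)

def decide(signin):
    """Return 'allow', 'mfa' or 'block' for one sign-in attempt (a dict)."""
    managed = normalise_mac(signin.get("device_mac", "")) in MANAGED_MACS
    trusted = on_trusted_network(signin.get("source_ip", ""))
    guest = signin.get("user_type") == "guest"
    privileged = bool(PRIVILEGED_GROUPS & set(signin.get("groups", ())))
    # A MAC address is reported by the client, so it only lowers risk and never
    # grants access on its own. Privileged users need both signals.
    if privileged and not (managed and trusted):
        return "block"
    risk = (not managed) + (not trusted) + guest
    if risk >= 3:
        return "block"
    return "mfa" if risk else "allow"

SAMPLE_SIGNINS = [  # constructed sign-in records
    {"user": "alice", "user_type": "member", "groups": ["finance"],
     "source_ip": "10.8.4.20", "device_mac": "02-00-5E-10-00-01"},
    {"user": "alice", "user_type": "member", "groups": ["finance"],
     "source_ip": "198.51.100.7", "device_mac": "02-00-5E-10-00-01"},
    {"user": "dave", "user_type": "member", "groups": ["sales"],
     "source_ip": "198.51.100.7", "device_mac": "02:00:5e:99:00:09"},
    {"user": "bob", "user_type": "guest", "groups": [],
     "source_ip": "192.0.2.55", "device_mac": ""},
]

if __name__ == "__main__":
    for s in SAMPLE_SIGNINS:
        print(s["user"], s["source_ip"], decide(s))
```

Unmanaged devices are stepped up to MFA rather than blocked outright, which keeps the policy workable where blocking every unmanaged device is not feasible.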
A common theme in collaborative applications is the ability to share content by screen sharing. It can be a very useful feature to improve communications and enhance the value of an online meeting.
However, as with unmanaged devices, the user may inadvertently share sensitive information. As an example, an email system like Microsoft Mail could display a screen alert summarising an incoming email with restricted information. If the user's screen is being shared, the alert will also be shared.
A further issue is allowing guest users to take control of a shared screen.
Control of screen sharing is closely linked to managing guest access and user rights. Proper management of user privileges will go a long way to controlling the risks associated with screen sharing.
Collaboration tools such as Microsoft Teams have gone a long way to easing the remote access and working from home environment. There are clear Cyber Security risks, but with careful planning and implementation, they can be managed.