How secure is Microsoft Teams? – UC today
Today, Microsoft Teams is more than just a tool for productivity and collaboration in the modern workforce. It is quickly becoming a complete solution for the future of hybrid working, bringing together teams from all over the world. However, before you can rely on Teams as your ultimate “work center”, you must first make sure it’s secure enough to meet your company’s standards.
Microsoft Teams is built on the enterprise-grade cloud environments of Microsoft and Office 365. It also promises the Microsoft Teams instance owner complete control and management of all data shared within channels and conversations. Messages are not scanned or retained by Microsoft, and data backup policies may be established by individual users.
But how far does Teams security really go?
Microsoft Teams security standards
First and foremost, Microsoft Teams enforces organization-wide and team-wide two-factor authentication methods and single sign-on through Active Directory. You can also rest assured that your data will always be encrypted at rest and in transit within Teams.
Files shared within a Teams instance are stored in SharePoint and backed by SharePoint encryption, while notes in OneNote are backed by OneNote encryption. Wiki tab content is also backed by SharePoint security. To improve internal security policies, Microsoft users can take advantage of a range of defensive features within Teams.
Microsoft Defender, for example, is available for Microsoft Teams to determine if content shared within channels is malicious in nature at a glance. If content is found to be malicious, you can set policies on how it is handled and removed from the ecosystem.
Defender also provides access to “Safe Links” in Teams, to help determine which links users can safely click when shared by other users. The “Safe Attachments” feature works the same way, scanning attachments for malicious content. You can enable this feature in your Teams admin portal and set policies to deal with dangerous attachments.
As a bonus, “Secure Score” within the Microsoft 365 Security Center gives users access to a centralized dashboard to monitor app, device, and identity security. Recommendations are available from Secure Score for Microsoft Teams administrators.
Conditional Access Policies and Compliance
Microsoft Teams aligns with other tools in the Microsoft ecosystem for basic productivity scenarios, such as calendars, meetings, and file sharing. Conditional Access policies can be set for these cloud apps that also apply to Microsoft Teams. Teams is supported separately as a cloud app in Azure Active Directory, but without SharePoint, Exchange, and Skype policies in place, it may be possible for users to access resources they shouldn’t have permission to access.
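One way to check for the gap described above, as an added example that is not from the original article or from Microsoft: it reads policies shaped like Microsoft Graph `conditionalAccessPolicy` objects and reports enforced Teams policies whose controls are not matched on Exchange, SharePoint or Skype. The application IDs, the treatment of the `All` and `Office365` targets, and the sample policies are assumptions to confirm against your own tenant.

```python
# Application IDs widely documented for Microsoft first-party services;
# treated here as assumptions to confirm in your own tenant.
TEAMS = "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe"
DEPENDENCIES = {
    "Exchange Online": "00000002-0000-0ff1-ce00-000000000000",
    "SharePoint Online": "00000003-0000-0ff1-ce00-000000000000",
    "Skype for Business Online": "00000004-0000-0ff1-ce00-000000000000",
}
SUITE_TARGETS = {"All", "Office365"}  # assumed to include Teams and all three dependencies

def controls(policy):
    """Grant controls (e.g. 'mfa') that the policy requires."""
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def covers(policy, app_id):
    """True if the policy is enforced (not disabled or report-only) and applies to app_id."""
    if policy.get("state") != "enabled":
        return False
    apps = policy["conditions"]["applications"]
    include = set(apps.get("includeApplications", []))
    exclude = set(apps.get("excludeApplications", []))
    if app_id in exclude or "Office365" in exclude:
        return False
    return app_id in include or bool(include & SUITE_TARGETS)

def teams_gaps(policies):
    """Map each enforced Teams policy to the dependencies lacking the same controls."""
    findings = {}
    for p in policies:
        if not covers(p, TEAMS):
            continue
        missing = [
            name for name, app_id in DEPENDENCIES.items()
            if not any(covers(q, app_id) and controls(p) <= controls(q) for q in policies)
        ]
        if missing:
            findings[p["displayName"]] = missing
    return findings

def policy(name, state, apps, grant):  # hypothetical helper for constructed sample data
    return {"displayName": name, "state": state,
            "conditions": {"applications": {"includeApplications": apps}},
            "grantControls": {"builtInControls": grant}}

# Constructed sample export: Teams and SharePoint enforce MFA, Exchange is report-only.
SAMPLE = [
    policy("Require MFA for Teams", "enabled", [TEAMS], ["mfa"]),
    policy("Require MFA for SharePoint", "enabled", [DEPENDENCIES["SharePoint Online"]], ["mfa"]),
    policy("Exchange MFA pilot", "enabledForReportingButNotEnforced",
           [DEPENDENCIES["Exchange Online"]], ["mfa"]),
]
```

Calling `teams_gaps(SAMPLE)` flags the Teams policy because Exchange is only in report-only mode and Skype has no policy at all.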
Microsoft Teams offers a range of “compliance” features to help manage employee access and usage. The “Compliance Center” is packed with tools for communications compliance (like reporting inappropriate messages), eDiscovery, and audit log searches.
Communications Compliance offered by Microsoft’s Purview Communications Center allows companies to add users to policies that review conversations for sensitive information and data related to regulatory standards, as well as offensive language.
Purview Information Barriers can also be implemented by Teams admins to prevent certain people from communicating with each other, or enforce policies around eDiscovery and search. The “Barrier” feature was deployed in January 2021.
For additional compliance purposes, companies can add “sensitivity labels” in Teams to regulate access to sensitive content created during a Teams collaboration session.
Policy management within Teams
To give businesses the most control possible over their data shared within Teams, Microsoft offers a range of policy solutions. Data loss prevention solutions are available to securely preserve critical information. Companies can also access:
- Customer Keys: Customer keys encrypt different types of customer information in Teams at the application level. This also encrypts files stored in SharePoint Online. You can set policies for what information to encrypt in each conversation.
- Retention policies: Users can define what data should be retained for regulatory, business and legal standards. You can also define the data to keep for a specific period of time.
- Electronic Discovery: eDiscovery features in Teams let you search through call summaries, files, and messages to find potential privacy and security issues. You can also control who on your team has access to search and content discovery features.
- Legal hold: Throughout a legal dispute, you may need all data associated with a certain team or user to be retained. You can place your Teams data on “in-place hold” or “litigation hold,” as appropriate. When holds are in place, even if users delete or edit messages in a group chat, immutable copies will still be available.
- Audit: Audit log search in Teams connects to Microsoft’s Purview compliance portal and allows users to set alerts and report audit events. This allows the export of various sets of specific or generic events for use and investigation by the administrator.
Data management within Teams
As mentioned above, Microsoft is committed to keeping user and team data secure and compliant based on their needs. All data produced in Teams will reside in the geographic location associated with your Microsoft 365 organization.
Admins can define the regions that contain their tenant’s data in the “Organization profile” section of the Microsoft 365 admin center by scrolling down to “Data location”.
Notably, Microsoft Teams also follows the privacy and security guidelines implemented by leading policy makers and groups around the world. Teams complies with:
- SOC 1 and SOC 2
- ISO 27001, ISO 27018
- EU model clauses
Further information is available at Microsoft’s data protection resources on the Microsoft website. Teams also complies with Cloud Security Alliance guidelines.
All partners working with Microsoft Teams and approved to provide UCaaS and compliance registration functionality must also be tested against Teams standards. However, you will need to check the encryption and compliance policies provided by these providers for additional information.