Information Governance - includes Industry Participants

What is Teams and What Should Information Governance and Security Be Concerned With the Initial Setup

By Leigh Isaacs posted 02-02-2021 11:26

  

It’s collaboration time! There’s a lot of buzz in legal tech about Microsoft Teams and its collaboration features. In recent years attorneys have been asking for more tools to enable collaboration, and the “new normal” remote workplace has reinforced the need for new, innovative tools for our attorneys.  As with all legal technology, there are many considerations to account for when working with client data.

In this first post of a multi-part series, we’re going to talk about the basics of what Teams is, and what it isn’t.  Other posts in the series will do deeper dives into considerations around provisioning Teams and integrating with your DMS. Since Teams is part of the M365 ecosystem and is always evolving, new posts will follow new features and the corresponding IG considerations.

Starting at the beginning, we first need to understand what Teams is. At its center, Teams is a chat-based workspace that features group and private messaging, with threaded and persistent conversations. Within each team, users can create different channels to organize their communications by topic. Each channel can include a couple of users, or scale to thousands of users. Microsoft Teams is cloud-based collaboration software and is part of the Office 365 suite of applications. The core capabilities in Microsoft Teams include business messaging, calling, video meetings and file sharing.

The most important step for a firm to take, before jumping into Teams, is to make sure that you have modern policies and procedures approved and in place for the management of client and internal data. Between governance and security requirements, your policies should include, at minimum, your firm’s stance on data loss prevention, electronic data sharing, what constitutes a client record, management of ethical walls and any secured inclusionary walls, and clear retention schedules. This information is very important to have in place, as it provides a solid launching point for configuring your Teams environment.

As you begin the discovery phase of your project, these are the top 5 concerns that you should address as your team’s Information Governance or Security professional.

1)  Access Management

Whether your firm calls them Ethical Walls or Ethical Screens, it is extremely important to ensure that you have a system in place to manage user access to client or sensitive internal data. In addition to Ethical Walls, many clients are requiring firms to safeguard their data and restrict access to only those resources who are actively working on the matter. While there is an ‘in-box’ solution in Microsoft Teams for setting up Information Barriers, it is very binary: groups of users are completely prevented from sharing or communicating with other groups. The concern with this all-or-nothing approach is that leaving communication fully open is prone to accidental insider breaches, while blocking it completely will very likely result in groups creating their own data repositories. Completely cutting off communication will force people to look for alternative tools, even if it is just to facilitate innocent interactions, resulting in increased compliance risk.

2) Data, Data Everywhere

By design, it’s very easy for a user to create a new Team, add members and start collaborating. This ease of use has helped to drive Microsoft Teams’ viral adoption. However, just as we saw with SharePoint, organizations are concerned about wasting resources and other implications due to sprawl. Teams are created and then abandoned after a short period of time, and duplicate Teams are created, leaving an abandoned repository once users gravitate towards one Team over the duplicate. As well as wasting resources, the redundant Teams create a scenario where the lack of oversight and life cycle management can result in valuable or sensitive information being at risk due to incorrect or outdated sharing settings that break information protection. Later blog posts in this series will provide guidance on how to manage Teams content that may live outside a firm’s official repository.

3) Safeguarding Secure Collaboration

With all the new data protection policies, from Outside Counsel Guidelines to the California Consumer Privacy Act (CCPA) to GDPR, now more than ever, organizations must ensure that collaboration content, including chat and files in Microsoft Teams, is being shared in accordance with information handling policies. Organizations also need to ensure that information such as company confidential files is not accidentally shared with external guests or other unauthorized Teams users. While Microsoft Teams offers Private Channels, it is a “location based” approach which has several limitations, as there is no technical enforcement of information protection beyond permissions access to the channel. Private Channels do nothing to address customer concerns about files or chat messages being accidentally posted in the wrong Team or channel. As Microsoft Teams adoption and use grows, the accidental sharing risk increases, as users may lose sight of Team membership and not realize that they are exposing confidential information.

4) Enabling Collaboration Content (Teams) Owners

The highly requested Private Channels capability in Microsoft Teams showed that Team Owners want to have more control over the granularity of protection that they apply within their Teams. Team Owners are better positioned to know the specific sharing requirements, as they know their collaboration content the best. At the same time, there must be balance between Team Owners and IT/IG to ensure that corporate-wide policies are being properly enforced. Typically, information protection policies and application access controls are defined and applied at the cloud tenant level. While this works for enforcing organization-wide policies, it often leaves a security gap in Microsoft Teams. The dynamic nature of the collaboration process requires Team Owners to be equipped with the right tools to ensure that any information security gaps within Teams are appropriately plugged. Without this capability, the concerns about Ethical Walls, Secure Collaboration and Data Sprawl will remain and impact the success of any Microsoft Teams rollout.

5) Guest Accounts

The concern here is that, without strict controls over who can create a team and add members, IT can’t really control whether (or when) the organization is sharing private information with external parties. Further, in general, Teams is missing an overall permissions model (including guest access) between Teams, Office 365 Groups, SharePoint, OneDrive, etc. IT teams should take extra precautions to properly configure guests in Azure AD, as well as remind their organization about shared files and the firm’s data management policies. Currently, Microsoft does not provide channel exclusivity, meaning that if you’d like to work on a project with a guest, but don’t want them to have access to other files in the Team, you’ll have to make a separate Team for this project.

While these concerns may seem alarming, all is not lost. With careful planning and collaboration with your IT or project team, you can help lessen the risks by reviewing all of the options and settings in the MS Compliance Center to customize your configuration. There are also third-party software solutions that are available to help fill in some of the gaps. Evaluate what your needs are, set the scope for how you want to use Teams at your firm and go from there. 1-2-3 Collaborate!



Comments

17 days ago

Please enjoy the second part to this series:

https://www.iltanet.org/blogs/brynmor-bowen1/2021/02/19/a-deep-dive-into-provisioning-in-teams-with-3rd-pa