Unsurprisingly, the world and its dog appear to be shifting large amounts of their collaboration activity (team chat, shared documents, meetings and telephony) into Microsoft Teams right now.
Here are our top 10 tips for rolling-out Teams securely. This is particularly important given the large number of people now working from home. Whilst some of these suggestions are really advice for Office 365, rather than specifically for Teams, they are all very important as you develop an increasing reliance on Teams across your institution.
1. Enable Multi-Factor Authentication (MFA) for as many users as possible. 99.9% of Office 365 compromises are due to MFA not being enforced for the targeted end users. Enabling MFA is especially important for administrators and high-profile users (HR, Finance, senior leadership team). Don’t forget to create a break-glass account: a highly audited Global Admin account which is exempt from all MFA and Conditional Access (CA) policies and which should only be used for emergency access in the event of an issue with Azure Active Directory (AAD) identity services.
https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-emergency-access
https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/
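A quick way to check that MFA coverage actually reaches your privileged users, written as an added example for this post (not Microsoft’s or Jisc’s own tooling). It uses the MSOnline module after Connect-MsolService; the break-glass account name and the list of roles are assumptions you would swap for your own.

```powershell
# Added example: list members of privileged Azure AD roles who have no MFA
# method registered, skipping the break-glass account (which is exempt by design).
# Assumes Connect-MsolService has already been run.
$breakGlass = 'breakglass@contoso.onmicrosoft.com'   # hypothetical account name
$roles      = 'Company Administrator',               # MSOnline name for Global Admin
              'Exchange Service Administrator',
              'SharePoint Service Administrator',
              'Teams Service Administrator',
              'Security Administrator'

$report = foreach ($roleName in $roles) {
    $role = Get-MsolRole -RoleName $roleName
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Groups and service principals are skipped; only user accounts sign in interactively
        if ($member.RoleMemberType -ne 'User') { continue }
        if ($member.EmailAddress -eq $breakGlass) { continue }

        $user = Get-MsolUser -ObjectId $member.ObjectId
        [pscustomobject]@{
            Role          = $roleName
            User          = $user.UserPrincipalName
            # Any registered method (app, phone, OATH token) counts as registered
            MfaRegistered = ($user.StrongAuthenticationMethods.Count -gt 0)
            # Per-user MFA state; empty when MFA is driven by Conditional Access instead
            PerUserMfa    = $user.StrongAuthenticationRequirements.State
        }
    }
}

# Anyone listed here is an administrator who can still sign in with a password alone
$report | Where-Object { -not $_.MfaRegistered } | Format-Table -AutoSize
```

The break-glass account should be the only privileged account deliberately missing from this report; anything else in the output is a gap to close.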
2. Configure your basic Teams policies. Configuration policies such as meeting policies, live event policies and messaging policies allow granular control over the functionality of your Teams environment. Controls include preventing external participants from taking remote control during screen sharing, stopping users bypassing the lobby when dialling in, preventing actions such as deleting messages or files, and restricting which applications users can add to their Teams in order to avoid data leakage. Policy Packages can help deploy settings at scale to all users (or groups), giving administrators an easier way to manage multiple policy types across their environment.
https://docs.microsoft.com/en-us/microsoftteams/manage-policy-packages
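The policy settings described above, expressed in Teams PowerShell as an added example (not from the original post). It assumes a connected Teams PowerShell session; the policy names, the group name and the package name are illustrative.

```powershell
# Added example: create hardened meeting, messaging and app permission policies,
# assign them, and show how a Policy Package bundles several policy types at once.
# Assumes a connected Teams PowerShell session; names below are illustrative.

# Meeting policy: external participants cannot take control, nobody bypasses the lobby
New-CsTeamsMeetingPolicy -Identity 'Restricted-Meetings' `
    -AllowExternalParticipantGiveRequestControl $false `
    -AutoAdmittedUsers 'EveryoneInCompany' `          # externals and guests wait in the lobby
    -AllowPSTNUsersToBypassLobby $false `             # dial-in callers wait too
    -AllowAnonymousUsersToStartMeeting $false

# Messaging policy: no editing or deleting of sent messages
New-CsTeamsMessagingPolicy -Identity 'Restricted-Messaging' `
    -AllowUserDeleteMessage $false `
    -AllowUserEditMessage $false `
    -AllowOwnerDeleteMessage $false

# App permission policy: third-party apps become allow-list only
# (AllowedAppList with no apps listed means nothing from that catalog can be added)
New-CsTeamsAppPermissionPolicy -Identity 'Restricted-Apps' `
    -GlobalCatalogAppsType AllowedAppList `
    -PrivateCatalogAppsType AllowedAppList

# Assign to every user in a licensed group
# (the group name and 'Department' filter are assumptions)
Get-CsOnlineUser -Filter { Department -eq 'Finance' } | ForEach-Object {
    Grant-CsTeamsMeetingPolicy        -Identity $_.UserPrincipalName -PolicyName 'Restricted-Meetings'
    Grant-CsTeamsMessagingPolicy      -Identity $_.UserPrincipalName -PolicyName 'Restricted-Messaging'
    Grant-CsTeamsAppPermissionPolicy  -Identity $_.UserPrincipalName -PolicyName 'Restricted-Apps'
}

# Policy Packages: one assignment applies a Microsoft-defined bundle of policies
Get-CsPolicyPackage | Select-Object Name, Description
Grant-CsUserPolicyPackage -Identity 'lecturer@contoso.ac.uk' -PackageName 'Education_Teacher'
```

Re-run Get-CsTeamsMeetingPolicy after assignment to confirm the effective policy for a user, since the Global policy still applies to anyone not explicitly granted one.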
3. When rolling out Teams, remember to use Teams Administrator permissions rather than Global Admin. Role-based access control (RBAC) should be used throughout your Office 365 environment in order to align with the principle of least privilege. Consider separate accounts for administrative purposes and make use of Conditional Access.
https://docs.microsoft.com/en-us/microsoftteams/using-admin-roles
4. By default, Teams is open to the world for collaboration. Decide which third parties you want to allow into Teams and then enforce it, either with an allow list (whitelisting) or, alternatively, a block list (blacklisting). As a minimum, review your OneDrive and SharePoint sharing settings: who can share files, should sharing be permitted to external users at all, and should any file shares have an expiry? On a related theme, review your Guest User access. This should be disabled by default, but if it is not, consider whether guest users really need all the access they currently have. Access can be restricted to remove features such as the ability to chat or delete messages. Furthermore, do your users really need the ability to connect with Skype users? Skype may not seem like a large risk, but being selective with every setting during deployment helps to develop a ‘security by design’ mindset.
https://docs.microsoft.com/en-us/onedrive/manage-sharing
https://docs.microsoft.com/en-us/microsoftteams/manage-guests
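The external-access review above as one configuration pass, written as an added example (not from the original post). It assumes connected Teams and SharePoint Online PowerShell sessions; the partner domains are placeholders.

```powershell
# Added example: restrict Teams federation to an explicit allow list, switch off
# consumer Skype connectivity, trim guest capabilities, and tighten SharePoint and
# OneDrive sharing. Assumes connected Teams and SPO sessions; domains are placeholders.
$partners = 'partner-a.example', 'partner-b.example'

# Federation: only the listed domains can chat or meet with your users
$allowedDomains = $partners | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
Set-CsTenantFederationConfiguration `
    -AllowedDomains (New-CsEdgeAllowList -AllowedDomain $allowedDomains) `
    -AllowFederatedUsers $true `
    -AllowPublicUsers $false          # no consumer Skype users

# Guest access: set to $false if guests are not needed at all; otherwise
# keep it on but remove the features the post calls out (chat edits/deletes, calls)
Set-CsTeamsClientConfiguration -AllowGuestUser $true
Set-CsTeamsGuestMessagingConfiguration -AllowUserDeleteMessage $false -AllowUserEditMessage $false
Set-CsTeamsGuestCallingConfiguration  -AllowPrivateCalling $false

# SharePoint and OneDrive: authenticated external users only (no anonymous links),
# internal links by default, sharing limited to the same partner domains
Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `
    -OneDriveSharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($partners -join ' ') `
    -RequireAnonymousLinksExpireInDays 30   # defence in depth if anonymous links are ever re-enabled

# Read the result back so the change is recorded in your change log
Get-CsTenantFederationConfiguration | Select-Object AllowPublicUsers, AllowFederatedUsers, AllowedDomains
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType
```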
5. Data Loss Prevention (DLP) is available with E3 subscriptions. DLP should be used to help meet the requirements set out in GDPR by preventing sensitive data leaving your institution. Make sure that you extend your DLP policies into your Teams environment (this doesn’t always happen by default) and configure appropriate alerting.
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams?view=o365-worldwide
6. Azure Information Protection (AIP)/Unified Sensitivity Labelling should be enforced on SharePoint and Teams. This helps protect business-sensitive data from being compromised by securing the data itself rather than the services and platforms hosting it. AIP can also be used to encrypt sensitive data, revoke access to it and/or stop people sharing or forwarding it.
https://docs.microsoft.com/en-us/microsoft-365/compliance/protect-sharepoint-online-files-with-sensitivity-label?view=o365-worldwide
7. If you don’t have AAD P1 or above, consider security defaults (formerly known as built-in Conditional Access Baseline Policies). These are groups of Microsoft-recommended configuration settings based on feedback from Microsoft security engineering teams, product groups, partners and customers. They include blocking risky sign-ins and enforcing MFA. Remember that some security defaults may still be in preview.
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
8. If you are using Advanced Threat Protection (ATP) P1 (E5 or add-on), make sure Anti-Phishing is enabled to prevent user and domain impersonation. Take care to protect likely targets such as members of your senior leadership team. Enable ATP Safe Links for your entire organisation, for both internal and external communications. Have ATP Safe Attachments inspect everything; this should be extended to SharePoint and Teams.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide#configure-atp-policies
9. Enable auditing and alerting wherever possible. Be sure to enable auditing on all mailboxes and on all activity within Office 365. Teams is fully integrated into the Security & Compliance Center, so take advantage of eDiscovery/Content Search, Reporting and Alerting, and review your Secure Score weekly. Litigation Hold can also be used if required. Cloud App Security is worth investigating as it will help you control your Shadow IT.
https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
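Turning auditing on and then actually looking at the Teams events it produces, as an added example (not from the original post). It assumes an Exchange Online PowerShell session; the set of operations filtered for is a starting point, not an exhaustive list.

```powershell
# Added example: enable unified audit log ingestion and mailbox auditing, then pull
# the last week of Teams events from the unified audit log and surface the ones a
# defender wants to see first (tenant/team setting changes and membership changes).
# Assumes an Exchange Online PowerShell session.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# Mailbox auditing is on by default in newer tenants, but enforce it everywhere
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Set-Mailbox -AuditEnabled $true

# Search-UnifiedAuditLog returns at most 5000 rows per call, so page with a session id
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = [guid]::NewGuid().ToString()
$events = do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType MicrosoftTeams -SessionId $sessionId `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    $page
} while ($page.Count -eq 5000)

# AuditData is a JSON blob per row; expand it and filter on the Operation field
$parsed = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$interesting = 'TeamsTenantSettingChanged', 'TeamSettingChanged',
               'MemberAdded', 'MemberRoleChanged'
$parsed |
    Where-Object { $_.Operation -in $interesting } |
    Select-Object CreationTime, Operation, UserId, TeamName |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

Ingestion can take up to 24 hours to start populating after it is first enabled, so an empty result immediately after the first cmdlet is expected rather than a fault.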
10. If you are using Enterprise Mobility & Security (EMS) or Intune, review your mobile device management (MDM) policies, in particular fine-tuning the policies for devices with Internet connections. You can even use Conditional Access as a means of only permitting corporate devices, with granular exclusions based on individual circumstances; this can include a specific policy for Teams access. If MDM is not in use or not viable, then Mobile Application Management (MAM) may be worth considering, as it protects access to your cloud applications regardless of the device accessing them.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-device-management
That’s our top 10 tips. There’s a lot of material here, but it is worth working your way through the list to protect your institution as you ramp up your reliance on Office 365 and Teams. I will provide more detail on many of these areas in future blog posts.
Good luck.
Did you know?
Jisc are now offering weekly drop-in clinics to help our members with technology issues related to dealing with the coronavirus outbreak. We can also make limited amounts of free consultancy available to you (typically up to 3 hours) to help with the crisis. Consultancy will be provided by one of our cloud consultants, solutions architects or engineers. In all cases, these offers are for help with Office 365, Azure, AWS, cloud security or cloud connectivity.
Want to know more? Please contact your Jisc Account Manager.