Securing Microsoft Teams
A focus on data security
David Ferg
System Source Consultant
Chris Riley
Director
410-771-5544 x4331
Agenda
Introductions – Chris Riley
Dave Ferg
• Security concerns
• Identity security – a brief review from a previous webinar, and critical for any security
• NIST password standards
• MFA and passwordless login
• Teams data security
• Teams data storage
• External access and storage
• DLP, Azure Information Protection, retention policies
• Recycle bins and backups
Special Offers – Chris Riley
We Hope You Are Enjoying Your Pizza!!
If you haven’t received your pizza,
then contact Mike Jones:
During the Webinar…
Audio – In presentation mode until end
Control Panel
View webinar in full screen mode
In Chat – Tell us what you hope to learn today?
In Questions – Feel free to submit written questions
Presentation & Webinar Recording will be emailed
Evaluation just after the webinar finishes – drawing for a $25 Amazon Gift Card!
Security Concerns – Dave Ferg
The threats we face
• The usual threats
• Account compromise and phishing
• Viruses, malware, and ransomware
• Unauthorized access and use
• Incorrect permissions
• Unsafe or unmanaged external sharing
• Not monitoring and controlling sensitive data
• Data loss
• Data exfiltration, corruption, or deletion
What can you do?
• Security is a shared responsibility
• Microsoft’s platform is robust, fault tolerant, and secure
• We must protect our identities and data
• Security features available depend on licensing
• O365 E1 – Email filtering, anti-malware, DKIM, basic MDM, archiving and retention
• O365 E3 – Adds DLP, legal/litigation holds, eDiscovery exports
• O365 E5 – Adds O365 Cloud App Security and O365 ATP
• EMS – Enhances capabilities and adds additional services
• M365 plans = O365 + EMS + Win10
Protect Identities
Protect identities
• Identity security is inseparable from data security
• In a previous webinar we discussed identity security
• Topics we discussed were:
• NIST 800-63 password guidelines
• Azure AD password protection
• MFA
• Passwordless login
• Azure AD SSO (will not review in this webinar)
NIST’s simpler password direction for AD (AAL2)
• No password composition or expiration requirements
• Minimum length of 8 characters (required) (AD)
• Maximum length of at least 64 characters recommended (AD)
• 2FA without prompting questions (no “name of first pet”)
• Reauthentication every 12 hrs of session and after 30 min of inactivity (GPO)
• Password creation/reset: >= 6 random characters
• Passwords checked against compromised, dictionary, repetitive/sequential, and context-sensitive words (P1)
• Rate limit failed authentication attempts (AD)
• Force a password change if compromised (P2)
Azure AD Password Protection
• Enabled by default in Azure AD
• Global banned password list
• Supports local Active Directory with Azure AD P1 licenses
• Assumes every on-premises account has an Azure AD account
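As an added example (not from the deck), here is a PowerShell password screen that applies the checks the NIST slide lists and that Azure AD Password Protection’s banned list automates for cloud and on-premises accounts; the banned list and context words are constructed sample data, and the function names are my own.

```powershell
# Added example, not from the webinar deck: a password screen applying the checks the
# slides list (length, banned/dictionary words, repetitive or sequential runs, context
# words). $BannedPasswords is a constructed sample; a real screen would feed it from a
# breached-password corpus, which is what Azure AD Password Protection does for you.
$BannedPasswords = @('password', 'qwerty', 'letmein', 'welcome', 'iloveyou')

function Test-SequentialRun {
    # True when $Text contains $MinLength or more characters stepping +1 or -1
    # in one direction, e.g. 'abcd' or '4321'; 'abab' does not count.
    param([string] $Text, [int] $MinLength = 4)
    $run = 1; $prevDiff = 0
    for ($i = 1; $i -lt $Text.Length; $i++) {
        $diff = [int][char]$Text[$i] - [int][char]$Text[$i - 1]
        if ([Math]::Abs($diff) -ne 1) { $run = 1; $prevDiff = 0; continue }
        if ($diff -eq $prevDiff) { $run++ } else { $run = 2; $prevDiff = $diff }
        if ($run -ge $MinLength) { return $true }
    }
    return $false
}

function Test-NistPassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $ContextWords = @(),          # username, company, product names
        [string[]] $BannedList = $BannedPasswords
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $lower = $Password.ToLowerInvariant()

    # Length is the only structural rule: no composition or expiry requirements.
    if ($Password.Length -lt 8)  { $reasons.Add('shorter than 8 characters') }
    if ($Password.Length -gt 64) { $reasons.Add('longer than 64 characters') }

    # Compromised / dictionary words, matched as substrings (so 'password1' fails too).
    $hit = $BannedList | Where-Object { $lower -like "*$($_.ToLowerInvariant())*" } | Select-Object -First 1
    if ($hit) { $reasons.Add("contains banned word '$hit'") }

    # Repetitive (aaaa) and sequential (abcd, 9876) runs of four or more.
    if ($lower -match '(.)\1{3,}')       { $reasons.Add('contains a repeated-character run') }
    if (Test-SequentialRun -Text $lower) { $reasons.Add('contains a sequential run') }

    # Context-specific words such as the user's name or the organisation.
    foreach ($w in $ContextWords) {
        if ($w.Length -ge 3 -and $lower.Contains($w.ToLowerInvariant())) {
            $reasons.Add("contains context word '$w'")
        }
    }
    [pscustomobject]@{ Accepted = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# A passphrase with spaces passes; the second candidate fails on a context word and a sequential run.
Test-NistPassword -Password 'purple tractor radio 7' -ContextWords 'contoso', 'dferg'
Test-NistPassword -Password 'Contoso1234!' -ContextWords 'contoso', 'dferg'
```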
Azure AD MFA
• Security Defaults replace Baseline Conditional Access policies
• Multi-factor authentication for administrators and end users, required within 14 days of the next sign-in after enablement
• Legacy authentication will be blocked, restricting access from older clients such as Office 2010, IMAP, POP3, SMTP, and ActiveSync clients that don’t support Modern Auth.
• Immediate MFA protection for “privileged” Azure AD actions via the Azure Resource Manager API (such as Azure Portal access, Azure PowerShell, and the Azure CLI).
Azure AD MFA
• Office 365 MFA is set up per user for a more controlled rollout.
• Accessed from the Office 365 Admin portal
• Provides App Passwords for software not supporting Modern Authentication
• An app password is a code giving an app or device permission to access your Office 365 account.
• Supports SMS or mobile app for the second factor
• Supports “remember for X days”
• Does not support conditional access, so this is an always-on feature.
Azure AD MFA
• Azure AD MFA with Premium licensing provides Microsoft’s full feature set
• Policy based
• Conditional access
• Users and groups
• Cloud apps and actions
• Conditions
• Sign-in risk
• Device platforms
• Locations (Trusted IPs)
• Grant / Deny
• Trusted IPs
• MFA monitoring
• Support for hardware OATH tokens
Passwordless Login
• Passwordless login is MFA that replaces passwords with a biometric or PIN plus a second factor.
• Passwords are replaced with 2+ verification factors secured with a cryptographic key pair.
• The device creates a public and private key when registered
• The private key can only be unlocked using a local gesture such as a biometric or PIN (the PIN is device specific)
Passwordless Login
• Microsoft supports three authentication methods
• Windows Hello for Business
• Phone sign-in with the Microsoft Authenticator app
• Security key sign-in with FIDO2 security keys
• No additional licensing other than what the prerequisites require
Teams Data Security
Teams
• Teams provides a single interface for collaboration using ‘backend’ technologies to store data
• You now need to consider several data locations when planning security and data backup
• Easy to share data in Teams, so you need to be concerned about data leaving your control
• Locking down Teams too much may make the tool less productive when communicating with partners or other external entities
• Balance between productivity and security
Teams Data Storage
Teams Item – Additional Storage Location/Notes
• Channel conversations – A process also saves a copy in a hidden Exchange group mailbox for compliance purposes
• Files shared during channel conversations – A SharePoint site is created for each team. A document library is created for each channel and files are stored there
• Emails sent to channels – Any emails sent to the channel email address are stored in a folder called “Email Messages” within the channel’s document library
• 1:1 chat messages – In a hidden folder within the user mailbox, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript
• Group chat messages – In a hidden folder within the user mailbox, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript
• Files shared during 1:1 and group chats – Users’ OneDrive for Business, in a folder called “Microsoft Teams Chat Files”
• Images shared during chats – Stored in a separate media store on Azure
• Meeting recordings – Stored in Stream, in the meeting organizer’s account, and automatically shared with all invited people; videos and meeting recordings in Stream are stored within the Stream service, itself an Azure-based service on top of Azure SQL, Blob, and Azure Media Services
• Files shared during a meeting chat – User’s OneDrive for Business, in a folder called “Microsoft Teams Chat Files”
• Chat during a meeting – Hidden folder within users’ mailboxes, only accessible via eDiscovery; each user maintains a separate copy of the chat transcript
• Teams uses OneDrive, SharePoint, Exchange, and Stream to store data
• Data can be stored in third-party services such as Citrix Files, Dropbox, Box, Google Drive, and Egnyte.
• Each storage location has its own recovery capabilities and retention policies.
External and Guest Users – SharePoint / OneDrive external sharing
• External users receive a link to the document or folder shared from a library
• Anyone
• New and existing guests
• Existing guests
• Only people in your organization
• A guest account is created in Azure AD for the external user
• Note the ability to limit external sharing to members of a specific group
• Inheritance from Org – can be modified at lower levels
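As an added example (not part of the deck), the four sharing options above mapped to the SharePoint Online PowerShell SharingCapability setting at the organization and site levels, plus a check for sites set above a chosen baseline; the tenant and site URLs are placeholders and Get-OverPermissiveSite is a helper name of my own.

```powershell
# Added example, not from the webinar deck. Needs the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint admin connection; TENANT and the Finance site URL are placeholders.
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'

# Slide wording -> SharingCapability value, ordered least to most permissive.
$SharingLevel = [ordered]@{
    'Only people in your organization' = 'Disabled'
    'Existing guests'                  = 'ExistingExternalUserSharingOnly'
    'New and existing guests'          = 'ExternalUserSharingOnly'
    'Anyone'                           = 'ExternalUserAndGuestSharing'   # includes anonymous links
}
$Rank = @{}; $i = 0
foreach ($v in $SharingLevel.Values) { $Rank[$v] = $i; $i++ }

# Organization level: sites and OneDrives inherit this and cannot be set more permissive than it.
Set-SPOTenant -SharingCapability $SharingLevel['New and existing guests'] `
              -OneDriveSharingCapability $SharingLevel['Existing guests']

# Lower level: tighten one Team's site (the URL is taken from the SharePoint admin center).
Set-SPOSite -Identity 'https://TENANT.sharepoint.com/sites/Finance' `
            -SharingCapability $SharingLevel['Only people in your organization']

function Get-OverPermissiveSite {
    # Lists every site whose sharing level exceeds $Baseline, for a periodic review of guest sharing.
    param([string] $Baseline = 'ExistingExternalUserSharingOnly')
    Get-SPOSite -Limit All |
        Where-Object { $Rank[[string]$_.SharingCapability] -gt $Rank[$Baseline] } |
        Select-Object Url, SharingCapability, Owner
}
Get-OverPermissiveSite -Baseline 'ExistingExternalUserSharingOnly' | Format-Table -AutoSize
```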
External and Guest Users – Teams external access
• Skype and Teams communication
• Open to all (default)
• Allow list / block list restrictions
• No guest account created in Azure AD
External and Guest Users – Teams guest access
• Allows external users to be members of your Team
• Guests are invited. When the invitation is accepted, a guest account is created in AAD
External and Guest Users – Teams guest user permissions
• Guest users are managed in the Teams admin center
• Limitations for Guests
• OneDrive for Business
• People search outside of Teams
• Calendar, scheduled meetings, or meeting details
• PSTN
• Organization chart
• Create or revise a team
• Browse for a team
• Upload files to a person-to-person chat
• Currently, Teams supports only State 1 and State 2 types of guest users as defined by Azure B2B
• Team Owners also have some control over Guest access in the Team
Managing Team Creation
• By default anyone can create a Team
• Without controls and training, the number of Teams in your organization can become difficult to manage
• Microsoft provides a way to limit who can create Teams. Information is found here:
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-creation-of-groups?redirectSourcePath=%252fen-ie%252farticle%252fmanage-who-can-create-office-365-groups-4c46c8cb-17d0-44b5-9776-005fced8e618&view=o365-worldwide
• Azure AD Premium licensing is required for users granted permission to create Teams
• This affects group creation in other services as well
Managing Team Creation
• The Azure AD Portal can control:
• group naming
• expiration for inactive Teams
The Team Owner Role
• Three roles
• Owner
• Member
• Guest
• Team Owners are the primary day-to-day managers of their Teams
• Team Owners manage features and business purposes of the Team
• Permissions specific to Team Owners are…
Using DLP to protect data
• Teams creates a SharePoint site with each new Team. Like any SharePoint site, DLP policies can be applied.
• Microsoft 365 and Office 365 E3 include DLP. DLP protection for Teams chat requires E5.
• DLP policies monitor email, documents, and chats for defined data types (e.g. financial, PII) and apply pre-configured actions.
Using DLP to protect data – Applying a DLP policy to a Team
• From the Security Center select DLP and create a new policy
• Select all sites or choose the Team site by finding the URL in the SharePoint admin center.
• Test to verify
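As an added example (not from the deck), the three steps above expressed in Security & Compliance PowerShell, with the policy created in test mode first so matches are reported before anything is blocked; the policy name and the Team site URL are placeholders, and the SSN type is one of the built-in sensitive information types.

```powershell
# Added example, not from the webinar deck. Needs the ExchangeOnlineManagement module
# (Connect-IPPSSession); policy name and site URL are placeholders.
Connect-IPPSSession

$PolicyName = 'Finance Team - PII'
$TeamSite   = 'https://TENANT.sharepoint.com/sites/Finance'   # URL found in the SharePoint admin center

# Steps 1-2: create the policy scoped to the Team's site (use -SharePointLocation All for all sites;
# -TeamsLocation would add chat coverage, which the slide notes requires E5).
New-DlpCompliancePolicy -Name $PolicyName `
    -SharePointLocation $TeamSite `
    -Mode TestWithNotifications        # step 3: report and show policy tips, but do not block, while testing

# Rule: documents containing an SSN that are shared outside the organization are blocked
# and the owner is notified; the match is reported at high severity.
New-DlpComplianceRule -Name "$PolicyName - block external SSN sharing" `
    -Policy $PolicyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -ReportSeverityLevel High

# Confirm the policy is still in test mode; switch to enforcement once the test reports look right.
Get-DlpCompliancePolicy -Identity $PolicyName | Select-Object Name, Mode, SharePointLocation
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```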
Using Retention Policies to protect data
• Retention policies are for compliance
• Use retention policies to keep data a minimum length of time or to remove older data
• Retention policies can be applied to specific locations (OneDrive or SharePoint sites), or you can choose Office 365 Groups and cover the group’s mailbox, site, files, OneNote, etc.
Using Azure Information Protection (AIP) to protect data
• AIP attaches security metadata to the document
• Protection travels with the data
• AIP is available with
• EMS E3 & E5
• M365 E3 & E5
• AIP uses labels to classify data
• Manually or by content
• Labels have security settings pre-defined
Using AIP to protect data
• Labels classify data
• Labels can be assigned manually by the document creator or through policy
• A document’s classification determines protection
• Azure Rights Management applies the security
Note – The Azure Information Protection client software needs to be installed for labels to be visible for user selection.
Azure Information Protection
Teams Data Recovery
• Microsoft uses Recycle Bins for data recovery
• SharePoint and OneDrive have 93-day retention
• Exchange Online has 14-day (up to 30-day) retention
• Stream has 30-day retention
• Recycle Bins are designed for single-item recovery
• Recycle Bins do not protect active data
• Cloud backup solutions (e.g. Barracuda) protect active data
• Third-party storage needs backing up separately
What we discussed today
• Secure data by:
• Using good identity security (use MFA!)
• Managing Teams membership (internal and guest users)
• Training Team owners to manage and monitor their Teams
• Controlling external sharing and use of third-party storage
• Using technologies such as DLP, AIP, and retention policies
• Using cloud backup services
Special Offers – Chris Riley
Governance within Microsoft Teams
Goal: To provide guidance for data management and security options and capabilities within Microsoft Teams
Consultation: System Source will meet with your IT staff to review the various configuration and security options within Microsoft Teams. The goal of the consultation is to provide guidance on where and how Teams data can be managed and secured so you can create and maintain the settings and policies that best fit your environment. This engagement does not provide training on how to use Teams; instead it is focused on governing your Teams environment. Within this engagement, System Source will review and provide guidance in the following areas:
Governance within Microsoft Teams
• Where Teams stores your data
  o Microsoft and third-party storage
• Who can access your data
  o Securing external and guest access
• Securing document sharing with policies, DLP, and/or AIP
• Using retention policies for compliance
• Who can create and manage Teams
  o The role of the Team Owner
  o Archiving Teams
• Policies controlling Team naming, expiration, and functionality
• Policies controlling Team meetings and Live Events
• Use of Apps, Bots, and Connectors in Teams
  o Who can add Apps, Bots, and Connectors to a Team or Channel
• Monitoring Teams activity, OneDrive and SharePoint
• Data backup
Fee: $1,348 for a half-day session
Microsoft Teams Adoption Training
Use Microsoft Teams to communicate and collaborate on teamwork
Step 1: Discovery: System Source will meet with you to understand your desired outcomes for your implementation of Microsoft Teams. The goal of discovery is to understand your intended use of Teams and internal policies that may dictate the topics we teach in class. We’ll review:
• Policies for external and guest access
• Where Teams stores your data
• Document sharing policies
• Calling capabilities
• Policies regarding Team creation, Meetings and Live Events
• Use of Apps, Bots, and Connectors in Teams
• Monitoring Teams activity, OneDrive and SharePoint
Step 2: Team Owner Training: System Source will train Team Owners to:
• Configure Teams and manage membership
• Set permissions
• Configure channels and tabs
• Use apps, bots, and connectors
Step 3: User Training: Using best practices, System Source will train your users to:
• Keep everyone in the know with chat
• Tailor your workspace to include everyday content
• Access, collaborate on and post files
• Manage calls and meetings
• Communicate in the moment, comment and “like” posts
• Use the Wiki
• View individual and team activity
Microsoft Teams Adoption Training
Step 4: Administrator Training: System Source will train one administrator using the 5-day course MS-700T00: Managing Microsoft Teams, covering:
• Overview of Microsoft Teams
• Overview of security and compliance in Teams
• Implement governance, lifecycle management, security and compliance
• Upgrade from Skype for Business to Microsoft Teams
• Plan and configure network settings
• Deploy and manage Teams endpoints
• Create and manage teams, including membership and access for external users
• Manage chat, collaboration, live event and meeting experiences
• Manage settings for Teams apps
• Manage phone numbers and Phone System for Microsoft Teams
• Troubleshoot audio, video, and client issues
Microsoft Teams Adoption Training
Steps 1-3: $2280 – Up to 25 Users, $4500 – Up to 100 Users
Optional Step 4: Administrator training: $2,476, a savings of $619
For registration or more information call 410.771.5544 x5
or email [email protected]
Q & A
Kindly complete the survey at the end of this webinar. We will use your feedback to help us improve.
A random winner will be picked from the completed surveys to receive a $25.00 Amazon gift card!
THANK YOU!