Digging In to Team Collaboration App Security

Organizations, especially those in regulated industries, have spent a great deal of time, money, and effort to build security strategies for their documents, email, and instant messages. But as team collaboration apps become the primary means of internal and even external collaboration, these apps represent a new challenge for security and risk management.

Nemertes Research's recently released study on team collaboration found that security concerns are the biggest inhibitor to team collaboration adoption. IT leaders expressed worry that they don't yet have a solid strategy for governance, and that cloud-based storage of potentially sensitive communications is risky, especially when data is subject to compliance regulations like GDPR and HIPAA.

Vendors in the team collaboration space are increasingly using security as a competitive differentiator. In his keynote at Enterprise Connect in March, Cisco Collaboration VP and CTO Jonathan Rosenberg discussed the company's end-to-end security model (for then Spark, now Webex Teams) called Breach Lock, in which data stored in the Cisco cloud is always encrypted. Even if an attacker manages to obtain customer data, they would still have to decrypt the data for it to be usable. Cisco isn't alone in stressing the importance of end-to-end encryption. Competitors like Keybase and Symphony also provide end-to-end encryption, touting it as a means of overcoming concerns related to storage of corporate communications in the cloud.

portable

End-to-end encryption may assuage the concerns of placing sensitive data in the cloud, but it doesn't eliminate them. Company data residing inside a cloud-based team collaboration provider's servers may still be vulnerable if the provider has the ability to decrypt the data on its own. To address these challenges, vendors like Cisco and Symphony provide customers with the ability to hold their own encryption keys within their own data center, or potentially with an escrow provider. In this scenario, the team collaboration provider would need the permission of the customer to decrypt data.

Most other team collaboration vendors only provide encryption at rest and encryption in motion, meaning that data stored in local clients or in the vendor's message repository is encrypted, and encryption schemes like TLS are used when exchanging data between the client and cloud. But these providers may decrypt customer data to process it (e.g. to support search, export to a third-party compliance service, to layer in additional functionality like application integrations, or to serve relevant ads for free customers). Vendors who do support end-to-end encryption either have limited search capabilities, or in the case of Cisco, have engineered a search mechanism that does not require them to decrypt customer data. I expect over time vendors like Microsoft and Slack will too implement end-to-end encryption for their team collaboration products, but they aren't there yet.

For organizations that still cannot store data in the cloud, even if using end-to-end encryption while holding their own keys, the only option then for taking advantage of team collaboration applications is to run on-premises software, typically based on open source, from vendors like Matrix, Mattermost, Rocket.Chat, and Zulip. But going this route eliminates the ability to integrate team collaboration apps with UC platforms for calling and video conferencing, and of course requires administrative and server resources to manage and run the app.

Of course there's more to securing team collaboration than just encryption. In our study, IT leaders tell us the most important team collaboration security features to them are:

  • Support for industry security certifications like FedRAMP, HIPAA, ISO 27001, and SOX
  • Ability to integrate team collaboration apps into a single sign-on solution that is also integrated with the corporate directory. This enables centralized provisioning and revocation of access as individuals join and depart the organization
  • Ability to maintain data in the country of origin
  • Support for exporting conversations to third-party archiving services like Actiance, Merge1, and Smarsh

portable

Another security concern is management of data stored on mobile devices. While vendors typically support encryption at rest of conversations in mobile clients, many organizations prefer to use a mobile device management platform (MDM) to control distribution and access to all company-provided mobile apps. Here you'll want to evaluate the ability of team chat applications to work with MDM solutions from vendors like AirWatch, Cisco Meraki, Good Technology (now owned by BlackBerry), Microsoft InTune, MobileIron, etc.

Finally, the last area of security to address is external access to team spaces. Most services provide the ability for IT or team administrators to set up guest accounts. Some go further by enabling federation between team collaboration instances, which allows organizations to preserve security controls even when their own employees are participating in team spaces controlled by a partner organization. If your enterprise is supporting the guest access model, you'll want to ensure you have procedures in place that terminate access for those who leave the partner, no longer need access to the space, or when the project is complete. If you have employees participating in team collaboration spaces via guest access, you run the risk of conversations in those spaces happening outside of your security and governance control.

Team collaboration is rapidly replacing email and instant messaging for both internal and external collaboration. Paying attention to governance, security, and compliance is a must to ensure a successful implementation.

Related content:

Follow Irwin Lazar on Twitter!
@imlazar