Are Your Team Messages Secure?
The team messaging market continues to grow, with nearly 60% of the approximately 600 companies participating in Nemertes Research’s annual unified communications and collaboration study either already using or planning to deploy such apps by the end of 2019. As team collaboration evolves from simple chat into a digital workplace hub -- integrating chat, calling, meetings, documents, and application data -- cybersecurity and risk management professionals are beginning to pay close attention to how information contained within their team management environments is protected.
Nemertes’ data shows that security concerns are currently the biggest inhibitor to team collaboration adoption. As most market-leading services are cloud-based, some organizations -- especially those in regulated industries or those that deal with classified information -- are still reluctant, or unable, to leverage team collaboration due to internal prohibitions on the use of cloud-based services.
This creates a situation in which IT is the barrier to allowing employees to use team collaboration apps to improve internal and external collaboration. When IT finds itself in the role of “Dr. No,” users often go around IT and use the apps they want to use without IT consent or control. The nature of cloud applications, allowing anyone to register for a free or low-cost account via a Web or mobile app, makes it especially difficult for centralized IT teams to control non-authorized application use.
Holding the Key
Of those organizations using team collaboration applications, only about one-quarter export messages to an external archive for classification and retention. The rest rely on controls provided by the team messaging vendor to enforce content access and retention policies. This approach often leads to concerns about how the team collaboration vendor manages encryption keys to control data access.
Over the last year, we’ve seen significant efforts by vendors to differentiate themselves based on their security model and their options for encryption key management. For example, Cisco and Symphony tout their end-to-end encryption models that provide customers with the ability to hold their own keys, or in the case of Symphony, place those keys into a third-party escrow. ArmorText focuses on high-security applications, with flexibility to maintain access to message stores even if a single device is lost or compromised. More recently, Slack, at its 2018 Frontiers events, announced plans to allow Enterprise Grid customers to manage keys via AWS’s key management capabilities (see related coverage, “Slack and Zoom: Bottoms Up”). The ability for organizations to manage their own encryption keys means that, in theory, the customer can restrict its application provider from accessing its team messaging data, alleviating a big enterprise concern around moving sensitive communications to the cloud.
Be My Guest… Or Don’t
Another security area worrying IT leaders is how to extend team collaboration workspaces across company boundaries. Today, most rely on supporting guest accounts. It may be possible to lock down guest access to ensure, for example, that no files are sent to a guest and that the guest access terminates after a set period of time. However, the more worrying aspect of guest access security is the opportunity for an enterprise’s own employees, using a guest account on another company’s service, to inadvertently share sensitive documents, bypassing well-constructed approaches for information protection. Replacing guest accounts with federation approaches, either natively offered by a team collaboration vendor or by using services like NextPlane and Mio, may offer a better means of controlling this potential security risk.
Beyond retention, encryption, and guest accounts comes the challenge of implementing integrations between business applications and team collaboration apps. Here, cybersecurity professionals are looking for approaches that not only control access, but can also identify potential hack attempts, both internally and externally.
At Enterprise Connect Orlando this month, we’ll dive more deeply into the challenges related to enterprise team messaging security. Please join me on Wednesday, March 20, in Osceola A at 3:00 p.m., for my session, “Securing Your Team Messaging Data.” The session will feature panelists from Cisco, Slack, Ribbon Communications, Symphony, and Oracle, who will talk about the risks, best practices for mitigating them, and how team collaboration vendors are continuing to differentiate based on their security capabilities. I look forward to seeing you there!