Team Collaboration: Weighing Security Concerns: Page 2 of 2

Who's Getting It Right?

Fortunately, team collaboration vendors seem to be on the mark with security, Lazar said.

As particularly good examples, he pointed to Cisco and Symphony for their end-to-end encryption models and because they let enterprises hold their own keys. These features are especially important for highly regulated organizations, he added.

UC analyst Zeus Kerravala, of ZK Research, agrees that Cisco's end-to-end encryption model, called Breach Lock, is a differentiator, as he explained in a recent No Jitter post. He wrote:

Almost every team collaboration vendor says it has end-to-end security, encrypting traffic in transit and at rest. But is that really end to end? The answer is, 'Not really.' The data coming in from the network may be encrypted, but then often needs to be unencrypted when it passes through servers, load balancers, and other infrastructure, and then is finally re-encrypted when it's at rest. Cisco's approach is to keep the encryption persistent across the entire path; this is why, should a breach occur, the data looks like garbage.

Cisco is able to take this approach because it allows its enterprise customers to hold their own encryption keys on premises. So a breach of the Cisco cloud would leave customer data unreadable.
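The difference between the two models described above can be shown with a small simulation. This is an added example, not code from the article or from any vendor; the function names, the constructed sample message, and the simplification of transport encryption to a single provider-held key are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// AES-256-GCM helpers: the 12-byte nonce and 16-byte tag travel with the ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString("utf8");
}

// Model A (hypothetical): transit + at-rest encryption. The provider terminates
// the transport encryption, handles plaintext, then re-encrypts with its own key.
function hopByHopProvider() {
  const cloud = { keys: { transit: crypto.randomBytes(32), atRest: crypto.randomBytes(32) }, store: [] };
  cloud.receive = (wire) => cloud.store.push(seal(cloud.keys.atRest, open(cloud.keys.transit, wire)));
  return cloud;
}

// Model B (hypothetical): customer-held key. The provider stores what it receives
// and holds no key capable of opening it.
function endToEndProvider() {
  const cloud = { keys: {}, store: [] };
  cloud.receive = (wire) => cloud.store.push(wire);
  return cloud;
}

// Breach simulation: everything inside the provider (stored blobs and keys) is exposed.
function breach(cloud) {
  return cloud.store.map((blob) => {
    for (const key of Object.values(cloud.keys)) {
      try { return open(key, blob); } catch { /* wrong key: GCM tag check fails */ }
    }
    return null; // unreadable with anything the provider holds
  });
}

function demo() {
  const msg = "Q3 merger terms (constructed sample message)";
  const a = hopByHopProvider();
  a.receive(seal(a.keys.transit, msg));
  const customerKey = crypto.randomBytes(32); // stays on premises, never uploaded
  const b = endToEndProvider();
  b.receive(seal(customerKey, msg));
  return { hopByHop: breach(a), endToEnd: breach(b), customer: open(customerKey, b.store[0]) };
}
```

In the first model the breach recovers the message because the provider holds the at-rest key; in the second the stored blob stays unreadable to anyone without the on-premises key.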

For those who may be unfamiliar, Symphony came to market in 2015 with a team collaboration solution aimed specifically at the financial industry. As such, security, privacy, and compliance have been top of mind since the get-go. "Our dedicated security team and independent third parties evaluate and test the security of our service," Symphony says on its website. "We conduct thorough vulnerability scanning and harden our systems with penetration testing."

Symphony not only lets customers hold their own keys as part of its end-to-end encryption model, but also boasts security policies informed by federal and international standards -- i.e., from NIST and ISO -- and holds certifications such as SOC 3 Type II and SOC 2 Type II. In addition, it offers an administration and compliance portal for deploying and managing security capabilities like single sign-on, MDM, and two-factor authentication, as well as exporting content for archiving and e-discovery purposes.

Additionally, Symphony purports to have gotten around search difficulties that come into play with end-to-end encryption schemes with the development of its own "unique" encrypted search solution that keeps data encrypted while executing search queries.

The end-to-end encryption models developed by Cisco and Symphony represent a use case Richard Stiennon, chief research analyst for independent research firm IT-Harvest, spelled out in a 2016 whitepaper. While the world "woke up" to the necessity of encryption in 2013, with the discovery that many government intelligence agencies were intercepting nearly all network traffic, none of the initial encryption at rest/encryption in transit solutions came "close to guarantying end-to-end security, a system where the provider has no ability to see data in transit or at rest -- a customer-controlled security model," he wrote. "And perhaps the greatest shortcoming," he continued, have been "those services that do indeed encrypt everything but do so with little or no concern about who controls the encryption keys."

This is an issue with which Microsoft, with Teams, is still grappling. While it encrypts Teams data at rest and in transit, it doesn't provide full end-to-end encryption in the manner of Cisco and Symphony. The ability for customers to hold their own security keys is on the roadmap, however, and in the meantime, per Microsoft policy, no employee can access customer data, even when trying to resolve an issue, without a formal request, Mark Longton, principal group program manager at Microsoft, told me in an email exchange.

Outside of encryption, Microsoft boasts a long list of security features for Teams. The company lays claim to being a compliance leader with EUMC, HIPAA, ISO 27001, ISO 27018, SSAE16 SOC1 Type I and II, SOC2 Type I and II, FERPA, and GLBA global standards, Longton told me. In addition, it offers central management and automatic provisioning through Office 365, with single sign-on and multi-factor authentication.

Further, Teams integrates with Microsoft Intune for mobile device and app management, which has features for compliance and litigation support, Longton said. Customers can do things like set archive policies for content; use compliance content search, e-discovery, and legal hold for channels, chats, and files in Teams; audit and report on all relevant Teams activities; and access the complete set of information protection features within their existing Office 365 environments, he added.

If GCU is any example, enterprise organizations appreciate the attention Cisco, Microsoft, and others are paying to security for their team collaboration apps. As Smith said, "Otherwise, we have a harder time being able to adopt those kind of tools."

What Enterprises Want

In fact, one of the things that has Smith pushing to go with Webex Teams is the company's attention to security. "I've been in the industry for over 25 years," he said, "so I'm very abreast of tech pertaining to on-prem solutions. But how do you go from spending millions on infrastructure to moving into a cloud-based infrastructure? The question is how do you get to the cloud and how do you deal with security [once there]? What happens to the level of control? How does it look?"

But in pitting Cisco against Microsoft in the team collaboration battle, it may not be security that's the ultimate decision factor at this point.
