Revisiting Team Messaging Security

In my last No Jitter post, I discussed some of the challenges related to team messaging security, setting the stage for my session discussion last week at Enterprise Connect 2019 and foreshadowing Slack’s announcement that it now supports enterprise key management (EKM) to allow access control to team messaging data.

Slack EKM provides the same basic functionality already available from competitors including ArmorText, Cisco, and Symphony. Through EKM, customers manage their own encryption keys, meaning that they are in full control of their data and can lock data stores as necessary to address security issues such as breaches or data leakage. Slack customers, through the Amazon Web Services (AWS) key management server, are able to revoke access to individual channels, teams, or the entire customer instance of Enterprise Grid. Participants in our 2018-19 Team Collaboration study cited encryption and customer-held keys as important requirements in evaluating team collaboration platforms.

The move to cloud collaboration has been tempered in recent years by concerns that enterprises potentially lose or reduce control of their data as it moves into the cloud provider’s data center. That view toward security is evolving, with nearly half of participants in our 2017 UC study saying that they felt cloud security was better than what they could provide on their own, and 18% of participants in our 2018 study saying that security is a primary driver for moving to cloud unified communications and collaboration applications. As IT leaders struggle to keep up with constantly changing security threats, and as security spend continues to grow, cloud is increasingly seen as a means of protecting enterprise data cost-effectively.

The ability to manage encryption keys should alleviate enterprise concerns related to potential loss of control over data stored on the cloud provider’s servers. By giving enterprise customers control over encryption, EKM arguably provides the same level of data security that an organization maintains when keeping its data within its own data centers on its own encrypted servers. EKM should especially appeal to companies within regulated industries that in many cases have been unable to move data to the cloud for fear of exposure of sensitive customer or corporate information.

The topic of key management was a big part of our “Securing Your Team Messaging Data” session last week at Enterprise Connect. Panelists from Cisco, Oracle, Ribbon, Slack, and Symphony noted that encryption was key to an effective security strategy. They also provided the following recommendations as part of a broad security strategy:

  • Determine a Governance Strategy -- Managing data within a large enterprise messaging system may require a mix of centralized and decentralized strategies, potentially implementing key management, data loss prevention, and single sign-on controls companywide, while leaving administration of specific workspaces, channels, and team members to department or workgroup administrators.
  • Integrate Enterprise Mobility Management (EMM) -- With mobility being a major driver of interest in team collaboration applications, organizations should ensure that their team collaboration applications work in conjunction with their EMM providers, ensuring control of corporate data across mobile devices.
  • Evaluate Security Certifications -- Nemertes research participants cite a vendor’s security certifications as the most important criterion they evaluate when selecting a team collaboration provider. Look for common certifications like SOX, ISO/IEC 27001, HIPAA, and FedRAMP, and ensure that your providers can support regional regulatory requirements like GDPR.
  • Keep It Simple -- Security policies and approaches that make it difficult for people to use applications to collaborate will only drive workers to seek easier-to-use solutions, often ones that aren’t company-approved. It’s not easy balancing security needs and usability; however, it’s imperative that buyers ensure that security controls don’t impact ease of use.
  • Federate -- Guest accounts are still the norm for allowing outside people to participate in team spaces. However, guest accounts are difficult to manage, and when employees use guest accounts on outside services, they eliminate the ability of an organization to control file and data sharing. Instead, consider federation options, whether that be native capabilities provided by team collaboration vendors or third-party federation services like Mio, which won the 2019 Best of Enterprise Connect Award for innovation in collaboration, and NextPlane. If you must support guest accounts, consider whitelists to control access (e.g., only allowing guests from approved e-mail domains).
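
The guest whitelist suggested in the Federate item is easy to get subtly wrong, so here is one way to check an invitee's e-mail domain against an approved list. This is an added example, not code from the article or from any vendor named in it; the function names and the `.example` domains are assumptions constructed for illustration.

```python
from typing import Optional

# Constructed sample policy: partner domains approved for guest access.
APPROVED_GUEST_DOMAINS = frozenset({"partner.example", "supplier.example"})


def guest_domain(address: str) -> Optional[str]:
    """Return the normalized domain of an e-mail address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    # Require exactly one "@". Quoted local parts containing "@" are legal
    # in RFC 5322 but are rejected here as a conservative policy choice.
    if not sep or not local or "@" in local:
        return None
    # Case and a trailing root dot do not change which domain is meant.
    domain = domain.rstrip(".").lower()
    try:
        # IDNA-encode so Unicode look-alike labels become distinct "xn--"
        # labels instead of comparing visually equal to an approved name.
        domain = domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # empty or over-long label, or disallowed characters
    return domain or None


def guest_allowed(address: str,
                  approved=APPROVED_GUEST_DOMAINS,
                  allow_subdomains: bool = False) -> bool:
    """True only if the address's domain is on the approved list."""
    domain = guest_domain(address)
    if domain is None:
        return False
    if domain in approved:
        return True
    if allow_subdomains:
        # Match on a label boundary (".partner.example"), never a bare
        # suffix, so "evilpartner.example" does not pass.
        return any(domain.endswith("." + d) for d in approved)
    return False


if __name__ == "__main__":
    for addr in ("alice@partner.example", "bob@evilpartner.example",
                 "bob@partner.example.evil.test", "carol@eu.partner.example"):
        print(addr, guest_allowed(addr))
```

Exact matching is the default; subdomain matching is opt-in because it extends trust to every host the partner delegates under its domain.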

Team messaging security capabilities continue to evolve and improve. Be sure to conduct regular reviews of your provider’s capabilities to ensure that it’s able to meet your present and future requirements.

Comments

Great article, Irwin! I wanted to add a few quick notes to the above regarding data security. First - thanks for the chance to speak at the panel at #EC19! Hope you found the time as useful as I did!

I definitely want to echo what was said during the panel about 'Keeping it simple'. It's critical that as Collaboration products we provide as simple a management experience as possible. The fewer options and knobs that can be misconfigured, the better. With Cisco, we took this to heart by providing a tightly integrated solution for our on-prem KMS option, where we keep the server updated automatically for our customers (you can of course choose when the updates happen).

Also, I wanted to put out there that I believe there to be multiple critical dimensions to data security. The first, of course, is where the keys/secrets are kept. The second dimension is how the data is secured itself. We believe that it's critical to provide end-to-end encryption of content as well. The fewer points where data is unencrypted (and the fewer secrets that are used to encrypt any one piece of content), the less chance for compromise. This was a topic of discussion on the panel and bears repeating. The next question that follows of course is "doesn't that make other features like search harder?" - this too was raised on the panel. The answer is also: yes. But that doesn't mean we shouldn't do it. It is on us as collaboration products to offer both security and usability as features! Cisco Webex Teams has done just that: implemented end-to-end encryption, and also built search to account for this encryption.

Finally, I want to make sure I reiterate the importance of a set-and-monitor strategy. Like I said in my blog 2 weeks ago, the way users use tools changes over time. Security should protect users, not hinder them. So having a strong monitoring story is critical to know what's going on, and determine whether something untoward is happening.

Cheers! Jono Luk