Managing Access for External Users in Teams: Mitigate Data Chaos and Ensure a Zero-Trust Security Model
07 July 2021 · 4 min read
With more than 145 million daily active users, Microsoft Teams has become the go-to collaboration platform for organizations moving to hybrid work. Teams allows organizations to collaborate on projects, engagements, matters – whatever you may call them – by organizing them into Teams and Channels. Teams’ features extend beyond facilitating internal collaboration, enabling organizations to invite external users and leverage Teams as an extranet.
Microsoft Teams is home to four types of users: Internal, Anonymous, External, and Guest users, with a fifth option – Teams Connect – on the way. These titles allow for varying levels of access and collaboration abilities both within and between organizations.
To optimize external collaboration, organizations should understand the access these users have and how to best manage them through Zero-Trust security.
Understanding the Types of Teams Users
Understanding the capabilities of the several types of Teams Users can help your organization designate specific levels of appropriate access to end-users.
Internal Users are employees of the organization. These users can access and edit documents across the organization. Administrators can assign different levels of access to Teams, Channels, and documents so that Internal Users have access on a need-to-know basis only.
Anonymous Users can access Teams Calls & Meetings without a Teams account. They show up in a call with the “Anonymous User” tag and can participate in the meeting just as any other user. But they cannot edit or access content. Anonymous User access is automatically enabled for Teams meetings — a potential security concern if an anonymous user drops in on a call that is meant to be private.
External Users are Teams users who belong to a license/domain separate from your own. External Users can set up calls, join meetings, and chat with each other. But they may not view, share, or access files across Teams domains.
Users with Guest Access maintain many of the same attributes as External Users, but also gain the ability to view & share files, and join group chats. Guest Users don’t need to have a Teams license because your organization’s license can allow an unlimited number of Guest Access Users.
Teams Connect is an upcoming feature that allows users to not only share, but collaborate on and edit documents with other users, and share entire Channels, regardless of which organization they belong to. Users that access these Channels through Connect gain all the abilities available to the native users.
Mitigating Data Chaos & Enabling Zero-Trust Security for External Users
Although Teams is enabling virtual collaboration for hybrid workplaces internally and externally, there are some limitations. These limitations affect adoption and governance, increasing data chaos and risks related to privacy and cybersecurity.
Complexity = Chaos
When initially deploying Teams, organizations should take great care in ensuring that end users cannot create Teams. Otherwise, there will be many Teams for the same project or engagement with different folder structures and naming conventions. As projects grow in complexity and number, so too does the potential for chaos. Users will be confused as to where to save their content and chaos will spread throughout the entire system.
A potential solution is enabling consistent provisioning for Teams and other collaboration systems. When organizations provision Teams, Channels, tabs, and more, with folder templates and naming conventions, users will know where to place files. Adding rich custom metadata will make it easier to search and locate content and will enable risk management teams to understand context so they can apply the right security policies and add the right external users to the right Teams and Channels.
The Risk of Inappropriate Permissions
When data is chaotic and there is no metadata to provide context or content location, the risk of inappropriate permissions is high. Administrators could add external or guest users to Teams and Channels that they do not belong to, exposing sensitive company information. Hackers could then use this vulnerability to gain access to the company’s Teams tenant, copying and stealing data, causing financial and reputational damage to the organization.
Using private channels and role-based permissions could tackle this issue. When organizations provision Teams and Channels, they could create private channels where internal information could be shared and collaborated on. These channels could be for financial information or internal organizational collaboration. External and guest users could be added to the Team, but would not have access to sensitive information.
Additionally, when provisioning users, administrators could assign role-based permissions with expiration dates and engage in recertifying access. If a user only needs to edit a document for one day and no longer needs access to the Team or Channel, then they could be granted access as editor with an expiration date of only one day. Later on, administrators could also audit access and generate reports to check whether there is any inappropriate access.
Private channels, role-based permissions, and recertification of access strengthen governance and allow organizations to move towards a Zero-Trust security model for internal and external users.
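The review described above (time-boxed role grants, recertification, and keeping guests out of private channels) can be run as a periodic check over an export of channel memberships. This is an added example, not code from this article or from Prosperoware CAM; the record fields, the 90-day recertification interval, and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed shape of one exported access grant (not a Teams or Graph schema).
@dataclass
class Grant:
    user: str
    user_type: str                      # "Internal" or "Guest"
    team: str
    channel: str
    private_channel: bool
    role: str                           # e.g. "owner", "editor", "viewer"
    expires: Optional[datetime]         # None = grant never expires
    last_certified: Optional[datetime]  # None = never reviewed

RECERT_INTERVAL = timedelta(days=90)    # assumed review cadence

def audit(grants, now):
    """Return (user, location, finding) tuples for guest grants needing action."""
    findings = []
    for g in grants:
        if g.user_type != "Guest":
            continue
        where = f"{g.team}/{g.channel} ({g.role})"
        if g.private_channel:
            findings.append((g.user, where, "guest in private channel"))
        if g.expires is None:
            findings.append((g.user, where, "no expiration date"))
        elif g.expires <= now:
            findings.append((g.user, where, "expired, revoke"))
        if g.last_certified is None or now - g.last_certified > RECERT_INTERVAL:
            findings.append((g.user, where, "recertification overdue"))
    return findings

NOW = datetime(2021, 7, 7, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample data
    Grant("alice@corp.example", "Internal", "Project-A", "Finance", True, "owner", None, None),
    Grant("bob@partner.example", "Guest", "Project-A", "General", False, "editor",
          NOW - timedelta(days=1), NOW - timedelta(days=2)),
    Grant("carol@partner.example", "Guest", "Project-A", "Finance", True, "viewer",
          None, NOW - timedelta(days=120)),
    Grant("dave@partner.example", "Guest", "Project-A", "General", False, "viewer",
          NOW + timedelta(days=1), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(*finding, sep=" | ")
```

A guest whose one-day editor grant lapsed yesterday is flagged for revocation, while a guest with a current grant and a recent review produces no finding.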
How We Help: Prosperoware CAM
Prosperoware CAM is a Software-as-a-Service platform (SaaS) for adoption and governance of collaboration systems. It allows organizations to provision, classify, protect, move, and minimize data, mitigating data chaos and reducing risks related to privacy & cybersecurity.
CAM enables organizations to create logical locations for users to place data and provides rich custom metadata capabilities to empower users to locate data and risk management teams to understand context so they can apply the right security and minimization policies.
CAM integrates with Microsoft 365 (Microsoft Teams, SharePoint Online, OneDrive, OneNote, Planner, Lists), iManage, NetDocuments, HighQ, and more to come.
Here is what CAM can do for you:
- Provisioning of workspaces, Teams, Channels, Lists, Users & Groups, and folders from Project Portfolio Management, CRM etc., or through a human workflow using readily available templates.
- Rich, custom metadata for project or document context.
- Unified project directory for content location for end users and risk management teams.
- Provision internal & external users automatically or on demand, manage permissions across collaboration systems, and integrate with leading ethical wall systems.
- Data Loss Prevention (DLP) with activity monitoring and bulk security & metadata changes.
- Data protection by creating a separate archive of documents to access in case of incidents.
- Minimize data by setting automatic data disposition policies or applying a litigation hold.