19 Nov How Can You Collaborate Safely With External Parties in Microsoft Teams?
How Can You Collaborate Safely with External Parties in Microsoft Teams?
19 November 2021 · 4 min read
We are living in a time where productive collaboration in a hybrid work environment has become key. It also means that organizations need to think about different governance challenges when it comes to collaborating with external parties.
As Microsoft Teams has become the main platform for hybrid work, many organizations rely on it for external sharing as well. In Microsoft Teams, this is an easy and intuitive process. But it’s the security side of it that can present privacy challenges for organizations.
It doesn’t have to be this way. Here are some best practices from our end to ensure you have a safe and efficient collaboration process with external parties:
Get to Know Your Microsoft Teams Users
As you might have guessed it, Teams offers more than one way of sharing information with people outside your organization. Three to be more exact. That’s why understanding each one and being able to distinguish between is an important step in reaping the benefits of Teams collaboration.
- External Users are Teams users with very limited capabilities. They can set up calls, join meetings, and chat with each other. But they may not view, share, or access files across Teams domains.
- Guest Access users maintain many of the same attributes as External Users, but also gain the ability to view & share files and join group chats. These types of users are almost given the same Teams capabilities as native team members. One key limitation for users that fall under the Guest Access label is that they can only share content within the specific Team to which they’ve been added. This means they are restricted from joining and sharing in any other spaces.
- External sharing is used when you want users to have access to everything within your organization’s Microsoft 365 site. Using this feature, you can bypass Teams guest access and share files externally using SharePoint (if this is where your MS Teams files are stored)
All of this is great, but it lacks an important element: SECURITY.
The moment you allow guest users to collaborate with members of your teams, it automatically grants them access to all files that are shared within their Channels. That’s why it’s important to make sure that sensitive data is not stored in public teams.
Can Teams handle the potential security threats that come with external collaboration?
Well, while Microsoft 365 enables granular controls, they can be difficult to manage. Controls are spread out across different administration centers, making it difficult to set up proper security permissions for external sharing.
It becomes even more problematic when Teams, Channels, and projects or engagements cannot be properly tracked due to limited metadata. Because of this, projects and corresponding documents are not accurately secured for all internal and external users.
Currently the creation of a single team or Channel takes on average anywhere between 15 to 30 minutes. When this is done across thousands of projects or matters, it’s time consuming and prone to human error. On top of this, Teams also offers limited metadata for projects and matters. Imagine an organization with thousands of documents spread across departments, and risk teams unable to understand its business context.
With all this, users can end up having access to irrelevant, or even sensitive content, intensifying cyber risks. That’s why it’s important to implement a Zero-trust security model to ensure only the right individuals have access to content. As we like to say, the greater the extent of access, the greater the risk.
Track Guest Users & External Collaborators on Projects (Matters)
Document Management System (DMS) integration with Microsoft Teams provides easier access management capabilities. While Microsoft Teams does not offer the ability to properly track projects or associated matters, assigning custom metadata linked to a directory solves this problem. And automatic provisioning for Teams can result in consistent client and project (matter) IDs for easier content location and governance.
It also means that a Team or a Channel can be identified through its corresponding client or project/matter number. Tracking guest users to set up access controls and permissions becomes easier. It also limits inappropriate access for any guest user or external collaborator.
Private Channels to the Rescue
Using private channels and role-based permissions could tackle the challenges of guest users having access to sensitive files. When organizations provision Teams and Channels, they could create private channels where internal information could be shared and collaborated on. These channels could be for financial information or internal organizational collaboration. External and guest users could be added to the Team but would not have access to sensitive information.
Additionally, when provisioning users, administrators could assign role-based permissions with expiration dates and engage in recertifying access. If a user only needs to edit a document for one day and no longer needs access to the Team or Channel, then they could be granted access as editor with an expiration date of only one day. Administrators could also audit access and generate reports to check whether there is any inappropriate access.
Private channels, role-based permissions, and recertification of access strengthen governance and allow organizations to move towards a Zero-Trust security model for internal and external users.
Enforcing Information Barriers to Handle Sensitive Information
Dealing with sensitive data is a daily occurrence for most organizations. Although Microsoft 365 has powerful tools to enable Information Barriers for access to personal and other types of sensitive information, configuration of tenants for workspaces is still necessary.
IT administrators have the capability to add guest users at the tenant level. They can then use the Microsoft Teams admin center to manage access and permissions and obtain reports on guest user activity.
When organizations with multiple departments have different external sharing requirements and restrictions, the situation can get complicated pretty quickly. While these requirements and restrictions can be set up through the user interface, an organization’s IT team will find it quite difficult to keep track of all this. This can all be resolved through automating external collaboration access on a need-to-know basis.
To add to the challenge, enforcing such barriers requires complex PowerShell scripting. When scripting is required across hundreds or thousands of projects or matters, organizations will experience a surge in costs and inefficiency.
Every External Access has an “Expiration” Date
Once collaboration has ended with the guest or external user, organizations need to terminate Teams access. This needs to be carried out on time (upon project/matter ending) and across multiple projects (for all Teams & Channels in which access was provided).
The practice of de-provisioning access decreases liability for data shared and stored. It also increases overall content security whereby organizations control access on a need-to-know basis.
One last thing. If you’re thinking of doing all these manually in Teams, you’re already starting on the wrong foot. Addressing the security challenges of external sharing on Teams to its core, requires automating all the processes mentioned above. Something that can be easily done with Prosperoware CAM, the platform that will enable you to secure access for external collaboration while reducing cost & enhancing user efficiency.
How Prosperoware Helps
Prosperoware CAM is a Software-as-a-Service platform (SaaS) for adoption and governance of multiple collaboration systems. It allows organizations to provision, classify, protect, move, and govern data, mitigating data chaos and reducing risks related to privacy & cybersecurity.
CAM enables organizations to create logical locations for users to place data. It provides rich custom metadata, empowering users to locate documents, and risk management teams to understand business context in order to apply the right security & data minimization policies.
CAM integrates with Microsoft 365 (Microsoft Teams, SharePoint Online, OneDrive, OneNote, Planner, Lists,), iManage, NetDocuments, HighQ, files shares, and more to come.
Here is what CAM can do for you:
- Provisioning of workspaces, Teams, Channels, Lists, users & groups, and folders from Project Portfolio Management, CRM etc., or through a human workflow using readily available templates.
- Rich, custom metadata for project or document context.
- Unified project directory for content location for end users and risk management teams.
- Gain advanced templating ability to support complex business processes.
- Provision automatically or on-demand internal & external users, manage permissions across collaboration systems, and integrate with leading ethical wall systems.
- Data Loss Prevention (DLP) with activity monitoring and bulk security & metadata changes.
- Data protection by creating a separate archive of documents to access in case of incidents.
- Minimize data by setting automatic data disposition policies or apply litigation hold.