Interview with Nolene LaNeve, Teams Engineering Senior Technical PM around Security in Teams
This past summer was extremely busy for the Microsoft Teams Engineering team, especially in the US Government space. They helped customers with a record number of net new deployments in the M365 US Gov Clouds: GCC, GCC High and DoD. End users wanted to collaborate with outside agencies, but in a way that kept their data secure. IT Admins wanted to know which configuration options best fit their organization’s security posture. CIOs wanted to lean in and give their workforce best-in-class technology, all while following US Government accreditation standards. The common theme in most questions asked by our customers was security. We recently sat down with @NoleneSLaNeve, a Senior Technical Program Manager and all-around security expert from Microsoft Teams Engineering, and asked her what the top five security questions asked by our US Government customers about Microsoft Teams are. After all, Nolene helped some of our larger Federal Agencies successfully deploy Teams and is known to many as the call quality expert. Interview by Rima Reyes.
1. File Sharing in a Team
Question: “How can I securely collaborate and share files with other trusted organizations inside of a Team?”
Answer: “The best and fullest collaboration experience in Teams is called Guest Access. Essentially, Guest Access allows your organization’s users to collaborate with trusted people outside of your organization on documents, tasks, channels, conversations, and other resources within a Team. When someone outside of your organization is added to a Team, this person is called a Guest. Guest users even have a richer experience in Teams chat! Before anyone can add a Guest to a Team, your IT Admins will need to configure a few things first in Azure Active Directory, the M365 Admin Center, the SharePoint Admin Center and finally the Teams Admin Center. (Everything for Guest Access is off by default.) What’s great about these configuration options is that it really gives IT Admins the power to ‘dial things up or down’ based upon how much you want (or don’t want) to share and with whom exactly your organization wants to share with. A great example of when Guest Access is appropriate is during mission focused activities, like coordinating with local authorities during a natural disaster or when multiple agencies need to be involved for a policy review. Another thing to note is that Guests in Teams are covered by the same compliance and auditing protection as the rest of Microsoft 365 and come with the added benefit of being centrally managed in Azure Active Directory.”
US Gov Cloud Caveats: “Guest Access for Azure AD and Teams is available in GCC. GCC High and DOD will have Azure AD and Teams Guest Access capabilities in the future (allowable only per the accreditation guidelines).”
2. External Access with Whitelisted Domains
Question: What is the best way to chat with another trusted organization in Teams without having to share files?
Answer: “If your organization just wants to chat with people outside of the organization, then configuring External Access would be key. External access is a way for your users to find, call, chat, and set up meetings with external domains in Teams. You can also use External Access to communicate with outside users who are still using Skype for Business (online and on-premises). External Access is a great way to start figuring out what cross-government agency collaboration looks like. It’s so lightweight and easy since no file sharing is at play here. IT Admins have the power to configure who they want their organization to talk to (or not talk to) all through the Teams Admin Center. External Access is also useful for government agencies with a small subset of users who happen to be in a location that has extremely low bandwidth (think being in the middle of a forest somewhere) and must still use Skype on Prem. External Access allows for these two entities to talk to one another even while in the same organization.”
US Gov Cloud Caveats: “GCC & GCC High users can set up External Access with each other and with organizations in Commercial. DOD agencies can set up External Access with each other only.”
3. Content Encryption
Question: How is content encrypted in Teams?
Answer: “Teams data is encrypted in transit and at rest. Microsoft also encrypts all of the data going between a user’s device and when it finally lands in a Microsoft datacenter. (Even between datacenters too!) Compliance data is also encrypted at rest in Microsoft datacenters, but it is done so in a way that allows organizations to decrypt the content if needed for compliance reasons, like running an eDiscovery case. The type of encryption that Teams uses for all chat messages is TLS (Transport Layer Security) and MTLS (Mutual Transport Layer Security). FYI, TLS and MTLS protocols provide encrypted communications and endpoint authentication on the internet. Teams media content uses a type of network protocol used for delivering audio and video called RTP (Real-time Transport Protocol) and SRTP (Secure RTP) to encrypt media traffic. When it comes to how other content in Teams is encrypted, remember that files are stored in SharePoint and are backed by SharePoint encryption. Notes are stored in OneNote and are backed by OneNote encryption. The OneNote data is stored in the team’s SharePoint site. IT Admins should become really comfortable with managing the other services in M365 as well, since Teams works in partnership with SharePoint, OneNote, Exchange, and more…”
4. VPN Split Tunneling
Question: Why is VPN split tunneling important for just Teams media traffic? How can US Gov organizations champion for this change?
Answer: “This is the question asked the most by our US Government customers. Most organizations we talk to think that they have to be the ones encrypting all traffic and content over the VPN, but in actuality that’s not the case, especially when Microsoft is already encrypting the content for you. (There is no value in double encrypting each packet of data.) In fact, many organizations run their Teams media traffic over the VPN as well, causing it to crumble and all but ensuring a poor user experience. Let’s envision an example of how VPN tunnels work. Imagine a 2-lane road. Rush hour has just started, so more and more cars are occupying this 2-lane road. The more cars, the slower everyone will move along the road. Cars represent packets of data. If there are too many cars on the road, other important traffic can’t get through. That’s why it’s important for traffic that doesn’t have to be encrypted by the customer’s network to be moved off the VPN, like Teams media traffic, since it’s encrypted anyway. Split tunneling VPN traffic enables segmenting traffic to be egressed to Office 365 via a direct Internet connection. My team always recommends that, at a minimum, organizations enable split-tunnel VPN for Teams media traffic to reduce VPN load. This ensures a high-quality experience for all media scenarios within Teams (and much happier end users with fewer help desk tickets). Teams Engineering made sure it was easier for customers to implement this since Teams only uses 4 UDP ports and 3 IP ranges for media traffic. In other words, it’s much easier to split out media traffic and take Teams media traffic off the VPN! Remember, we aren’t saying to remove all M365 traffic off the VPN, just Teams media traffic.”
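The split-tunnel advice above rests on one narrow exclusion: only UDP flows to the published Teams media ranges and ports leave the tunnel, and everything else (including other M365 traffic) stays on the VPN. The following added example, which is not code from the article or from Microsoft, shows how a defender can derive that exclusion list from endpoint data in the JSON schema served by the Office 365 IP Address and URL web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<guid>, with USGovGCCHigh and USGovDoD as the other instance names) and then check individual flows against it. The records embedded below are constructed for this example: the Teams media record mirrors the commercial-cloud values (three IP ranges, UDP 3478 to 3481) the answer refers to, the other two are filler to show the filter rejecting them, and the function names are my own. Pull the live list for your cloud instance before using it.

```python
"""Derive split-tunnel exclusions for Teams media from Office 365 endpoint data
and check whether a given flow should bypass the VPN (added example)."""
import ipaddress
import json

# Constructed sample modelled on the endpoint web service schema. Only the
# first record (Teams media, category Optimize, UDP) should leave the tunnel;
# the signalling record (TCP 443) and the SharePoint record must stay on it.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": true,
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"],
   "udpPorts": "3478,3479,3480,3481"},
  {"id": 12, "serviceArea": "Skype", "category": "Allow", "required": true,
   "urls": ["*.lync.com", "*.teams.microsoft.com"],
   "ips": ["13.107.64.0/18", "52.112.0.0/14", "52.120.0.0/14"],
   "tcpPorts": "443"},
  {"id": 31, "serviceArea": "SharePoint", "category": "Optimize",
   "required": true, "urls": ["*.sharepoint.com"],
   "ips": ["13.107.136.0/22"], "tcpPorts": "80,443"}
]
"""


def load_endpoints(text):
    """Parse the endpoint feed (a JSON array of records)."""
    return json.loads(text)


def parse_ports(spec):
    """Expand a port spec such as "3478,3479,3480-3481" into a set of ints."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def compact_ranges(ports):
    """Collapse a port set back into "3478-3481" / "80,443" notation."""
    out, run = [], []
    for p in sorted(ports):
        if run and p == run[-1] + 1:
            run.append(p)
            continue
        if run:
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
        run = [p]
    if run:
        out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))
    return ",".join(out)


def teams_media_exclusions(endpoints):
    """Keep only Teams (serviceArea Skype) Optimize records that carry UDP
    ports; that is the media traffic the answer says to take off the VPN.
    Returns a list of (ip_network, port_set) rules."""
    rules = []
    for rec in endpoints:
        if rec.get("serviceArea") != "Skype" or rec.get("category") != "Optimize":
            continue
        if "udpPorts" not in rec:
            continue  # signalling over TCP stays on the tunnel
        ports = parse_ports(rec["udpPorts"])
        for cidr in rec.get("ips", []):
            rules.append((ipaddress.ip_network(cidr), ports))
    return rules


def bypasses_vpn(rules, dst_ip, dst_port, proto="udp"):
    """True only for UDP flows whose destination matches an exclusion rule;
    anything else (TCP, other ports, other ranges) must stay on the VPN."""
    if proto != "udp":
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net and dst_port in ports for net, ports in rules)


def render_routes(rules):
    """Emit one vendor-neutral exclusion line per rule for review."""
    return [f"exclude udp {net.with_prefixlen} dst-ports {compact_ranges(ports)}"
            for net, ports in rules]


if __name__ == "__main__":
    rules = teams_media_exclusions(load_endpoints(SAMPLE_ENDPOINTS_JSON))
    for line in render_routes(rules):
        print(line)
    # A media flow leaves the tunnel; signalling on 443 and SharePoint do not.
    print(bypasses_vpn(rules, "52.113.1.1", 3478))           # True
    print(bypasses_vpn(rules, "52.113.1.1", 443, "tcp"))     # False
    print(bypasses_vpn(rules, "13.107.136.5", 3478))         # False
```

The point of `bypasses_vpn` is the negative cases: a flow to the same Microsoft range on TCP 443, or on an unlisted UDP port, is still carried over the VPN, which is the scope the answer describes (media only, not all M365 traffic). Re-run the derivation whenever the endpoint feed changes, since the exclusion list is only as current as the data it was built from.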
5. Meeting Security
Question: How can customers be assured they know who is in their meetings and not have any ‘uninvited guests’?
Answer: “Ever host an event where unexpected folks showed up and no one was checking their invites at the door? Sam’s 3rd cousin Vinny happened to hear about your party from his great aunt Myra. How did that even happen, right?! Teams can help you check a guest’s invite at the door before they come into the party! The Teams Admin Center has configuration controls that allow organizations to match meeting security to their specific needs.
We recommend the following configuration settings for Teams Meetings with external participants:
- In the Teams Admin Center, turn on the toggle for Anonymous Join. With this setting on, anyone can join the meeting as an outside user by clicking the link in the meeting invitation. Enabling anonymous join is only for Teams meetings and does not allow the sharing of files during a meeting with those outside of your organization.
- Outside users without a Teams account:
  - Must enter a name before joining the meeting.
  - Meeting chat is limited to text only.
  - Can join via the Teams mobile app, even without an already existing account (the app just needs to be installed on the phone before clicking the meeting link).
  - Cannot create or join a meeting as a presenter, but can be promoted to presenter after they join a meeting.
- Outside users with a Teams account:
  - Can choose to sign in before joining the meeting for a richer meeting experience. These users, if promoted to do so, can act as presenters.
- Think about using Azure Information Protection Labels in Outlook as an option for meeting organizers to apply classifications that do not allow forwarding of meeting invites.
- In the Teams Admin Center under the Meeting Policies section, most US Gov agencies use these configuration settings…”
US Gov Cloud Caveats: “GCC and GCC High organizations can enable anonymous join to allow outside users to join their meetings. DOD hosted meetings cannot be joined by users outside of the DOD.”
Deploying Teams Quickly and Securely
Bonus Question: What is the fastest way I can deploy Teams in my organization without missing anything important, all while focusing on security?
Answer: “We know these are trying times and want to make sure everyone has the best experience when working from home or in a remote environment. We know Teams can help with that better user experience. That’s why we have catered the ‘must do’ list for deploying Microsoft Teams in your US Gov organization! Check out the resource below!”
About the Author
Senior Technical Program Manager, Teams Customer Engineering
Nolene LaNeve is currently a Senior Technical Program Manager in Microsoft’s Teams Engineering Product Group. Nolene is a subject matter expert on media quality and reliability and specializes in ensuring organizations in highly-regulated industries can deploy and/or upgrade to Microsoft Teams and achieve superior media quality and reliability while maintaining necessary security requirements.
Prior to her role in Teams Engineering, Nolene was a Solutions Architect in the Skype Circle of Excellence, where she built the “Optimize Enterprise Communications” engagement and helped customers optimize their Skype for Business deployments, as well as migrate to Office 365.
Nolene came to Microsoft as a Premier Field Engineer, where she supported financial services and defense technology organizations, after being on the customer side as a lead application engineer at Raymond James Financial Services, as well as a mobility engineer at AVI-SPL.
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.