kjkjb the ultimate guide to collaboration security

KJKJB

THE ULTIMATE GUIDE TO

COLLABORATION SECURITY & GOVERNANCE

An IT and Information Security Teams’ Guide to Collaboration Security in the Enterprise

www.unifysquare.com 2www.unifysquare.com 2

Introduction

What is Collaboration Security & GovernanceWhy Collaboration Security is Unique .......................................................Collaboration Security and the End-User ..................................................The Hidden Risk to Collaboration Security ...............................................What Isn’t Collaboration Security ...............................................................

Leaning Into Collaboration Security

Planning for Collaboration Security Policies .............................................Creating Alerts .......................................................................................................Analyzing for Policy Clues ...................................................................................Building a WSC Information Map ......................................................................

Evaluating the Digital Workplace for Policy Options ...............................Guest Access .........................................................................................................Workspace Ownership ........................................................................................Integrations and App Extensions .....................................................................Structure and Naming Conventions ................................................................Lifecycle Management ........................................................................................Classifications ........................................................................................................Training Users .......................................................................................................

Operationalizing Your Collaboration Security PoliciesImplement ....................................................................................................Inform ...........................................................................................................Investigate and Evaluate ............................................................................Operationalize .............................................................................................

The Three M’s of Collaboration SecurityMonitor .........................................................................................................Measure ........................................................................................................Manage .........................................................................................................Multiplatform Collaboration Security Preparedness ..............................

Conclusion

CONTENTS0304

08

18

21

24

5 667

1920 2021

22222223

888 9

1011 12 1314 1516 17

www.unifysquare.com 3INTRODUCTION

INTRODUCTIONEnterprise communication and collaboration is changing. In the past, IT teams tasked with managing a unified communications (UC) ecosystem were bridging the gap between messaging, telephony, and conferencing. Today, IT teams take that UC ecosystem and layer on a new collaboration model, one built on social networking constructs. By 2022, these workstream collaboration (WSC) applications will be mission-critical to 70% of teams who will rely upon them for persistent chat, file sharing, notifications, bots, and other features to get work done each day.

As team collaboration evolves from simple chat into a digital workplace hub — integrating chat, calling, video conferencing, documents, and application data — CISO’s,

cybersecurity personnel, and risk management professionals are struggling to protect information contained within these environments. The reality is collaboration security chaos already plagues far too many organizations.

Aggressive penetration of workstream collaboration platforms in the enterprise has shifted over 50% of team communications to these collaboration platforms. Yet nearly 33% of all organizations still lack the capability to prevent or deter an insider incident or attack related to workstream collaboration applications. As insider accidents and inadvertent data breaches increasingly become the norm, investing in strong collaboration security has never been more vital.

83% of security professionals believe that employees have accidentally exposed customer or business-

sensitive data at their organization, but 74% of C-level executives don’t think they’ve invested enough to mitigate the risk of insider threats.

www.unifysquare.com 4

WHAT IS COLLABORATION SECURITY & GOVERNANCE

Collaboration security boils down to managing risk across your workstream collaboration ecosystem. This covers a broad set of security-related areas: access and usage policies, app store management, user and channel management, and workflow automation. When collaboration security is done well, it will ensure lifecycle governance is in place across multiple collaboration and communication platforms – rather than only applying to a single platform. This collaboration security spotlight shines brightest on mainstream workstream collaboration platforms like Microsoft Teams, Slack, Cisco Webex Teams, and Workplace by Facebook, but can also periodically encompass parts of unified communications ecosystems as well.

Mitigating risk in the workstream collaboration space covers a large surface area because it goes beyond traditional file and email data loss prevention (DLP) to include newer data types like chat streams, comments, meeting transcripts, etc.

Addressing collaboration security isn’t just another information security checkbox: apply too lax of a policy, and your business data will be at risk, but if too strict of policy is used, your business data will be driven into shadow IT solutions. The end goal of collaboration security is the art of achieving the right balance of usability and security, a balance that varies from company to company.

In today’s digital workplace, information security paradigms have changed. The traditional castle and moat model of protecting data at the perimeter has given way to a cloud-centered model where the modern security perimeter starts and ends with the end-user. Because of your users, your data is alive, moving, and continually evolving. IT must develop in concert, actively engaging business units (and their end-users) to understand the risks and role users play in managing collaboration risk.

WHAT IS COLLABORATION SECURITY


Why Collaboration Security is UniqueWhen it comes to collaboration security, ignorance is not bliss. How can you adequately protect your data and your business if you’re never aware that a threat or vulnerability exists?

Preparing a framework and strategy is just the beginning. Collaboration and communication platforms pose constant risks that need to be monitored, measured, and managed efficiently. While it’s possible to apply a manual solution to this problem (e.g., address exposures through human intervention), such an approach is not sustainable or scalable. Approaching collaboration security effectively and efficiently requires intelligent software

TOO MANY APPS TO TRACK AND MANAGE

INADEQUATE PROTECTION FOR APPS AND DATA INSIDE MY PERIMETER

LACK OF SECURITY POLICIES ALIGNED TO MY APPS & DATA

COMPLEX POLICY CONTROLS DUE TO TOO MANY PRODUCTS

41%

32%

35%

37%

(whether you build it or license it), not only to manage problems as they occur but also to mitigate risk before an incident ever happens.



The goal of workstream collaboration platforms is end-user productivity, whereas the purpose of information security is to manage risk (unfortunately, often at the expense of usability). With these two goals seemingly at odds, what is the middle ground? The solution is to empower end-users to take the right actions with self-service security, which means IT must get comfortable moving away from a “command and control” approach to a “trust, but verify” model. This both reduces the burden on IT teams in the organization while allowing

users to remain compliant with policy that doesn’t inhibit day-to-day tasks.

With the proper planning, user training, and software tools, collaboration security can be adopted by an organization in a manner that lets users take advantage of new workstream collaboration features more efficiently — encouraging users to take ownership of managing the risk while reducing some of IT’s administrative responsibility. The net result is happy users with IT and security teams sleeping through the night.

Collaboration Security and the End-User

Risk can originate from several WSC platform starting points including files, chat streams, comments, and meeting transcripts. But the truth is that current and former employees are a massive high-risk area that is often overlooked.

24% of employees are unaware of their company security guidelines. Further, Millennials are twice as likely to install apps

not approved by IT. The result? 43% of data breaches (half of which are accidental) stem from employees.

As for former employees, 89% retain access to sensitive corporate apps like email, SharePoint, and Salesforce, and 49% of them access these ex-employer accounts after leaving the company.

The Hidden Risk of Collaboration

the biggest security threat comes from well-meaning but negligent end-users.

62% of IT workers say



What Isn’t Collaboration SecurityMost modern digital workplace organizations are already heavily invested in various sets of security software and services covering everything from identity and access management, phishing and malware protection, incident response, disaster recovery, and more. In other words, the security space is very well-trod ground for such long-standing, well-understood topics such as:

» Identification and access management

» Multi-factor authentication

» Denial of service attacks

» Defense against malicious hackers

» Incident response

While these areas and their software or hardware-based solutions likely have some overlap with securing pieces of the WSC platform equation, the platforms themselves actually create brand new threat vectors that need consideration. Think of collaboration security as filling critical gaps in the cloud security space to give an organization an extra layer of protection. Most of the current security solutions fortify the perimeter, but collaboration security mitigates insider threats (both malicious and accidental) by more closely monitoring end-user behavior, making it easy for end-users and IT to work together to ensure information is protected. The remainder of this guide focuses solely on collaboration security for workstream collaboration platforms.

95% of people using a CASB solution still feel vulnerable to insider threats.



In order to properly tackle collaboration security, the first thing to understand is the key difference between policies and procedures (or actions). Relatively speaking, the easy part of the collaboration security process is arriving at the policies. The hard part is getting buy-in from the various business units and end-users to adhere to these policies, thus making them ineffective.

Planning for Collaboration Security PoliciesThere are three different but highly combinable sets of preparation tasks that can be used to begin the process of arriving at collaboration security policies: alerts, analytics, and maps.

Creating AlertsSoftware tools can be set to trigger alerts based on when various thresholds are reached. For example, an alert set to fire whenever a workspace sits dormant

(unused) for more than 30 days could eventually be the precursor for a policy relating to workspace sprawl. Similarly, an alert regarding workspaces using similar words in the title could lead to a policy regarding naming conventions.

Analyzing for Policy Clues Extending the reliance on and complexity of software tools a step further is the concept of looking at more detailed analytics to help imagine policy needs. For example, a software tool that ran a regular risk assessment profile for workspaces based on a predetermined algorithm that evaluated current behaviors and configurations of the platform could help to highlight when or if a policy is required. This analysis can be amplified and made even more valuable to the entire organization if the software tool also assesses how a specific policy, if implemented, could work to either decrease or even eliminate the risk.

LEANING INTO COLLABORATION SECURITY



Building a WSC Information MapThe process of creating a workstream collaboration information map involves working with a team to come up with some examples of typical ways users collaborate. Many people struggle to answer this question, which highlights a significant problem: without some basic understanding of common WSC business scenarios, how can IT drive an informed strategy on managing collaboration security?

Once there is an understanding of how users work together, it’s essential to understand the complete set of entity relationships. To do this, create user entities and associated attributes, then create purposeful group entity/links, assessing the utility and risk. Finally, create dangerous group entity/links, and asses the risk and utility as well. This shouldn’t be an exhaustive process, but it’s a valuable exercise to align with business needs.


Example Business Alignment Exercise


Armed with your WSC Information Map and now knowing who, or what, may be behind the collaboration security risk, it’s easier to anticipate vulnerable areas. In arriving at policies it’s essential to evaluate not just the various collaboration application platforms, but how they are (or might be) being used for possible collaboration exposure so that you can understand the potential for risk in each area.

The following list is a good starting point for IT teams who are beginning to work through a set of initial collaboration security policies.

IT needs to have a general understanding of how to think about each of the following areas related to their applicability to the organization and the associated potential risk:

» Guest Access

» Workspace Ownership

» Integrations and app extensions

» Structure and naming conventions

» Lifecycle management

» Classifications

» End-user training

Evaluating the Digital Workplace for Policy Options


62% of business users report that they have access to company data that they probably shouldn’t see


Guest Access When it comes to potential data leaks, it’s essential to have a clear understanding of who has access to the workstream collaboration application platform. Discerning if there are guest users in a channel or team is significant not only for IT personnel but for everyone that is part of that workspace. Access visibility can help users know what to share and who they are sharing with.

Understanding the collaboration patterns and tendencies of an organization will help clarify who should genuinely have access to what, and who should be responsible and accountable for owning and monitoring that space.

In general, Microsoft is missing an overall permissions model (including guest access) between Teams, Office365 Groups, SharePoint, OneDrive, etc. IT teams should take extra precautions to properly configure guests in Azure AD, as well as remind their organization about shared files.

Understanding the collaboration patterns and tendencies of an organization will help clarify who should genuinely have access to what, and who should be responsible and accountable for owning and monitoring that space.

In general, Microsoft is missing an overall permissions model (including guest access) between Teams, Office365 Groups, SharePoint, OneDrive, etc. IT teams should take extra precautions to properly configure guests in Azure AD, as well as remind their organization about shared files.


Guest users may remain inactive for no more than three months.

Guest Access Policy Example:


Workspace OwnershipUsers (beyond just IT) with “owner” and “admin” roles have significant power within any given WSC platform system — often more than most administrators realize. For example, in Slack workspaces, admins and owners can create and manage user groups. However, any admin can change those settings, suddenly making it possible for every user within a workspace to create, modify, or disable user groups. Besides the obvious potential for abuse, allowing users to manage these permissions increases the odds of user error resulting in unintentional deletion of important groups. Finding the right balance between too many and

too few owners for creating, moderating, and managing user groups is a nuanced task. Evaluating data loss risk by having an individual cover the ongoing and consistent participation tracking can turn into an arduous and overwhelming task when it comes to large group-membership within a workspace. Assigning at least two owners to each workspace to assist with moderator responsibilities can help security teams stay on top of participation tracking. This approach can also be beneficial to prevent lapses and orphaned workspaces should a single owner leave the company or go on a lengthy and unexpected leave.


Workspaces must contain at least two owners.

Workspace Ownership Policy Example:


It’s important to evaluate applications and integrations and what role the app store should and will play in the productivity of end-users. Some apps read and edit data, while others are simply bots that provide updates from another application. IT should work with information security (InfoSec) teams to answer three key questions:

1. Is this app something end-users want?

2. Is the app trusted with the level of permissions it requests?

3. Does the app help end-users accomplish their work?

With the answers to these three questions in hand, it’s time to consider actually managing integrations and app extensions. Be aware, though, application management can be a massive headache to administer.

Each workstream collaboration platform has its own guidelines for integrations and third-party apps. Slack, for example, makes it incredibly easy for users to access and install the hundreds of applications available in their App Directory. Workplace by Facebook, on the other hand, only has a small fraction of integrations compared to Slack (at the time of publication) while the Microsoft Teams app count falls somewhere in the middle.


Integrations and app extensionsImplementation of an app store within an enterprise can often manifest two different potential organizational security strategies:

1. Create 100% free access to encourage usage and adoption, while potentially accepting damaging security risks.

2. Adopt an aggressive lockdown approach to prevent security breaches or data loss while creating end-user frustrations.

Third-party applications must be approved for business use.

Integration Policy Example:


Structure and Naming ConventionsIt is, by design, straightforward to create and name teams and groups within Microsoft Teams. A person who sees the glass as half-full likes this approach to help facilitate and drive user adoption. The glass-half-empty IT person may fear this tactic because sprawl and duplication (as well as GAL/AD confusion) can lead to extra policies and additional headcount to govern (and then

enforce) these policies. One best practice is to consider creating naming conventions for Teams and Channels. For example, large-scale Slack deployments often have naming conventions in place (and enforced by champions). In either case, IT teams should do the heavy lifting early on to help users understand best practices for team vs. channel creation.


All workspaces must abide by the WSC naming conventions.

Naming Convention Policy Example:


Lifecycle ManagementIn the above sections on access and ownership, we touched on the importance of having owners assigned to workspaces to help in the event someone leaves the company. This is only one small consideration in overarching lifecycle management. IT teams need to be prepared for lifecycle management as it is a key building block for end-user productivity. Many channels and teams will be project-based — there will be a beginning, middle, and end. That means the team or channel will experience a similar ebb and flow for how it is used, who uses it, and when it is no longer needed.

Having a plan for how to handle each part of a channel’s life is critical and helps prevent sprawl, unowned channels, oversharing, and more. Some companies struggle to put policies in place and end up not deciding on how to approach policies — not deciding

is still a decision. A concrete policy will be composed of a wide range of core governance policies which protect your company, while at the same time matching the culture and end-user enablement needs of the organization.

Lifecycle management policies can range from workspace expiration policies, user provisioning and deprovisioning, and more. Putting these policies in place will help guide users on how to interact with their workstream collaboration platforms while also serving to prevent security and compliance concerns.

As an example, to ensure that an organization does not have any “leave-behinds” who might be able to take advantage of company information shared on Workplace by Facebook after they have left the company, it’s a good idea to plan ahead for user provisioning and deprovisioning. In fact, this should be built into onboarding and offboarding processes for employees, just like it would be for email or any other company asset.

LEANING INTO COLLABORATION SECURITY 15www.unifysquare.com

Workspace creation only allowed by full-time employees.

Lifecycle Management Policy Example:


ClassificationsBringing together access and lifecycle management, the concept of classifications focuses on having a clear policy regarding how to classify teams/channels/workspaces in order to help steer people toward certain behaviors. Without clear classification policies in place, it may not be clear how

users should interact or who they’re interacting with. For example, if a workspace has confidential information and should therefore not contain guest users, specific naming and classification policies can guide users to avoid adding guest members.


Workspaces marked confidential shall not contain guest users.

Classifications Policy Example:


Training UsersWhen approaching collaboration security, IT teams should avoid making the mistake of assuming their users do not need any training or education. WSC applications are engineered to be approachable and easy to jumpstart with end-users. However, this initial simplicity belies the veiled threat of downstream danger. Without proper training, end-users may not know how to interpret policies in place, or more importantly, what those policies even are.

Training end-users can help cut down on accidental data leakage and oversharing.

Statistics point out that users are one of the biggest causes for concern, yet in a recent Teamwork and Collaboration research report, only 49% of IT teams reported providing training on WSC apps to their end-users. Conversely, the study also underscored that end-users crave more support from IT, with less than 4% declining training offered by IT.


Users are required to complete a WSC online training within the first two weeks of their onboarding to the new platform.

Training Policy Example:

www.unifysquare.com 18OPERATIONALIZING YOUR COLLABORATION SECURITY POLICIES

OPERATIONALIZING YOUR COLLABORATION SECURITY POLICIESAfter tackling how to think about collaboration security strategically, how to create a WSC Information Map, and the process of thinking through and creating your collaboration security policies, it’s important to take the next step. This next step covers how to create an effective collaboration security strategy that goes beyond policy definition and encompasses enforcement. When piloting collaboration platforms, it’s important to regularly tweak and adjust the policies that have been defined to make sure they are doing what they were designed to do, without being

too restrictive or too vague. But for many policies, once they’re dialed up and fine-tuned, automated scripting and enforcement can drastically reduce the burden on IT.

There are four key steps typically followed for policy implementation:

1. Implement

2. Inform

3. Investigate and evaluate

4. Operationalize


ImplementThere are many ways to go about making sure people adhere to policies, and there isn’t a one approach fits all scenario. Companies will need to consider whether to enable/disable, communicate, empower, enforce, or penalize at different levels depending on the type of policy.

OPERATIONALIZING YOUR COLLABORATION SECURITY POLICIES

Enable/Disable: Enabling and disabling a policy works well when IT teams may not be ready to work on the nitty-gritty of a particular problem, need additional time to create a more granular strategy, or know as a whole that something is too much of a security risk to enable for all end-users.

Implementation Example: Block all third-party applications at a tenant level.

Enforce: This is an option that allows a user to enforce a policy that has been put in place by IT. While similar to empowering a user, it may not necessarily include an elegant workflow but rather be the first line of defense in collaboration security. Sometimes, policies like this are better served through automation with third-party software.

Implementation Example: Forcibly remove an inactive guest from a workspace.

Communicate: Are users even aware of the policies created? Are managers and department heads aware that this particular usage is going on? Using communication to help clarify what policies are and why they are in place can be useful, especially early on in a platform’s internal use history.

Implementation Example: Inform workspace owners that the workplace lacks a second owner.

Empower: Does everything have to go through IT? In some instances, a user or a manager can be part of the workflow to offload some of the IT responsibility while also letting a user take direct action.

Implementation Example: Notify a manager to approve/deny a workspace creation request.

Penalize: If an end-user continues to do things outside of policy, there may need be to consequences. This can be useful when users are continuously increasing risk. Getting the user’s manager involved could be beneficial before a serious problem arises.

Implementation Example: Notify department head when policy compliance requires IT enforcement.


InformThe process of informing or notifying can be instituted after or even before the policies are implemented. The choice of order depends on IT’s decision regarding how tightly they want to maintain control in the implementation process. Notifications are sometimes built directly into a software tool or might take place simply via a series of IT originated emails. One key aspect of notifications is that they are directed both to the users affected as well as to the various owners of the WSC platform workspaces.

Investigate and EvaluateAs is the case with all good processes, there needs to be a break-in period created, after which the new policies can be individually

evaluated. Are they too strict, too vague, too open, etc.? Is compliance being achieved? Are they actually reducing the risk profile of the various WSC application platforms? Are they perhaps working, but also giving rise to a new shadow IT application which has been adopted by end-users to circumvent what are deemed to be too many (or too onerous) policies? Paying careful and diligent attention to the evaluation process will yield huge dividends when progressing into the fourth and final operationalize step. It is equally important to examine and revisit these policies not just during the break-in step, but regularly to ensure they’re necessary and doing what they were intended to do.



The traditional model of controlling user and application policies, as well as permissions, have been found to be too cumbersome or over-reaching in the modern digital workplace. The normal IT top-down governance approach can sometimes cause users to shift to some level of shadow IT solution as a workaround.

One new InfoSec approach being advocated encourages enterprises to be much more forgiving regarding how they allow user behavior to initially dictate policy, and to then subsequently manage and remediate collaboration issues after the fact.


THE THREE M’S OF COLLABORATION SECURITY

OperationalizeThe final step is to put everything into motion beyond just the pilot or start-up phase. This involves first adjusting the policy (or related policies) to ensure their effectiveness and to validate that they are constantly relevant. As part of this adjustment, there may need to be some exceptions approved for the policies. Once adjustments are made, IT teams should strive to automate the process completely.

Naturally for some companies or specific policies, IT may prefer to maintain the policy as a manual action. However, this is usually only applicable for very small organizations or for organizations who are piloting their collaboration security initiatives and looking to apply an initial high touch approach to how the policies are implemented.


This is what Unify Square calls the Three M approach (monitor, measure, and then finally manage) to collaboration security, which introduces a much more cooperative process for creating and implementing collaboration security policies. The model is a “trust, but verify” approach used to monitor and measure behavior, first watch how users are using the WSC platform, and then decide if the usage pattern fits comfortably within the InfoSec framework for the organization. Certainly, there will always be a minimum level of common-sense policies that get put in place from Day 1 to protect the organization. However, for grey areas which quite often arise with new technologies (such as workstream collaboration), this Three M approach is proving to be effective in applying gentle manipulations to steer and coax employees toward a set of IT decisions and policies, rather than pushing users towards the adoption of unapproved platforms and applications.

Monitor: Rather than just quickly

jump to a fix, IT first uses software tools

to observe what is occurring in the multi-

platform collaboration environment carefully.

Measure: Based on the analytics provided

by the software tools, IT can compare the

risk exposure profile that it sees with the

pre-defined Workstream Collaboration

policy. This then allows IT to measure and

report on whether any corporate policies

are being violated.

Manage: Both IT and end-users can jump

into action to either remediate or to create

a new policy if governance standards

are being exceeded. In many cases, with

proactive systems, either pre-defined

workflows or AI workflows from software

tools will be initiated well before any

human touch or intervention is necessary.

OPERATIONALIZING YOUR COLLABORATION SECURITY POLICIES www.unifysquare.com 22

Track and benchmark guest activity and measure the percentage of inactive guests.

Three M Implementation Example:


Multiplatform Collaboration Security PreparednessAs organizations move increasingly toward a portfolio approach for workstream collaboration platforms, it is not uncommon for two to three different WSC and UC platforms to be strategically in use at a given time in an enterprise. (For example, Microsoft Teams for internal collaboration and Zoom for external communication.) Not only are cloud solutions driving multi-vendor environments, but they are also usually simultaneously leading to reduced IT resourcing. IT is then left with increasing technology diversity being managed by fewer resources in the face of an increasingly independent and technically astute set of end-users. The result: IT management complexity and increased collaboration security exposure.

One obvious solution to this complexity and exposure is a software tool that offers consolidated solution management. Thus,

collaboration security policies created at a high-level can be pushed “down” to be applied at each individual platform level. At the same time, the process of monitoring and measuring can be implemented concurrently, looking at all app platforms in the entire environment. IT’s analysis of the organization will be able to verify collaboration security compliance at certain macro levels and then dive down into platform-specific breaches (and be able to identify where and why).

The advantages are obvious: It is significantly easier and more efficient to manage policies from a single console. Furthermore, enforcing security policies from a single control point ensures there is a single place to review and remediate all incidents, rather than a separate dashboard for each WSC platform. Lastly, many threats span multiple WSC platforms.



As IT and security teams battle an influx of unsanctioned tech, the manual work required to effectively manage users while mitigating risk is becoming increasingly complex and time consuming. With the traditional security perimeter growing increasingly porous, threats are no longer purely external — 91% of organizations feel vulnerable to insider threats.

Collaboration security is not just important — it’s paramount. In order to properly embrace collaboration security, IT and security teams should look to collaboration security tools that make it easier for users to take the right actions while streamlining the organization’s governance of workstream collaboration platforms as a whole.

CONCLUSION

CONCLUSION

91% of organizations feel vulnerable to insider threats

kjkjb the ultimate guide to collaboration security

Documents