The growth of Microsoft Teams has been well documented during the “Work from Home” mode that a majority of corporations are in for the foreseeable future. As part of this fast adoption security & compliance concerns have arisen with enterprises in regulated industries. Last year, Craig Eidelman, with Microsoft, wrote a post “Getting Started with Securing Microsoft Teams” that establishes the security baseline that most organizations should be considering when adopting Microsoft Teams.
However, what if your organization has company policy or regulation requirement(s) that prohibit the posting/sharing of “sensitive information” in online tools. This can be a challenging requirement to meet for online collaboration tools but fortunately Microsoft 365 security tools allow organizations the flexibility to implement the needed control policies. Provided below are examples of different tools and policies that can be implemented to protect sensitive data from being posted in Microsoft Teams.
Let’s Start with Teams Chats
Within Microsoft Teams there are 2 types of chats: 1×1 chat and Channel Chat. In both of these scenarios it provides employees with the opportunity to post sensitive data for others to see. To tackle this scenario we will leverage O365 Data Loss Prevention functionality to build out a policy to prevent sensitive data from being posted. In my scenario, that I am keeping simple, I have built out a policy to prevent the posting of social security numbers.
More details on Microsoft Teams DLP can be found here.
But What About Uploading of Sensitive Documents….MCAS saves the Day
Just like the scenario above where employees may try to post sensitive text in a chat they may try to upload a document containing sensitive data. To help control this scenario I have built out a policy in Microsoft Cloud App Security (MCAS) that will quarantine the file from being shared with other employees due to the sensitive content.
More information on MCAS File Policies can be found here.
There you have it!!
A few simple policies to control sensitive data from being shared in Microsoft Teams if this is a requirement for your organization. While I kept the policies simple and straightforward for this post, you could build out additional polices or add to what are above to meet your organizations needs. As I wrap this up, I can think probably 5-6 other scenarios where I could create other policies to prevent the posting of sensitive data in Microsoft Teams.