Video Conferencing Showdown, Part 2: Microsoft Teams

Chelsea Sauder • May 08, 2020

In Part 2 of our Video Conferencing Showdown blog series, we’ll examine Microsoft Teams with respect to privacy, vulnerabilities, encryption, and user settings. Make sure to check out our first post in the Showdown where we reviewed Zoom.

Privacy

Like other vendors in the video conferencing space lately, Microsoft has been proactive about publishing information regarding privacy and its products. Their stance, specifically, is “At Microsoft, privacy and security are never an afterthought. It’s our commitment to you—not only during this challenging time, but always.” They further elaborate on the privacy controls available within Teams: 

Benefits of Microsoft Teams for Collaboration
  • You decide who from outside your organization can join your meetings directly, and who should wait in the lobby for someone to let them in.  
  • You can also remove participants during a meeting, designate “presenters” and “attendees,” and control which meeting participants can present content.  
  • With guest access, you can add people from outside your organization but still retain control over your data.  
  • Moderation allows you to control who is and isn’t allowed to post and share content.  
  • Advanced artificial intelligence (AI) monitors chats to help prevent negative behaviors like bullying and harassment. 
  • When recording a meeting, all participants are notified when a recording starts.
  • Recordings are only available to the people on the call or people invited to the meeting.  
  • Recordings are stored in a controlled repository that is protected by permissions and encryption. 

Microsoft also specifies what it calls their privacy commitments to you, saying they never use your Teams data to serve advertisements; they do not track participant attention or multi-tasking in Teams meetings; your data is deleted after the termination or expiration of your subscription; they take “strong measures” to ensure access to your data is restricted and carefully define requirements for responding to government requests for data; and that you may access your own customer data at any time and for any reason. 

There’s an overarching practice of privacy within Microsoft, and it’s well documented and published. They go further and diagram the architecture components within Teams and how data flows between them and where it ends up:
Microsoft Teams Privacy Diagram and Data Flow
Finally, there is documentation covering data residency locations for Teams data and it’s reasonable to infer that Microsoft abides by these. Overall, this is a very robust stance around user privacy protection, and it’s what one would expect from an experienced titan like Microsoft.

Vulnerabilities

Microsoft Teams is not, however, immune to threats and vulnerabilities. On April 27, 2020, researchers at CyberArk disclosed a Teams issue discovered in March that uses shared GIF images as a conduit to hijack other people’s Teams login credentials. Considering that Teams uses integrated authentication with Office 365/Active Directory versus a separate username/password, this has the potential to be quite a “keys to your company’s kingdom” problem – those credentials would work for that person’s Office 365 email, SharePoint, and other services.

Exploiting the vulnerability relies on a specific sequence of events, involving a user’s authentication token contained within a cookie sent to teams.microsoft.com. The problem occurs when the cookie/token is passed along to related downstream infrastructure components called subdomains, like foo.teams.microsoft.com, bar.teams.microsoft.com, or anything-at-all.teams.microsoft.com. CyberArk drew a fantastic diagram of the attack workflow as well: 
Microsoft Teams Attack Workflow Diagram
The biggest problems with this threat: first, it’s stealthy. It is completely silent to the attacked user. They have no idea they’ve ever been attacked. Second, it’s wormable – meaning it can spread automatically between users at a targeted company or be sent to Teams groups.

Fortunately, Microsoft worked quickly, correcting the affected subdomains and applying other mitigations before the vulnerability was made known publicly, and it is believed the threat is no longer viable as of this writing.
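To check your own web applications for the same class of exposure, the added example below (not code from the original post or from CyberArk) applies the browser's cookie domain-matching rule to Set-Cookie headers and flags session cookies that would travel to every subdomain. The cookie names, header values, and the stand-in host teams.example.com are constructed for illustration, and the Domain attribute is assumed as the mechanism that widens the cookie's scope; the post does not say how the Teams cookie was scoped.

```python
# Added example (not from the original post): which hosts receive a cookie.
from http.cookies import SimpleCookie

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the cookie domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")  # a leading dot is ignored
    return host == cookie_domain or host.endswith("." + cookie_domain)

def receives_cookie(set_cookie: str, origin_host: str, request_host: str) -> dict:
    """Map each cookie name to whether a browser would attach it to request_host."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    sent = {}
    for name, morsel in jar.items():
        if morsel["domain"]:
            # Domain attribute set: the cookie also goes to every subdomain.
            sent[name] = domain_match(request_host, morsel["domain"])
        else:
            # No Domain attribute: host-only, sent to the setting host alone.
            sent[name] = request_host.lower() == origin_host.lower()
    return sent

def audit(set_cookie_headers: list) -> list:
    """Return (cookie name, issues) for cookies with broad scope or missing flags."""
    findings = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            issues = []
            if morsel["domain"]:
                issues.append("sent to all subdomains of " + morsel["domain"].lstrip("."))
            if not morsel["secure"]:
                issues.append("missing Secure")
            if not morsel["httponly"]:
                issues.append("missing HttpOnly")
            if issues:
                findings.append((name, issues))
    return findings

# Constructed sample headers; teams.example.com stands in for the real service.
SAMPLE = [
    "session_token=constructed-value; Domain=.teams.example.com; Path=/; Secure",
    "ui_pref=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE):
        print(name, "->", "; ".join(issues))
```

A host-only cookie (no Domain attribute) stays with the host that set it, so a session token scoped that way never reaches sibling or child subdomains.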
 
Encryption

Because Teams is integrated into the Office 365 ecosystem, it rides upon SharePoint. Files are stored in SharePoint and are backed by SharePoint encryption. Notes are stored in OneNote and are backed by OneNote encryption. The OneNote data is stored in the team SharePoint site. Teams also enforces team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest. The Wiki tab content is also stored within the team SharePoint site.

Important: Teams private channels currently support only a subset of security and compliance features. 

Currently, all Office 365 client applications including Teams, Outlook, and Skype for Business use TLS for encryption, and the implementation specifics are publicly available to review. Of note is that connections using older TLS versions 1.0 and 1.2 are not blocked, but will be as of June 1, 2020. Microsoft further publishes a list of TLS cipher suites supported by Office 365 and therefore Teams, and all the listed cipher suites as of this writing are considered modern and of adequate cryptographic strength.

Lastly, because Teams uses HTTPS for transport, it is possible to conduct third-party analysis of the TLS parameters of the supporting infrastructure. One such example is an analysis by the venerable Qualys SSL Labs:
Qualys SSL Labs Microsoft Teams Report

User Settings

Teams supports an array of user settings like tagging, email integration, file sharing, and guest/external user access. What’s very nice about this is that they can all be centrally managed by a per-organization policy, rather than per-user.

Summary

Microsoft Teams is a worthy contender in the video conferencing and collaboration space, and the Office 365 ecosystem integration helps people be more productive with it. That said, it works best when your company is already riding on the Office 365 train – it doesn’t lend itself easily to the individual user like other standalone video conferencing applications do. Security and privacy benefit from this integration and from Microsoft’s expertise in providing the greater Office 365 service to an enormous number of businesses. The single sign-on integration, while convenient and in accordance with security industry best practices, means there is possibly no separation between your Teams account login and password and your work email and SharePoint credentials. This is usually fine if you’re using Teams only for work, but a personal meeting use of Teams for a virtual happy hour may unacceptably blur the line between “personal” and “work” – two information security realms for which you should heed The Offspring…and keep ‘em separated.

Come back next week (and each week in May) for another episode of Video Conferencing Showdown!