It’s time to write a post about Collaboration and Security because for some reason IT departments, Analysts and others have either lost their minds, or are clueless about what’s going on, and I think some people should be fired.
The blasé attitude to some very serious security concerns by all involved blows my mind. If I were running the Digital Strategy for some of these companies I would be handing out pink slips.
Zoom has been in the news for what to the naked eye looks like a “turn my camera on without my permission” issue, but is in fact much deeper.
Even once you uninstall the app, a web server was left in place that had permission to install an app which had full access to your camera, microphone on who knows what else…. by you clicking a web page link. It would go out to the network, download an installer and install it.
Let me extrapolate that for you: You walk into coffee shop, get on a plane or whatever and a hacker has set up a WiFi network with its own DNS server, web server etc. They pop up a “Hotspot login” that you click and this fools your local Zoom web server into going and grabbing the hackers install file and installing it. now you’re toast…No wonder Apple pushed a silent update to remove the software. If you don’t get how this could be a monster issue, then you should NOT be in your job.
Where was the IT Security department when this stuff cleared the security audit? A simple port scan would have found the server. Someone needs to be fired.
Next…Microsoft is out there telling people how widely deployed MS Teams is and telling IT Departments that they have fantastic Data Loss Prevention and Encryption facilities… and customers are deploying it en masse.
Except each instance of MS Teams’ discoverability and security lives on the underlying Exchange/ Sharepoint/ Onedrive infrastructure… These sit, siloed inside your O365 Tennant. There is no “federation” of email messages, Sharepoint files or Onedrive files. (Unlike Skype for Business that did in fact do federation)
This means than if your user is invited to collaborate on a project with a different company (which happens with me multiple times a week) then none of the Files, Text or other data you contribute can be monitored, seen or managed by your IT department.. because the data isn’t in your Tennant – its in someone else’s.
This means all your Office365 Security and Compliance Classifications, Labels, Sensitive info types and DLP Policies do not apply.
In the words of a CSO I met with just yesterday “I wish I had known about this before we rolled it out”. I hear this time and time again. Again, someone should be fired.
A policy in place in my org works just fine:
Until I collaborate with someone outside my organization:
Updated: Here is a full video walking through several examples of policy holes in Microsoft teams.
Similarly we’re told to add all kinds of integrations and Tabs to our Microsoft Teams. Bummer, the only things that the policy and retention applies to are Teams chats/messages, Exchange, Sharepoint and Onedrive. In your own Tennant. All bets are off when you’re off collaborating with external folks.
Even in your own Tennant, all the other tabs and apps are massive loopholes in your DLP you can drive trucks through – see “Locations” below to which a policy can apply:
The answer: Turn off external collaboration in Teams and use Email because then we can monitor files as well as messages.
Its 2019. Move to email? Are. You. Kidding. Me?
Someone needs to be fired.
“I wish I had known this before we rolled out Teams/Zoom” is a pretty shitty position to be in and I will bet big money none of these folks will come clean until their company data or machines is exploited and they’re.. fired.
There are all kinds of these sorts of issues that are issues explicitly in collaboration tools because they’re some of the few tools you MUST be able to use inter-org. By design they operate in the area where you are most vulnerable – where you are working with folks outside your organization – vendors, customers, partners or in the case of some companies either subsidiaries or even different departments in a city (Think Fire, Police each wanting their own control)
In 2019 you are badly deluded if you think you don’t need to collaborate across organizational boundaries. When it comes to critical data like M&A discussions for a company or ongoing clinical trials collaboration between drug company and the FDA or participant hospitals, THIS is where the value is and THIS is where the security issues are.
Security people: Get off your asses and do your job! Just installing the latest Collab shiny object without thorough vetting is putting your company data at risk.
Jeremy Laurenson 
The worse thing I’ve seen by security orgs,
Security: “Oh Microsoft has already been through our security vetting process so they’re good”.
Me: For which application?
Security: Office.
Me: But MS Teams is a collaboration app, it’s completely different from Word, Powerpoint, Outlook.
Security: Yes but it’s part of Office 365 and that’s approved.
Me: Virtual facepalm in my mind, whilst maintaining a nervous smile.
Security takes a back seat when people here the word “free” or “we are cheaper”. I guess now they might be looking harder at what the real cost is for placing trust in vendors who’s only selling points are those two phrases. Considering Zoom used a web server to get around a security feature in Safari they might also consider the real cost of “easy to use” as well. If I were a CISO I would be wondering if they created these hacks to get around very real security features what other hacks have they created in their infrastructure we can’t see or test for. I would also be wondering if this is how they react to a security researcher what if we do a pentest and find something will they actually do anything about it unless we expose them like he did. Something to think about at least.
This is why i love Cisco Webex Teams.
It’s not perfect, but you have one Control Hub where you can setup rules for external and internal communication.
And if you want, you can setup your own Key Server and the cloud only contains encrypted data.