In this article we show what working with Microsoft Teams looks like from the point of view of users, IT administrators and information security (IS) staff.
First of all, let's clarify how Teams differs from most other Microsoft products in the Office 365 offering (hereinafter, for brevity, O365).
Teams is only a client: it has no cloud application of its own, and it places the data it manages in various other O365 services.
We will show what happens "under the hood" when users work in Teams, SharePoint Online (hereinafter SPO) and OneDrive.
If you would prefer to move straight to the practical part on securing these services with Microsoft's own tools (about one hour of the total course time), we highly recommend watching our Office 365 Sharing Audit course, available at the link. Among other things, the course covers the sharing settings in O365 that can only be edited through PowerShell.
Meet Acme Co.’s Internal Project Team
This is how the Team looks in Teams after it has been created and its Owner, Amelia, has granted the appropriate access to its members.
The Team starts work
Linda assumes that only James and William, with whom she discussed the matter, will touch the file with the bonus payment plan that she placed in her Channel.
James, in turn, sends a link to this file to Emma, an employee of the human resources department who is not a member of the Team.
William sends a contract containing a third party's personal data to another Team member via a Teams chat.
We look under the hood
Zoey, thanks to Amelia, can now add anyone to the Team, or remove them from it, at any time.
Linda, when uploading a document with critical data that was intended for only two of her colleagues, chose the wrong Channel type when creating the Channel, and the file became available to all Team members.
Fortunately, there is a Microsoft application for O365 in which you can (using it for a purpose it was not really designed for) quickly see which critical data all users have access to, by testing with a user who is a member of only the most common security group.
Even if files are located inside Private Channels, this is no guarantee that only a limited circle of people will have access to them.
In the example with James, he gave Emma a link to the file, although she is not even a member of the Team, let alone of the Private Channel (if it was one).
The worst thing in this situation is that we will not see any trace of this in the security groups in Azure AD, because the access rights were granted to her directly.
The file with personal data sent by William will be available to Margaret at any time, not just while the chat is going on.
We climb in up to the waist
Let's go further. First, let's see what exactly happens when a user creates a new Team in MS Teams:
- A new Office 365 security group is created in Azure AD, containing the Team owners and members
- A site for the new Team is created in SharePoint Online (hereinafter SPO)
- Three new local groups (valid only inside this service) are created in SPO: Owners, Members and Visitors
- Changes are made in Exchange Online
MS Teams data and where it lives
Teams is not a data store or a platform; it is integrated with all the Office 365 services.
- O365 offers many applications and products, but the data is always stored in one of the following places: SharePoint Online (SPO), OneDrive (hereinafter OD), Exchange Online and Azure AD
- The data that you share or receive through MS Teams is stored on these platforms, not inside Teams itself
- This is where the risk lies, and collaboration only makes it grow: anyone who has access to data on the SPO and OD platforms can make it available to anyone else, both inside and outside the organization
- All Team data (except the contents of Private Channels) is collected on the SPO site that is created automatically together with the Team
- For each Channel that is created, a subfolder is automatically created in the Documents folder of this SPO site:
- files posted in a Channel are uploaded to the corresponding subfolder (named after the Channel) of the Documents folder of the Team's SPO site
- email messages sent to the Channel are stored in the "Email Messages" subfolder of the Channel folder
- When a new Private Channel is created, a separate SPO site is created to store its contents, with the same structure as described above for regular Channels (importantly, every Private Channel gets its own SPO site)
- Files sent via chats are saved to the sending user's OneDrive account (in the "Microsoft Teams Chat Files" folder), and the chat participants are granted access to them
- Chat and channel conversation content is stored in hidden folders in the user's and the Team's mailboxes respectively; at present there is no way to get additional access to them
Water in the carburetor, a leak in the hold
The main points to remember from an information security standpoint:
- Access control, and the understanding of who may be granted rights to important data, is pushed down to the end-user level. No full centralized control or monitoring is provided.
- When someone shares company data, your "blind spots" are visible to others, but not to you.
In the list of Team members (the security group in Azure AD) we do not see Emma, yet she has access to a specific file, the link to which James sent her.
In the same way, we will not learn about her ability to access the file from the Teams interface.
Can we somehow find out which objects Emma has access to? Yes, we can, but only by examining the access rights on everything in SPO, or on a specific object that we already have suspicions about.
Having examined those rights, we see that Emma and Chris have rights to the object at the SPO level.
Chris? We do not know any Chris. Where did he come from?
He "came" to us from the "local" SPO security group, which in turn includes the Azure AD security group containing the members of the Compensations Team.
Can Microsoft Cloud App Security (MCAS) shed light on the questions that interest us and give us the level of understanding we want?
Alas, no. Although we can see Chris and Emma, we cannot see the specific users to whom access was granted.
O365 access levels and techniques: the IT challenges
The simple process of granting access to data on file shares inside the organization's perimeter is not particularly complicated, and it leaves practically no opportunities to bypass the granted access rights.
O365, by contrast, offers many ways to collaborate and to reach data.
- Users do not understand why access to data should be restricted when they can simply hand out a link to a file that is accessible to everyone, either because they lack basic expertise in information security or because they neglect the risks, assuming they are unlikely to materialize
- As a result, critical information can leave the organization and become available to a wide range of people
- In addition, there are many ways to grant excessive access
Microsoft has probably provided too many ways to modify access control lists in O365. Such settings exist at the level of the tenant, sites, folders, files, the objects themselves and the links to them. Configuring the sharing settings is important and should not be neglected.
We offer a free video course of about an hour and a half on configuring these parameters; the link is given at the beginning of this article.
Without thinking twice, you could block all external file sharing, but then:
- Some features of the O365 platform will go unused, especially if some users are accustomed to them from home or from a previous job
- "Advanced users" will "help" other employees get around your rules by other means
Configuring the sharing capabilities involves:
- Different configurations for each application: OD, SPO, AAD and MS Teams (part of the configuration can be done only by the administrator, part only by the users themselves)
- Configurations at the tenant level and at the level of each individual site
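The two levels mentioned above interact in a fixed way: in SharePoint Online a site's sharing setting can never be more permissive than the tenant's, so the tighter of the two is what actually applies (the same rule applies to the OneDrive setting relative to the SharePoint tenant setting). The following Python script, added here as an illustration rather than taken from the article or from any Microsoft tooling, models that rule over a constructed tenant and site configuration and reports the weak spots an IS reviewer would look for. The level names are the `SharingCapability` values that the SharePoint Online PowerShell module accepts; the tenant and site records, the `contoso` placeholder URLs and the `critical` flag are assumptions made up for the example.

```python
# Added example: modelling how SharePoint Online tenant-level and site-level
# sharing settings combine, and auditing a constructed configuration.

# SharingCapability values, ordered from most to least restrictive.
LEVELS = [
    "Disabled",                         # only people inside the organization
    "ExistingExternalUserSharingOnly",  # guests already present in the directory
    "ExternalUserSharingOnly",          # new and existing guests, sign-in required
    "ExternalUserAndGuestSharing",      # anyone, including anonymous links
]

# Finding codes returned by the audit.
SITE_ABOVE_TENANT = "site setting is more permissive than the tenant and is not in effect"
ANON_LINKS_ON_CRITICAL_SITE = "anonymous links are possible on a site holding critical data"
ONEDRIVE_ABOVE_SHAREPOINT = "OneDrive sharing is set above the SharePoint level and is capped to it"


def effective_level(tenant_level, site_level):
    """The tighter setting wins: a site cannot exceed what the tenant allows."""
    return LEVELS[min(LEVELS.index(tenant_level), LEVELS.index(site_level))]


# Constructed tenant configurations: the permissive default many tenants run with,
# and a hardened one that still allows authenticated guest sharing.
TENANT_WEAK = {
    "SharingCapability": "ExternalUserAndGuestSharing",
    "OneDriveSharingCapability": "ExternalUserAndGuestSharing",
}
TENANT_HARDENED = {
    "SharingCapability": "ExternalUserSharingOnly",
    "OneDriveSharingCapability": "ExistingExternalUserSharingOnly",
}

# Constructed site inventory; "critical" is an assumed classification tag.
SITES = [
    {"url": "https://contoso.sharepoint.com/sites/CompensationsTeam",
     "SharingCapability": "ExternalUserAndGuestSharing", "critical": True},
    {"url": "https://contoso.sharepoint.com/sites/Marketing",
     "SharingCapability": "ExternalUserSharingOnly", "critical": False},
    {"url": "https://contoso.sharepoint.com/sites/CompensationsTeam-Bonuses",  # a Private Channel site
     "SharingCapability": "Disabled", "critical": True},
]


def audit(tenant, sites):
    """Return (scope, finding) pairs for settings that are ineffective or too loose."""
    findings = []
    tenant_idx = LEVELS.index(tenant["SharingCapability"])
    for site in sites:
        eff = effective_level(tenant["SharingCapability"], site["SharingCapability"])
        if LEVELS.index(site["SharingCapability"]) > tenant_idx:
            # Someone configured the site looser than the tenant; the setting is silently capped.
            findings.append((site["url"], SITE_ABOVE_TENANT))
        if site["critical"] and eff == "ExternalUserAndGuestSharing":
            # Anyone-links on a site with critical data: exactly the "link to everyone" scenario.
            findings.append((site["url"], ANON_LINKS_ON_CRITICAL_SITE))
    if LEVELS.index(tenant["OneDriveSharingCapability"]) > tenant_idx:
        findings.append(("tenant", ONEDRIVE_ABOVE_SHAREPOINT))
    return findings


if __name__ == "__main__":
    for name, tenant in (("weak", TENANT_WEAK), ("hardened", TENANT_HARDENED)):
        print(f"--- {name} tenant configuration")
        for scope, finding in audit(tenant, SITES):
            print(f"{scope}: {finding}")
```

With the weak tenant the only finding is the anonymous-link exposure on the Compensations Team site; with the hardened tenant that exposure disappears, and the audit instead reports that the site-level setting is now more permissive than the tenant and therefore no longer describes what users can actually do. That second finding is worth acting on too: a site setting that does not reflect reality is the kind of thing that misleads the next administrator.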
What this means for IS
As we saw above, the full and reliable picture of data access rights cannot be seen in any single interface.
So, in order to understand who has access to EVERY specific file or folder, you will have to build an access matrix yourself, collecting the data for it while bearing in mind the following:
- Team members are visible in Azure AD and in Teams, but not in SPO
- Team Owners can designate co-owners, who can then extend the Team membership on their own
- Teams may also include EXTERNAL users ("Guests")
- Links issued for sharing or downloading are not visible in Teams or in Azure AD, only in SPO, and only after tedious clicking through
- Access granted only at the SPO site level is not visible in Teams
The lack of central control means you cannot:
- See who has access to which resources
- See where critical data is
- Meet the requirements of regulations that demand services be planned with confidentiality of access at their core
- Detect abnormal behavior involving critical data
- Reduce the attack surface
- Choose an effective way to lower the level of risk based on its assessment
In conclusion, we can say that:
- For the IT departments of organizations that choose to work with O365, it is important to have qualified staff who can both technically implement changes to the sharing settings and explain the consequences of changing particular parameters, so that O365 policies can be written and agreed with IS and the business units
- For IS, it is important to be able to audit, automatically on a daily basis or even in real time, access to data, violations of the O365 policies agreed with IT and the business units, and the correctness of the access that has been granted, as well as to see attacks on each of the services in their O365 tenant
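The access matrix described in this list, and the Emma and Chris puzzle from the "Water in the carburetor" section, come down to one operation: resolving every principal that can reach a file, whether it arrived through the Team's Azure AD group, through an SPO site group that nests that Azure AD group, through a user added straight into an SPO group, or through a sharing link. The following Python script is an added example, not code from the article or from any Microsoft tool. It models the objects the article says are created with a Team (the Azure AD group and the SPO site's Owners/Members/Visitors groups), the chat attachment that lands in the sender's OneDrive, and item-level links, using constructed names and paths; the group and file inventory is entirely made up, and in a real tenant these inputs would have to be exported from Azure AD and SPO.

```python
# Added example: resolving effective access to Team files across Azure AD groups,
# SPO site groups and sharing links, then flagging access that the Team member
# list in Azure AD and Teams would never show.
from dataclasses import dataclass, field

# Azure AD: the Office 365 group created together with the Team (constructed).
# Entries prefixed "group:" are nested groups.
AAD_GROUPS = {
    "Compensations Team": {"Amelia", "Zoey", "Linda", "James", "William", "Margaret"},
}

# SPO: the Team site's three local groups (constructed). "Members" nests the Azure AD
# group; Chris was added straight into the SPO group, so he is invisible in Azure AD.
SPO_SITE_GROUPS = {
    "Owners": {"Amelia"},
    "Members": {"group:Compensations Team", "Chris"},
    "Visitors": set(),
}

ANYONE = "<anyone with the link>"   # stands in for an anonymous sharing link


@dataclass
class Item:
    """A file, its item-level grants and the sharing links issued for it."""
    path: str
    acl: set = field(default_factory=set)      # "user", "group:<aad group>" or "spo:<site group>"
    links: list = field(default_factory=list)  # (recipient, link kind); recipient "anyone" = anonymous


# Constructed inventory following the article's story.
ITEMS = [
    # Linda's bonus plan in the Channel folder; James sent Emma (not in the Team) a link.
    Item("Documents/Bonuses/bonus-plan.xlsx",
         acl={"spo:Owners", "spo:Members"},
         links=[("Emma", "specific-people")]),
    # William's chat attachment lives in his OneDrive; Margaret keeps a standing grant.
    Item("OneDrive/William/Microsoft Teams Chat Files/contract.pdf",
         acl={"William"},
         links=[("Margaret", "specific-people")]),
]


def expand(principal, chain=()):
    """Resolve a principal to {user: source chain}, walking SPO and Azure AD nesting."""
    if principal in chain:   # circular nesting guard
        return {}
    chain = chain + (principal,)
    if principal.startswith("spo:"):
        members = SPO_SITE_GROUPS.get(principal[4:], set())
    elif principal.startswith("group:"):
        members = AAD_GROUPS.get(principal[6:], set())
    else:
        return {principal: " -> ".join(chain)}
    resolved = {}
    for member in sorted(members):
        for user, source in expand(member, chain).items():
            resolved.setdefault(user, source)   # keep the first path found
    return resolved


def effective_access(item):
    """{user: how they got access} for one file: groups, direct grants and links."""
    access = {}
    for principal in sorted(item.acl):
        for user, source in expand(principal).items():
            access.setdefault(user, source)
    for recipient, kind in item.links:
        user = ANYONE if recipient == "anyone" else recipient
        access.setdefault(user, f"link:{kind}")
    return access


def outside_team(item, team_group):
    """Users who can reach the file but are not in the Team's Azure AD group: the blind spot."""
    team = set(expand(f"group:{team_group}"))
    return {u: s for u, s in effective_access(item).items() if u not in team}


def access_matrix(items=ITEMS, team_group="Compensations Team"):
    """Per-file matrix: {path: {user: (source, is_team_member)}}."""
    team = set(expand(f"group:{team_group}"))
    return {item.path: {u: (s, u in team) for u, s in effective_access(item).items()}
            for item in items}


if __name__ == "__main__":
    for path, row in access_matrix().items():
        print(path)
        for user, (source, in_team) in sorted(row.items()):
            flag = "" if in_team else "   <-- not a Team member"
            print(f"  {user:<10} via {source}{flag}")
```

Run on the constructed data, the bonus plan resolves to the six Team members plus Chris (reached through `spo:Members` directly, the path the SPO local group hides from Azure AD) and Emma (reached through a link, which only SPO knows about). The contract file shows Margaret's access as an item-level link on William's OneDrive, which is why it outlives the chat. The source chain recorded for each user is the piece of evidence the article says you otherwise only get by clicking through SPO object by object.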