
Understanding Microsoft Teams Security & Compliance features and plan for Governance



Delivered a session focusing on Microsoft Teams at SharePoint Saturday @ Chennai.


This session provides an overview of Microsoft Teams, focuses primarily on the security and compliance features available with Microsoft Teams, and also shows how you can plan for governance in Teams.



  1. Understanding Microsoft Teams Security & Compliance features and Plan for Governance. Ravikumar Sathyamurthy (@shakthiravi), Microsoft MVP | Office Apps & Services. 09/02/2019
  2. Agenda
     • Microsoft Teams Overview
     • Understanding Security and Compliance for Teams
     • Planning for Microsoft Teams Governance
     • Learning Resources
     • Demo
     • Q&A
  4. The Modern Workplace vs. The Classic Workplace
  5. Work-life blur; more mobile; tech savvy; multiple devices; digital generation; fast paced
  6. Microsoft 365 = Office 365 + Windows 10 + Enterprise Mobility + Security: a complete, intelligent solution that empowers everyone to be creative and work together, securely. Pillars: Unlock creativity; Built for teamwork; Integrated for simplicity; Intelligent security
  7. Microsoft 365: Universal Toolkit for Teamwork
     • Hub for Teamwork: Teams
     • Co-Author: Office Apps
     • Connect Across the Organization: Yammer
     • Intranets & Content Management: SharePoint
     • Email & Calendar: Outlook
     • Office 365 Groups: single team membership across apps and services
     • Microsoft Graph: suite-wide intelligence connecting people and content
     • Security and Compliance: centralized policy management
  8. Microsoft 365 Teamwork: Where to start a conversation. Office 365 Groups; Inner Loop; Outer Loop; Files, Sites, Content (SharePoint); Email
  9. Microsoft Teams
     • Chat for today's teams: communicate in the moment and keep everyone in the know
     • Customizable for each team: tailor your workspace to include content and capabilities your team needs every day
     • A hub for teamwork: give your team quick access to information they need right in Office 365
     • Security teams trust: get the enterprise-level security and compliance features you expect from Office 365
  10. Communicate through chat, meetings & calls; Collaborate with deeply integrated Office 365 apps; Customize & extend with Office 365 apps, 3rd party apps, processes, and devices; Work with confidence: enterprise-level security, compliance, and manageability
  11. Service stack: Teams clients; Teams Services; Skype Infrastructure; Office 365 platform and services; Azure
     • Teams and Skype for Business Admin Tools: controls for managing communications and Teams-specific features
     • M365 and Azure AD Admin Tools: controls for Groups, Identity, Licenses, Access
     • Security & Compliance Admin Tools: controls for managing Security & Compliance across M365
  13. Security by design
     • Data encryption at rest and in transit
     • Dedicated security professionals
     • Threat models, security reviews, automated security tools
     • Penetration testing with regular rotation of 3rd party penetration testers
     • All keys stored in Azure Key Vault
     • Admin: screening, training, access control
     • Host: access control, anti-malware, patch management, AAD Modern Authentication
     • Network: firewalls, edge routers
     • Facility: physical controls, video surveillance, access control
     • Bug Bounty Program (we pay friends, hackers and researchers to find security bugs)
     Privacy by design
     • Data stored in-region based on tenant affinity
     • No customer content accessible in logs or telemetry
     • Grant least privilege required to complete the task
     • Dedicated privacy professionals
     • Adhere to Office 365 data classification and data handling standards
     • Access to production environments is locked down
     • GDPR
  14. How compliant is Microsoft Teams?
     • More than 950 Office 365 controls: access control; auditing and logging; identification and authorization; awareness and training; continuity planning; incident response; risk assessment; communication protection; information integrity; deployment approvals and management
     • Ongoing compliance processes: recurring audits like SOC, FedRAMP, ISO, plus independent verification
     • Microsoft Teams certification: Microsoft Cloud Services verified with international, regional and industry-specific standards and terms
     • Strong privacy and security commitments: ISO 27001; ISO 27018; EU Model Clauses (EUMC); GDPR; HIPAA Business Associate Agreement; SSAE 16 SOC 1 & SOC 2 reports; FedRAMP Moderate and High; IRS 1075; UK Official (IL2); Health Information Trust Alliance (HITRUST)
     • Contractual commitment to meet US and EU data residency requirements
     • Audit reports for the Microsoft compliance standards are available for download
  15. Security and compliance capabilities (Capability: Description; all marked Available Today)
     • Archive: any content stored in any Teams-related workload needs to be preserved immutably.
     • Compliance content search: any content stored in any workload can be searched through rich filtering capabilities and exported to a specific container for compliance and litigation support.
     • eDiscovery (messaging/files): rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help customers simplify the eDiscovery process, quickly identify relevant data and decrease cost and risk.
     • Legal hold: when any team or individual is put on In-Place Hold or litigation hold, the hold is placed on both the primary and the archive messages (no edits or deletes).
     • Auditing and reporting: all Team activities and business events must be captured and available for customer search and export.
     • Conditional Access and Intune MAM: ensure that access to Microsoft Teams is restricted to devices that are compliant with IT admin or corporate policies and security rules, both for the Teams apps and the services they use under the hood. Includes Mac support for Conditional Access as well.
     • Moderator support: the ability for a moderator (owner of the team) to delete inappropriate data from any user in the team and to mute users in a team/channel.
     • Windows Information Protection: WIP, previously known as enterprise data protection (EDP), helps protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps protect enterprise apps like MS Teams.
     • Allowed list of apps: an admin can control the list of 3P apps (bots, connectors, tabs) that can be used by end users within a tenant.
     • Retention / preservation: help organizations reduce the liabilities associated with messaging. The customer can configure their tenant to retain data for a fixed period of time or retain it with unlimited storage for different Teams workloads.
     • eDiscovery (calling/meetings): rich in-place eDiscovery capabilities including case management, preservation, search, analysis and export to help customers simplify the eDiscovery process, quickly identify relevant data and decrease cost and risk.
     • Data loss prevention (DLP): identify sensitive data stored or being transferred within or outside of the customer organization in Teams, to intercept and prevent leakage for files and chat/channel messages.
     • Advanced Threat Protection: support for safe files and safe links in Microsoft Teams to protect your organization from malicious attacks with the power of Office 365 Advanced Threat Protection.
     • Business information barriers: prevent exchanges or communication that could lead to conflicts of interest (a.k.a. ethical walls).
     • VDI: virtual desktop support for Teams to serve requirements of regulated industries and users with virtual desktops.
  16. Data residency. Our promise: if the customer provisions its tenant in Australia, Canada, the European Union, India, Japan, the United Kingdom, or the United States, Microsoft Teams will store the following customer data at rest only within that geo:
     • Microsoft Teams chats, channel messages, images, voicemail, and contacts
     • SharePoint Online site content and the files stored within that site
     • Files uploaded to OneDrive for Business
     Datacenter regions on the map (legend: in region, in country, US Gov). Americas: Canada East, Canada Central, North Central US, East US, US Gov Arizona, US Gov Texas. EMEA: Dublin, Amsterdam, UK West, UK South. APAC: East Asia, Southeast Asia, West India, Central India, Japan East, Japan West, Australia East, Australia Southeast. 181 countries | 40 languages (note: Hebrew and Arabic RTL languages now supported).
  17. The compliance boundary is where Microsoft can manage the security and privacy of customer data. Microsoft Teams and the standard Teams user (browser, desktop, mobile) sit inside it; the following cross it (key: 2-way communication, inbound data, outbound data):
     • Guest user: guest added via AAD B2B
     • Anonymous join to a meeting: anonymous user joining a meeting
     • Federation communication: communication between multiple tenants
     • Email a channel: data posted to a channel
     • Connectors: data posted to a channel
     • Apps/Bots: any third-party app/bot or line of business app is hosted outside the compliance boundary
     • Tabs: any third-party tab is hosted outside the compliance boundary
     • Calling Plan (PSTN): enables inbound/outbound calling outside the organization
     • Push Notifications (Mobile): push notifications to Apple or Google to notify the mobile client
     • Other cloud storage (3rd party): optional Box, Dropbox, Google Drive, Citrix Fileshare
     • Graph API: Graph APIs can be exposed to line of business apps or 3rd party apps
     • Giphy: query to Giphy
     • URL Preview: get a preview of a URL that is posted to a message
  18. Key data entities and the location where data is stored at rest (Entity: Storage)
     • Image: Media service on Azure (using Blob storage); ingested to Exchange to enable compliance
     • Files: team files in SharePoint; chat files in OneDrive for Business
     • Voicemail: individual mailbox in Exchange
     • Message: chat service table storage (moving to Cosmos DB); ingested to Exchange to enable compliance
     • Recording: Media service on Azure (using Blob storage) (<24 hours); encoded to Stream
     • Calendar meeting: individual mailbox in Exchange
     • Contacts: Exchange
     • Telemetry: Microsoft data warehouse (no customer content)
  19. How Teams enables information protection: ingestion flow of Teams data to both Exchange and SharePoint for Teams files and messages; ingestion flow of Teams meetings and calling data to Exchange
  20. For the full Microsoft Teams experience, every user should be enabled for Exchange Online, SharePoint Online, OneDrive for Business and Office 365 Group creation. Feature support by Exchange environment (marks per feature column, in slide order):
     • Exchange Online: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
     • Exchange Online Dedicated vNext: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
     • Exchange Online Dedicated – Legacy: Yes (must be on allowed list); ✕; ✕; Yes (must be on allowed list); ✓; ✕; ✕; ✓; ✓; ✕; Yes (Exchange 2013+)*; ✕; ✓; ✓
     • Exchange on-premises: Yes (must be on allowed list); ✕; ✕; Yes (must be on allowed list); ✓; Exchange 2016 CU3 or later; ✕; ✓; ✓; ✕; Yes (Exchange 2013+)*; ✕; ✓; ✓
  21. Retention policies for Microsoft Teams (Feature: Availability)
     • Retention policies for Teams chat and channel messages (includes the ability to target specific Teams for channel messages and users for 1xN chat): Now
     • Support for retention policies for Teams files: Now
     • Support for preservation and deletion policies > 30 days: Now
     • Support for deletion policies under 30 days: Coming soon
     • Support for advanced retention settings: Future
  22. Data loss prevention (DLP) in Teams
     • DLP mode: passive; intercept
     • Sharing of data: internal; external
     • DLP provider: Microsoft; 3rd party
     • Protection: messaging; files
     Top scenarios:
     • Files protected through OneDrive and SharePoint DLP
     • Support for Office 365 DLP (80 sensitive types supported)
     • Support for 3rd party DLP providers through: a Graph webhook (an event API) to listen to all Teams messages via an admin-approved 3rd party app; the Graph API to update a message with a DLP violation
  23. Information barriers are designed to properly control the flow of information from one part of the organization (IB group) to another (IB group) to avoid conflicts of interest.
     • Workloads involved: Teams; OD4B, SPO; Exchange
     • Proposed scope scenarios: Group A cannot communicate with Group B; Group C cannot communicate outside of its group
     • Events that require IB policy evaluation: add member to a Team (or underlying group); new 1xN chats; join team meeting/call/screen sharing
     • Retroactive scenarios for IB policy changes: existing chat threads; membership in a Team
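The two proposed scope scenarios above, expressed as information barrier segments and policies, as an added example that is not part of the deck. It uses the information barrier cmdlets of the Security & Compliance Center PowerShell; the department attribute values and segment names are constructed placeholders.

```powershell
# Added example (not from the deck): information barrier policies for the two
# scenarios on the slide, using Security & Compliance Center PowerShell.
# Assumes an existing session (Connect-IPPSSession) with the IB admin role.
# Department values and segment names are constructed placeholders.

# 1. Define the segments. A user should belong to only one segment, so the
#    filters must not overlap.
New-OrganizationSegment -Name "GroupA" -UserGroupFilter "Department -eq 'GroupA'"
New-OrganizationSegment -Name "GroupB" -UserGroupFilter "Department -eq 'GroupB'"
New-OrganizationSegment -Name "GroupC" -UserGroupFilter "Department -eq 'GroupC'"

# 2. Scenario "Group A cannot communicate with Group B".
#    A block is declared from the assigned segment's side, so both directions
#    need their own policy. Policies are created Inactive for review first.
New-InformationBarrierPolicy -Name "GroupA-blocks-GroupB" -AssignedSegment "GroupA" -SegmentsBlocked "GroupB" -State Inactive
New-InformationBarrierPolicy -Name "GroupB-blocks-GroupA" -AssignedSegment "GroupB" -SegmentsBlocked "GroupA" -State Inactive

# 3. Scenario "Group C cannot communicate outside of its group":
#    an allow-list policy that names only the segment itself.
New-InformationBarrierPolicy -Name "GroupC-only-GroupC" -AssignedSegment "GroupC" -SegmentsAllowed "GroupC" -State Inactive

# 4. Review the definitions before enforcing anything.
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State

# 5. Activate and apply. Application is what evaluates the retroactive
#    scenarios on the slide (existing chat threads, team membership).
Get-InformationBarrierPolicy | Where-Object State -eq "Inactive" |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_.Name -State Active }
Start-InformationBarrierPoliciesApplication

# 6. Application runs in the background; re-run until it reports completion.
Get-InformationBarrierPoliciesApplicationStatus
```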
  24. Planning for Microsoft Teams Governance:
     • RBAC (Role Based Access Control)
     • Teams settings
     • Messaging policies
     • Meeting settings
     • Live event policies
     • External access
     • Guest access
     • Ability to create teams
     • Naming of teams
     • Classification of teams
     • Retention policies
     • Expiration policies
  25. Governance controls by feature set (Controls; Where to find them; New roles)
     • Meeting: TeamsMeetingPolicy, TeamsMeetingConfiguration, TeamsGuestMeetingConfiguration, TeamsMeetingBroadcastPolicy, TeamsMeetingBroadcastConfiguration. Where: MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module. Roles: TSA/TCA
     • Messaging: TeamsMessagingPolicy, TeamsGuestMessagingConfiguration, ExternalAccess (federation configuration). Where: MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module. Roles: TSA
     • Calling: TeamsCallingPolicy, TeamsGuestCallingConfiguration. Where: MS Teams & Skype for Business Admin Center / Skype for Business PowerShell Module. Roles: TSA/TCA (TCA: no guest config)
     • Teams core configuration: TeamsClientConfiguration, TeamsUpgradePolicy. Where: Skype for Business PowerShell Module. Roles: TSA
     • Team Collab: GuestAccess, ExternalSharing, Naming Policy, Expiry Policy, Classification, Who can create groups. Where: Azure Active Directory Admin Center / Azure Active Directory Preview PowerShell Module. Roles: n/a
     • Security & Compliance: Conditional Access Policies, Safe Attachments, eDiscovery, Content Search, Retention Policy. Where: AAD Admin Center, O365 Security & Compliance Center. Roles: n/a
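As an added example that is not from the deck, the TeamsClientConfiguration and TeamsMessagingPolicy controls from the table above, driven from the Skype for Business Online PowerShell module, are used to review and then restrict the paths the compliance-boundary slide shows leaving the boundary (third-party cloud storage, email into a channel, Giphy, URL preview). The policy name and user principal name are constructed placeholders.

```powershell
# Added example (not from the deck): review and tighten the out-of-boundary
# paths from the compliance-boundary slide with the Skype for Business Online
# PowerShell module. Assumes an existing session (New-CsOnlineSession).
# Policy name and user principal name are constructed placeholders.

# 1. Tenant-wide client configuration: third-party storage providers and
#    "email a channel" are the paths that move channel data across the boundary.
Get-CsTeamsClientConfiguration -Identity Global |
    Format-List AllowBox, AllowDropBox, AllowGoogleDrive, AllowShareFile, AllowEmailIntoChannel, AllowGuestUser

# Disable the third-party storage tabs and inbound email into channels.
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowBox $false -AllowDropBox $false -AllowGoogleDrive $false -AllowShareFile $false `
    -AllowEmailIntoChannel $false

# 2. Messaging policy: Giphy queries and URL previews also leave the boundary.
#    A separate policy (rather than editing Global) can be scoped to users who
#    handle regulated content. Owner delete stays on for the moderator scenario.
New-CsTeamsMessagingPolicy -Identity "RestrictedMessaging" `
    -AllowGiphy $false `
    -AllowUrlPreviews $false `
    -AllowUserDeleteMessage $false `
    -AllowOwnerDeleteMessage $true

# Assign it to a user (constructed UPN).
Grant-CsTeamsMessagingPolicy -Identity "alice@contoso.example" -PolicyName "RestrictedMessaging"

# 3. Guest messaging is a separate configuration object; align it as well.
Set-CsTeamsGuestMessagingConfiguration -Identity Global -AllowGiphy $false

# 4. Verification: list users whose effective messaging policy still allows Giphy.
#    Custom policy identities carry a "Tag:" prefix; an empty assignment means Global.
$giphyPolicies = Get-CsTeamsMessagingPolicy | Where-Object AllowGiphy |
    ForEach-Object { $_.Identity -replace '^Tag:', '' }
Get-CsOnlineUser | ForEach-Object {
    $effective = "$($_.TeamsMessagingPolicy)" -replace '^Tag:', ''
    if (-not $effective) { $effective = 'Global' }
    if ($giphyPolicies -contains $effective) { $_.UserPrincipalName }
}
```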
  26. Admin tools by feature set (Tools; Where to find them)
     • Meeting/Calling: call analytics; conference bridge / telephone number management / voice routing configurations*; Call Quality Dashboard (linked); manage users (audio conferencing, policy assignment). Where: Microsoft Teams & Skype for Business Admin Center / Skype for Business PowerShell Module
     • Team Collab: manage teams (preview). Where: Microsoft Teams & Skype for Business Admin Center and Microsoft Teams PowerShell Module
     • Security & Compliance: content search; audit log. Where: Office 365 Security and Compliance Center
  27. Learning resources
     • Microsoft Ignite sessions: BRK2159: What's new in Microsoft Teams; BRK3118: Microsoft Teams Architecture Update; BRK3135: Learn more about security and compliance for Teams; BRK3140: Microsoft Teams in the Government Cloud; BRK3170: Driving Teams Adoption: Enabling the modern workplace with O365 & Microsoft Teams; BRK4012: How to manage Microsoft Teams effectively
     • Learning / Training: Admin training for Microsoft Teams; Coffee in the Cloud series (Foundations - Core Components of Microsoft Teams; Governance, management and lifecycle in Microsoft Teams); Microsoft Service Adoption Specialist Course and Certification
     • Official documentation: Microsoft Tech Community; Microsoft Teams technical documentation; Plan for governance in Teams; Governance quick start for Microsoft Teams; Overview of security and compliance in Microsoft Teams
     • Roadmap: Microsoft 365 Roadmap; Skype for Business to Microsoft Teams Capabilities Roadmap
  28. Q&A