Team Collaboration: Weighing Security Concerns

How does security, privacy, and compliance factor into team collaboration decisions and use?

Michelle Burbick

July 3, 2018


Team collaboration has been the hot topic in enterprise communications for at least the last couple of years, and we know from our 2018 Team Collaboration Survey that these tools are quickly making their way into the enterprise. In fact, 90% of 160 enterprise IT respondents indicated that employees within their organizations currently use one or more such tool.

As adoption of these apps continues to grow, whether through IT procurement or virally, it brings security into the spotlight. Our survey results bear that out, with 84% of respondents ranking the ability to meet corporate security, privacy, and compliance mandates as the top factor for evaluating team collaboration apps, as shown below.

[Chart: 2018 Team Collaboration Survey results on the top factors for evaluating team collaboration apps]

While there's "definitely a money factor," security is critically important at Grand Canyon University, agreed Chris Smith, director of IT at the school. GCU, a Christian university with roughly 19,000 students on its Arizona campus and 75,000 online students, runs a hybrid UC environment comprising Cisco, Microsoft, and Zoom on-premises and cloud tools, and is currently evaluating Cisco Webex Teams and Microsoft Teams for team collaboration.

"Cisco comes to the table with security in mind -- and that's great," Smith said. "Too often security is an elective, so it's a nice consideration that helps the cloud transition go smoother." At the same time, Microsoft is showing with Teams that it's finally gotten the message that security can't be an afterthought, he added.

Digging into Security Features
Good thing, because as Irwin Lazar, vice president and service director at Nemertes Research, shared last month on No Jitter, his firm has found security concerns to be the biggest inhibitor to team collaboration adoption. With team collaboration, "enterprise-grade security" should include, at a minimum, encryption at rest and encryption in motion, Lazar told me in an interview.

In addition, Lazar said, enterprise-grade security features might include single sign-on, which lets IT control access to the app for authentication and track log-ins; support for industry security certifications like FedRAMP, HIPAA, ISO 27001, and SOX, as well as for privacy regulations like GDPR; and the ability to integrate with a mobile client for mobile device management (MDM).

Whether dealing with more traditional forms of enterprise communications or team collaboration, "organizations don't have a good appreciation of what data they're collecting, where it's sitting, or what they're doing with it -- and that's where problems come up," said Andreas T. Kaltsounis, partner at BakerHostetler, in a recent interview. Earlier this year, BakerHostetler released its 2018 Data Security Incident Response Report, based on the analysis of more than 560 data security incidents that the firm worked on in 2017. Examining this many incidents gives the firm considerable insight into the kinds of situations that are causing companies to experience data breaches, Kaltsounis said.

"People aren't thinking about how sensitive the data is that's flowing through their email system until they get hacked," Kaltsounis said. "Those same issues apply to the collaboration software. We've seen situations with developers sending back information on projects, passwords, and keys they are using for different things, and then they have to go back and think about what was in there. There are downstream effects."

One particularly valuable piece of insight the report unveiled is around the issue of third parties that are supplying services, he said. In one example, an email provider was accessed by an attacker, who intercepted an invoice in the email system and attempted to reroute it. Because the email system was also integrated with the IM/presence application, the attacker also gained access to chat and was able to circumvent attempts to authenticate his or her identity.

"If you are only controlling access with user name and password, they can get ahold of those credentials," Kaltsounis said. "It's critical that organizations think about how they're securing remote access to [collaboration] tools" as well as what's being integrated with what, he added.

Who's Getting It Right?
Fortunately, team collaboration vendors seem to be on the mark with security, Lazar said.

As particularly good examples, he pointed to Cisco and Symphony for their end-to-end encryption models and because they let enterprises hold their own keys. These features are especially important for highly regulated organizations, he added.

UC analyst Zeus Kerravala, of ZK Research, agrees that Cisco's end-to-end encryption model, called Breach Lock, is a differentiator, as he explained in a recent No Jitter post. He wrote:

Almost every team collaboration vendor says it has end-to-end security, encrypting traffic in transit and at rest. But is that really end to end? The answer is, 'Not really.' The data coming in from the network may be encrypted, but then often needs to be unencrypted when it passes through servers, load balancers, and other infrastructure, and then is finally re-encrypted when it's at rest. Cisco's approach is to keep the encryption persistent across the entire path; this is why, should a breach occur, the data looks like garbage.

Cisco is able to take this approach because it allows its enterprise customers to hold their own encryption keys on premises. So a breach of the Cisco cloud would leave customer data unreadable.


For those who may be unfamiliar, Symphony came to market in 2015 with a team collaboration solution aimed specifically at the financial industry. As such, security, privacy, and compliance have been top of mind since the get-go. "Our dedicated security team and independent third parties evaluate and test the security of our service," Symphony says on its website. "We conduct thorough vulnerability scanning and harden our systems with penetration testing."

Symphony not only lets customers hold their own keys as part of its end-to-end encryption model, but also boasts security policies informed by federal and international standards -- i.e., from NIST and ISO -- and holds certifications such as SOC 3 Type II and SOC 2 Type II. In addition, it offers an administration and compliance portal for deploying and managing security capabilities like single sign-on, MDM, and two-factor authentication, as well as exporting content for archiving and e-discovery purposes.

Additionally, Symphony claims to have solved the search problem inherent in end-to-end encryption schemes by developing its own "unique" encrypted search solution, which keeps data encrypted while executing search queries.

The end-to-end encryption models developed by Cisco and Symphony represent a use case Richard Stiennon, chief research analyst for independent research firm IT-Harvest, spelled out in a 2016 whitepaper. While the world "woke up" to the necessity of encryption in 2013, with the discovery that many government intelligence agencies were intercepting nearly all network traffic, none of the initial encryption at rest/encryption in transit solutions came "close to guaranteeing end-to-end security, a system where the provider has no ability to see data in transit or at rest -- a customer-controlled security model," he wrote. "And perhaps the greatest shortcoming," he continued, have been "those services that do indeed encrypt everything but do so with little or no concern about who controls the encryption keys."

This is an issue with which Microsoft, with Teams, is still grappling. While it encrypts Teams data at rest and in transit, it doesn't provide full end-to-end encryption in the manner of Cisco and Symphony. The ability for customers to hold their own security keys is on the roadmap, however, and in the meantime, per Microsoft policy, no employee can access customer data, even when trying to resolve an issue, without a formal request, Mark Longton, principal group program manager at Microsoft, told me in an email exchange.

Outside of encryption, Microsoft boasts a long list of security features for Teams. The company lays claim to being a compliance leader with EUMC, HIPAA, ISO 27001, ISO 27018, SSAE16 SOC1 Type I and II, SOC2 Type I and II, FERPA, and GLBA global standards, Longton told me. In addition, it offers central management and automatic provisioning through Office 365, with single sign-on and multi-factor authentication.

Further, Teams integrates with Microsoft Intune for mobile device and app management, which has features for compliance and litigation support, Longton said. Customers can do things like set archive policies for content; use compliance content search, e-discovery, and legal hold for channels, chats, and files in Teams; audit and report on all relevant Teams activities; and access the complete set of information protection features within their existing Office 365 environments, he added.

If GCU is any example, enterprise organizations appreciate the attention Cisco, Microsoft, and others are paying to security for their team collaboration apps. As Smith said, "Otherwise, we have a harder time being able to adopt those kind of tools."

What Enterprises Want
In fact, one of the things that has Smith pushing to go with Webex Teams is the company's attention to security. "I've been in the industry for over 25 years," he said, "so I'm very abreast of tech pertaining to on-prem solutions. But how do you go from spending millions on infrastructure to moving into a cloud-based infrastructure? The question is how do you get to the cloud and how do you deal with security [once there]? What happens to the level of control? How does it look?"

But in pitting Cisco against Microsoft in the team collaboration battle, it may not be security that's the ultimate decision factor at this point.

About the Author

Michelle Burbick

Michelle Burbick is the Special Content Editor and a blogger for No Jitter, Informa Tech's online community for news and analysis of the enterprise convergence/unified communications industry, and the editorial arm of the Enterprise Connect event, for which she serves as the Program Coordinator. In this dual role, Michelle is responsible for curating content and managing the No Jitter website, and managing its variety of sponsored programs from whitepapers to research reports. On the Enterprise Connect side, she plans the conference program content and runs special content programs for the event.

Michelle also moderates Enterprise Connect sessions and virtual webinars which cover a broad range of technology topics. In her tenure on the No Jitter and Enterprise Connect teams, she has managed the webinar program, coordinated and ran the Best of Enterprise Connect awards program, and taken on special projects related to advancing women in the technology industry and promoting diversity and inclusion. 

Prior to coming to No Jitter, Michelle worked as a writer and editor, producing content for technology companies for several years. In an agency environment, she worked with companies in the unified communications, data storage and IT security industries, and has developed content for some of the most prominent companies in the technology sector.

Michelle has also worked in the events and tradeshows industry, primarily as a journalist for the Trade Show Exhibitors Association. She earned her Bachelor's degree from the University of Illinois at Chicago. She is an animal lover and likes to spend her free time bird watching, hiking, and cycling.