Since the COVID-19 pandemic drove millions of employees out of corporate offices and into a new era of remote work, team collaboration SaaS adoption has skyrocketed -- as have cloud collaboration security concerns. External attacks on enterprise cloud accounts increased by 630% between January and April 2020, with threat actors largely targeting collaboration services, according to security provider McAfee. And, with experts anticipating remote work will continue well past the pandemic, experts warn lax policies and risky behavior on collaboration platforms put companies at significant ongoing risk.
"You wouldn't allow unknown people to walk into an office, straight past security and around the building unescorted looking at papers sitting on people's desks," Nigel Hawthorn, marketing director at McAfee, wrote on the provider's blog. Yet, McAfee researchers found that the typical enterprise using Microsoft Teams adds a new guest user -- such as a third-party partner, customer or client -- every few minutes. This adds up to a startling number of external visitors inside an organization's private digital space. As a major vendor, Microsoft invests heavily in the security of its products, Hawthorn added, but enterprises are still responsible for ensuring they use collaboration software responsibly.
Organizations with proactive cloud collaboration security plans are also more likely to see measurable benefits -- such as cost savings, increased revenue and higher productivity -- from their collaboration platforms, Metrigy researchers found. According to experts, keeping data secure in these environments requires CISOs and other security leaders to adopt a multipronged approach that addresses technology, processes and people. Strategies should include the following.
1. Vet team collaboration vendors
Any cloud collaboration suite inherently carries third-party risk, according to Dana Simberkoff, chief risk, privacy and information security officer at data management and security provider AvePoint, based in Jersey City, N.J. "With any kind of cloud technology, you're basically taking your stuff and putting it on someone else's computer, which means you have less control," she said.
The nature of cloud services requires that enterprises rely on their providers to have good foundational cybersecurity, agreed Patrick Hevesi, analyst at Gartner. CISOs should, therefore, ask questions, such as the following:
- How does a provider monitor and control who enters its server facilities?
- Does the provider have security cameras?
- Is the provider's network layer secure?
Organizations that, by necessity, rushed to deploy team collaboration software as part of their pandemic response plans should retroactively complete thorough supply chain risk assessments as soon as possible, Simberkoff advised her fellow CISOs. "Know your data, your employees and your vendors. Those are the three pillars of survival in the world we find ourselves in," she said.
Reiko Feaver, a partner specializing in privacy, data and cybersecurity law at cloud-based, geographically distributed legal firm Culhane Meadows, encourages clients to carefully review providers' security certifications and, if possible, to independently audit their internal operations. "If they're having IT consultants access their systems remotely, for example, make sure they're monitoring that access and cutting it off when it's no longer necessary," she said. Culhane Meadows itself has been remote since 2013.
The deep and wide security and engineering expertise of top vendors, such as Cisco and Microsoft, should engender relatively high levels of confidence among users, according to Gartner's Hevesi. Even smaller SaaS offerings running on major cloud platforms, including AWS, Microsoft Azure and others, benefit from economies of scale and the considerable security resources of those vendors.
Alternatively, Hevesi would look twice at a startup SaaS provider working out of its own small data center. "Say they don't patch their servers or run on a legacy version of TLS. Maybe they're susceptible to [the] Heartbleed [bug], or they have no certifications or standards in their infrastructure. That would worry me," he said.
Even so, enterprise CISOs don't have to ban all small, up-and-coming cloud collaboration tools, and they don't have to reinvent the wheel vetting them. According to Hevesi, virtually all cloud access security brokers (CASBs) actively assess an abundance of third-party SaaS applications and compile the results for easy reference. A CASB customer can also often submit a ticket requesting that the broker vet an app not yet in its database.
Even after initial vetting and adoption, organizations should periodically reassess their providers' security, experts urged. "You can't just throw your hands up in the air and assume they are doing the right thing," Feaver said. "You have to have your own systems and checks in place."
2. Weigh guest access settings
Even the best team collaboration suite is only as safe as its security settings, experts advised. When deploying a new SaaS platform, IT leaders need to proactively configure user access and permissions to align with organizational risk appetite.
Research from Metrigy suggested that opening collaboration platforms to external users helps drive ROI. But prematurely flinging open the doors of a newly deployed collaboration app could invite catastrophic data leaks. With that in mind, Hevesi recommended that CISOs initially limit or even block users' ability to invite outside parties.
"First, set [the collaboration platform] up, lock it down and make sure your security team knows how to manage it," he said. As the cybersecurity team successfully adds layers of controls, such as multifactor authentication (MFA) and data loss prevention (DLP) policies, they can then slowly expand user permissions and extend third-party access.
Culhane Meadows has adopted a similarly measured approach to cloud collaboration security, according to Feaver. The firm relies heavily on Microsoft Teams for internal communications and plans to add external clients to the platform in the near future -- but only after the security team finishes implementing a variety of identity-driven controls. "There will be security around who you can invite, what you share, who has access to what [resources] and for how long," Feaver said.
Patrick HevesiAnalyst, Gartner
Metrigy analyst Irwin Lazar suggested enterprises looking to enable intercompany collaboration consider federation, which bridges two organizations' collaboration spaces but keeps their systems and data separate. Both direct application-to-application federation and third-party federation, which involves separate software that brokers a connection between two collaboration platforms, tend to be more secure than the more common guest access option, he added. The latter gives CISOs relatively little control over users and data.
In some cases, for example, guest users could continue to access an organization's collaboration platform even after they leave their companies, Lazar suggested in a recent webinar. "And, if my employees are guests in somebody else's system, I don't really know what they're doing [with our data]," he said.
It's also important to note that default settings sometimes change on the vendor side, experts warned. In February 2021, for example, Microsoft Teams started automatically supporting third-party guest access, unless administrators manually disable the feature.
"Why would Microsoft do this?" tweeted Jeremy Laurenson, security engineer at Microsoft competitor Cisco, calling the move "a catastrophe for data ownership and security." The change illustrates the need for regular settings reviews.
3. Layer cloud collaboration security controls
A robust cloud collaboration security plan requires layers of controls, starting with MFA, according to Hevesi. "Now that users aren't behind your firewall, you need to verify that they are who they say they are," he said.
DLP and data classification should also be high priority. "With a decentralized workforce, it gets harder to keep track of data," AvePoint's Simberkoff said, adding that CISOs should always know where data lives, who can access it, if they've shared it and when it's been deleted.
Data classification technology lets security managers tag resources as sensitive, enabling the data to advocate for its own security if someone tries to download or share it inappropriately on a collaboration platform, said Lakshmi Hanspal, global CSO at collaboration SaaS provider Box. "Data can then say, 'No, I'm highly confidential, and I cannot transgress these boundaries.' It's self-aware," she said.
Security leaders can also establish conditional access and privileges based on user identity, device trust, geolocations and more. "Maybe on a managed device, I can fully access an earnings report, but from an unmanaged device, I have only 'view' privileges, without download or print capabilities," Hanspal said. Or trusted users accessing data from atypical geolocations might have to take additional steps to prove their identities.
According to Hevesi, the ultimate must in team collaboration security is a CASB, which acts as a gatekeeper between enterprise endpoints and cloud services and combines features like DLP, MFA and threat detection. "You wouldn't deploy a data center without a firewall, and you shouldn't deploy SaaS applications, especially collaboration applications, without a CASB," he said.
CASBs can also help organizations identify and track shadow IT, from standalone, unsanctioned collaboration applications to seemingly innocuous but potentially risky integrations within sanctioned platforms. At the General Services Administration in 2016, for example, a Google Drive-Slack integration exposed more than 100 governmental Google Drive accounts to both internal and guest Slack users at the independent U.S. government agency over a five-month period. "It's important for security practitioners to do periodic hygiene checks so they can decommission and block certain apps if necessary," Hanspal added.
4. Train employees on cloud collaboration security risks
Ultimately, data leaks are more likely to stem from inadvertent user error than from sophisticated, targeted attacks, said Jacob Ansari, CISO at Schellman & Company, an independent security and privacy compliance assessor based in Tampa, Fla. "It's important to train users about the correct use of these meeting [tools] to avoid potential problems, such as inadvertently sharing a screen with confidential information, not using a meeting password or allowing too many untrusted parties to attend meetings," he said.
At AvePoint, Simberkoff educates employees on security and privacy risks that extend beyond the virtual boundaries of collaboration platforms themselves, such as sharing physical workspaces or digital devices with family members. "Confidential conversations need to occur in writing rather than on video or at a time when you know nobody else is around," she said. And anyone sharing a device -- parents who let kids access their laptops to do schoolwork, for example -- should deploy separate user profiles with unique login credentials.
Simberkoff also stressed the importance of understanding the demands of employees' roles and the realities of their diverse working conditions and of making it "easier for them to do the right thing than the wrong thing." CISOs should train workers on the risks of unsanctioned app use, while also fostering open communication between security and the business. For example, shadow IT can ultimately serve as a red flag that important functionality is missing from an enterprise's approved collaboration suite.
"It's really important for security officers to see themselves as enabling business rather than stopping people from doing things," Simberkoff said. Security should act like highway guardrails, she added, letting collaboration platform users work as efficiently as possible, while still staying relatively secure.