7 Ways a Collaboration System Could Wreck Your IT Security
The same traits that make collaboration systems so useful for team communications can help hackers, too.
October 18, 2018
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt4cb49a5a2331b415/64f0d67c6d7cd0402f466433/Image_1.jpg?width=700&auto=webp&quality=80&disable=upscale)
It can seem as if no corporate meeting is complete until someone says the word "collaboration." And for good reason: Use of collaboration tools is spreading to keep up with the phrase's ubiquity, with the global collaboration tool market projected to reach nearly $10 billion by 2021.
But before an IT group blithely answers the call for a collaboration system – by which we mean groupware applications such as Slack, Microsoft Teams, and Webex Teams – it's important to consider the security risks these systems may bring.
That's because the same traits that make these, and similar, applications so useful for team communications also make them vulnerable to a number of different security issues. From their flexibility for working with third-party applications, to the ease with which team members can sign in and share data, low transactional friction can easily translate to low barriers for hackers to clear.
When selecting and deploying collaboration tools, an IT staff should be on the lookout for a number of first-line issues and be prepared to deal with them in system architecture, add-ons, or deployment. The key is to make sure that the benefits of collaboration outweigh the risks that can enter the enterprise alongside the software.
(Image: rawpixel)
At this point in the history of IT security, some think that mentioning the importance of encryption is unnecessary, but each month seems to bring new reminders that some IT departments have yet to get the message. The contents of that message, in clear text, read, "Encrypt everything you care about."
It's not difficult, and it's no longer terribly expensive, to make sure that employees use VPNs when they connect to the collaboration system. A zero-trust architecture requires encryption within the collaboration application, rather than simply around the application. And the storage systems that hold data from the collaboration system should be encrypted if that data is at all sensitive to the organization.
Performing a risk assessment will show a team which data must be encrypted and which can remain in the clear. But once the assessment is complete, the security team should be willing to follow its mandates and insist on encryption for every bit of high-risk, high-value data in the collaboration system.
In many cases, the team setting up a collaboration system will make the decision to have users inherit their privilege level from the AD, LDAP, or other directory system in use by the organization. That works well in many situations, but the nature of projects and collaboration means there can be privilege mismatch. Worse, a privilege escalation attack on one side of the application/OS equation can mean an increased vulnerability on the other side, as well.
IT security groups need to pay particular attention to users who might be able to reach a privilege level that allows them access to documents and processes in the collaboration system to which they're not truly entitled. This could result in regulatory violations as well as breaches in sensitive information stores due to unauthorized access.
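One way to look for the privilege mismatch described above, as an added example that is not from the original article: it expands nested directory groups into effective workspace access and compares the result with what project owners approved. All group, user, and workspace names are constructed, and the data structures stand in for a directory export and a collaboration-system access list.

```python
from collections import deque

# Constructed sample data (hypothetical names), standing in for a directory export.
# group -> direct members; a member may be a user or another group (nesting).
DIRECTORY_GROUPS = {
    "eng-all": {"alice", "bob", "contractors"},
    "contractors": {"carol", "eng-all"},   # nesting loop, which must not hang the audit
    "finance": {"dave"},
    "m-and-a-project": {"dave", "finance-leads"},
    "finance-leads": {"erin"},
}
# Collaboration workspace -> directory groups whose members inherit access.
WORKSPACE_GROUPS = {
    "deal-room": {"m-and-a-project", "eng-all"},   # broad group added for convenience
    "payroll": {"finance"},
}
# Access that project owners actually approved (assumed to come from the risk assessment).
ENTITLED = {
    "deal-room": {"dave", "erin"},
    "payroll": {"dave"},
}

def expand_group(group, groups):
    """Return every user reachable from `group`, visiting each nested group once."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        for member in groups.get(queue.popleft(), ()):
            if member in groups:            # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users

def find_privilege_mismatches(groups, workspace_groups, entitled):
    """List (workspace, user, granting_group) where inherited access exceeds entitlement."""
    findings = []
    for workspace, granting in sorted(workspace_groups.items()):
        allowed = entitled.get(workspace, set())
        for group in sorted(granting):
            for user in sorted(expand_group(group, groups) - allowed):
                findings.append((workspace, user, group))
    return findings

if __name__ == "__main__":
    for workspace, user, group in find_privilege_mismatches(
            DIRECTORY_GROUPS, WORKSPACE_GROUPS, ENTITLED):
        print(f"{workspace}: {user} inherits access via {group} but is not entitled")
```

Each finding names the directory group that grants the access, so the remedy can be applied at the workspace mapping rather than by editing individual accounts.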
One of the more powerful aspects of modern collaboration systems is their integration with third-party applications for increased functionality and ease of use. Those integrations range from intelligent voice assistants (more on them later) to process automation tools and task-list builders.
But with every third-party integration comes access to the vulnerabilities that may exist within those third-party tools. It's one thing to consider the enterprise applications that may interface with the system, but many of the more popular collaboration systems also feature (or, at least, allow) consumer-grade products and services to connect to their APIs.
Those consumer-level products and services can range from to-do list managers to file storage clouds, and from voice assistants to multiservice task managers like IFTTT. In many cases, they don't require IT department intervention to take effect and may or may not be amenable to enterprise governance mechanisms. The issue for the IT department may well be creating rules for expansion that cover ad-hoc employee experiments and conditions for their safe deployment.
While many of the popular collaboration systems have dedicated applications, almost all also allow access through a Web browser. Where there are Web browsers there are Web applications, and where there are Web applications there are vulnerabilities.
The simplest way to deal with these vulnerabilities is through a Web application firewall (WAF), which offers a layer of explicit protection for browser-facing applications. Regular Web application protections, including strict port lockdown and constant monitoring, are also critical.
Perhaps the most effective way to deal with browser threats, though, is to create rules stipulating that all team members gain access to the collaboration system through the dedicated application. Threats are unavoidable, but dangers can sometimes be reduced by simply limiting the paths users (and hackers) can take to get into your critical information.