7 Ways to Secure Collaboration Tools in Your Organization
The push to embrace Slack, Teams, and Zoom at work comes with new security risks for organizations.
![Mobile phone interface with collaboration apps.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltb06518d6bedf856b/64f0a6243d73a35f6c614dc7/Slide_1_CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: Tada Images via Adobe Stock
The pandemic accelerated the adoption of digital technologies on all fronts, especially the use of online collaboration platforms such as Slack, Microsoft Teams, and Zoom.
Slack, for example, started out with programmers in a small department sharing ideas. It is now the primary corporate messaging platform at many companies.
The problem? Some of these tools weren’t designed for the enterprise. While they have become more central to how businesses operate, security teams may not fully realize the attack surface they present, says Oliver Tavakoli, chief technology officer at Vectra.
"These tools are also relatively immature as far as the accompanying security protections provided by third parties," he explains. "This trend will continue until suppliers of such collaboration tools put more effort into providing more policy controls to lock down the environment and add more telemetry to monitor it."
So how do security teams manage these new tools? Here are seven tips.
Research from DoControl found that the average 1,000-person company using software-as-a-service (SaaS) applications exposes its data to between 1,000 and 15,000 external collaborators. On average, between 200 and 3,000 companies also have access to any one company’s data, while some 20% of a typical organization’s SaaS files are shared internally to anyone who can click a link. Collaboration tools like Slack accelerate this issue because sharing direct links from Google Docs and other embedded apps makes it easy to access files.
What makes matters worse, says Brian Mannion, chief legal officer at Aware, is when the IT department doesn't know people in the company are using a tool, meaning it's a lot harder to control the environment.
"What companies want to do is give employees the tools that they need, make them user-friendly, make them accessible, but still have the controls necessary so they can manage the application and do all the things most enterprises have gotten really good at — like making sure that they have been patched and that they have access controls," he says.
Companies need a mechanism where they can manage documents and files continuously, adds Adam Gavish, co-founder and CEO at DoControl.
"So for example, if somebody shared a document in Slack externally, we'll ask them if they really need the document," he explains. "If the employee doesn't respond in two or three days, we will delete it. If they say they still need the document, we'll give them another 30 days and then we’ll delete it."
Whether it's a part of the Great Resignation or for other reasons, when people leave a company, they often retain access to shared documents and collaboration tools like Slack — with all of the data that's been shared.
Seth Art, senior security consultant at Bishop Fox, says companies should tie Slack access to the company's identity, typically an email address. "If the account is tied to a company email, then once the email is decommissioned the employee loses all access to their applications," he says.
Security teams need to stop access when the employee leaves, adds Aware's Mannion.
"So if I've got authority tied to a particular link, the most conservative practice is to automatically kill all the links. Or as a fallback policy, make all external links to your data repository system valid for 30 days. Then once the person leaves, the company has a 30-day window of risk," he says. "But at least it's only 30 days as opposed to forever, so you have to balance those out-of-the box controls that come with these tools and then implement them or mature them for your particular environment and your particular use case."
According to Nasser Fattah, North America steering committee chair at Shared Assessments, departing employees have always presented a security challenge because of inadvertent continued access. The issue is exacerbated further by unplanned departures, which require access to be removed very quickly.
"In addition to the ability to quickly inventory who has access to what, it's also important to be sure monitoring is in place so the company can flag departed employees who are attempting to access IT resources," Fattah says.
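The offboarding controls described above (tie every share to a company identity, kill external links when that identity is decommissioned, fall back to a 30-day validity window, and flag departed users who still try to reach resources) can be modelled in a few lines. The following is an added example written for this article, not code from any of the vendors quoted; the share records, the access-log lines and the `example.com` identities are constructed sample data, and the `Directory` and `Share` types are hypothetical stand-ins for a SaaS admin API.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Fallback policy from the article: an external link is good for 30 days at most.
LINK_TTL_DAYS = 30

# Fixed "today" so the example is reproducible (constructed, not a real date).
TODAY = date(2024, 3, 5)


@dataclass
class Share:
    doc_id: str
    owner: str        # company email address the share is tied to
    created: date
    external: bool    # shared outside the company?
    revoked: bool = False

    def expires(self) -> date:
        return self.created + timedelta(days=LINK_TTL_DAYS)


@dataclass
class Directory:
    active: set       # company identities that still exist
    shares: list

    def offboard(self, email: str) -> int:
        """Decommission an identity and kill every external link it owns.
        Returns how many links were revoked."""
        self.active.discard(email)
        revoked = 0
        for s in self.shares:
            if s.owner == email and s.external and not s.revoked:
                s.revoked = True
                revoked += 1
        return revoked

    def link_is_valid(self, share: Share, today: date) -> bool:
        """A link works only while its owner exists, it is not revoked,
        and (for external links) it is inside the 30-day window."""
        if share.owner not in self.active or share.revoked:
            return False
        return (not share.external) or today <= share.expires()

    def stale_external_shares(self, today: date) -> list:
        """External links that outlived the window and should be cleaned up."""
        return [s for s in self.shares
                if s.external and not s.revoked and today > s.expires()]


def flag_departed_access(log_lines, active: set) -> list:
    """Parse 'timestamp user action resource' lines and return every
    attempt made by a user who no longer has a company identity."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        ts, user, action, resource = parts
        if user not in active:
            flagged.append((ts, user, action, resource))
    return flagged


def build_sample_directory() -> Directory:
    # Constructed sample shares; doc ids and owners are made up.
    shares = [
        Share("doc-101", "alice@example.com", date(2024, 1, 2), external=True),
        Share("doc-102", "alice@example.com", date(2024, 3, 1), external=False),
        Share("doc-103", "bob@example.com", date(2024, 2, 20), external=True),
        Share("doc-104", "bob@example.com", date(2024, 1, 5), external=True),
    ]
    return Directory(active={"alice@example.com", "bob@example.com"}, shares=shares)


# Constructed access-log lines in the 'timestamp user action resource' shape.
SAMPLE_LOG = [
    "2024-03-05T09:01:00Z alice@example.com open doc-102",
    "2024-03-05T09:02:00Z bob@example.com download doc-103",
    "2024-03-05T09:03:00Z carol@example.com open doc-104",
]

if __name__ == "__main__":
    d = build_sample_directory()
    print("stale external links:", [s.doc_id for s in d.stale_external_shares(TODAY)])
    print("revoked on offboarding bob:", d.offboard("bob@example.com"))
    for hit in flag_departed_access(SAMPLE_LOG, d.active):
        print("ALERT departed/unknown user:", hit)
```

Running it lists the two external links that outlived the 30-day window, revokes Bob's two external shares when he is offboarded, and flags both Bob's and the unknown Carol's access attempts, since neither maps to an active company identity.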
Collaboration tools create two basic types of risks for personally identifiable information (PII) exposure. First, employees can mishandle PII by sharing documents over the collaboration platform. Second, insiders can obtain unauthorized access. The problem security teams face is that the collaboration tools were not set up as enterprise platforms where admins could set policy controls.
For example, Aware's Mannion points out that there's no real control mechanism to stop employees from entering credit card information on a tool like Slack. So given that possibility, a security team should employ a data leakage prevention (DLP) tool that is set to look for instances of credit card numbers. Then the team has to provide a mechanism to manage it so credit card numbers can be immediately deleted.
"On the other hand, you may realize that the employees need to manage these credit cards and Slack is the best way to do it," Mannion says. "So then how do I quarantine off a section of the Slack environment so that I can again meet the employees' needs, because all they're trying to do is get the job done?"
Bishop Fox's Art says the security team should take advantage of services that can help security teams set controls. For example, GitHub offers continuous scanning on the lookout for PII or health data and will send alerts so the security team can investigate any issues.
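A DLP rule of the kind Mannion describes (look for credit card numbers in chat messages and hand them to a workflow that deletes or quarantines them) is mostly a matter of reducing false positives, which is why real scanners validate candidates with the Luhn check instead of matching any run of digits. The example below is added for this article and is not the code of any DLP product named on the page; the message records are constructed samples, the card numbers are the usual publicly known test numbers, and `scan_messages` is a hypothetical hook where a real integration would call the platform's delete or quarantine API.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (so a 20-digit ticket id is not split into a card number).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_card_numbers(text: str) -> list:
    """Return the candidate strings that pass the Luhn check."""
    return [m.group() for m in CANDIDATE.finditer(text)
            if luhn_valid(_strip(m.group()))]


def redact(text: str) -> str:
    """Replace validated card numbers with a marker that keeps only the last four digits."""
    def mask(m):
        digits = _strip(m.group())
        if luhn_valid(digits):
            return "[PAN-REDACTED-" + digits[-4:] + "]"
        return m.group()            # not a card number, leave it alone
    return CANDIDATE.sub(mask, text)


def scan_messages(messages: list) -> list:
    """Run the rule over message records and return one finding per offending message.
    In a real integration this is where the message would be deleted or quarantined."""
    findings = []
    for msg in messages:
        hits = find_card_numbers(msg["text"])
        if hits:
            findings.append({
                "channel": msg["channel"],
                "user": msg["user"],
                "count": len(hits),
                "redacted": redact(msg["text"]),
            })
    return findings


# Constructed sample messages; the card numbers are standard test numbers.
SAMPLE_MESSAGES = [
    {"channel": "#billing", "user": "dana", "text": "customer card 4242 4242 4242 4242 exp 12/26"},
    {"channel": "#ops", "user": "eli", "text": "order 1234567890123456 shipped"},
    {"channel": "#general", "user": "fay", "text": "lunch at 12:30?"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['channel']} {f['user']}: {f['count']} card number(s) -> {f['redacted']}")
```

The 16-digit order number in the second message has the right shape but fails the checksum, so only the `#billing` message is reported; the finding carries the redacted text so an analyst can review it without re-exposing the number.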
In the past, hackers needed VPN access to enter a network, or they would have to phish an employee to get in. Today, all they need is access to the API keys, Bishop Fox's Art says.
When conducting penetration tests on cloud environments, he says he finds that nobody is changing API keys. They sit in Lambda functions, in cloud compute instances, or in Kubernetes. And while an insider would have to be somewhat savvy to know about stealing API keys, it's still a risk that hackers could exploit.
So how do you secure API keys? First, make it so users can only obtain network access from a specific IP address. Second, rotate the API keys continuously so they are only good for a certain amount of time, whatever suits the organization.
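The two controls just listed, source-address restriction and time-limited keys that are rotated, are easy to get subtly wrong (for example checking expiry before checking the secret, which leaks whether a key id exists). The following is an added example for this article, not code from Bishop Fox or any cloud provider; the `KeyStore` class, its verdict strings, the CIDR ranges and the fixed timestamps are all constructed for illustration. Secrets are stored only as a SHA-256 hash, which is adequate here because each secret is 256 bits of fresh randomness rather than a user-chosen password.

```python
import hashlib
import hmac
import ipaddress
import secrets
from datetime import datetime, timedelta, timezone

# Keys live for a fixed window; "whatever suits the organization" in the article.
KEY_TTL = timedelta(hours=12)

# Fixed clock values so the example is reproducible (constructed, not real).
T0 = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)
LATER = T0 + timedelta(hours=13)     # past the TTL


def _digest(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class KeyStore:
    """Issues, rotates and checks API keys bound to an IP allowlist and a TTL."""

    def __init__(self, allowed_cidrs):
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.keys = {}   # key_id -> record; only the hash of the secret is kept

    def issue(self, owner: str, now: datetime):
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = {
            "owner": owner,
            "hash": _digest(secret),
            "expires": now + KEY_TTL,
            "revoked": False,
        }
        return key_id, secret         # the secret is shown to the caller exactly once

    def rotate(self, key_id: str, now: datetime):
        """Revoke the old key and hand out a fresh one for the same owner."""
        rec = self.keys[key_id]
        rec["revoked"] = True
        return self.issue(rec["owner"], now)

    def authorize(self, key_id: str, secret: str, source_ip: str, now: datetime) -> str:
        """Return 'ok' or the reason the request is refused."""
        rec = self.keys.get(key_id)
        # Compare against a dummy digest when the id is unknown so timing is uniform.
        expected = rec["hash"] if rec else _digest("")
        if not hmac.compare_digest(expected, _digest(secret)) or rec is None:
            return "bad key"
        if rec["revoked"]:
            return "revoked"
        if now >= rec["expires"]:
            return "expired"
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.allowed):
            return "source ip not allowed"
        return "ok"


if __name__ == "__main__":
    ks = KeyStore(["10.0.0.0/8"])             # constructed allowlist: internal range only
    kid, sec = ks.issue("ci-runner", T0)
    print(ks.authorize(kid, sec, "10.1.2.3", T0))         # ok
    print(ks.authorize(kid, sec, "203.0.113.9", T0))      # source ip not allowed
    print(ks.authorize(kid, sec, "10.1.2.3", LATER))      # expired
    kid2, sec2 = ks.rotate(kid, T0)
    print(ks.authorize(kid, sec, "10.1.2.3", T0))         # revoked
    print(ks.authorize(kid2, sec2, "10.1.2.3", T0))       # ok
```

A key that leaks from a Lambda function or a pod is therefore useless from outside the allowed range and, even from inside it, only until the next rotation; the scheduler that calls `rotate` on a fixed cadence is left out, since it is an ordinary cron job.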
The move to working from home and hybrid work has created more opportunities for data exposure. In the wake of the pandemic, sensitive company documents increasingly end up on employees' personal or remote devices without protection or the policies needed to mitigate security risks. According to DoControl, some 4% of all SaaS assets are unmanaged.
Above all, security teams must protect customer data because that's what attackers consider valuable, Aware's Mannion says. They must also determine precisely what employees are doing with the applications and to what extent they create data with the collaboration tools.
"You know, sometimes you have to risk-rank what you're going to focus on," Mannion says. "What's really important is your customer data — and as we all know, that's what the bad guys are going after, that's what the regulators care about, and that's what your customers care about, so that should be your primary focus."
Collaboration platforms can constitute a compliance risk if they are not integrated into standard audit and compliance processes. This could expose the company to substantial fines and data loss risks.
Kevin Dunne, president at Pathlock, points out that as more and more companies embrace digital transformation, they are storing more information in cloud collaboration platforms. Any US company that's publicly traded and markets and stores information about financial transactions, customers, and/or employee data is likely subject to SOX, GDPR/CCPA, and/or PCI-DSS in one way or another.
Storage of documents, particularly spreadsheets and PDFs, often presents a sizable threat to security and compliance, Dunne says. These are often aggregated data files, like customer lists in spreadsheets, or fragmented data files, such as customer mortgage applications in PDFs. Both present challenges in terms of securing sensitive information and ensuring adherence with compliance frameworks.
Focus on a few key initiatives for compliance, Dunne says:
Data discovery and classification: Find out what documents contain sensitive information, like employee, customer, or financial data.
Data access governance: Control who can access sensitive information and enforce least-privilege access across these user accounts.
Data access monitoring: Keep an eye on who is accessing sensitive data, where, and from what device to unearth any unusual behavior that should be acted on.
"Organizations should also acknowledge that collaboration tools are only one area that sensitive data can reside in the cloud and be subject to compliance mandates," Dunne says. "Cloud applications such as Salesforce, Workday, and SAP S/4 HANA also characteristically contain a wealth of concentrated, sensitive data that needs similar safeguards in place."
In many ways it boils down to the same kinds of retention policies as before, Aware's Mannion says: Know and manage the data, and get rid of it when the company no longer needs it. That said, keep the data for as long as the company has to, whether because of a regulatory requirement or because of a legal hold tied to litigation or a regulatory investigation the company is involved in, whatever the case may be.
Once you add Slack or Teams to the enterprise, and employees get messages from outside the company — or even their departments — there's a new element of risk.
According to Aware's Mannion, everyone understands that they can get an email from anybody, but that's not the same for messages from Slack and Teams. So up until now, users have been trained not to click on email links or attachments that look suspicious. However, people don't think as carefully when they get a Slack or Teams message because they tend to think it's from a co-worker or someone in the department or company.
"We really have training that we're going to have to get into all over again because with email, we've all been burned and trained, but does anybody think the same way when they get a Slack message with a link tied to it?" Mannion asks. "And that's what will change as we move to more open environments, which is good because nobody wants to live in two different worlds. I just want to do all my work right in one place because it goes back to that basic premise that people just want to do their job and they want to do it quickly and do it well."