Data Protection and Encryption in Microsoft Teams
For companies, departments, project groups, school classes, organizations, and even clubs, Microsoft Teams has become the central hub for collaboration in Microsoft 365. At this place, Microsoft bundles all functionalities and applications that you need for your digital work life. However, security and data protection has been discussed intensively over the past weeks and months.
We have taken a closer look at how Microsoft protects the business data of customers and will give you five tips on how you can achieve more security and data protection in your company without spending too much time.
Table of Contents
- Files and Metadata — This Is How (In-) Secure Your Information Is in Microsoft Teams
- 5 Simple Tips for Admins to Make Microsoft Teams More Secure
Files and Metadata — This Is How (In-) Secure Your Information Is in Microsoft Teams
Microsoft Teams stores the files you upload, but also a lot of meta-information and personal data. See the following section for details.
Personal Information in Microsoft Teams
The day-to-day use of Microsoft Teams produces a significant amount of data. These are obvious things, like your profile data with the e-mail address and — if given away — a profile picture and phone number. Also, there are video or audio files such as voice mails or recordings and information that you pass on when chatting or in private messages. But there are also files that you store for yourself privately or for collaborative work in your team.
Microsoft saves all this personal data and encrypts it, using standard technologies both when it is transferred between different devices, users, or data centers, as well as when it is kept in the data center.
The Location of Files in Microsoft Teams
Microsoft stores files that are already “at rest” in different locations in their data centers, depending on the kind of content. For example, the storage location for files you share in a private chat or chat during a meeting or call is OneDrive for Business. Team files that someone shares in a channel are stored in SharePoint. If you want to know exactly where your files are, you can find detailed information in the Microsoft documentation “Storage Location of Data in Microsoft Teams”.
Geographic Location of Your Data
Geographically, Microsoft keeps your data in the region to which your company is assigned. In Australia, Canada, France, Germany, India, Japan, South Africa, South Korea, Switzerland (including Liechtenstein), United Arab Emirates, United Kingdom, Americas, APAC, and EMEA, the save location of company data is within the country or region to which the company belongs. However, Microsoft also mentions that data residency is currently (as of 12/2021) only offered to new enterprise customers who have not previously had a Microsoft Teams’ license. This means that companies with long-standing licenses, the data will be stored somewhere in the wider region. With an inquiry to Microsoft, you can request the migration to Office 365 services in the local data center regions as soon as they exist in your country.
The Period of Storing Your Data
If there is no other adjustment, Microsoft will save business data until the company or user cancels the use of Microsoft Teams. After the end of use, they delete the data within 90 and 180 days. If administrators or users explicitly remove personal data, Microsoft will delete the copies of that data within 30 days.
How Microsoft Encrypts Your Data
Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP) are used to transfer data between users’ individual devices and Microsoft’s data centers.
When at rest, your company data is protected in the Microsoft Enterprise Clouds with Microsoft’s own encryption solution BitLocker, and a Distributed Key Manager (DKM). BitLocker encrypts data stored in SharePoint Online or OneDrive for Business with one or more Advanced Encryption Standard (AES) 256-bit keys.
The Distributed Key Manager (DKM) ensures that only authorized persons have access to the key for encoding and decoding information that has been made unintelligible by the DKM. In addition, there are so-called Customer Keys and Service Keys. The Service Key supports Microsoft users in meeting compliance obligations. The keys and customer data are stored in separate locations.
The “Availability Key” — Practical and Problematic at the Same Time
Furthermore, there is an Availability Key, which enables recovery in case of the loss of the Root Key itself or the control over these keys. If you lose your root key, you can contact the Microsoft support. The Microsoft support team can use the Availability Key to initiate the recovery. This is only possible because Microsoft always has a key — and therefore access to your data. You should always be aware of this.
Double Key Encryption
At the beginning of 2021, Microsoft introduced Double Key Encryption. Here, enterprise customers have sole control over the encryption keys. Since Microsoft itself can no longer access the keys, the company cannot release any data at government request. Of course, the double key procedure also protects against access by employees of Microsoft itself. Whether with malicious intent or through a mistake, even if files fall into the wrong hands, they are completely unusable. Therefore, there is no danger to data security.
However, there are some limitations, especially when it comes to supported file formats and platforms, as you can read in the article “Azure Information Protection (AIP) and Boxcryptor - Comparison of Security and Application”.
Keep the American Legislation in Mind
In response to the question “Which third parties have access to personal information?”, Microsoft mentions law enforcement authorities that may require Microsoft to disclose personal information. Microsoft further states that they “will notify the customer immediately and provide a copy of the claim, unless prohibited by law”.
With this last subordinate clause, Microsoft refers to the American CLOUD Act. According to this, law enforcement agencies can request the surrender of data in a relatively uncomplicated manner. The law also allows prohibiting the cloud provider from informing the respective user about such a request.
We have compiled further information on the CLOUD Act here for you. You can find detailed information from Microsoft at “Encryption in the Microsoft Cloud” and “What third parties have access to personal data?”.
Here are 5 easy-to-implement tips to help you increase the security of your personal and confidential business information within Microsoft Teams.
5 Simple Tips for Admins to Make Microsoft Teams More Secure
1. Check Settings in the Admin Center
Setting options for the security, compliance, and protection of sensitive company data of the entire organization can be found in the “Admin Center” of Microsoft Teams.
Here you can make settings to ensure that Microsoft Teams meets the unique needs of your organization. For example, you can create external access or guest access that allows external people to collaborate with your organization in Microsoft Teams. You can also restrict the chat function for certain user groups or enable settings for whether access to files from external cloud storage such as Dropbox or Google Drive is allowed.
In any case, we recommend examining the preset items thoroughly and considering how you can grant the most efficient, but at the same time data-saving collaboration possible in your organization.
2. Control External Apps in Teams
Third-party apps can be integrated into the various channels in Microsoft Teams. You can find out which apps these are in “Teams apps” => “Manage Apps” => “Apps” in the Admin Center. Company administrators can define which apps to allow or block for specific user groups or the entire organization. This allows administrators to ensure that users don’t just add any app to Teams and give those apps permission to access data about team members or channel content.
You can also manage apps in the individual teams themselves; directly in Microsoft Teams, via “Manage Team” => “Apps”.
3. Retention Policies in Microsoft Teams
In Microsoft Teams, data or files in chat or channels are kept indefinitely. Administrators can customize retention policies for Microsoft Teams chats and channel messages across the entire organization and set the period for which data should be retained and which data should be deleted.
Microsoft Teams retention policies permanently remove data from all team locations when it is deleted. Automatic deletion of certain sensitive data helps companies comply with industry policies and regulations, such as the GDPR or HIPAA.
4. Private Channels in Microsoft Teams
In Microsoft Teams, you can create different teams (e.g. departments) for the entire organization as well as subordinate channels for groups (e.g. thematic or project-related). When creating a channel, you can determine whether it is “public” or “private”.
While organizational members can join public channels at any time, private channels are reserved for members predefined by the channel creator.
By creating different channels for different departments or project groups, access to information can be managed. For example, if the HR department communicates in a private channel, employees from other departments cannot access the sometimes sensitive and personal information that may be discussed in that channel.
5. Encrypt Files in Microsoft Teams with the Boxcryptor App
Critical company data, trade secrets, or data that are subject to data protection regulations require special protection. To ensure this protection in Microsoft Teams, it is advisable to use additional end-to-end encryption. This client-side encryption of files ensures that only authorized persons can access them. Therefore, you encrypt your sensitive files before you upload them to Microsoft Teams.
Since July 2020, Boxcryptor has been providing enterprise customers with an app that allows them to use exactly this end-to-end encryption without having to interfere with existing workflows. In addition to storing encrypted files directly in Microsoft Teams, which can be shared by the members of a channel, you also have the option of sharing encrypted files directly in posts and chats. Furthermore, you can encrypt messages to protect important information from the eyes of unauthorized people.
With Boxcryptor for Microsoft Teams — in contrast to Microsoft’s own Double Key Encryption option — all common file formats can be encrypted on Windows as well as macOS, Android and iOS devices and processed simultaneously in the company.
Often, just a few small steps are enough to provide more safety and protection in everyday work. With this information and the five targeted measures, we would like to help you protect the sensitive data you work with every day in Microsoft Teams and make the use of Microsoft Teams in your company or organization more secure.