Data Protection and Encryption in Microsoft Teams
For companies, departments, project groups, school classes, organizations, and even clubs, Microsoft Teams has become the central hub for collaboration in Microsoft 365. At this place, Microsoft bundles all functionalities and applications that you need for your digital office life. However, security and data protection has been discussed intensively over the past weeks and months.
We have taken a closer look at how Microsoft protects the business data of customers and will give you five tips on how you can achieve more security and data protection in your company without spending too much time.
Files and Metadata — This Is How (In-) Secure Your Information Is in Microsoft Teams
Microsoft Teams stores the files you upload, but also a lot of meta-information and personal data. See the following section for details.
Personal Information in Microsoft Teams
The day-to-day use of Microsoft Teams produces a significant amount of data. These are obvious things, like your profile data with the e-mail address and — if given away — a profile picture and phone number. Also, there are video or audio files such as voice mails or recordings and information that you pass on when chatting or in private messages. But there are also files that you store for yourself privately or for collaborative work in your team.
Microsoft saves all this personal data and encrypts it, using standard technologies both when it is transferred between different devices, users, or data centers, as well as when it is kept in the data center.
The Location of Files in Microsoft Teams
Microsoft stores files that are already “at rest” in different locations in their data centers, depending on the kind of content. For example, the storage location for files you share in a private chat or chat during a meeting or call is OneDrive for Business. Team files that someone shares in a channel are stored in SharePoint. If you want to know exactly where your files are, you can find detailed information in the Microsoft documentation “Storage Location of Data in Microsoft Teams”.
Geographic Location of Your Data
Geographically, Microsoft keeps your data in the region to which your company is assigned. In Australia, Canada, France, Germany, India, Japan, South Africa, South Korea, Switzerland (including Liechtenstein), United Arab Emirates, United Kingdom, Americas, APAC, and EMEA, the save location of company data is within the country or region to which the company belongs. However, Microsoft also mentions that data residency is currently (as of 09/2020) only offered to new enterprise customers who have not previously had a Microsoft Teams’ license. This means that companies with long-standing licenses, the data will be stored somewhere in the wider region. With an inquiry to Microsoft, you can request the migration to Office 365 services in the local data center regions as soon as they exist in your country.
The Period of Storing Your Data
If there is no other adjustment, Microsoft will save business data until the company or user cancels the use of Microsoft Teams. After the end of use, they delete the data within 90 and 180 days. If administrators or users explicitly remove personal data, Microsoft will delete the copies of that data within 30 days.
How Microsoft Encrypts Your Data
Transport Layer Security (TLS) and Secure Real-time Transport Protocol (SRTP) are used to transfer data between users’ individual devices and Microsoft’s data centers.
When at rest, your company data is protected in the Microsoft Enterprise Clouds with Microsoft’s own encryption solution BitLocker, and a Distributed Key Manager (DKM). BitLocker encrypts data stored in SharePoint Online or OneDrive for Business with one or more Advanced Encryption Standard (AES) 256-bit keys.
The Distributed Key Manager (DKM) ensures that only authorized persons have access to the key for encoding and decoding information that has been made unintelligible by the DKM. In addition, there are so-called Customer Keys and Service Keys. The Service Key supports Microsoft users in meeting compliance obligations. The keys and customer data are stored in separate locations.
The “Availability Key” — Practical and Problematic at the Same Time
Furthermore, there is an Availability Key, which enables recovery in case of the loss of the Root Key itself or the control over these keys. If you lose your root key, you can contact the Microsoft support. The Microsoft support team can use the Availability Key to initiate the recovery. This is only possible because Microsoft always has a key — and therefore access to your data. You should always be aware of this.
Keep the American Legislation in Mind
In response to the question “Which third parties have access to personal information?”, Microsoft mentions law enforcement authorities that may require Microsoft to disclose personal information. Microsoft further states that they “will notify the customer immediately and provide a copy of the claim, unless prohibited by law”. With this last subordinate clause, Microsoft refers to the American CLOUD Act. According to this, law enforcement agencies can request the surrender of data in a relatively uncomplicated manner. The law also allows prohibiting the cloud provider from informing the respective user about such a request. We have compiled further information on the CLOUD Act here for you. You can find detailed information from Microsoft at “Encryption in the Microsoft Cloud” and “What third parties have access to personal data?”.
Here are 5 easy-to-implement tips to help you increase the security of your personal and confidential business information within Microsoft Teams.
5 Simple Tips to Make Microsoft Teams More Secure
1. Settings in the Admin Center — Which Cloud Storage Can Be Used
You can change settings for security, compliance, and protection of sensitive company data of the entire organization in the “Admin Center” of Microsoft Teams.
You need administrative rights to determine whether Microsoft Teams is allowed to access external cloud storage. Besides Microsoft OneDrive, ShareFile, Dropbox, Box, Google Drive, and Egnyte are available. Those settings can be found under “Org-wide settings” “Teams settings” “Files”.
2. Control External Apps in Teams
Third-party apps can be integrated into the various channels in Microsoft Teams. You can find out which apps these are in “Teams apps” “Manage Apps” ¬¬ “Apps” in the Admin Center. Company administrators can define which apps to allow or block for specific user groups or the entire organization. You can also manage apps in the individual teams themselves; directly in Microsoft Teams, via “Manage Team” “Apps”.
3. Retention Policies in Microsoft Teams
In Microsoft Teams, data or files in chat or channels are kept indefinitely. Administrators can customize retention policies for Microsoft Teams chats and channel messages across the entire organization and set the period for which data should be retained and which data should be deleted. Microsoft Teams retention policies permanently remove data from all team locations when it is deleted.
4. Member Management in Microsoft Teams
In Microsoft Teams, you can create different teams (e.g. departments) for the entire organization as well as subordinate channels for groups (e.g. thematic or project-related). When creating a channel, you can determine whether it is “public” or “private”.
In Microsoft Teams, you can assign members two different roles. Users are either team owners or team members. Team owner is automatically the person who created the team. She or he can make other members team owners so that several people can manage the settings and memberships. The second role is team member. These are all other people who join or are invited to join the team and the individual channels. Depending on your organization’s basic settings, you can also use guest access to add members that do not belong to your organization to a team.
If a Microsoft 365 group division already exists in your company, you can use it as a basis for your teams in Microsoft Teams. The existing organizational structure simplifies inviting and managing members and synchronizing group files in Microsoft Teams.
5. Encrypt Files in Microsoft Teams with the Boxcryptor App
Critical company data, trade secrets, or data that are subject to data protection regulations require special protection. To ensure this protection in Microsoft Teams, it is advisable to use additional end-to-end encryption. This client-side encryption of files ensures that only authorized persons can access them. Therefore, you encrypt your sensitive files before you upload them to Microsoft Teams.
Since July 2020, Boxcryptor has been providing enterprise customers with an app that allows them to use exactly this encryption without having to interfere with existing workflows. In addition to storing encrypted files directly in Microsoft Teams, which can be shared by the members of a channel, you also have the option of sharing encrypted files directly in posts.
Often, just a few small steps are enough to provide more safety and protection in everyday work. With this information and the five targeted measures, we would like to help you protect the sensitive data that arises in the daily use of Microsoft Teams and make the use of Microsoft Teams in your company or organization more secure.