3 elements of collaboration security and governance every digital workplace needs
July 1, 2022 / Alan Shen
Short on time? Read the key takeaways:
- The COVID-19 pandemic led to rapid adoption of workstream collaboration platforms, but security and governance were often overlooked.
- Collaboration sprawl can result in lost productivity, increased vulnerability, and abandoned workspaces that pose security risks.
- Governance policies for workspace configuration can ensure proper security and organization of teams and channels.
- Guest access can be complex and IT leaders must decide who is allowed access, what they can access, and for how long.
Enterprise collaboration platforms — such as Microsoft Teams, Slack and Cisco Webex Teams — promise end users a better way of working.
With many of today’s employees following a remote or hybrid model, collaboration technology offers a centralized hub for colleagues to connect and streamline workflows.
At the start of the COVID-19 pandemic, companies began rapidly adopting and deploying new workstream collaboration (WSC) platforms — a process that normally can take months or even years for large enterprises. But security and governance were often an afterthought in a rush to get these platforms up and running.
As the adage goes, with great power comes great responsibility. Without proper governance policies, end users are left to their own devices to complete projects as efficiently and effectively as possible, sometimes in ways that are not the most secure for organizations.
For example, employees might invite external guests to a team workspace, not realizing they’ve indirectly given that guest user access to a channel containing sensitive documents. Most users aspire to clean up their workspaces, but this rarely materializes into action as other business deliverables take priority.
These common scenarios demonstrate why every enterprise can benefit from defining and maintaining collaboration security policies before deploying a new WSC platform. In this article, we discuss an approach that helps address three key governance areas: digital sprawl, workspace configuration and guest access.
Digital sprawl
While having many teams and channels may not sound like a problem, the effects of collaboration sprawl can quickly snowball into a major security threat. Too many workspaces result in lost productivity as end users struggle to identify the correct workplace. Even worse, they may abandon their search and create yet another team. As collaboration sprawl increases, so does your organization’s vulnerability surface area.
Abandoned or orphaned workspaces present other challenges. Even though a team or channel is no longer used after a project ends, the data remains accessible to many. Abandoned teams and channels create security headaches and heightened risk, especially when group ownership needs more oversight. These policies can help IT get a better handle on sprawl:
- Manage who has permission to create teams or channels. Defining who can create workspaces nips the sprawl problem in the bud. Some organizations add a step in the workspace creation process, requiring approval from IT to do so. This step prevents the proliferation of unnecessary teams and ensures new teams are correctly configured.
- Perform workspace audits. Even if a team or channel starts as necessary, there is no guarantee it will be needed in the future. Enterprises should audit workspaces periodically to ensure they still provide business value. Likewise, unused workspaces should undergo review to decide if they should be archived or deleted, depending on your organization’s data retention policy. Some organizations choose to have all teams and channels undergo a scheduled renewal process, while others review inactive ones.
Risk can originate from several points within a WSC platform including files, chat streams, comments and meeting transcripts.
Workspace configuration
Governance policies for workspace configuration help ensure the application uses the necessary levels of security and consistent organization of teams and channels. Since these settings will be applied to all workspaces when created, be sure to finalize your enterprise’s naming and security conventions before deploying a WSC platform. Here are key settings to consider:
- Workspace naming conventions: Enforcing proper naming conventions makes it easier for end users to find the right workspace and know whether guests and colleagues have access. Common methods include adding a prefix or suffix to denote an external-facing workspace or incorporating location or department names.
- Minimum and maximum number of owners: Each team has designated owners who control basic settings and oversee workspace activity. Given the importance of this role, companies can set policies to mandate that a workspace has at least two owners. Conversely, it’s also essential to prevent an excessive number of owners, where nobody oversees the workspace.
- Workspace classification: Beyond configuring a workspace as private or public, classification goes a step further to denote the sensitivity level of the data accessible to team members. Workspace classification can be based on team membership, expected topics of discussion and shared content types. For instance, teams classified as highly sensitive may restrict external guests, such as partners or customers.
- Third-party apps: While there are many nuances to managing third-party app integrations, enterprises must carefully consider which apps to allow within their WSC platforms. Depending on data security policies, IT may require continuous auditing or a custom approval process for new applications.
Guest access
While it may sound simple, one of the most complex collaboration security issues lies in guest access. Beyond choosing whether to enable or disable guest access, IT and business leaders decide who should be allowed to be a guest, what they should be able to access and how long to grant access privileges. While cybersecurity teams may prefer to disallow guests entirely, this approach can introduce further problems as guest users can be critical collaborators on projects that drive business outcomes. Here are questions to answer when establishing guest privileges:
- Who should be allowed as a guest? Many companies opt to whitelist or blacklist certain domains to distinguish guests from known contractors and avoid granting access to competitors. IT can also consider limiting users from public domains, as this type of guest can access the workspace at any time, regardless of their employer. Aside from guest domains, it’s also important to think through the general process of adding a guest, including knowing what approvals are required and from whom.
- What should guests be able to access? Your organization will likely want to restrict guest access to some workspaces, particularly highly sensitive ones. Carefully consider guest default settings and develop granular policies. Automated workflows can reduce the burden on IT to monitor, optimize and enforce these policies manually.
- How long should guests retain access? One common issue with guest access is the failure to remove external guests after completing a project or collaboration. Once a project ends, team members often move on to the next deliverable and forget to remove guest access. Consider a periodic audit process for guests to protect and secure your data. The review should be mapped to the sensitivity level of the workspace and be conducted monthly, quarterly or biannually.
Collaboration security and governance involve creating, managing and enforcing complex policies. Before creating and enforcing policies, IT must collaborate across departments and business units to make several critical decisions affecting their digital workplace for years to come.
With the rapid growth of a distributed workforce and the increased use of enterprise WSC platforms, companies can greatly benefit from strong collaboration security and governance policies as a vital component of ensuring enterprise data security.
