Let’s not beat about the bush: We’re living through some very unusual times. As I write to you, from a government-imposed State of Emergency to deal with the fallout from COVID-19, I can’t help but be thankful for the technologies in place that have allowed me to keep working, stay in touch with colleagues and loved ones, and assist other organisations with rapidly enabling their own remote working capabilities – all from the relative safety of my own home.
Since the inception of Insync Technology in 2013, we have always been “remote ready”. We were born in the cloud, and even before Teams came along, we were using technologies like SharePoint Online, OneDrive and Skype for Business to deliver remote working capabilities.
Microsoft Teams is simply the latest iteration of this, bringing communication and collaboration workloads into one client experience, while also making it easier than ever to extend “out-of-the-box” capabilities with functions like custom Teams apps and bots. And whilst many organisations have been somewhere on their own Modern Workplace transformation journeys, if nothing else COVID-19 has led to these plans being expedited, legitimising as to why organisations should be deploying Modern Workplace technology in the first place.
One component of the Microsoft Teams platform where usage has recently increased significantly is of course, Online Meetings. As you would imagine, online meetings have been part of a typical my ’day in the life’ for some time, but now it’s different. Online meetings have become my primary means of communicating with clients, colleagues, and even family and friends (weekend Jackbox Games sessions via Teams are fantastic!)
Given the sudden surge in popularity of all types of online meeting platforms, what better time to review Microsoft Teams security and exploring how Microsoft protects you and your data.
The Elephant in the Room
Before I go through the various security features Microsoft Teams offers, I should address the reason I decided to post this blog. Microsoft Teams hasn’t been the only online meeting platform to see huge increases in usage over the last few weeks: Cisco’s WebEx, Google’s Hangouts Meet and Zoom have also seen a huge increase in activity.
Of these providers, it’s been the latter that has not only seen a huge increase in usage but has also drawn a huge amount of criticism. And for good reason.
There have been multiple security issues uncovered with Zoom over the last few months, continuing a trend that started well before the current COVID-19 crisis. Back in July 2019 we saw a serious zero-day vulnerability uncovered, where Zoom were installing a local web server on Macs. Why? To remove clicks from the meeting join experience. In an interview with The Verge, Zoom’s Chief Information Security Officer, Richard Farley, said:
“Ultimately, it’s based on the feedback of the people that have been following this and contributing to the discussion. Our original position was that installing this [web server] process in order to enable users to join the meeting without having to do these extra clicks — we believe that was the right decision. And it was [at] the request of some of our customers.
But we also recognise and respect the view of others that say they don’t want to have an extra process installed on their local machine. So that’s why we made the decision to remove that component — despite the fact that it’s going to require an extra click from Safari”
Since then, there have been further security issues identified (a timeline of which can be found here). At time of writing, I’m learning of yet another: A security researcher found a way to access and download Zoom recordings – even after they had been deleted.
As expected, Zoom’s security woes have resulted in various government bodies (US Senate, Australian Government, Australian Defence Force), private organisations (SpaceX, NASA) and educational institutions (Singapore, New York City Department of Education) banning the use of Zoom for meetings.
For security vulnerabilities identified to date (well, not including the most recent but all the others), Zoom’s CEO Eric Yuan has publicly apologised. Zoom has now committed to a 90-day freeze on feature development in order to prioritise resolving the issues. It raises two crucial questions: Is security not considered the most paramount deliverable when deploying any new feature or capability? Should feature delivery be at the expense of security, compliance and privacy?
It was at this point in writing that I was going to provide a (probably quite boring) list of each and every feature that Microsoft employs to ensure your security and privacy are protected in Microsoft Teams. Rather than reinvent the wheel, you can find links to detailed information Microsoft provides in the Useful Links section at the end of the article. Instead, let’s start with some of the security issues Zoom has encountered, and work back through the specific configuration and default behaviour that protects your security and privacy in Microsoft Teams.
Zoom Offers New Privacy Option for Paid Accounts
Ok, so not a security issue per se, but one that I think deserves a mention. In this blog post, Zoom’s Chief Technology Officer Brendan Ittelson said that, effective from April 18th:
“Every paid Zoom customer can opt in or out of a specific data centre region. This will determine the meeting servers and Zoom connectors that can be used to connect to Zoom meetings or webinars you are hosting and ensure the best-quality service”
The driver for this was of course the discovery that Zoom call traffic (specifically, transmission of encryption keys) had been routed via servers located in China, even though not a single meeting participant was located in China. Given that it is well within the rights of the Chinese government to legally request and obtain encryption keys for secure traffic that traverses their region, this is less than ideal.
What about Teams?
Whilst Office 365 does exist in China, it’s not operated by Microsoft: it’s operated by 21Vianet. Microsoft license their service and technology to 21Vianet, who only provide a subset of Office 365 capabilities, of which Microsoft Teams is not one.
So, unsurprisingly, Microsoft does not route any traffic (Teams or otherwise) via China. Moving on.
Zoom “rolls their own” encryption scheme
Leading on from the previous issue, the same researchers also discovered that the encryption keys themselves were not up to industry standards. Zoom’s own security documentation claims that they can use “AES-256” encryption for meetings, although the use of the term can does not necessarily mean that they do.. On further investigation, the researchers found that:
“In each Zoom meeting, a single AES-128 key is used in ECB mode by all participants to encrypt and decrypt audio and video. The use of ECB mode is not recommended because patterns present in the plaintext are preserved during encryption”
ZOOM SECURITY WHITE PAPER - APRIL 2020
So, not only were encryption keys traversing a region where they may be compromised, the keys themselves weren’t all that secure in the first place. On top of which, Zoom actually came out and made the claim that their platform supported “end to end encryption” when in fact it didn’t, as acknowledged by Zoom’s Chief Product Officer, Oded Gal, who stated:
"Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption. While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it."
The point of actual end to end encryption is to ensure only the communicating users can decrypt messages, not communicating users and the service provider. To use this term in marketing, and even notifications within the client itself, is misleading and dishonest.
What about Teams?
All network communications in Microsoft Teams are encrypted by default. No need to enable, it’s there by design. All Teams services use a combination of PKI certificates and various industry-standard encryption techniques (OAUTH, TLS). All services also use Secure Real-Time Transport Protocol (SRTP) to secure media streams (audio, video and content sharing). This includes 256-bit Advanced Encryption Standard (AES) encryption. If you want to know more about encryption in Office 365 check out this Microsoft Docs article.
If you’re not familiar with the term, “Zoombombing” refers to the practice of uninvited attendees joining a Zoom meeting. Said attendees may then decide to go forth and do things like share pornographic images with participants. Given the huge uptake of Zoom by both businesses and educational institutions, this is far from ideal.
How does Microsoft Teams prevent this?
First and foremost, Microsoft Teams provides the ability to disable “anonymous” meeting join for an entire Office 365 Tenant. This is configured from the Teams Admin portal under Meeting Settings:
If I disable this, with a single setting I can ensure any meeting participant that wants to join meetings within my organisation must be an authenticated user meaning they need to be signed in with a valid Active Directory account. If a rogue user did somehow get access to the meeting join link (say, a student copied it to a public forum or gave it to friends) and attempted to join as an unauthenticated user, meeting entry will be denied:
Disabling anonymous meeting join does not mean that no external participants can join your meetings, it just means that anonymous (unauthenticated) external participants cannot join. Externals can still join if they are authenticated against their own Office 365 Tenant. If you don’t want external, authenticated meeting participants to automatically be admitted to your meetings, configure the Teams Meeting Policy (more on this below) to limit automatic entry to Everyone in your organisation, rather than Everyone in your organisation and federated organisations. This will force them to the lobby to be admitted by the meeting organiser.
The Microsoft Teams Meeting Policy
The Teams Meeting policy is used to control which meeting features are available to participants for meetings that are scheduled by users in your organisation. The below screen grab shows what the default configuration looks like, which applies to all Teams users out of the box. You can of course create as many meeting policies as you like, meaning different classes of users can have different settings and capabilities.
Looking at the Participants and guests section above, and assuming I’ve allowed anonymous meeting join for my organisation, I have granular control over how anonymous meeting participants join meetings. Default settings do not allow anonymous participants to start a meeting, they are not automatically admitted to the meeting (must go via the lobby), and dial-in (PSTN) participants must also wait in the lobby until admitted by a meeting organiser\presenter.
A Little bit on Meeting IDs
As a side note, a contributing factor to Zoombombing being feasible has been the relative ease in which “Zoombombers” can access a valid Zoom meeting ID. Meeting IDs were easily accessible (displayed in plain text) in the app’s title bar (since removed from Linux, Mac & Windows apps). Default password settings also meant that Zoom permitted anyone to join a meeting if they had the Meeting ID, no password authentication required. Couple this with “War Diallers” – automated tools capable of finding valid Zoom meeting IDs and which ones are not password protected – and you are inevitably going to have issues.
To be fair, Zoom is working to address these issues, and I understand what the company were trying to do in the first place, remove friction from the meeting join workflow. Unfortunately, designing for this level of simplicity, and not enforcing an authentication mechanism by default, has been a major contributing factor to Zoom’s security woes.
What about Microsoft Teams?
To start with, there’s no concept of a personal, static Meeting ID within Teams. Each meeting (ad-hoc or scheduled) has a unique meeting identifier, one that’s more complex than a 9-11 digit number, and it’s never on display during a meeting. Here’s an example of a Teams meeting URL (before you try and join, I’ve changed two characters 😊):
If you are in a meeting and you want to share meeting join information “manually”, Teams supports this by allowing you to copy all meeting join information to the clipboard and pasting into a medium of your choice.
500,000 Zoom accounts sold on hacker forums
As reported by Bleeping Computer, thousands of leaked Zoom account details have been appearing on hacker forums. Details being traded include a victim's email address, password, personal meeting URL, and their Host Key (a 6-digit PIN used to claim host controls in a Zoom meeting).
It should be noted that Zoom itself need not be hacked in order for these lists of compromised accounts to exist. Humans have a propensity to use the same password for multiple online services, so it only takes one service where you’ve used the same password to be compromised for a hacker to try their luck using your credentials somewhere else,Zoom for example.
Unsure if any of your passwords been compromised? Go and find out at HaveIBeenPawned?.
How does MicrosoftTeams ensure this doesn’t occur?
Given that Teams is built on top of Office 365, Azure and other related Microsoft cloud technologies, it’s no surprise that authentication is handled by Azure Active Directory (Azure AD\AAD). Azure AD is Microsoft’s cloud-based enterprise identity service, it provides things like Multi-Factor Authentication and Conditional Access to protect users from cybersecurity attacks. These security capabilities aren’t unique to Microsoft Teams: Azure AD underpins authentication across Microsoft’s entire ecosystem. There is no need to use different credentials to access Teams than you would use to access any other Microsoft service, including your Windows PC. Couple that with Single Sign On (SSO), and you now have one set of secure credentials that can be used to access Microsoft devices and subsequent applications without needing to repeatedly enter in credentials. To be honest, I don’t use a password at all – I use Windows Hello.
Of course, given that we’re using one set of creds to access all our cloud services (including Teams), it is reasonable to ask how does Microsoft protect me if my username and password are somehow compromised?
If you don’t use Azure AD Multi-Factor Authentication (MFA) today, you should be! There is literally no easier way to protect against 99.9% of cybersecurity attacks. Deploying MFA ensures that access to your account is only possible if you have both the account password and access to a secondary device (sometimes referred to as “something you know, something you have”), therefore providing an additional layer of security. The concept isn’t new, it’s just a little more advanced than it used to be, who remembers these?
Today, we typically use an app on a smartphone to support MFA, and I don’t have to enter a code anymore, I can simply click approve.
To get the above screen shots, I actually had to “downgrade” my MFA capabilities, because I’ve gone one step further and don’t use a password at all when I sign-in to Office 365. I use Passwordless MFA - check out more on that here.
So, my account credentials are protected using MFA. What if I want to go even further?
Conditional Access is a feature of Azure AD that enables organisations to define specific conditions for how users authenticate and gain access to applications and services. For example, I can use a user’s location (in the office or remote? In Australia? Or Overseas?), the device they’re trying to use (is this a device registered against our organisation or not?), the application, and even input from real-time risk analytics, to decide whether to allow someone access to Teams:
Here’s an article from 2017 (yes, it’s been possible to do stuff like this for ages) that talks about using Conditional Access with Microsoft Teams.
I think it’s safe to say that the last few months have seen unprecedented change in how people around the world work, communicate, and stay productive. The trend to support “remote ways of working” is nothing new, but what is new is organisations moving to using these tools rapidly in response to a global pandemic.
Human nature is to gravitate towards a solution that provides the path of least resistance, it’s something we refer to in the IT world as Shadow IT. If you don’t give your users tools to help them be productive, they will find a way to access alternative tools themselves, and we’ve seen this occur on a mammoth scale with the uptake of Zoom for online meeting needs. Unfortunately, it’s come at a major cost to security and privacy. You don’t have to take my word for it, when Zoom’s CEO Eric Yuan was asked if he would now prioritise security in the wake of all these security issues he said:
"If you asked me this question one year ago, I would hesitate to say yes. But now, absolutely yes. We're going to transform our business to a privacy-and-security-first mentality."
For any new feature or capability being rolled out to Microsoft Teams, security and compliance are absolute fundamentals. Microsoft have a commitment to ensuring privacy and security for its customers before all others – their business and reputation depend on it. Jared Spataro, Corporate Vice President for Microsoft 365 captures this commitment perfectly:
"Now more than ever, people need to know that their virtual conversations are private and secure. At Microsoft, privacy and security are never an afterthought. It’s our commitment to you—not only during this challenging time, but always. Here’s how we’re working to earn your trust every day with Microsoft Teams"
For Zoom, a core focus on features and simplicity has come at the expense of security and privacy. If these things are important to you and your organisation the solution is simple, use Microsoft Teams.
Check out the following links for more on Microsoft Teams security and Meeting Policy configuration: