Tips for Selecting a Collaboration Tool with Security in Mind
Today’s enterprises are adopting a variety of digital collaboration tools to drive employee productivity, deliver cost-effective mobility, and improve communication among distributed teams. Using these tools, employees can easily connect with colleagues, partners, and suppliers regardless of their location, sharing their work in simple and efficient ways through online collaborative workspaces.
But while there’s no disputing their benefits, these collaboration and communications tools are introducing a multitude of new security risks to the enterprise.
Collaboration tools are vulnerable to security threats
As employees exchange information, have private conversations, and transfer files and documents to and from the cloud, collaboration platforms are providing yet another way for cybercriminals to harass, exploit, and eavesdrop on organizations, as well as leak sensitive or proprietary information.
Too often, these risks are not fully understood, accepted, or given proper attention by today’s enterprises. And when that’s the case, tools that can hold so much promise can end up becoming dangerous and costly instead.
A number of factors make enterprise collaboration apps vulnerable targets for attackers. First, these tools are increasingly moving to cloud platforms as enterprises seek ways to expand their accessibility and availability, as well as drive down costs. While this approach offers many benefits, putting services and applications into the public cloud does introduce new security concerns. There are also issues surrounding the behavior of employees using these applications, many of whom are carrying a myriad of personal devices or inadvertently engaging in activities that might be risky. This can include intentional or unintentional leaks of intellectual property, data theft, or setting weak, easy-to-guess passwords.
Recent research from Trend Micro found that some chat platforms were at risk of being hacked and used as command and control (C&C) infrastructure for malware. The report states that the API functionality on popular chat platforms like Discord, Slack, and Telegram can be successfully abused, effectively turning these apps into C&C servers that cybercriminals can use to make contact with infected or compromised systems. Unfortunately, this is just one of many examples of legitimate services and applications being exploited to facilitate cybercriminal efforts.
Even with these risks, the undeniable productivity gains offered by these tools mean they are here to stay. So, what can today’s enterprises do to protect their users and maintain the confidentiality, integrity, and availability of their data?
Invest in an enterprise-grade tool
While there are many collaboration and communications apps to choose from today, beware of using tools that are meant for personal usage in the enterprise. Organizations are quickly realizing the data privacy risks involved with these platforms, with some even opting to ban consumer-grade messaging apps from company-issued devices in an effort to better protect user data. To survive in this ever-expanding threat landscape, businesses require enhanced security features and controls that are typically only available in enterprise-grade tools, including firewalls, encryption of data in transit with TLS, and distributed denial of service (DDoS) mitigation technologies.
Ensure the infrastructure is properly protected
It’s critical for enterprises to carefully select a platform where the underlying infrastructure has been designed with security in mind. This means proper protections are in place for the hardware, software, and networking equipment, as well as the physical security of the data center facilities that operate the services. Ask your service provider if their infrastructure is designed and managed in accordance with cloud security standards and controls, such as OWASP. Make sure the data center facilities are properly monitored and protected as well; access should be monitored 24/7, activity of authorized staff should be tracked, and fire detection and suppression systems should be in place to prevent data leaks or loss.
Maintain control over application level security
While the service provider should guarantee the privacy and security of the underlying infrastructure and services, it’s important for businesses to make sure they can maintain some control over security at the application layer. This allows them to manage the security of their connectivity to the cloud, as well as user privacy rules, identities, and access control within the app itself. With many providers, this is known as a Shared Security Responsibility Model, which allows both the enterprise and the service provider to share the burden of security and take some initiative to protect each user.
Multi-factor authentication (MFA) is a must
The best way to ensure that only authorized users or administrators access their accounts and associated resources is to make user authentication a multi-step process. This includes basic authentication (a user signing in with their email address/username and private password), as well as the use of signed web tokens for each API call. As a best practice, forgotten credentials should be reset, rather than recovered. And it’s critical to educate users to use a complex password, one that incorporates numbers, letters, and special characters and is very difficult to guess.
Arm yourself for the new threat landscape
Modern collaboration and communications platforms must be built to address the new threat landscape that today’s enterprises are facing. Alcatel-Lucent Rainbow™ is an enterprise-grade, highly secure Unified Communication-as-a-Service hybrid cloud solution that enables customers to interface with and deploy custom applications quickly and securely.
To learn more about how the enhanced security features of the Rainbow platform help to protect the confidentiality, integrity, and availability of enterprise data, please visit our Rainbow webpage. We also invite you to connect with us on Twitter at @ALUEnterprise or check us out on LinkedIn.