Hey folks!
We spend a lot of time talking about features in our blogs. We wanted to change it up and instead spend a moment to talk about a real-world, here-and-now problem that every company faces today: how do I keep my users and my company safe? Regardless of whether you’re a large Fortune 50 enterprise or a start-up, your data is critical to your business. And you need to keep it safe and secure.
As you go through the process of deciding how to set up and secure your collab solutions, make sure you are thinking about how to best facilitate your users getting work done. Make decisions, but be ready to change by asking: “What are people using these tools for that I wasn’t considering before?” and adapt your policies to keep that work getting done, not prevent it. There will always be patterns that are straight-up incorrect. But for the most part, people find new ways of doing things to be more efficient at their job, so help them do that securely and within boundaries. No reasonable employee starts their day hoping to compromise the crown jewels of their employer!
To help you on your journey to addressing this challenge within your collaboration architecture, we will share insights into our own approach. However, we truly believe that deploying an IT solution is never a one-off activity. You need to be able to adapt and evolve your solutions as your business grows and develops. So it is key that you choose a solution that gives you the flexibility to monitor adoption and activity, and adapt accordingly.
Top considerations when securing your team collaboration solution
The most secure cloud in the world is one with (a) no users, (b) no code, and (c) no connection to the Internet: one where no one can do anything wrong, or inject malicious code and compromise the system! But security like that gets in the way of getting work done. On the other hand, the most easy-to-use deployment is one where there are no boundaries or gates, just wide-open and free-form collaboration and sharing between your users and others. Once again, not a great solution. The best solution lies somewhere in between. But your best solution is unlikely to be the same as that of the IT leader to your left, or to your right either.
How do you choose the best solution for your business? Here is our list of top 3 considerations:
1) This is not just a lift and shift exercise, but needs careful planning. A cloud-based collaboration solution is fundamentally different from tools like on-prem email servers or chat. The flexibility and velocity of the Internet mandate a different paradigm for the way that services operate. You need to make sure you plan for the different modalities that online collaboration takes – audio, video, screen sharing, sending files, etc. – much more than was possible in email. Find the tools that will help you manage these modalities – Data Loss Prevention (DLP)/Cloud Access Security Broker (CASB) solutions like Cisco Cloudlock can help.
2) Set policies that allow but control the types of interactions you want your users to engage in. We’re now seeing an uptick in pre- and post-meeting activity to make high-bandwidth, synchronous activities as efficient as possible. Business critical decisions are now being made in real-time in messaging – with screens being shared, files being authored, and tasks being assigned. You need to define security policies that support and control this – will your users be allowed to work with others outside your organization? Can files be shared? Remember – it’s important to give employees the capabilities that they need in order to be as productive as possible. Rather than saying “no files can be shared,” consider defining what kind of files could be shared openly. How long should data be retained for? Do you need to comply with legal regulations? Get clarity on what your users should be doing, set policies to control those capabilities, and, again, make sure you monitor.
3) Understand the sensitivity of the data that will be exchanged during those interactions. Which teams handle the most sensitive data? What tools do you currently have in place that need to be part of your architecture going forward? Choose a solution that is sufficiently open to support any integrations that you need, and which doesn’t prevent you from changing those integrations in the future. Also remember to monitor – choose DLP engines that help you to make sure the right things are happening with your data. Again, a product like Cisco Cloudlock can help you in this journey.
These 3 considerations aren’t easy to combine into a good solution – it’s an art more than a science. And if you’re part of a bigger company, issues like litigation and legal discovery proceedings are also realities you’ll need to contend with. Make sure your platform supports the capabilities you need! Cisco Webex Teams has a wealth of capabilities to support eDiscovery, Legal Hold, and content retention management. Our goal is to give you the connective tissue between disparate apps and services to deliver a seamless and efficient experience for your users to get work done.
Cisco is Customer Zero
At Cisco, we pride ourselves on being “Customer Zero” for our own products. We have a very close partnership with our IT and Legal teams as we work together to find that happy medium of usability vs. security and compliance. To that end, I’d like to introduce Daniel Black and Tony DeGruy, our key representatives from Cisco Legal and Cisco IT. Here they share how we worked through this challenge of ensuring both high security and usability:
Nice to meet you all! We’ve recently gone through exactly the struggles outlined – what are the right policies to set for our users to enable maximum productivity while maintaining the necessary control? This first required us to look at the work that Cisco Webex was intended to enable for our users. As Jono highlights above, IM is the new email, so when we thought about retention, we needed to take this into consideration. If we wiped all Webex Teams discussions immediately when they were done, decisions and critical context would be lost. If we kept all data around indefinitely, then we opened ourselves up to potential issues. So it was a healthy (and long!) discussion trading off usability and security/governance to find the right middle ground policy.
Similarly, we needed to look at the tools we used to manage our Webex deployment. We had built a homegrown system to provide DLP and CASB capabilities before. As Webex rolled out its integration with Cloudlock, we realized it was more cost effective to use Cloudlock to manage our Webex deployment than to continue to build our own. And finally – we made the switch to use the new Webex Teams file sharing and storage integration with Office 365 to help manage our data sprawl. By enabling users to share and edit their documents from SharePoint Online and OneDrive for Business, we’re helping to provide a better productivity experience, while centralizing where our corporate documents reside – improving our ability to manage and monitor our corporate assets!
Embrace change: monitor usage and adapt
Critical to the success of our project with IT was the ability to define the right policies for the organization. But this is not a static state. IT cannot be caught on its heels – we must all be ready to adapt as new ways of doing work emerge. Which is why you see the “configure and monitor” storyline show up in all of the considerations above. For those of us that remember back to the “Bring your own device” wave of the digital transformation (I like to think of that as the “first real wave”), the number one driver for the change was people wanting to use a different toolset than that which IT had blessed.
Personal mobile devices were taking off, and people wanted to use these, not their cumbersome laptops or desktop devices, to check email and communicate. And when some IT managers prevented this type of choice, people created a shadow set of services and infrastructure. IT dashboards and monitoring systems looked great: green circles and tiles across the board. No approved and monitored device was out of compliance – but the keyword was “monitored.” There was a growing tidal wave of devices that weren’t being monitored because people didn’t want to comply with the stringent requirements that IT set out. And thus began the first wave of transformation for IT.
Don’t let history repeat itself. Instead of enforcing rigid policies around what can and cannot be used, focus on ensuring that you have visibility across the toolset. And make sure that you choose a solution that fits with the systems you have in place, and can evolve as your business needs change. Cisco Webex has engaged in several key partnerships with industry leading DLP and CASB vendors – including our very own Cloudlock! – to ensure that you can use your preferred tool to monitor and remediate user behavior. Use these tools to monitor how users are working. And when you see patterns of usage that you hadn’t considered before, ask “should this be allowed?” Finding a set of policies that enables customer work actually improves your ability to respond to these requests and ultimately increases the reliability of critical compliance tasks like legal discovery and hold activities. Don’t let overly stringent security policies be the reason a new chat service or file storage service has cropped up without you knowing and managing it!
I hope this has been a useful article for you! I’d love to hear about your own experiences in this space. Reach out at jonluk_at_cisco.com on Teams or connect on Twitter _at_jonoatwork to let me know about how you do this. Or come discuss in our Collaboration Apps community. Let’s make these best practices a Bridges not Islands exercise as well!
Rock on,
Jono
Thank you for the post Jono.
What I got from this post is that there is a trade-off between security and productivity.
This seems quite similar to DevOps: a trade-off between developing faster and keeping code stable.
What do you think?
Yes! That’s exactly right. How you approach security needs to be grounded in your goals and what your users need to do. Just like with devops and CICD – velocity and rate of deploy vs checks and balances!
It also bears repeating – we at Cisco Webex are heavily focused on making sure that you can *choose* the way you want your users to work. That means giving you the knobs to control that, as well as using our tools (like Cisco Cloudlock & Duo), or bringing your own DLP/CASB engines. If you want more info on these, do let me know!