NSA Guidance on Telework Solutions

5 min read
Published on May 11, 2020
As more businesses turn to software that enables online collaboration, the specific application those companies choose for that collaboration becomes more critical. On April 24, 2020, the National Security Agency (NSA) released guidance on some top collaborative platforms and their security postures. The NSA's evaluation covered 13 providers and used a set of specific criteria to assess each vendor. Below is a summary of those criteria, followed by a recommendation for the best option for collaborative software based on which providers best met the NSA's recommendations.

End-to-End Encryption

End-to-end encryption (E2E) lets anyone sending files or content protect that content on its way to the recipient, so that no intermediate server or service can intercept and read it. E2E is useful, but the guidance treats encryption of data at rest, whether on either endpoint or in remote storage, as the most critical component. The only people who should be able to access the content unencrypted are the sender and the intended recipient. Careful key distribution is an essential part of reliable E2E, which is why apps that support large group video chats sometimes omit it in favor of better performance.

What Are the Encryption Standards Used and Have They Been Tested?

If E2E isn't available, encryption should still be part of your standard operating procedure. The NSA recommends strong encryption using algorithms approved by the National Institute of Standards and Technology (NIST), and staying current with Internet Engineering Task Force (IETF) protocol standards. Some applications protect data in transit with Transport Layer Security (TLS) version 1.2, a common practice for transferring sensitive but unclassified information, and the NSA recommends using published protocol standards such as this one. When a vendor creates its own encryption protocol instead, that protocol should be subject to a rigorous, independent evaluation by an accredited source.

Does It Use Multi-Factor Authentication for Identification?

Multi-factor authentication (MFA) is a method of combating password theft. When a user's password is compromised, the system is exposed to malicious actors impersonating that user's account. MFA asks the legitimate user for a second form of identification; the type of factor can vary, but it confirms the user's identity and decreases the likelihood that an impersonator can compromise the account.

Can It Make Collaborative Sessions Invitation-Only?

When users set up collaborative sessions, it's important to keep them exclusive. Allowing open access leaves a session exposed to just about anyone, which is a major problem if sensitive or proprietary information is discussed. That's why it's critical for apps to let organizers restrict access to invitees only. Several features can implement this, such as waiting rooms and meeting passcodes; the crucial element is an additional level of authentication. The app should also be able to show organizers and other attendees when a participant joins via an unauthenticated or unencrypted method (for example, by dialing in from a phone).
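As an added illustration (not code from the NSA guidance or from any vendor's product), here is a small Python model of the admission controls this section describes: a passcode check, a waiting room, invitee-only auto-admission, and a roster flag for participants who dial in unauthenticated. The Meeting and JoinRequest names and the data in demo() are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class JoinRequest:
    identity: str   # account id for app clients, caller id for dial-in
    passcode: str   # passcode the participant typed or keyed in
    channel: str    # "app" = authenticated, encrypted client; "phone" = dial-in

@dataclass
class Meeting:
    passcode: str
    invitees: frozenset
    waiting_room: bool = True
    waiting: list = field(default_factory=list)
    roster: dict = field(default_factory=dict)  # identity -> how they were verified

    def request_join(self, req: JoinRequest) -> str:
        # Constant-time compare so a wrong passcode leaks nothing about the right one.
        if not hmac.compare_digest(req.passcode.encode(), self.passcode.encode()):
            return "rejected"
        trusted = req.channel == "app" and req.identity in self.invitees
        if trusted and not self.waiting_room:
            return self._admit(req)
        # Uninvited accounts and dial-in callers always wait for the organizer,
        # even when the waiting room is switched off for invited app users.
        self.waiting.append(req)
        return "waiting"

    def admit(self, identity: str) -> str:
        # Organizer action: release one participant from the waiting room.
        for req in self.waiting:
            if req.identity == identity:
                self.waiting.remove(req)
                return self._admit(req)
        return "not-waiting"

    def _admit(self, req: JoinRequest) -> str:
        # Phone joins are flagged on the roster so organizer and attendees can see them.
        tag = "authenticated" if req.channel == "app" else "UNAUTHENTICATED-DIAL-IN"
        self.roster[req.identity] = tag
        return "admitted"

def demo() -> dict:
    # Constructed sample meeting and join attempts (not real identities or passcodes).
    m = Meeting("sample-passcode", frozenset({"alice", "bob"}), waiting_room=False)
    out = {"alice": m.request_join(JoinRequest("alice", "sample-passcode", "app")),
           "mallory": m.request_join(JoinRequest("mallory", "guess", "app")),
           "carol": m.request_join(JoinRequest("carol", "sample-passcode", "app")),
           "dialin": m.request_join(JoinRequest("+1-555-0100", "sample-passcode", "phone"))}
    out["admit_dialin"] = m.admit("+1-555-0100")
    out["roster"] = dict(m.roster)
    return out
```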

Does the Application Share Data With Third Parties or Affiliates?

An application gathering basic information is common and, in most cases, a necessity. That said, the vendor should protect all sensitive data, such as contact information and meeting content. No third party or affiliate should be able to access the actual meeting content, meaning any discussions or material shared within the collaborative session. The same applies to device data, session history, personally identifiable information about users, or any other information that could pose a threat to the organization. The vendor should have a clearly defined privacy policy in place that states as much.

Can Users Delete Their Data Securely?

It’s unlikely any service will provide users with complete autonomy when it comes to the ability to delete data. But does the application or service give users the ability to delete any meeting content and their accounts when no longer in use? For example, the user should be able to delete any chat sessions or shared files once their meeting has concluded.

Is the Source Code Publicly Available?

If the vendor has developed and shared their source code publicly, it gives an added level of accountability. It allows users to verify that the vendor developed the source code using best practices for secure programming. Users can then gauge any potential vulnerabilities and assess risks.

Has a Nationally Recognized, Security-Focused Government Body Reviewed the App?

According to NSA recommendations, any cloud service app should undergo evaluation under the Office of Management and Budget's (OMB) FedRAMP program. It also recommends evaluation by independent labs under the jurisdiction of the National Information Assurance Partnership (NIAP) against the Application Software Protection Profile (PP). In partnership with the DHS Science and Technology (S&T) Directorate Mobile Security R&D Program, NSA developed testing criteria based on the application PP. They cover how an app integrates with platform resources, the defensive measures it takes against exploitation, the permissions it requests, and any cryptographic libraries it uses as part of its operation. An app that adheres to these standards gives an organization a baseline of requirements that keeps it more secure.

What Are the Best Applications for Telework?

These considerations all factor into the collaborative solution your organization uses. With that in mind, the best option is Microsoft Teams. Along with offering users a wealth of collaborative options, Teams checks the majority of the security requirement boxes put forth by the NSA. While it's true that Teams does not have E2E, E2E is generally more important for consumer apps than enterprise apps. Additionally, Teams does encrypt data both in transit and at rest. It can also enable advanced compliance features such as Legal Hold, eDiscovery, Insider Threat Management, and automatic application of compliance policies.

For help deploying, onboarding, and securing Microsoft Teams, contact us today.
