Back in October, Microsoft introduced Microsoft Teams Premium (Premium) during Ignite, announced the Premium preview as a limited trial for commercial customers in December, and made it generally available on February 1. These updates likely went under the radar for many security and compliance professionals, as the solution's safeguards are buried within the valuable efficiency and collaboration enhancements. Admittedly, there are some interesting meeting and webinar branding features, and I'm personally excited about the new note-taking functionality (powered by OpenAI's ChatGPT) to generate tasks and flag moments in the recording where you're mentioned. However, the purpose of this blog is to highlight the meeting protection capabilities that come with Premium and address nuances an IT or security leader should consider prior to procuring the add-on.
The best visual representation of the security and compliance features is found here, but I've copied it below for reference.
Assigning Microsoft Purview sensitivity labels to meetings is noted as the only feature that requires a Microsoft 365 E5 subscription or a Microsoft E3 subscription with the Advanced Compliance add-on license. Yet, it's important to note that watermarking, encryption, and other controls mentioned in the table can be powered by the sensitivity label or a meeting template. The controls listed can be configured from the Microsoft Purview compliance portal, and a large number of variables can now be managed with a Teams Premium license, based on the sensitivity of the information being shared and the controls an organization is seeking for attendees, presenters, and internal vs. external parties. Some other features are controlled in the Teams admin center once the Premium add-on is licensed and provisioned. Go here for a more detailed breakdown of where each feature can be controlled or deployed.
Teams Premium is a per-user, per-month license where any user benefiting from Teams Premium functionality needs to have a Teams Premium license assigned. This logic would also include the same per user licensing considerations for Microsoft Purview and sensitivity labeling.
One last housekeeping note - as of this writing, Premium is coming to GCC on March 1, 2023 but not available for GCC High tenants. I'll be monitoring that release heavily, as there are great applications for the Defense Industrial Base (DIB) and state, local, and federal government.
Previously with Teams, administrators could configure tenant-wide policies to prevent recording of Teams meetings, or organizers could choose to automatically record on a per-meeting basis. Now with Premium and the use of meeting templates or Microsoft Purview sensitivity labels, recording control can be automatically trimmed to organizers only once a label is applied during the meeting creation process.
In a similar manner, a sensitivity label can be applied to control watermarking of shared content and/or the video feeds of attendees and presenters. Administrators can scope the label to include meetings and subsequently configure protection settings for Teams meetings and chats.
This level of control can be extremely beneficial in a healthcare setting, for example, where a clinician could label a meeting as a "Consult" or "Care Plan Review", and the intent for the latter label may be to prevent recording, watermark content displayed to the patient or other audiences as Protected Health Information (PHI), and limit who can bypass the lobby in order to protect patient privacy and uphold certain HIPAA standards. Another industry-relevant example would be labeling Controlled Unclassified Information (CUI) via watermarking so that the live presentation is marked, as well as the recording, for posterity and future CMMC requirements impacting aerospace and defense companies.
(The 7 E's Principle) Elegant End-to-End Encryption Efficiency Enablement
The key to the 7 E's Principle is that there is no 7 E's Principle. However, the extension of Microsoft Purview labels into Teams Premium allows End-to-End Encryption (E2EE) to happen automatically once a meeting sensitivity is selected. That is in fact elegant and efficient.
E2EE was announced back in October of 2021, before Tom Brady retired for the first time (Yes, he's retired again for the second time). However, IT and cybersecurity leaders know that relying on users to manually apply encryption to meetings (or any data protection setting for that matter) is often a losing game (which is why Tom Brady retired the second time). This is an efficiency gain as well as a data protection and compliance benefit. Any time a compliance process can be converted to an automated technological measure (pending proper configuration), risk can be alleviated.
Back to the HIPAA and HITECH example in healthcare -
HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information (ePHI) to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
If an email containing ePHI should be encrypted per the standard above, shouldn't a Teams (or other video communications application) meeting be considered a part of a provider's scope IF the meeting contains audio and video content with protected health information (PHI) of patients within it? Transcription of the meeting with PHI discussed? etc.
Your organization would need to determine the risk and application of the standard, but nevertheless Teams Premium's capabilities may scratch that risk itch. Similar requirements can also be found within Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 for commercial businesses working with the Department of Defense and handling Covered Defense Information. Also, the Financial Industry Regulatory Authority (FINRA) maintains rules for the protection of customers' financial information and records that may be exchanged in virtual meetings.
Protect More Data with Less
Teams Premium can be deployed via a 30-day trial as of this writing, but is also accessible for licensing from now until June at $7 per user, and $10 per user come July. Considering many organizations are already using Microsoft Purview's Information Protection capabilities as a part of their E5 licensing, IT and cybersecurity leaders can extend the utility of these labels (that they already have) for a subset of users who regularly attend or host sensitive meetings. For example, not every user may be licensed for E5 or F5 due to the nature of their work; thus, those E5 users may be a target for the usefulness of Teams Premium. Furthermore, there may be benefit in licensing Teams Premium for certain departments or business units within the organization, such as financial operations, human resources, research and development, etc.
Though it may be obvious, this blog only covers a fragment of the Premium offering. I've only 'bored' you with the security and compliance features!
Original post on LinkedIn: