How do you know if a Microsoft Teams App meets your organisation’s security requirements?
Microsoft Teams allows hundreds of third-party application integrations that extend, expand and integrate into the Teams experience in all kinds of powerful ways, but how is an organisation to know which of them meet its security standards and requirements? It could be a full-time job to go and understand the security and compliance posture of each of the available applications.
Enter the App Certification Program. The goal of the app certification program is to provide customers with a reliable, unified, and publicly accessible cloud app risk assessment catalog. This will help enterprise customers expedite the otherwise arduous and time-consuming process of reviewing app information related to security, data handling, and compliance practices before approving them for use in their tenant.
Microsoft will gather information from app partners and make it accessible in one central location, in a consistent format. Behind the scenes, this leverages the SaaS app catalog and the security and compliance information stored in Microsoft Cloud App Security.
This program is currently in its pilot phase. In the first stage of the app certification program, Microsoft will allow Teams app partners to self-attest their apps against more than 80 risk factors provided by Microsoft Cloud App Security, as well as leverage the security and compliance information they have submitted to CSA STAR. Note that in this first stage the information is self-attested by the app partner rather than independently verified, so it is a starting point for your own review, not a substitute for it. In the future, this app certification program will extend beyond Teams to include the entire app ecosystem across Microsoft 365.
https://docs.microsoft.com/en-us/teams-app-certification/all-apps
What information do application developers need to provide for the app certification program?
Basic information about your app like licensing details and contact information.
Data Handling – Information about what data your app is collecting, why you’re collecting that information, and if the administrator has any control over the collected information. Examples include data accessed through Microsoft Graph, any bot capabilities, and any telemetry you’re collecting.
Security and Compliance – Information related to security and compliance of the entire app (not just your Teams app, but the underlying services as well). The information is stored in the Microsoft Cloud App Security catalog.
https://docs.microsoft.com/en-us/cloud-app-security/attest-your-app
About Microsoft Cloud App Security
Powered by native integrations with Azure Active Directory, Intune, and Azure Information Protection, Microsoft Cloud App Security offers tools that help your organization uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats across a range of cloud applications.
- Cloud Discovery: Discover all cloud use in your organization, including Shadow IT reporting and control and risk assessment.
- Data Protection: Monitor and control your data in the cloud by gaining visibility, enforcing DLP policies, alerting, and investigation.
- Threat Protection: Detect anomalous use and security incidents. Use behavioural analytics and advanced investigation tools to mitigate risk, and set policies and alerts to achieve maximum control over cloud network traffic.
Cloud App Security integrates visibility with your cloud by:
- Using Cloud Discovery to map and identify your cloud environment and the cloud apps your organization is using.
- Sanctioning and un-sanctioning apps in your cloud.
- Using easy-to-deploy app connectors that take advantage of provider APIs, for visibility and governance of apps that you connect to.
- Using Conditional Access App Control protection to get real-time visibility and control over access and activities within your cloud apps.
- Helping you have continuous control by setting, and then continually fine-tuning, policies.
I feel I can let my shoulders drop and breathe a sigh of relief. This totally needs to happen and would be a godsend for the reasons you outline in your article.
Great article, thanks Tom!