What does Teams do for security?
Well, since Teams is part of the Office 365 solution set, Teams follows the rest of the platform by securing data in transit and at rest. Your data is kept in the region where the tenant is provisioned, and if there is an “in-country datacenter”, the entire Teams dataset (voicemail, images, files in chat, SharePoint, and OneDrive for Business (ODFB)) will be kept in that in-country datacenter. Finally, the same security and privacy principles that apply to the entire Office 365 solution set are applicable to Teams: data encryption at rest and in transit, pen testing, security reviews and automation, etc.
So, in addition to the native security features, you can further secure Teams at a base level using conditional access and Multi-Factor Authentication (MFA). For example, you can use conditional access to allow only users with a US IP address to access your Teams content. Or you can enforce conditional access with MFA on just your guest accounts. This means that guests would be required to complete MFA (via a text message PIN or through the MS Authenticator app).
These are just some of the low-hanging fruit of Teams security; there are other Office 365 tools and functions that extend into Teams and ODFB/SPO. These include Office 365 Advanced Threat Protection (ATP) to help with malicious files and links. Consider the example of a guest account that gets compromised: the bad actor can easily see which other tenants' Teams the compromised account is a member of. While the attacker is impersonating someone, they can upload a malicious file or share a malicious link in the Teams chat, and your users, while likely trained for e-mail zero trust, are probably a softer target in a Teams Room with guests. ATP protects your org and your users in Office 365 SharePoint, OneDrive for Business, and Teams just like it does in Outlook. Known and zero-day attack prevention (via the detonation chamber feature) is available in Teams via Threat protection; just make sure you check those boxes in the admin center.
There is also Data Loss Prevention (DLP) and Information Protection (IP) to consider. When orgs transition to Teams from Skype for Business, IP/DLP are new areas of concern to secure.
How can you apply them? In the Compliance section of Office 365, you can choose Teams chat and channels as the location, define which users/accounts are in scope, and then define the rules (condition-based, keywords, exceptions, actions, etc.).
The tools are built to help you with just external users (guest accounts), but they can also be used to prevent the transfer of internal data types, by warning and notifying or by blocking outright. For example, you can block your users from sending credit card (CC) information via chat. The user experience is that the user who sent the protected info is warned and blocked, and the message is removed for the “sent to” users (whether in a 1:1 or a group chat).
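The credit card rule described above can also be created from Security & Compliance PowerShell instead of the admin center. The following is an added example, not taken from the original article; the policy name, rule name and admin account are constructed placeholders, and it assumes the ExchangeOnlineManagement module and a compliance administrator role.

```powershell
# Added example: Teams DLP policy that blocks credit card numbers in chat and channels.
# Names and the admin account below are placeholders constructed for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'

# 1. Policy: scope it to Teams chat and channel messages for all accounts.
#    Start in test mode so matches are reported but nothing is blocked yet.
$policyParams = @{
    Name          = 'Teams - block credit card numbers'
    Comment       = 'Stops card numbers from being shared in Teams chat and channels'
    TeamsLocation = 'All'
    Mode          = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policyParams

# 2. Rule: the condition is the built-in "Credit Card Number" sensitive
#    information type, the action is to block the message.
$ruleParams = @{
    Name                                = 'Block credit card numbers in Teams messages'
    Policy                              = $policyParams.Name
    ContentContainsSensitiveInformation = @{ Name = 'Credit Card Number'; minCount = '1' }
    BlockAccess                         = $true
}
New-DlpComplianceRule @ruleParams

# 3. Review what was created before enforcing it.
Get-DlpCompliancePolicy -Identity $policyParams.Name |
    Format-List Name, Mode, TeamsLocation
Get-DlpComplianceRule -Policy $policyParams.Name |
    Format-List Name, BlockAccess, ContentContainsSensitiveInformation

# 4. Once the test-mode matches look right, switch the policy to enforcement.
Set-DlpCompliancePolicy -Identity $policyParams.Name -Mode Enable
```

Running the policy in TestWithNotifications first lets you check for false positives in the DLP reports before any user message is actually blocked.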
In the event of a compromised guest account, or even an internal employee, these tools can help you detect or prevent data exfiltration. You can even protect the data using Azure Information Protection (AIP) to label and classify it, together with Cloud App Security (CAS), so that if the data leaves the organization it is still protected (encrypted, with access control built into the document).