Enterprise compliance policies begin with data. How can you better protect sensitive data—such as proprietary or customer information—by limiting access to authorized individuals? Compliance officers and IT security teams alike need tools that give them oversight and governance over user access to the company systems that store such data.
Your messaging platform is no exception. Sometimes, sharing confidential information with partners and vendors is necessary to do business. At other times, it’s critical to keep information within company walls, or even restricted to particular teams or individuals.
Setting up the appropriate user access controls on Mattermost is a first step toward establishing a strong compliance policy around your company’s communications data. The following best practices will give you a head start.
1. Use guest accounts to minimize your risk when sharing data externally
Chances are some of your teams collaborate with external contractors, vendors, partners, or even customers for a myriad of reasons. Your website team wants to brainstorm UX ideas with a design firm, your app dev team wants help implementing a third-party service, or your support team needs to resolve issues for a customer.
Mattermost allows you to restrict access to your organization’s public channels so that external users can only access the channels appropriate to their collaboration. The Mattermost Guest Accounts feature, available for all Enterprise Edition customers, allows external users to chat freely with internal teams in designated channels—even when they’re logging in from external email domains. External users can use many of the platform’s UI settings, but they cannot discover other public channels or message individuals and groups outside of the channel or channels they have access to.
Guest accounts also allow designated team members to add new guests or remove guest access when projects end, as well as whitelist external domains for greater control. Read our recent blog post about guest accounts for more.
2. Authenticate individuals using your existing SAML, Active Directory, or LDAP systems
Most enterprises prefer to manage user identity and access policies in one place for greater ease and efficiency (or for compliance and security reasons).
For example, your company may use common services and protocols—such as SAML single sign-on or Active Directory/LDAP—that serve as the “system of truth” for your most current user data. They support compliance policies by keeping track of information that governs employee access to company systems, such as new hires and departures.
You can configure your setup to automatically provision accounts to new employees or remove access when an employee has left the organization or is otherwise no longer an approved user. Mattermost makes it easy to establish a secure connection with your directory service and use the same policies and attributes to authenticate users, synchronize data, and control access to your messaging platform.
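The two sections above (guest accounts and directory-based authentication) come down to a handful of settings in the server's config.json. The script below is an added example, not a Mattermost tool: it reads a config.json and flags the settings a reviewer would check first, such as guest accounts enabled without a domain allowlist, an LDAP connection without TLS or with certificate verification switched off, LDAP sync disabled (so departed users are not deactivated), and SAML assertion verification turned off. The top-level keys it reads (GuestAccountsSettings, LdapSettings, SamlSettings) are real config.json keys; the two sample configurations embedded below are constructed for the example, and the severity labels are the script's own.

```python
"""Audit a Mattermost config.json for the guest-account and
AD/LDAP/SAML settings discussed above.

Added example; not Mattermost's own code. Only boolean and string
settings are inspected, so it runs without a live server.
"""
import json


def audit_config(cfg):
    """Return a list of finding strings; an empty list means no issues found."""
    findings = []

    guest = cfg.get("GuestAccountsSettings", {})
    if guest.get("Enable"):
        # Without a domain allowlist, a guest can be invited from any email domain.
        if not (guest.get("RestrictCreationToDomains") or "").strip():
            findings.append("GUEST: enabled but RestrictCreationToDomains is empty; "
                            "guests can be invited from any domain")
        if not guest.get("EnforceMultifactorAuthentication"):
            findings.append("GUEST: EnforceMultifactorAuthentication is false")

    ldap = cfg.get("LdapSettings", {})
    if ldap.get("Enable"):
        # Bind credentials and user attributes travel in clear text without TLS.
        if ldap.get("ConnectionSecurity", "") not in ("TLS", "STARTTLS"):
            findings.append("LDAP: ConnectionSecurity is not TLS or STARTTLS")
        if ldap.get("SkipCertificateVerification"):
            findings.append("LDAP: SkipCertificateVerification is true; "
                            "directory certificate is not validated")
        # Sync is what deactivates accounts that no longer match the directory.
        if not ldap.get("EnableSync"):
            findings.append("LDAP: EnableSync is false; departed users are not "
                            "deactivated automatically")

    saml = cfg.get("SamlSettings", {})
    if saml.get("Enable"):
        if not saml.get("Verify"):
            findings.append("SAML: Verify is false; assertion signatures are not checked")
        if not saml.get("Encrypt"):
            findings.append("SAML: Encrypt is false; unencrypted assertions are accepted")

    return findings


def audit_file(path):
    """Load a config.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_config(json.load(fh))


# Constructed sample: the permissive settings a fresh deployment might carry.
WEAK_CONFIG = {
    "GuestAccountsSettings": {"Enable": True, "RestrictCreationToDomains": "",
                              "EnforceMultifactorAuthentication": False},
    "LdapSettings": {"Enable": True, "EnableSync": False, "ConnectionSecurity": "",
                     "SkipCertificateVerification": True},
    "SamlSettings": {"Enable": True, "Verify": False, "Encrypt": False},
}

# Constructed sample: the same features with the controls from the post applied.
HARDENED_CONFIG = {
    "GuestAccountsSettings": {"Enable": True,
                              "RestrictCreationToDomains": "designfirm.example,vendor.example",
                              "EnforceMultifactorAuthentication": True},
    "LdapSettings": {"Enable": True, "EnableSync": True, "ConnectionSecurity": "TLS",
                     "SkipCertificateVerification": False},
    "SamlSettings": {"Enable": True, "Verify": True, "Encrypt": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for line in audit_config(cfg):
            print("  -", line)
```

Run it against a real server with `audit_file("/opt/mattermost/config/config.json")` (path is an assumption; use your own install location). A finding is a prompt to review the setting, not proof of exposure: for example, an organisation that terminates LDAP over a private network may accept a non-TLS bind, but it should be a documented decision rather than a default.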
3. Protect highly sensitive information by restricting access with AD/LDAP Groups
Some confidential information is too sensitive for broad internal consumption. For example, a new strategic project may be operating in stealth mode or the HR team may need to collaborate on personnel matters. In this case, it’s helpful to be able to create private teams and channels that restrict access to these conversations.
Mattermost makes this easier with AD/LDAP Groups, available with Enterprise Edition E20. This feature takes AD/LDAP synchronization a step further and allows you to create groups of users based on department, security classification, or other designations. You can easily set up and manage private teams or channels, restrict access to anyone outside the group, and remove access to a member who has left the group.
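To make concrete what group-constrained membership means in practice, here is an added example (not Mattermost's own sync code) that reconciles a private channel's roster against a directory group: members of the group who are active but not yet in the channel are added, channel members who are no longer in the group are removed, and a small set of exempt accounts (for instance system admins) may remain regardless. Deactivated accounts are never added, so a user who has left the organisation does not get re-provisioned. The group, channel and user lists are constructed sample data; in a real deployment they would come from the directory and from the Mattermost API.

```python
"""Reconcile a private channel against an AD/LDAP group.

Added example illustrating group-constrained channel membership; it is not
Mattermost's implementation. All membership data below is constructed.
"""


def reconcile_channel(group_members, channel_members, active_users, exempt=()):
    """Return an ordered list of (action, user, reason) tuples.

    action is "add" or "remove". The list doubles as an audit trail of what
    a sync run would change and why.
    """
    group = set(group_members)
    channel = set(channel_members)
    active = set(active_users)
    exempt = set(exempt)
    actions = []

    # Provision: in the group, active in the directory, not yet in the channel.
    for user in sorted(group - channel):
        if user in active:
            actions.append(("add", user, "member of group"))
        else:
            # Deactivated accounts are left out even if the group still lists them.
            actions.append(("skip", user, "in group but deactivated"))

    # Deprovision: in the channel but no longer in the group (unless exempt).
    for user in sorted(channel - group):
        if user in exempt:
            continue
        actions.append(("remove", user, "not a member of group"))

    return actions


# Constructed sample data for an HR-only channel.
HR_GROUP = {"alice", "bob", "carol", "erin"}        # directory group members
HR_CHANNEL = {"alice", "bob", "dave", "sysadmin"}   # current channel roster
ACTIVE_USERS = {"alice", "bob", "dave", "erin", "sysadmin"}  # carol has left
EXEMPT = {"sysadmin"}                                # may stay without group membership


def changes_only(actions):
    """Filter the audit trail down to the entries that change membership."""
    return [a for a in actions if a[0] in ("add", "remove")]


if __name__ == "__main__":
    for action, user, reason in reconcile_channel(HR_GROUP, HR_CHANNEL, ACTIVE_USERS, EXEMPT):
        print(f"{action:<6} {user:<10} {reason}")
```

The "skip" entries are deliberate: logging why a listed group member was not added gives the compliance reviewer a record that the directory group still names someone who has left, which is worth cleaning up on the directory side.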
4. Set advanced permissions to administer roles
In addition to data access, many compliance policies govern how data should be handled, persisted, or shared with third-party systems. For example, your company may wish to prevent some or all users from editing or deleting information shared within channels. Or you may wish to control the types of third-party integrations used on the platform.
Mattermost Advanced Permissions, available to all Enterprise Edition customers, gives you a robust permissions structure that you can configure according to your organization’s roles and responsibilities. It allows you to set up role-based access control and permit specified roles to execute certain actions on the platform. Your system admins, team admins, and channel admins can be given very specific permissions to manage the users, data, and integrations associated with their roles.
Permissions schemas for roles can be customized on a team level for organizations that require different permissions for different teams.
5. Educate your organization on confidential data classification and policies
Compliance is everyone’s responsibility and it’s important to proactively reinforce your policies across the organization. Whether you do so annually, quarterly, or only during new-hire onboarding, you will want to make sure that everyone is up to speed on the latest requirements and understands their part in maintaining compliance.
As your central messaging platform, Mattermost can help you spread the word. Your system admin can set up a custom announcement banner to display a notice to all users on the platform. You can use the banner to communicate compliance details, such as data classification, the meaning of “company confidential,” or reminders on safe data handling practices.
To highlight compliance during onboarding, you can create custom Terms of Service for new team members to accept before they gain access to Mattermost.
We hope these best practices help you gain greater control over compliance at your company. Mattermost was designed with compliance at its core, and the features we’ve discussed here can help you get even more out of the platform.
Learn more about compliance on Mattermost.