← Patterns / SP-021

Realtime Collaboration Pattern

Real-time collaboration has become a foundational capability for modern organisations. Platforms such as Microsoft Teams, Zoom, Cisco Webex, Slack, and Google Workspace enable video conferencing, voice calls, screen sharing, instant messaging, and simultaneous document editing across organisational boundaries. The security challenge is substantial: these tools create persistent, high-bandwidth channels between internal systems and external participants, often carrying the organisation's most sensitive working documents and strategic discussions. This pattern addresses the security architecture for real-time collaboration environments where internal and external users share documents, co-author content, and communicate synchronously. Unlike email, which is store-and-forward with well-understood security models, real-time collaboration introduces live data streams, shared persistent storage, presence information, and session recordings -- each with distinct security requirements. The attack surface is wide: from the collaboration platform itself, through the network transport, to the unmanaged endpoints of external participants. A central concern is the tension between usability and security. Collaboration tools succeed only when they are frictionless enough for adoption. Overly restrictive controls drive users to shadow IT alternatives -- personal messaging apps, consumer file-sharing services, unapproved video tools -- which are far harder to secure and audit. The architecture must therefore provide security that is largely invisible to legitimate users while maintaining strong authentication, encrypted transport, content protection, and comprehensive audit trails. User lifecycle management is critical. Collaboration spaces accumulate participants over time, and stale accounts with access to sensitive shared folders are a persistent risk. The pattern requires automated provisioning tied to identity governance, with regular access reviews and prompt de-provisioning when engagements end. External guest accounts require particular attention: they should be time-bounded, limited in scope, and subject to stronger authentication requirements than internal users. The pattern also addresses the data residency and retention dimensions of collaboration. Shared documents, chat histories, meeting recordings, and whiteboard content all constitute business records that may be subject to regulatory retention requirements, e-discovery obligations, or data sovereignty constraints. Organisations must define clear policies for what is recorded, where it is stored, how long it is retained, and who can access historical collaboration data.
Release: 26.02 Authors: Aurelius, Vitruvius Updated: 2026-02-06
Assess
ATT&CK This pattern addresses 308 techniques across 12 tactics View on ATT&CK Matrix →
image/svg+xml Actor: Security Manager DMZ Secure Server Network Actor: External Partner Actor: Internal Employee Actor: Security Administrator AC-02 Account Management AC-17 Remote Access AC-20 Use Of ExternalInformation Systems AT-02 Security Awareness AT-03 Security Training AU-02 Auditable Events AU-06 Audit Monitoring,Analysis, And Repor.. AU-09 Protection Of AuditInformation CA-02 Security Assessments CA-03 Information SystemConnections CM-03 ConfigurationChange Control CP-09 Information SystemBackup IA-02 User IdentificationAnd Authentication IA-04 IdentifierManagement IR-04 Incident Handling IR-07 Incident ResponseAssistance RA-03 Risk Assessment RA-05 VulnerabilityScanning SI-11 Error Handling SI-12 Information OutputHandling And Retent.. OSA is licensed according to Creative Commons Share-alike.Please see:http://www.opensecurityarchitecture.org/community/license-terms

Click any control badge to view its details. Download SVG

Key Control Areas

  • Account Management and Access Governance (AC-02, IA-04): Every collaboration participant -- internal employee, external partner, or guest -- must have a uniquely identifiable account tied to a verified identity. Account provisioning should be linked to business justification such as a project, contract, or partnership agreement. External accounts must be time-bounded with automatic expiry unless explicitly renewed. Regular access reviews should verify that all active accounts still have a legitimate business need. Orphaned accounts from completed projects or departed partners are a common source of unauthorised access to sensitive shared content. Automated lifecycle management through identity governance platforms reduces the risk of stale accounts accumulating in collaboration spaces.
  • Remote Access and External System Controls (AC-17, AC-20, CA-03): Real-time collaboration inherently involves remote access from diverse endpoints, many of which the organisation does not manage. The architecture must define acceptable connection methods, enforce encrypted transport (TLS 1.2+ minimum), and establish policies for external information system usage. System interconnection agreements (CA-03) should govern how collaboration platforms integrate with partner organisations' infrastructure. Where external participants connect from unmanaged devices, the architecture should consider browser-based access modes that limit data download, copy/paste restrictions for sensitive content, and watermarking of displayed documents to deter screen capture.
  • Authentication and Identity Verification (IA-02, IA-04): Strong authentication is essential given the sensitivity of real-time collaboration content. Internal users should authenticate via the organisation's identity provider with multi-factor authentication enforced. External participants present a harder challenge -- the organisation cannot mandate their authentication infrastructure. Options include federated identity (SAML/OIDC with trusted partner IdPs), one-time passcodes via email or SMS, or hardware tokens for high-security engagements such as M&A due diligence or board communications. Meeting and session access should use unique join codes with waiting rooms or lobby controls that require host approval before participants can enter. Anonymous or dial-in-only access should be restricted to the minimum necessary.
  • Audit Trail and Monitoring (AU-02, AU-06, AU-09): Comprehensive audit logging must capture who accessed which collaboration spaces, when, what content was viewed or modified, and what was downloaded or shared externally. Audit events should include session join/leave times, screen sharing initiation, file upload/download, permission changes, and recording start/stop. Logs must be protected from tampering (AU-09) -- collaboration platform administrators should not be able to modify or delete audit records. Regular monitoring and analysis (AU-06) should identify anomalous patterns: unusual access times, bulk downloads, external sharing to unexpected domains, or repeated failed authentication attempts. These logs also serve compliance and e-discovery requirements.
  • Configuration and Change Management (CM-03, CP-09): Collaboration platform configurations -- tenant settings, sharing policies, guest access policies, retention rules, and integration permissions -- must be managed through formal change control. Uncontrolled configuration changes can silently weaken security: enabling anonymous access, extending external sharing permissions, or disabling audit logging. Backup procedures (CP-09) must cover collaboration content including shared documents, chat histories, and meeting recordings. Many organisations discover too late that their backup strategy does not cover cloud collaboration data, leaving them exposed to accidental deletion, ransomware affecting sync clients, or vendor service disruptions.
  • Vulnerability and Risk Management (RA-03, RA-05, CA-02): Collaboration platforms represent a significant attack surface that requires ongoing vulnerability management. Regular vulnerability scanning (RA-05) should cover the platform infrastructure, integration points, and custom extensions or bots. Security assessments (CA-02) should evaluate the platform's security configuration against vendor best practices and industry benchmarks. Risk assessments (RA-03) should specifically address the data flows in collaboration scenarios: what is the impact if an external participant's compromised endpoint exfiltrates meeting recordings or shared documents? What is the risk of a supply chain attack through a collaboration platform plugin or integration?
  • Incident Handling and Security Awareness (IR-04, IR-07, AT-02, AT-03, SI-11): Users must understand the security risks specific to real-time collaboration: sharing screens that expose sensitive applications, joining calls from public locations where conversations can be overheard, accepting meeting invitations that are actually phishing attacks, or uploading malicious files to shared workspaces. Security awareness training (AT-02, AT-03) should include collaboration-specific scenarios. Incident handling procedures (IR-04) must cover collaboration-specific incidents: unauthorised recording of meetings, data leakage through external sharing, compromised guest accounts, and platform-level security incidents. Error handling (SI-11) should ensure that collaboration platforms do not expose sensitive system information in error messages.

When to Use

Use this pattern when internal and external partners must collaborate synchronously on shared documents, conduct video or voice conferences, share screens for presentations or demonstrations, or communicate via persistent chat channels. Applicable when the collaboration involves confidential or commercially sensitive information that requires encryption, access control, and audit trails. Appropriate for organisations adopting cloud-based collaboration suites (Microsoft 365, Google Workspace, Slack, Zoom) and needing a security architecture to govern their use. Also applicable when regulatory or contractual obligations require demonstrable controls over collaborative data sharing with external parties.

When NOT to Use

This pattern is not appropriate for ad-hoc, one-time file transfers where the Secure Ad-Hoc File Exchange pattern (SP-019) is more suitable. Not applicable where all collaboration is purely internal with no external participant requirement and the organisation already has adequate internal communication controls. The pattern assumes the ability to distribute authentication credentials or tokens to external participants; where this is not feasible (very large public audiences, anonymous participants), a different model such as webinar or broadcast architecture is more appropriate. Not suitable for air-gapped or highly classified environments where real-time collaboration with external parties is prohibited by policy.

Typical Challenges

The primary challenge is balancing security with the frictionless experience that drives adoption. Overly restrictive controls -- requiring hardware tokens for every external guest, blocking all file sharing, or disabling screen sharing -- push users to consumer alternatives (WhatsApp, personal Dropbox, unapproved Zoom accounts) that offer zero security visibility. Guest account lifecycle management is persistently difficult: collaboration spaces accumulate external participants over months or years, and without automated review and expiry, stale accounts with access to sensitive content proliferate. Data loss prevention is complicated by the real-time nature of the tools -- once a screen is shared or a document displayed in a meeting, the content has effectively been transmitted to all participants' endpoints regardless of download restrictions. Platform sprawl is another challenge: organisations often run multiple overlapping collaboration tools (Teams for internal, Zoom for external, Slack for development teams) creating inconsistent security policies and audit gaps. Regulatory compliance adds complexity when collaboration involves participants across jurisdictions with different data sovereignty requirements, and meeting recordings or chat logs become subject to retention and e-discovery obligations.

Threat Resistance

This pattern addresses data leakage through unmanaged external participant endpoints, which remains a residual risk that can be mitigated but not eliminated. It defends against unauthorised access to collaboration spaces through strong authentication, account lifecycle management, and session controls. The pattern mitigates man-in-the-middle attacks on collaboration streams through mandatory end-to-end or transport encryption. It addresses malicious file upload through content scanning of files shared in collaboration spaces. Unauthorised recording or screen capture is partially mitigated through platform controls and watermarking, though it cannot be fully prevented on unmanaged endpoints. The pattern defends against account takeover through MFA and anomalous access detection. It addresses the risk of shadow IT collaboration tools by providing a secure, usable sanctioned alternative. Compliance risks from uncontrolled data retention or missing audit trails are mitigated through logging, retention policies, and regular security assessments.

Assumptions

The organisation has selected or will select a collaboration platform that supports enterprise security controls including SSO, MFA, audit logging, and granular sharing policies. Shared information will include confidential business documents, and therefore both the communication channel and storage must be encrypted at rest and in transit. External participants will connect from endpoints that the organisation does not manage, and the architecture must account for this. Identity governance processes exist or will be established to manage the lifecycle of both internal and external collaboration accounts. Network bandwidth and reliability are sufficient to support real-time audio, video, and document collaboration without degradation that drives users to unmanaged alternatives.

Developing Areas

  • End-to-end encryption in enterprise collaboration platforms is advancing but remains incomplete. Microsoft Teams enabled E2EE for 1:1 calls but not group calls or channels as of early 2026, and enabling E2EE disables features like recording, live captions, and compliance archiving that enterprises depend on. The fundamental tension between E2EE and enterprise requirements for DLP, eDiscovery, and compliance recording has no clean technical resolution, and platform vendors are navigating this trade-off differently with no industry consensus emerging.
  • AI meeting assistants and copilots that join calls to take notes, summarise discussions, and generate action items create a significant and largely unaddressed data exposure risk. These tools process real-time audio and video streams through cloud-based AI models, potentially exposing confidential discussions to third-party providers. Guest participants may not be aware that an AI assistant is processing the meeting, raising consent and regulatory questions under GDPR and similar frameworks. Enterprise governance policies for AI meeting assistants are still forming.
  • DLP for messaging platforms lags behind DLP for email and file sharing by several years. The real-time, informal nature of chat messages -- combined with rich media, reactions, threads, and integrations with bots and apps -- makes content classification and policy enforcement significantly harder than for structured email. Emerging approaches use ML-based content classification to detect sensitive data in chat streams, but false positive rates remain high enough to be disruptive in fast-moving collaborative conversations.
  • Ephemeral messaging compliance is creating regulatory tension. Features like disappearing messages and auto-delete timers in platforms like Signal, WhatsApp, and even Teams are popular with users but may violate records retention requirements in regulated industries. Financial services regulators including the SEC and FCA have imposed significant fines for off-channel communications on ephemeral messaging platforms, yet prohibiting these tools entirely pushes usage further into shadow IT where it is completely invisible.
  • Guest access governance across collaboration platforms is operationally immature at most organisations. The average enterprise accumulates thousands of external guest accounts across Teams, Slack, and other platforms, with no automated lifecycle management or cross-platform visibility. Emerging identity governance solutions are beginning to offer unified guest access reviews, but the lack of standardised federation protocols across competing platforms means that revoking a departing partner's access requires manual action on each platform separately.
AC: 3AT: 2AU: 3CA: 2CM: 1CP: 1IA: 2IR: 2RA: 2SI: 1
AC-02 Account Management
AC-17 Remote Access
AC-20 Use Of External Information Systems
AT-02 Security Awareness
AT-03 Security Training
AU-02 Auditable Events
AU-06 Audit Monitoring, Analysis, And Reporting
AU-09 Protection Of Audit Information
CA-02 Security Assessments
CA-03 Information System Connections
CM-03 Configuration Change Control
CP-09 Information System Backup
IA-02 User Identification And Authentication
IA-04 Identifier Management
IR-04 Incident Handling
IR-07 Incident Response Assistance
RA-03 Risk Assessment
RA-05 Vulnerability Scanning
SI-11 Error Handling