Yammer security review

Created:  11 Jun 2018
Updated:  11 Jun 2018
A security review of Yammer, an enterprise social networking service, based on the NCSC's SaaS security principles.

Yammer is an enterprise social networking service which allows users to communicate, collaborate and connect privately within their respective organisation. It is hosted in the Microsoft Cloud and is an additional part of Office 365. Access to Yammer can be granted based on a user's internet domain, allowing only users with an applicable email address to join the service.

How Yammer performs against the SaaS Principles

| Question | Answer | Detail |
| --- | --- | --- |
| Does the SaaS provider protect external data in transit using TLS? | Yes | Yammer uses HTTPS to transmit and receive data. TLS 1.2 is used to encrypt data in transit between Yammer (Microsoft) servers and the user's browser/app. |
| Does the SaaS provider protect external data in transit using correctly configured certificates? | Yes | Yammer meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Yammer domain currently gets an 'A' rating from Qualys SSL Labs. Note that this check was performed on the top-level domain only, not on all the subdomains that may be used for API calls. |
| Does the SaaS provider protect internal data in transit between services using encryption? | Yes | Yammer uses encryption between services to protect data in transit. |
| Does the SaaS provider protect internal data in transit between services using correctly configured certificates? | Yes | Yammer uses correctly configured certificates to protect the data in transit. |
| If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method? | Yes | Yammer uses access tokens for API requests. API tokens are normally generated following a user's successful authentication via OAuth 2, as described in the API documentation. |
| If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created? | Yes | Yammer has a privilege tree that allows various levels of access, including admins and low privilege users. See below for more details. |
| If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts? | Yes | Whilst Yammer does not provide two-factor authentication (2FA) by itself, it does support single sign-on (SSO) through the O365 system. O365 supports 2FA, allowing Yammer to benefit from Microsoft's 2FA system. Alternatively, Yammer can be set up with other 2FA providers that are SAML 1.1- or 2.0-compliant. |
| Does the SaaS provider collect logs of events? Types of log may include security logs and resource logs. | Yes | Yammer logs a large variety of activity events and offers admins the ability to search the audit log. |
| Does the provider make logs available to the client? | Yes | Yammer allows verified admins to monitor account activity, such as device logon details and the IP addresses associated with the logins. Verified admins can also monitor keywords they have set to ensure sensitive data is not posted to Yammer. Standard users can also see basic account activity for their own accounts within the 'Account Activity' section. |
| Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or in libraries that the service makes use of? The provider's previous track record on this is a good metric of how they'll cope with a new issue occurring. | Yes | Yammer incident response is handled by Microsoft. Additionally, the Yammer service is included in the Microsoft O365 bug bounty program. |
| Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions)? | Yes | Most of Yammer's security details can be found easily by navigating through the Microsoft Office site. |
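The external-TLS rows note that the SSL Labs rating was checked on the top-level domain only, not on the subdomains used for API calls. The script below is an added example (not from the NCSC or Microsoft) of how a customer can extend that check to every hostname their clients actually talk to: it performs a verified TLS handshake against each host and reports whether the negotiated protocol and cipher meet a simplified minimum bar. The hostnames in `HOSTS` are placeholders, and the bar encoded in `assess` (TLS 1.2 or later, ECDHE key exchange, AEAD cipher, valid certificate) is an assumed approximation of the NCSC profile, not the profile itself.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Placeholder hostnames (assumption): the service's top-level domain plus the
# subdomains its browser client/app uses for API calls. Replace with the real ones.
HOSTS = ["www.example.com", "api.example.com"]

@dataclass
class HandshakeResult:
    host: str
    protocol: Optional[str]   # e.g. "TLSv1.2", "TLSv1.3"
    cipher: Optional[str]     # OpenSSL name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    cert_ok: bool             # chain and hostname validated against the default trust store
    error: Optional[str] = None

def probe(host: str, port: int = 443, timeout: float = 5.0) -> HandshakeResult:
    """Perform a real TLS handshake, verifying the certificate chain and hostname."""
    ctx = ssl.create_default_context()            # verifies chain + hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never offer TLS 1.0/1.1 ourselves
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher = tls.cipher()
                return HandshakeResult(host, tls.version(), cipher[0] if cipher else None, True)
    except ssl.SSLCertVerificationError as exc:
        return HandshakeResult(host, None, None, False, f"certificate: {exc}")
    except (ssl.SSLError, OSError) as exc:
        return HandshakeResult(host, None, None, False, f"handshake: {exc}")

def assess(r: HandshakeResult) -> list:
    """Simplified minimum bar (assumption, not the NCSC profile verbatim):
    TLS 1.2+, ECDHE forward secrecy, AEAD cipher, valid certificate.
    Returns a list of findings; an empty list means the host passes."""
    if not r.cert_ok:
        return [r.error or "certificate or handshake failed"]
    findings = []
    if r.protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {r.protocol} is below TLS 1.2")
    c = r.cipher or ""
    if not ("GCM" in c or "CHACHA20" in c):
        findings.append(f"cipher {c} is not an AEAD suite")
    # TLS 1.3 suites always use (EC)DHE, so their names carry no key-exchange prefix
    if r.protocol == "TLSv1.2" and not c.startswith("ECDHE"):
        findings.append(f"cipher {c} lacks ECDHE forward secrecy")
    return findings

def check_hosts(hosts) -> dict:
    """Map each host to its findings so API subdomains are judged alongside the main site."""
    return {h: assess(probe(h)) for h in hosts}

if __name__ == "__main__":
    for host, findings in check_hosts(HOSTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```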
Exporting data

  • Verified Yammer admins are able to export all data stored within their Yammer instance via the data export API.
  • Users can copy messages from Yammer and paste them where they desire.
  • Users can also download documents directly from where they were posted within Yammer (dependent on document access restrictions).