Does the SaaS provider protect external data in transit using TLS?
Yes
Yammer uses HTTPS to transmit and receive data. TLS 1.2 is used to encrypt data whilst in transit between Yammer (Microsoft) servers and the user’s browser/app.
Does the SaaS provider protect external data in transit using correctly configured certificates?
Yes
Yammer meets the recommended cryptographic profiles for TLS as published by the NCSC. In addition, the Yammer domain currently gets an ‘A’ rating from Qualys SSL Labs. Note that this test was performed on the top-level domain only, not on all of the subdomains that may be used for API calls.
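As an added example (not part of the NCSC assessment or Yammer's own tooling), the following Python check lets a reviewer confirm the TLS version and certificate findings above for each hostname a Yammer client or API integration actually connects to, rather than only the top-level domain. The policy it encodes (TLS 1.2 or newer, an AEAD cipher suite, an unexpired certificate naming the host) is a minimal assumption and not the NCSC profile verbatim; the hostnames to probe are supplied by the reader.

```python
import socket
import ssl
from datetime import datetime, timezone

# Minimal policy used by this check (an assumption, not the NCSC profile
# verbatim): TLS 1.2 or newer, an AEAD cipher suite, and a certificate
# that has not expired and names the host that was asked for.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def evaluate(host, version, cipher, not_after, sans, now=None):
    """Return policy findings for one observed handshake; [] means pass.

    not_after uses the format Python's ssl module reports
    ('Jun  1 12:00:00 2035 GMT'); sans are the DNS subjectAltName entries.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if version not in ACCEPTED_VERSIONS:
        findings.append(f"{host}: negotiated {version}, want TLS 1.2 or newer")
    if not any(m in cipher.upper() for m in AEAD_MARKERS):
        findings.append(f"{host}: non-AEAD cipher suite {cipher}")
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    if expiry.replace(tzinfo=timezone.utc) <= now:
        findings.append(f"{host}: certificate expired on {not_after}")
    if not any(name_matches(host, san) for san in sans):
        findings.append(f"{host}: certificate does not name this host {sans}")
    return findings


def name_matches(host, san):
    """Exact match, or a single-label wildcard such as '*.example.test'."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return host.split(".", 1)[1:] == [san[2:]]
    return host == san


def probe(host, port=443, timeout=5):
    """Handshake with host:port (chain and hostname are verified by the
    default context) and run the observed parameters through evaluate()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return evaluate(host, tls.version(), tls.cipher()[0],
                            cert["notAfter"], sans)
```

probe() needs network access to the endpoint; evaluate() can be exercised offline with constructed handshake parameters, and a non-empty result lists what fell short of the policy.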
Does the SaaS provider protect internal data in transit between services using encryption?
Yes
Yammer uses encryption between services to protect data in transit.
Does the SaaS provider protect internal data in transit between services using correctly configured certificates?
Yes
Yammer uses correctly configured certificates to protect the data in transit.
If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?
Yes
Yammer uses access tokens for API requests. API tokens are normally generated based on a user’s successful authentication via OAuth 2, as described in the API documentation.
If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?
Yes
Yammer has a privilege tree to allow various levels of access, including admins and low privilege users. See below for more details.
If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?
Yes
Whilst Yammer does not provide two-factor authentication (2FA) by itself, it does support single sign-on (SSO) through the O365 system. O365 supports 2FA, allowing Yammer to benefit from Microsoft’s 2FA system. Alternatively, Yammer can be set up with other 2FA providers that are SAML 1.1- or 2.0-compliant.
Does the SaaS provider collect logs of events?
Types of log may include security logs and resource logs
Yes
Yammer logs a large variety of activity events and offers Admins the ability to search the audit log.
Does the provider make logs available to the client?
Yes
Yammer allows verified admins to monitor account activity, such as device logon details and the IP addresses associated with the logins. Verified admins can also monitor keywords they have set to ensure sensitive data is not posted to Yammer.
Standard users can also see basic account activity for their own accounts within the ‘Account Activity’ section.
Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?
The provider’s previous track record on this is a good metric to see how they’ll cope with a new issue occurring.
Yes
Yammer incident response is handled by Microsoft. Additionally, the Yammer service is included in the Microsoft O365 bug bounty program.
Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions)?
Yes
Most of Yammer’s security details can be found easily by navigating through the Microsoft Office site.
Source: NCSC