Secure Cloud Video Conferencing: 3 Key Areas to Consider

Guest Blog by Peng Mok, Senior Solutions Architect, Pexip


Published: April 15, 2020


Remote working has skyrocketed over the past month in response to COVID-19, with IT leaders fast-tracking purchases of collaboration tools to keep their employees connected during this time. But in the rush to implement video conferencing at scale, many didn’t have time to properly evaluate how providers handled data security and privacy, leaving themselves vulnerable to risk.

As your organisation adjusts to this “new normal,” here are a few key considerations to evaluate the security of a cloud video conferencing service for your remote workers.

1 – Data Privacy

It’s important to understand how a video conferencing provider manages customer data. By necessity, some data will need to be shared with the provider, so make sure you ask about the provider’s policies with respect to that data.

What kinds of user data are collected?

Any video conferencing service will need to collect some user data. This might include basic information submitted by users, such as a username and email address, to establish a video account. Other information might include a phone number, an avatar image used for an account profile photo, a self-described location, or a self-described time zone.

Information that would be collected without direct input from the individual would be generated by conducting video calls: IP addresses, device types, platform operating system, called/calling party video addresses, and the like.

What is done with this information?

Ideally, the data should only be used to provide the ability to conduct video calls, to provide on-demand usage history and analytics, to enable billing, and to be used in aggregate with whole-service usage statistics. While this may involve sharing data with authorised third parties, the purpose is only to maintain and grow the service so it can meet and anticipate the capacity needs of the entire user population.

At no time should the user data be shared with any unauthorised outside parties. Users of the video conferencing service should be confident that their data is private and secure, and should be able to request information about how their video service provider uses their data, how long it is retained, and under what regulatory standards it handles such user data.

Where is my data stored? How is it stored and handled? Over what geographies does my data traverse?

Data at rest has to be stored somewhere, and data in motion needs to traverse from Point A to Point B. Enterprises should consider both where data is stored and where it traverses to and from, as well as who has access to the data and how they have been vetted. Even if the data is encrypted and not human-readable, there may be requirements that the data reside within a certain geography, or at least predictably so the majority of the time. Various video conferencing services have the ability to geofence data; it may be worthwhile to inquire.

2 – Meeting Security Mechanisms

Once video conferencing accounts have been created and meetings begin to take place, an enterprise will need to understand how their live meetings are being secured. Users of the video conferencing service should be confident that the tool set they use provides mechanisms to protect their communications and intellectual property automatically and predictably. There should be no ambiguity in this regard.

Are my communications encrypted?

The purpose of a video conferencing service is to allow a calling and called party to communicate with each other. Organisations should understand whether those communications are secured using encryption technology, to what standards, and to what strength. Is encryption always enabled, or does it have to be manually enabled? Under what circumstances are communications encrypted, and what limitations are there, if any? These are important questions to ask for any collaboration tool under consideration.

Are there other mechanisms available to secure my meetings?

The tool set for the video service should, in addition to encrypting communications, provide additional security mechanisms. For example, users should have the ability to create dynamic, unique meeting rooms so that uninvited guests cannot join their calls using older meeting join details. They should also be able to set up PIN codes to control who has access to their meetings.

Within a meeting, there should be tools to help users easily understand who has joined the meeting, to provide the ability to eject unwanted participants, and to lock the meeting space so unwanted participants cannot rejoin. There should be options to specify which participants are able to share content for all to see. If there are additional features like group chat and live streaming, IT should consider whether those can be enabled and disabled at will, or if they are always enabled.

3 – A Culture of Security

Ultimately, an enterprise should be confident that the video service they are using and the vendor providing the service have a culture built around security. Does the vendor have an industry-recognised certification for an Information Security Management System, such as an ISO 27001 certification? What other compliance certifications or statements are they able to offer? Are their products updated and maintained regularly with security patches for known vulnerabilities and exploits? Are they willing to coordinate vulnerability testing alongside you so that you can obtain testing results directly?

As the modern workforce adjusts to new ways of working and continues to adopt video conferencing, there is no shortage of tool sets to evaluate. Cloud video services can be a fantastic option for those seeking an out-of-the-box tool that is easy to roll out and manage. For those in highly-regulated industries like government, healthcare, and financial services, you may want to consider self-hosting your deployment on-premises or in the private cloud of your choice for additional security controls. Either way, your users will thank you for taking the time to ensure their communications are secure, private, and protected.

 

Peng Mok has 20 years’ experience in the video and voice communications industry, and prior to joining Pexip, worked as a senior engineer at Cisco. His background is in electrical engineering in the study of digital communication technologies, and he brings this knowledge to global enterprises, government agencies, and healthcare organizations to design video collaboration architectures at scale. Pexip simplifies video conferencing to empower teams to meet, regardless of location or technology, and more information is available here.

 

 
