Most of us first look at conferencing tools, like chat features, screen and document sharing options, editable meeting spaces, and so on. Then we move on to the real meat – platform components: reporting and analytics options, the ease of access for participants, branding and customization opportunities, et cetera.
With the disturbing news of Zoom-bombings, security has become a front and center matter. This is probably a good thing. Security is often overlooked, but there’s no denying its importance.
How important is web conferencing security? More important than you may think! A 2014 Forrester report found that trade secrets are shared in as many as 1 in 5 online meetings. 1 in 5! That’s potentially millions of meetings where valuable information could be compromised.
While Zoom-bombings are cretinous, they are nowhere near as nefarious as someone tuning into your call and simply taking notes. One hacker who joins a random meeting at the right time might be able to gain leverage against that organization.
If you aren’t making security a focal point of your appraisal, you may be putting yourself, and your business, at risk. Web conferencing platforms are susceptible to several major security threats, such as:
Getting hacked isn’t the end of it. There are laws out there that put very particular demands on how businesses handle consumer information. Some legislation has been industry specific. Some addresses the Federal Government. Consider the following:
Even if you work at a law firm or for a management consultant group, you may be at risk. Any time you share strictly confidential information through web conferencing platforms, security is a necessity.
Below, we’ve outlined six factors you need to consider when evaluating web conferencing security.
Is there some standard out there that clues you in to the security levels of a web conferencing platform? Yes! A few actually.
Many international organizations look for a platform to be ISO 27001 Certified. (ISO stands for the International Organization of Standards.) For those of us stateside, the standard bearer is the National Institute of Standards and Technology (NIST).
In the last decade, the US government realized that with changing technologies and data sharing, new security measures needed to be put in place for federal agencies. As a result, the Federal Information Security Management Act (FISMA) was enacted to get the process rolling.
NIST, in turn, developed standards specific for web conferencing security and cloud systems. The eventual outcome was the Federal Risk and Authorization Management Program (FedRAMP).
Let’s just say this. If the web conferencing platform you use is FedRAMP certified, you can feel confident you’re well protected.
These standards can be far-reaching. Here’s a quick run-down on what you need to know about FedRAMP:
Is your web conferencing platform FedRAMP compliant? If not, you should evaluate how extensive your web conferencing security features are.
To give you a few suggestions of what to consider, here are a few examples of the layers of security that factor into FedRAMP compliance.
Strong security begins with the configuration of gated access. Passwords for hosts before they open a virtual room; codes for participants before they join. But there are ways to further secure access.
The following examples are required for FedRAMP compliance:
To further limit the availability of access, gates such as session locks and credential termination help manage who enters your virtual rooms:
All of the above options are ideal for preventing the threats mentioned earlier.
A comprehensive security system allows account administrators to define the roles and privileges of your employees. These determinations will, in turn, establish the conditions by which a user can interact with a group or virtual room. You can define these privileges with role-based access controls (RBAC) and dynamic privilege management:
You wouldn’t want a participant to be able to open up your meeting room whenever they feel like it. Setting RBACs limits the number of people who have the “clearance” to open your virtual room. Additionally, if an individual isn’t set up with a desired role, they won’t be able to join active meetings. Thus, you prevent people from joining events where they shouldn’t be.
These controls then translate into room controls. So having tiers is key. Minimally, it seems valuable to have Hosts, Presenters, and Participants. (Note: The level of control descends from most control with Hosts to least with Participants.) The host owns the room. They can set access requirements. They manage the content uploaded and the interactions of the room.
Presenters, being a tier down, have some control over the room but less than Hosts. And participants are limited to interactions with the pre-configured aspects of the room: Polls, Chats, Q&As, and so on. RBACs serve a great security purpose, both before sessions and while the event is taking place.
When it comes to ensuring valuable information isn’t falling into the wrong hands, you need security features that allow account administrators to easily define roles and privileges. RBACs and dynamic privilege management represent great options for managing the privileges of your users during your online events.
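The tiers described above can be expressed as a deny-by-default permission check. The sketch below is an added example, not code from any conferencing product; the action names, the `Room` class and the sample users are assumptions made for illustration.

```python
from enum import IntEnum

class Role(IntEnum):              # higher value = more control
    PARTICIPANT = 1
    PRESENTER = 2
    HOST = 3

# Minimum tier per action; action names are illustrative assumptions.
REQUIRED = {
    "open_room": Role.HOST, "lock_session": Role.HOST,
    "upload_content": Role.PRESENTER, "share_screen": Role.PRESENTER,
    "answer_poll": Role.PARTICIPANT, "post_chat": Role.PARTICIPANT,
}

# Constructed sample assignments, as an account administrator might set them.
SAMPLE = {"alice": Role.HOST, "bob": Role.PRESENTER, "carol": Role.PARTICIPANT}

class Room:
    def __init__(self, assignments):
        self.assignments = dict(assignments)   # user -> Role, set by the admin
        self.is_open = False
        self.locked = False
        self.present = set()

    def allowed(self, user, action):
        role, need = self.assignments.get(user), REQUIRED.get(action)
        # Deny by default: an unassigned user or unknown action is refused.
        return role is not None and need is not None and role >= need

    def open(self, user):
        if not self.allowed(user, "open_room"):
            return False
        self.is_open = True
        self.present.add(user)
        return True

    def lock(self, user):
        if user not in self.present or not self.allowed(user, "lock_session"):
            return False
        self.locked = True
        return True

    def join(self, user):
        # Refuse users with no role, rooms no host has opened, locked sessions.
        if user not in self.assignments or not self.is_open or self.locked:
            return False
        self.present.add(user)
        return True

    def act(self, user, action):
        return user in self.present and self.allowed(user, action)
```

Every check runs on the server side of the room object, so a participant cannot gain an action simply by asking for it; the role must have been assigned beforehand.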
Imagine you’re a low-level operative of the CIA in the 1970s. You’ve just been assigned to a new case and the files are scattered across your desk. Trembling with excitement, you peel back the manilla folder to find…a bunch of completely redacted documents?!?! “This is going to be a long case,” you grumble angrily.
But then again, you are a low-level operative in this scenario. 😉
Redaction of information serves an important purpose for our government. It helps agencies share records and reports without compromising the most sensitive aspects of those files. While not a perfect analogy, blacklisting features on a web conferencing platform works in a similar manner. You get to collaborate and communicate while curbing security vulnerabilities.
The ability to blacklist features basically means that you – as an account administrator – can limit which features appear in users’ virtual rooms. Blacklisting can also give you the opportunity to place restrictions on the functionality of those features.
How does this help? Well, let’s consider a few examples.
Web conferencing platforms are often loaded with features. Chats, notes, Q&As, screen shares, file shares, whiteboards, and many more. These tools are great for maintaining productive conversations and collaborating efficiently over the web.
That said, heavily regulated industries may find some features problematic. While we shouldn’t start donning tin-foil hats and eyeing everyone with suspicion, it is important to note that these features could be used to leak information – accidentally or maliciously. Links shared in chats, information added to a notes feature, or the documents uploaded to a file share can all wind up leaked if hosts are not being careful.
For some organizations, these possibilities may seem too dangerous. So, the ability to completely disable features may be desired. Make sure the platforms you consider offer this type of control.
Disabling the functionality of certain features can be a big boon for secure web conferencing. Especially when screen sharing. Many of us have those stories where someone made the unfortunate mistake of accidentally sharing their web browser – and the cat video they were watching. Working hard, Joe, or hardly working?
Of course, the security implications can be significant for regulated industries. What if someone accidentally shares an internal financial record during a meeting with customers? Or a trade secret? Or a classified document? Even if it’s only seen for five seconds that’s exposure many organizations can’t afford.
Certain platforms allow you to actively disable desktop, window and application sharing. The most secure web conferencing platforms (and it’s a small group) take it up another level – they even allow you to block the screen sharing of certain applications or programs.
What types of programs can be blocked? Any that you feel would be relevant, but it does have to be operating system specific. For example, you could block the sharing of Microsoft Word, Excel, PowerPoint, Notepad, and so on. The same can be done for Macs.
By blacklisting certain programs and applications, you can reduce the likelihood that confidential information will be shared by mistake.
(Alternatively, you can “whitelist” certain processes. This can be a better option for many organizations, as they can more quickly limit the number of shareable processes. Instead of singling out two dozen for exclusion, you can pick a few that you know you’ll need and limit screen sharing to those.)
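The difference between the two approaches shows up when a program nobody thought to list is running. The following is an added example, not taken from any platform: the `SharePolicy` class and `audit` helper are hypothetical, "blocklist" and "allowlist" stand for the blacklist and whitelist described above, and the process list is constructed sample data.

```python
def normalize(process_name):
    # Process names are OS-specific; compare them without path or case.
    name = process_name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().lower()

class SharePolicy:
    def __init__(self, mode, names, sharing_enabled=True):
        if mode not in ("blocklist", "allowlist"):
            raise ValueError("mode must be 'blocklist' or 'allowlist'")
        self.mode = mode
        self.names = {normalize(n) for n in names}
        self.sharing_enabled = sharing_enabled

    def may_share(self, process_name):
        if not self.sharing_enabled:          # feature disabled outright
            return False
        listed = normalize(process_name) in self.names
        # Allowlist fails closed (unlisted = refused);
        # blocklist fails open (unlisted = permitted).
        return listed if self.mode == "allowlist" else not listed

def audit(policy, running):
    """Return the running processes a presenter could still put on screen."""
    return sorted(p for p in running if policy.may_share(p))

# Constructed sample: processes open on a presenter's Windows desktop.
RUNNING = ["WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
           "notepad.exe", "chrome.exe", "AcroRd32.exe"]

# Blocklist covering the office programs named in the text.
BLOCK = SharePolicy("blocklist",
                    ["winword.exe", "excel.exe", "powerpnt.exe", "notepad.exe"])
# Allowlist naming only the one program the meeting needs.
ALLOW = SharePolicy("allowlist", ["powerpnt.exe"])

if __name__ == "__main__":
    print("blocklist still shareable:", audit(BLOCK, RUNNING))
    print("allowlist still shareable:", audit(ALLOW, RUNNING))
```

Under the blocklist, the browser and the PDF reader remain shareable because no one listed them; under the allowlist, only the presentation program is.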
The above three factors reflect critical layers for web conferencing security.
Although still immediately relevant to and important for web conferencing, these final two factors also pertain to the security measures taken by web conferencing providers.
Just because an online event concludes without issue, doesn’t mean you’re in the clear yet. Most web conferencing platforms allow you to record the online events, which is great because recordings can be shared with individuals who were unable to attend. But these recordings may leave you susceptible to information compromise.
What happens to the information in the recording when your web conferencing provider stores it for you? If not encrypted, these recordings can prove a significant vulnerability. The standard for securing the recordings requires AES 256-bit encryption. A good web conferencing provider will encrypt the recording while in storage and transmission.
The best providers also keep logs of interactions with encrypted materials. If your recordings are encrypted, any employee who interacts with them will be identified – their virtual fingerprints will be everywhere. So, on the off chance a recording goes missing, you can figure out who may be responsible!
Most web conferencing platforms are SaaS and cloud-based. This works for most companies.
If you need to go above and beyond the typical security controls because your information has a virtual “burn after reading” stamp on it, you should look into external hosting options or on-premise deployment.
External hosting is a service some web conferencing providers may offer – to manage the “classified” information of your online events.
An external host can provide you several services. To begin with, they can monitor and manage content that is uploaded. Depending upon your needs, these uploads can later be purged to minimize exposure. If the information is very delicate, the content can be destroyed upon the event’s closure. The benefits of monitoring limit the potential harm of compromised information.
An external host can also create a metadata backup of the online event. Such a backup provides you a means to retain some information related to the event, but nothing that will leave you exposed. Be aware that not all web conferencing providers facilitate external hosting.
External hosting options should be at the top of your list when evaluating web conferencing security.
On-premise deployment is another good option for bolstering web conferencing security. “On-prem” allows you to place the software behind your firewall and under the supervision of the technicians you trust most.
Organizations that have high-level security needs and are threatened by hackers and the like often turn to on-prem deployment. It gives your IT team the control they need to ensure every aspect of your online events is secure. Doing so also gives your team the opportunity to run the diagnostic reports that are most important for your organization.
What good is a web conferencing platform that allows you to share valuable information if it doesn’t have the security measures to ensure the info will remain protected?
If you can find a web conferencing platform whose features meet FedRAMP compliance, you’ve probably found a winner. Couple that platform with a provider who offers external hosting options, and you can feel confident they truly are covering all your web conferencing security needs.
This blog was originally published in July of 2016; then republished on February 26th, 2018.