What features do you look for in a web conferencing platform?
Most of us first look at conferencing tools, like chat features, screen and document sharing options, editable meeting spaces, and so on. Then we move on to the real meat – platform components: reporting and analytics options, the ease of access for participants, branding and customization opportunities, et cetera.
With the disturbing news of Zoom-bombings, security has become a front and center matter. This is probably a good thing. Security is often overlooked, but there’s no denying its importance.
How important is web conferencing security? More important than you may think! A 2014 Forrester report found that trade secrets are shared in as many as 1 in 5 online meetings. 1 in 5! That’s potentially millions of meetings where valuable information could be compromised.
While Zoom-bombings are cretinous, they are nowhere near as nefarious as someone tuning into your call and simply taking notes. One hacker who joins a random meeting at the right time might be able to gain leverage against that organization.
If you aren’t making security a focal point of your appraisal, you may be putting yourself, and your business, at risk. Web conferencing platforms are susceptible to several major security threats, such as:
- Bombing: New to the game is the fear of someone disrupting your important meetings with disturbing or pornographic images and videos.
- Snooping: If not properly secured, an outside party can listen in on your online meetings and exploit your business’s information.
- Compromise of sensitive information: Personal information shared over web conferences is vulnerable to internal and external leaks or theft. The consequences of an information compromise can have serious legal ramifications.
- Hacking: Most web conferencing platforms store the information of participants and users for some time. We’re talking about emails, phone numbers and company names, as well as things like individuals’ responses to polls. Then there are the files you’ve uploaded – financial analyses, revenue reports, organizational documents, and so on. If one hacker gets an admin’s password, they’ll find a trove of information. That spells huge trouble for everyone.
Getting hacked isn’t the end of it. There are laws out there that put very particular demands on how businesses handle consumer information. Some legislation has been industry specific. Some addresses the Federal Government. Consider the following:
- If you’re in healthcare, I’m sure you’re well aware that the Health Insurance Portability and Accountability Act (HIPAA) makes it criminal to not appropriately secure patient information.
- In the financial sector, the Gramm–Leach–Bliley Act’s (GLBA) Financial Privacy rule requires businesses to be transparent about how they protect consumers’ information, including data stored within web conferencing platforms. Violation of the GLBA can lead to severe fines…or worse.
- For most of you in the Federal government…well, the restrictions are tight. You may only be able to use web conferencing platforms that have been granted FedRAMP Agency Authorization (more on this below).
- Even if you work at a law firm or for a management consultant group, you may be at risk. Any time you share strictly confidential information through web conferencing platforms, security is a necessity.
Below, we’ve outlined six factors you need to consider when evaluating web conferencing security.
Web Conferencing Security: 6 Crucial Factors
Factor #1: FedRAMP Compliance
Is there some standard out there that clues you in to the security levels of a web conferencing platform? Yes! A few, actually.
Many international organizations look for a platform to be ISO 27001 Certified. (ISO stands for the International Organization of Standards.) For those of us stateside, the standard bearer is the National Institute of Standards and Technology (NIST).
In the last decade, the US government realized that with changing technologies and data sharing, new security measures needed to be put in place for federal agencies. As a result, the Federal Information Security Management Act (FISMA) was enacted to get the process rolling.
NIST, in turn, developed standards specific for web conferencing security and cloud systems. The eventual outcome was the Federal Risk and Authorization Management Program (FedRAMP).
Let’s just say this. If the web conferencing platform you use is FedRAMP certified, you can feel confident you’re well protected.
These standards can be far-reaching. Here’s a quick run-down on what you need to know about FedRAMP:
- FedRAMP standards are in accordance with legislation outlined by FISMA, and they meet the baseline security controls set out by NIST in their Special Publication 800-53.
- As defined by NIST, security controls are the safeguards and countermeasures used by a particular information system to protect confidential and integral parts of that system.
- In all, there are 18 “families” of security controls that range from system configuration management to physical and environmental protection. Within each family, there are numerous sub-categories with hundreds of specific security controls.
- If your web conferencing platform is FedRAMP compliant, it will hold the “Agency FedRAMP Authorization” title.
Is your web conferencing platform FedRAMP compliant? If not, you should evaluate how extensive your web conferencing security features are.
To give you a few suggestions of what to consider, here are a few examples of the layers of security that factor into FedRAMP compliance.
Factor #2: Advanced Access Restrictions
Strong security begins with the configuration of gated access. Passwords for hosts before they open a virtual room; codes for participants before they join. But there are ways to further secure access.
The following examples are required for FedRAMP compliance:
- Atypical usage: Restrictions that can be set to limit the hours a virtual room can be accessed. By tightening hours of usage, you can minimize the time in which vulnerable information can be viewed and tampered with.
- Remote or wireless access: Certain parameters allow you to monitor remote users, and relay only encrypted information to protect from unwanted hands.
To further limit the availability of access, gates such as session locks and credential termination help manage who enters your virtual rooms:
- Session locks: A session lock is set by a host after a sensitive online event begins. Doing so restricts access to participants who show up late. Locks help avoid unwanted visitors peeping in on your conversations.
- Credential termination: When a member leaves the hosted space, the credentials they used initially will no longer work. This functionality is very important if you have participants who join meetings to speak on a topic, but then are required to leave later when information they aren’t privy to is shared. You wouldn’t want them joining again, so you prevent readmittance with credential termination.
All of the above options are ideal for preventing the threats mentioned earlier.
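To make the gates above concrete, here is an added example (not code from the original post or from any conferencing product) of a join check that applies usage hours, a session lock, and credential termination in that order. The `Room` class, user names, join codes, and timestamps are all constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Room:
    """Constructed model of a virtual room; all names here are hypothetical."""
    open_from: time                  # start of the permitted usage window
    open_until: time                 # end of the permitted usage window
    credentials: dict = field(default_factory=dict)  # user -> join code
    locked: bool = False             # session lock, set by the host

    def join(self, user: str, code: str, now: datetime) -> str:
        if not (self.open_from <= now.time() <= self.open_until):
            return "deny: outside permitted hours"
        if self.locked:
            return "deny: session locked"
        expected = self.credentials.get(user)
        # Constant-time comparison avoids leaking the code through timing.
        if expected is None or not hmac.compare_digest(
                expected.encode(), code.encode()):
            return "deny: credential invalid or terminated"
        return "allow"

    def leave(self, user: str) -> None:
        # Credential termination: the code used to enter stops working on exit.
        self.credentials.pop(user, None)


def demo() -> list:
    day = lambda h, m: datetime(2024, 1, 15, h, m)   # constructed timestamps
    room = Room(time(9, 0), time(17, 0),
                {"alice": "483920", "bob": "771204", "carol": "905516"})
    results = [room.join("alice", "483920", day(10, 0))]       # guest speaker
    room.leave("alice")                                        # asked to leave
    results.append(room.join("alice", "483920", day(10, 30)))  # tries to return
    room.locked = True                                         # host locks room
    results.append(room.join("bob", "771204", day(10, 45)))    # late arrival
    results.append(room.join("carol", "905516", day(20, 0)))   # after hours
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Each participant gets their own code here, so terminating one credential on exit does not lock out anyone else.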
Factor #3: Define Roles and Privileges
A comprehensive security system allows account administrators to define the roles and privileges of your employees. These determinations will, in turn, establish the conditions by which a user can interact with a group or virtual room. You can define these privileges with role-based access controls (RBAC) and dynamic privilege management:
- Role-Based Access Controls: When used in large online event settings, RBACs allow you to define the levels of interaction users can have in a platform.
You wouldn’t want a participant to be able to open up your meeting room whenever they feel like it. Setting RBACs limits the number of people who have the “clearance” to open your virtual room. Additionally, if an individual isn’t set up with a desired role, they won’t be able to join active meetings. Thus, you prevent people from joining events where they shouldn’t be.
These controls then translate into room controls. So having tiers is key. Minimally, it seems valuable to have Hosts, Presenters, and Participants. (Note: The level of control descends from most control with Hosts to least with Participants.) The host owns the room. They can set access requirements. They manage the content uploaded and the interactions of the room.
Presenters, being a tier down, have some control over the room but less than Hosts. And participants are limited to interactions with the pre-configured aspects of the room: Polls, Chats, Q&As, and so on. RBACs serve a great security purpose, both before sessions and while the event is taking place.
- Dynamic privilege management: Through dynamic privilege management, you allow a user to retain their virtual identity when their access privileges are amended. In a similar scenario to the above, a user could have their privileges upgraded for a one-time event, then demoted at the event’s conclusion. All the while, their virtual identity remains intact.
When it comes to ensuring valuable information isn’t falling into the wrong hands, you need security features that allow account administrators to easily define roles and privileges. RBACs and dynamic privilege management represent great options for managing the privileges of your users during your online events.
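The tiers and the one-time upgrade described above can be sketched as follows. This is an added example, not code from the original post or from any platform: the action names, the `REQUIRED` policy, and the user and event IDs are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    PARTICIPANT = 1
    PRESENTER = 2
    HOST = 3


# Lowest tier allowed to perform each action (constructed policy).
REQUIRED = {
    "chat": Role.PARTICIPANT, "answer_poll": Role.PARTICIPANT,
    "share_screen": Role.PRESENTER, "upload_content": Role.PRESENTER,
    "open_room": Role.HOST, "set_access_requirements": Role.HOST,
}


@dataclass
class User:
    user_id: str                       # stable virtual identity
    base_role: Optional[Role] = None   # None: no role assigned yet
    grants: dict = field(default_factory=dict)  # event_id -> temporary Role

    def role_for(self, event_id: str) -> Optional[Role]:
        return self.grants.get(event_id, self.base_role)


def can(user: User, action: str, event_id: str) -> bool:
    role, needed = user.role_for(event_id), REQUIRED.get(action)
    # Deny by default: unknown action, or a user with no role at all.
    return role is not None and needed is not None and role >= needed


def elevate(user: User, event_id: str, role: Role) -> None:
    user.grants[event_id] = role       # scoped to one event, identity untouched


def end_event(users: list, event_id: str) -> None:
    for user in users:
        user.grants.pop(event_id, None)  # demote at the event's conclusion
```

Because the temporary grant is keyed by event, an upgrade for one session never carries over to another, and the user's ID stays the same throughout.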
Factor #4: Blacklisting Features
Imagine you’re a low-level operative of the CIA in the 1970s. You’ve just been assigned to a new case and the files are scattered across your desk. Trembling with excitement, you peel back the manila folder to find…a bunch of completely redacted documents?!?! “This is going to be a long case,” you grumble angrily.
But then again, you are a low-level operative in this scenario. 😉
Redaction of information serves an important purpose for our government. It helps agencies share records and reports without compromising the most sensitive aspects of those files. While not a perfect analogy, blacklisting features on a web conferencing platform work in a similar manner. You get to collaborate and communicate while curbing security vulnerabilities.
The ability to blacklist features basically means that you – as an account administrator – can limit which features appear in users’ virtual rooms. Blacklisting can also give you the opportunity to place restrictions on the functionality of those features.
How does this help? Well, let’s consider a few examples.
Web conferencing platforms are often loaded with features. Chats, notes, Q&As, screen shares, file shares, whiteboards, and many more. These tools are great for maintaining productive conversations and collaborating efficiently over the web.
That said, heavily regulated industries may find some features problematic. While we shouldn’t start donning tin-foil hats and eyeing everyone with suspicion, it is important to note that these features could be used to leak information – accidentally or maliciously. Links shared in chats, information added to a notes feature, or the documents uploaded to a file share can all wind up leaked if hosts are not being careful.
For some organizations, these possibilities may seem too dangerous. So, the ability to completely disable features may be desired. Make sure the platforms you consider offer this type of control.
Disabling the functionality of certain features is a big boon for secure web conferencing, especially when screen sharing. Many of us have those stories where someone made the unfortunate mistake of accidentally sharing their web browser – and the cat video they were watching. Working hard, Joe, or hardly working?
Of course, the security implications can be significant for regulated industries. What if someone accidentally shares an internal financial record during a meeting with customers? Or a trade secret? Or a classified document? Even if it’s only seen for five seconds, that’s exposure many organizations can’t afford.
Certain platforms allow you to actively disable desktop, window and application sharing. The most secure web conferencing platforms (and it’s a small group) take it up another level – they even allow you to block the screen sharing of certain applications or programs.
What types of programs can be blocked? Any that you feel would be relevant, but it does have to be operating system specific. For example, you could block the sharing of Microsoft Word, Excel, PowerPoint, Notepad, and so on. The same can be done for Macs.
By blacklisting certain programs and applications, you can reduce the likelihood confidential information will be shared by mistake.
(Alternatively, you can “whitelist” certain processes. This can be a better option for many organizations, as they can more quickly limit the number of shareable processes. Instead of singling out two dozen for exclusion, you can pick a few that you know you’ll need and limit screen sharing to those.)
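The difference between the two modes shows up when an application nobody thought to list gets shared. The following is an added example, not code from the original post or any platform: the policy layout, the `may_share` function, and the `LedgerViewer.exe` application are constructed for illustration.

```python
import re


def normalize(os_name: str, process_path: str) -> str:
    """Reduce a process path to a comparable name for the given OS."""
    name = re.split(r"[\\/]", process_path)[-1].lower()
    if os_name == "windows" and name.endswith(".exe"):
        name = name[:-4]
    return name


def may_share(policy: dict, os_name: str, process_path: str) -> bool:
    names = policy["processes"].get(os_name)
    if names is None:
        return False   # no rules written for this OS: fail closed
    listed = normalize(os_name, process_path) in names
    # Whitelist: only listed processes pass. Blacklist: only listed ones fail.
    return listed if policy["mode"] == "whitelist" else not listed


# Constructed sample policies; rules are kept per operating system.
BLACKLIST = {"mode": "blacklist", "processes": {
    "windows": {"winword", "excel", "powerpnt", "notepad"},
    "macos": {"microsoft word", "microsoft excel"},
}}
WHITELIST = {"mode": "whitelist", "processes": {
    "windows": {"powerpnt"},
    "macos": {"keynote"},
}}

if __name__ == "__main__":
    unlisted = r"C:\Tools\LedgerViewer.exe"   # hypothetical in-house app
    print("blacklist lets it through:", may_share(BLACKLIST, "windows", unlisted))
    print("whitelist lets it through:", may_share(WHITELIST, "windows", unlisted))
```

The unlisted application passes the blacklist but not the whitelist, which is why the whitelist needs far fewer entries to give the same protection.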
The above three factors reflect critical layers for web conferencing security.
Although still immediately relevant to and important for web conferencing, these final two factors also pertain to the security measures taken by web conferencing providers.
Factor #5: Recording Encryption
Just because an online event concludes without issue, doesn’t mean you’re in the clear yet. Most web conferencing platforms allow you to record the online events, which is great because recordings can be shared with individuals who were unable to attend. But these recordings may leave you susceptible to information compromise.
What happens to the information in the recording when your web conferencing provider stores it for you? If not encrypted, these recordings can prove a significant vulnerability. The standard for securing the recordings requires AES 256-bit encryption. A good web conferencing provider will encrypt the recording while in storage and transmission.
The best providers also keep logs of interactions with encrypted materials. If your recordings are encrypted, any employee who interacts with them will be identified – their virtual fingerprints will be everywhere. So, on the off chance a recording goes missing, you can figure out who may be responsible!
Factor #6: External Hosting & On-Premise Options
Most web conferencing platforms are SaaS and cloud-based. This works for most companies.
If you need to go above and beyond the typical security controls because your information has a virtual “burn after reading” stamp on it, you should look into external hosting options or on-premise deployment.
External hosting is a service some web conferencing providers may offer – to manage the “classified” information of your online events.
An external host can provide you several services. To begin with, they can monitor and manage content that is uploaded. Depending upon your needs, these uploads can later be purged to minimize exposure. If the information is very delicate, the content can be destroyed upon the event’s closure. This monitoring limits the potential harm of compromised information.
An external host can also create a metadata backup of the online event. Such a backup provides you a means to retain some information related to the event, but nothing that will leave you exposed. Be aware that not all web conferencing providers facilitate external hosting.
External hosting options should be at the top of your list when evaluating web conferencing security.
On-premise deployment is another good option for bolstering web conferencing security. “On-prem” allows you to place the software behind your firewall and under the supervision of the technicians you trust most.
Organizations that have high-level security needs and are threatened by hackers and the like often turn to on-prem deployment. It gives your IT team the control they need to ensure every aspect of your online events is secure. Doing so also gives your team the opportunity to run the diagnostics reports that are most important for your organization.
What good is a web conferencing platform that allows you to share valuable information if it doesn’t have the security measures to ensure the info will remain protected?
If you can find a web conferencing platform whose features meet FedRAMP compliance, you’ve probably found a winner. Couple that platform with a provider who offers external hosting options, and you can feel confident they truly are covering all your web conferencing security needs.
At MeetingOne, we prioritize security. We work with Adobe Connect, which is FedRAMP compliant & ISO 27001 certified and a leader in web conferencing security.
We also offer industry-leading security for our audio conferencing services. Check out the security overview of MeetingOne features.
This blog was originally published in July of 2016; then republished on February 26th, 2018.