6 Factors of Web Conferencing Security You Need to Consider

What features do you look for in a web conferencing platform?  

Most of us first look at conferencing tools, like chat features, screen and document sharing options, editable meeting spaces, and so on.  Then we move on to the real meat – platform components: reporting and analytics options, the ease of access for participants, branding and customization opportunities, etcetera, etcetera.  That’s all very important, but what if the most vital aspect of web conferencing is what you can’t see?

I’m talking about web conferencing security. 

If you aren’t making security a focal point of your appraisal, you may be putting yourself, and your business, at risk.  Web conferencing platforms are susceptible to several major security threats, such as:

• Snooping: If not properly secured, an outside party can listen in on your online meetings and exploit your business’ information.

• Compromise of sensitive information: Personal information shared over web conferences is vulnerable to internal and external leaks or theft. The consequences of an information compromise can have serious legal ramifications, including imprisonment.

• Denial-of-Service attacks: Through Denial-of-Service attacks, external threats can prevent you from accessing important online events that require your attendance.

There have also been Federal legislations that require personal information be secured.  Some of these legislations have been specific to industries of the private sector, as with the Healthcare and the Financial industries, while other laws pertain to how the government operates.  Consider the following:

• If you’re in healthcare, I’m sure you’re well aware that the Health Insurance Portability and Accountability Act (HIPAA) makes it criminal to not appropriately secure patient information.

• In the financial sector, the Gramm-Leach-Billey Act (GLBA) requires businesses to be transparent about the protection they are providing consumers. Violation of the GLBA can lead to severe fines and potential prison time.

• For most of you in the Federal government…well, the restrictions are tight – you can only work with web conferencing vendors who have been granted FedRAMP Agency Authorization (more on this below).

Even if you work at a law firm or for a management consultant group, you may be at risk.  Any time you share strictly confidential information through web conferencing platforms (like during your annual business reviews), security is a necessity.

Below, we’ve outlined six factors you need to consider when evaluating web conferencing security.

---

Web Conferencing Security: 6 Crucial Factors

Factor #1: FedRAMP Compliance

If you want to know what makes a web conferencing platform secure, you need to learn about the Federal Risk and Authorization Management Program (FedRAMP).  Although FedRAMP is specifically related to government security requirements, a web conferencing platform compliant with those national standards will indeed meet your business security needs.

To ensure that Federal proprietary information is secured over cloud systems, such as web conferencing platforms, the U.S. government determined it was necessary to establish standards of regulation with FedRAMP.

---

These standards can be far-reaching.  Here’s a quick run-down on what you need to know about FedRAMP:

• FedRAMP standards are in accordance with those outlined by the Federal Information Security Management Act (FISMA), and meet the baseline security controls set out by the National Institute of Standards and Technology (NIST) in their special publication 800-53.

• As defined by the NIST, security controls are the safeguards and countermeasures used by a particular information system to protect confidential and integral parts of that system.

• In all, there are 18 “families” of security controls that range from system configuration management to physical and environmental protection. Within each family, there are numerous sub-categories with hundreds of specific security controls.

• If your web conferencing platform is FedRAMP compliant, it will hold the “Agency FedRAMP Authorization” title.

Is your web conferencing platform FedRAMP compliant?  If not, you should evaluate how extensive your web conferencing security features are.

To give you a few suggestions of what to consider, here are a few examples of the layers of security that factor into FedRAMP compliance.

---

Factor #2: Gated Access

Strong security begins with the configuration of gated access.  Gated access refers to the many security options that manage entrance to and usage of virtual rooms housed within a web conferencing platform.  To give you some ideas of how it can work, we’ve chosen a select few examples:

• Atypical usage: Restrictions that can be set to limit the hours a virtual room can be accessed. Through tightening hours of usage, you can minimize the time in which vulnerable information can be viewed and tampered.
• Remote or wireless access: Certain parameters allow you to monitor remote users, and relay only encrypted information to protect from unwanted hands.

To further limit the availability of access, gates such as session locks and credential termination help manage who enters your virtual rooms:

• Session locks: Used at the beginning of a sensitive online event, a host can restrict access to late-coming users. Locks also help avoid unwanted visitors peeping in on your conversations.
• Credential termination: When a member leaves the hosted space, the credentials they used initially will no longer work.

All of the above options are ideal for preventing the threats mentioned earlier.  Making sure your platform has the appropriate gates is the best means to prevent Denial-of-Service attacks.

---

Factor #3: Define Roles and Privileges

A comprehensive security system allows account administrators to define the roles and privileges of your employees.  These determinations will, in turn, establish the conditions by which a user can interact with a group or virtual room.  You can define these privileges with role-based access controls (RBAC) and dynamic privilege management:

• Role-Based Access Controls: When used in large online event settings, RBACs allow you to filter which individuals enter what virtual rooms. As an example, you may have an employee who needs to share information, but their presence is not required in the larger meeting.  You could set their RBACs so they can only enter a sub-conference room, where someone else with greater privilege could meet them, get the run-down, and return to the larger meeting.  (No dark alleyways and manila envelopes required.)  Using RBACs in this way helps you avoid internal leaks of sensitive info.

• Dynamic privilege management: Through dynamic privilege management, you allow a user to retain their virtual identity while their access privileges are amended. In a similar scenario to the above, a user could have their privileges upgraded for a one-time event, then demoted at the event’s conclusion.  All the while, their virtual identity remains intact.

When it comes to ensuring valuable information isn’t falling into the wrong hands, you need security features that allow account administrators to easily define roles and privileges.  RBACs and dynamic privilege management represent great options for managing the privileges of your users during your online events.

---

Factor #4: Individual Access Codes

Individual access codes (IAC) allow businesses a way to pair a person with unique authenticators that will customize their privileges.  Also, with these codes, your employees will have the means to access online events.

IACs are, basically, your employees’ web conferencing fingerprints.  In the same way a fingerprint scanner grants you access to a secured room, an IAC opens the door to a virtual space.

To get an idea of the value of IACs, let’s play out a worst case scenario: information that was not intended to be shared, has been leaked by an employee.  You’re freaking out because numerous employees interacted with the room.  But who was the actual culprit?  Functioning like a fingerprint, an IAC leaves a trace of the offender’s presence.  A good security system can generate a report that indicates who accessed a virtual space and when.  With that report in hand, the responsible party can be pinned down, and the leak plugged.

The above three factors reflect critical layers for web conferencing security.  Although still immediately relevant to and important for web conferencing, these final two factors also pertain to the security measures taken by web conferencing providers.

---

Factor #5: Recording Encryption

Just because an online event concludes without issue, doesn’t mean you’re in the clear yet.  Most web conferencing platforms allow you to record the online events, which is great because recordings can be shared with individuals who were unable to attend.  But these recordings may leave you susceptible to information compromise.

What happens to the information in the recording when your web conferencing provider stores it for it to you?  If not encrypted, these recordings can prove a significant vulnerability.  The standard for securing the recordings requires the AES 256-bit encryption.  A good web conferencing provider will encrypt the recording while in their storage, and in transmission to you.

Let’s replay the above “worst case scenario”, only this time, someone’s hacked into a recording loaded with sensitive information.  If the recording were encrypted, any employee who interacts with the encryption will create a clue your web conferencing provider can follow (in the form of an access record).  Pair your findings with IAC fingerprints, and you’ll have your perpetrator.

---

Factor #6: External Hosting Options

If you need to go above and beyond the typical security controls because your information has a virtual “burn after reading” stamp on it, you should look into external hosting options.  External hosting is a service some web conferencing providers may offer – to manage the “classified” information of your online events.

An external host can provide you several services.  To begin with, they can monitor and manage content that is uploaded.  Depending upon your needs, these uploads can later be purged to minimize exposure.  If the information is very delicate, the content can be destroyed upon the event’s closure.  The benefits of monitoring limit the potential harm of compromised information.

An external host can also create a metadata backup of the online event.  Such a backup provides you a means to retain some information related to the event, but nothing that will leave you exposed.  Be aware that not all web conferencing providers facilitate external hosting.

---

Conclusion

What good is a web conferencing platform that allows you to share valuable information if it doesn’t have the security measures to ensure the info will remain protected?

If you can find a web conferencing platform whose features meet FedRAMP compliance, you’ve probably found a winner.  Couple that platform with a provider who offers external hosting options, and you can feel confident they truly are covering all your web conferencing security needs.

At MeetingOne, we would be more than happy to discuss your security needs. 

---