The security flaws inherent in video conferencing, and in certain offerings in particular, have been well documented over the last few months while the world at large has limped from one crisis to another. When security firms started predicting the main security concerns for 2020, the increased use of video conferencing tools to support remote work featured prominently. However, they had no idea that the current pandemic would create an environment where the prediction became reality almost overnight.
Flaws And Threats
While businesses rapidly adopted video conferencing solutions or looked for the best HD conferencing API, the scramble to remain operational left the important security questions unanswered. Security researchers were quick to point out flaws, including those that would allow unauthenticated users to join meetings and poor password management that would see gate crashers arrive to spoil the party. The good news is that steps can be taken to secure video conferences, and these should be implemented as part of an organization’s security policy.
Understanding Your System
This step can be done when choosing a solution or even after one has been chosen. Of importance here is to ask what type of data encryption the solution provides, how the data is managed, and what security features are presented to users before they log in. The age of the current solution should also be looked at: if the product is older than five years, it might not offer the required security measures to help combat modern threats.
Have A Policy in Place
As with policies that dictate how employees are to use personal devices for work, whether in the office or, increasingly, remotely, a policy for video conferences needs to be drawn up if one is not already in place. Ideally, the policy clearly lists the boundaries and expectations of both the company and the employee. Requirements for recording meetings, what information can be discussed, how to use the camera and mute functions in line with policy guidelines, and what devices may be used are important considerations when drafting a policy.
Too often, these tools are connected directly to the Internet with no firewall in place. This is simply begging a hacker to compromise the company network. A far better approach is what researchers have termed domain-based security: placing video conferencing solutions within the protective barrier of the company network, which allows administrators to control access to the tool. As an example, if a video conference is set up between an outside stakeholder and an employee, an employee with the correct privileges will need to allow the outsider to join the call and authenticate their access.
Closely linked to the above step is controlling who has access to calls. Technology has provided a handy tool to help manage this in single sign-on (SSO) systems. These systems are tied to users’ privileges and authorization level so that credential theft is made much harder. Further, these systems generate log data that tracks where, when, and how the user accessed the system.
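The admission rule and access logging described in the two paragraphs above can be sketched as follows. This is an added example, not code from any conferencing product; the `Meeting` and `Participant` classes, the `example.com` domain and all field names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

COMPANY_DOMAIN = "example.com"  # assumption: placeholder for the company's SSO domain


@dataclass
class Participant:
    email: str
    sso_authenticated: bool = False  # set by the SSO system, never by the client
    can_admit_guests: bool = False   # privilege assigned by an administrator


@dataclass
class Meeting:
    meeting_id: str
    admitted: set = field(default_factory=set)
    lobby: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _log(self, who, action, source_ip):
        # Record who did what, when, and from where, for later review.
        self.audit_log.append({"when": datetime.now(timezone.utc).isoformat(),
                               "who": who, "where": source_ip,
                               "meeting": self.meeting_id, "action": action})

    def request_join(self, p, source_ip):
        domain = p.email.lower().rsplit("@", 1)[-1]
        if domain == COMPANY_DOMAIN:
            # A company address without a valid SSO session is refused outright.
            decision = "admitted" if p.sso_authenticated else "denied"
        else:
            decision = "lobby"  # outsiders wait until a privileged employee admits them
        if decision == "admitted":
            self.admitted.add(p.email)
        elif decision == "lobby":
            self.lobby.add(p.email)
        self._log(p.email, "join:" + decision, source_ip)
        return decision

    def admit_guest(self, host, guest_email, source_ip):
        # Only an employee already in the call, holding the privilege, may admit.
        ok = (host.email in self.admitted and host.can_admit_guests
              and guest_email in self.lobby)
        if ok:
            self.lobby.discard(guest_email)
            self.admitted.add(guest_email)
        self._log(host.email, f"admit:{guest_email}:{'ok' if ok else 'refused'}", source_ip)
        return ok
```

Refused joins and refused admit attempts are logged alongside successful ones, so the audit trail shows attempted access as well as granted access.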
Concluding this article is a note on encryption. By using 128-bit AES as a company’s encryption standard for all things, including video conferencing, the company goes a long way toward hardening its data and keeping it away from prying eyes. When this standard is used to generate an encryption key for a video conference, it would take a supercomputer billions of years to try and break the encryption key.