How secure is your conference call?
Conferencing and collaboration platforms can create an open channel to users’ conferencing systems and users’ computers, often bypassing security within an organization. But are these cloud based services putting your business at risk? And how can you protect your company from unwanted malware in the age of cloud collaboration?
Article by: S Ann Earon, IMCCA Founding Chairperson
A variety of conferencing and collaboration platforms have become basic tools deemed necessary to conduct business (e.g. Skype for Business, WebEx). These collaboration tools are designed so that firewalls and other security devices are configured to allow conferencing and collaboration traffic through. The tools encrypt the communications between conversation endpoints, but the communications are neither blocked nor inspected. Users' common sense is all that stands in the way of malware accompanying a download such as a PowerPoint presentation or a chat on Skype. Users can unknowingly download malware, which can infect the entire network.
The need to optimize conferencing and collaboration security is growing as organizations look for new ways for employees to be productive, and collaboration and unified communications overtake face-to-face meetings. As an increasing number of employees work from home, or away from the office, organizations are implementing Bring-Your-Own-Device (BYOD) policies to offer employees flexibility and a work-life balance.
What security practices can organizations put in place as they implement conferencing and collaboration solutions?
1. Create a BYOD Policy
An effective BYOD policy should address network access, secure passwords, lost devices, etc. There needs to be a written policy with increased security measures, improved training, and ways to ensure IT can handle new and different devices.
2. Secure Devices and Networks
Put a process in place to ensure devices used to access the in-house network are safe and do not contain spam, malware, or unacceptable applications that could compromise the network. Be sure connections to the network, regardless of user location, are authorized.
3. Manage Passwords
Users need to understand their responsibility when it comes to security and the importance of passwords. Written guidelines should be developed and all employees trained on the implications of an unsecure environment.
A group of experts involved in the IMCCA AV/IT panel at InfoComm 2017 provide their insights into how best to handle security as it relates to conferencing and collaboration.
Michael Goldman – Crestron
Executive Director, Enterprise Strategies & Development
As companies go through digital transformation, they are deploying presentation and collaboration systems at a rapid pace. In the past, these systems could be free standing, independent of the broader network. To deliver on worker needs today, these systems must all connect to the network and, in some cases, the Internet. This means that as new presentation and collaboration applications and devices (room systems and end points) proliferate, potential security risks do as well. Moving systems to the network in scale adds additional steps to the process which many AV professionals followed for decades. Because of this, they may be failing to address security as a top, and well-warranted, concern at the outset of the initial design.
Presentation and collaboration systems may have previously made companies largely focused on simple connectivity and usability; but now organizations must consider security and centralized management as must-haves. There are two primary concerns:
- Physical security – Anyone can access your network, or network connected equipment, such as disgruntled employees or on-site visitors. If they can put hands physically on devices and change the firmware they can use that device as a launching off point to disrupt service or worse, steal information. This makes it imperative to keep physical security a priority.
- Online security – A greater number of internet-connected collaboration applications and devices means a greater number of potential network entry points for things like hacks and malware. The bottom line is that people designing presentation and collaboration systems need to engage with IT and security personnel at the outset to understand corporate or institutional guidelines and best practices so they may be applied and incorporated.
Today’s typical systems may contain equipment from more than 10 different manufacturers, each offering various levels of security and opening the door to a multitude of vulnerabilities – and this gear is now moving inside on the network, behind the firewall. This means that extra thought must be given to how owners, integrators and service providers manage, update and patch systems. Because of scale, it’s no longer possible to take a room-by-room approach with a laptop to update systems.
Taking this a step further, it’s likely that non-network authorized laptops or devices will be allowed to connect to the network to accomplish the task, a big no-no in general. New methods must be considered. Software and firmware updates should come from hardened servers on the network and securely delivered via scheduled or auto updates.
Danny Rogers – AVI-SPL
Vice President Global Channels
The Cyber Security market is projected to reach circa $238 billion by 2022 – and the proliferation of the Internet of Things (IoT), across multiple applications in almost all industry sectors, has stimulated the need for enhanced security solutions.
Most of the critical infrastructure components are now completely dependent on IT systems to perform their missions, and the IT sector provides the foundation for information exchange for all the other sectors, including voice, data, video, streaming and internet connectivity. Cyber infrastructure protection and security is one of the most important and highest priorities in business today.
There is undoubtedly a rising awareness in the Board Room about the business impact of security incidents and attacks. An evolving regulatory landscape has led to continued and increased spending on security products and services, but improving security is not just about spending on new technologies. There is even greater emphasis on getting the basics right and organisations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralised log management, internal network segmentation, back-ups and system hardening.
The digital collection, storage, analysis and distribution of information has created a world of insecurity which has resulted in new opportunities in the global cyber security market. Market analysis suggests that data breaches significantly impact consumer confidence. This is serious for companies that are completely reliant on cloud-based services to run their business, noting that more than half of the global cyber-attacks are reported in the United States. IT systems are part of other key security and emergency preparedness resources and are important components of the overall national critical infrastructure. As technology advances, new security challenges need to be monitored and addressed, most notably around the surveillance and use of user data – exemplified by the current news stories around Facebook.
It is predicted that security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services, but hardware support services will also see growth slowing, due to the adoption of virtual appliances, public cloud and software as a service (SaaS) editions of security solutions, which reduces the need for attached hardware support overall.
David Buchholz – Intel
Principal Engineer – Enterprise Computing Strategy
Solutions need to comprehend the existing and emerging security models of IT. As AV merges more into IT, it is crucial that these solutions understand the security landscape they land in. IT will be very hesitant to implement concurrent solutions and will instead push to have your collaboration solutions land within their existing bounds. Your solution needs to comprehend many different environments within these controls. There are standard corporate use cases, BYOD, HIPAA, Sarbanes Oxley, PII and much more, to consider when collaborating in these environments.
Ultimately your solution should augment and add to the security footprint that is there. Many solutions today provide holes in the security layers (open APs, non-encrypted traffic, etc.), but a good solution won’t rely on things like wireless encryption, but instead do end-to-end encryption on its own. The security aspects of these solutions should also integrate into IT EAM (Enterprise Access Management) systems when possible vs. requiring a separate management console and user list as well.
Mark Strassman – BlueJeans
Chief Product Officer
Cloud Collaboration is the new enterprise “dial tone,” but its security implications go far beyond what was required for voice-only communications. Any enterprise-grade communications solution must include network and data centre security measures, robust in-meeting and administrative features, standards-based media encryption, and comply with multi-national security and compliance standards.
Cloud and Global Data Center Security: The locations and services hosting a conferencing & collaboration service must be secure and proven, either in ISO27001 certified top-tier co-location data centers around the world, with dedicated cages and racks that are protected with 24x7x365 security and multiple levels of biometric access controls, or in secure SaaS cloud providers, such as AWS and Azure.
User Account Security: On top of the cloud infrastructure, a cloud collaboration service must include security features that can be enabled at the user level. This includes accounts secured with a standard username and password, or via SSO SAML 2.0 assertion, authentication requests always sent over HTTPS, passwords that are SHA-256 salted/hashed in the database and can never be viewed in plain text, and passwords that are never sent via email or any other form of electronic transmission.
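The password handling described above (a per-user salt, a SHA-256-based hash stored instead of the password, and no plaintext ever retrievable) can be illustrated in a few lines. The following is an added editorial example, not code from the article, from BlueJeans or from any product it names. It uses PBKDF2-HMAC-SHA256 from Python's standard library, so the stored value is an iterated salted SHA-256 derivation rather than a single hash round; the iteration count, the `CredentialStore` class and all user names and passwords are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed cost parameter for the demonstration; production deployments
# tune this upward to the slowest value the login path can tolerate.
ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass(frozen=True)
class StoredCredential:
    """What the database holds per user: salt, digest and the cost used.
    The password itself is never stored, so it can never be viewed."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """Derive a salted SHA-256-based digest (PBKDF2-HMAC-SHA256).
    A fresh random salt is drawn unless one is supplied explicitly."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return StoredCredential(salt=salt, digest=digest, iterations=iterations)


def verify_password(password: str, stored: StoredCredential) -> bool:
    """Recompute with the stored salt and cost, then compare in constant
    time so the comparison itself leaks nothing about the digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


class CredentialStore:
    """In-memory stand-in for the user table (constructed for the example)."""

    def __init__(self) -> None:
        self._users: Dict[str, StoredCredential] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        if stored is None:
            # Burn the same work for an unknown user as for a wrong password,
            # so response time does not reveal which usernames exist.
            hash_password(password, salt=b"\x00" * SALT_BYTES)
            return False
        return verify_password(password, stored)

    def digests_differ(self, user_a: str, user_b: str) -> bool:
        """True when two users' stored digests differ; with per-user salts
        this holds even if both chose the same password."""
        return self._users[user_a].digest != self._users[user_b].digest


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")  # constructed
    store.register("bob", "correct horse battery staple")    # same password
    print("alice ok:", store.authenticate("alice", "correct horse battery staple"))
    print("alice wrong:", store.authenticate("alice", "Tr0ub4dor&3"))
    print("salts make digests differ:", store.digests_differ("alice", "bob"))
```

The two points a practitioner should take from this are that the salt is what makes two users with the same password store different digests, and that the verification path must be constant-time and equally expensive for unknown users, otherwise the login endpoint itself becomes an information leak.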
In-Meeting Security: As important as the infrastructure and user authentication are, the security capabilities that users and enterprises may set as default or enable when required include the following:
- Unique meeting IDs that uniquely identify a meeting
- Optional or required participant passcodes
- Establishing a second-level of authentication that can optionally be enabled for each meeting
- Options to encrypt meetings, to only allow end points with sufficient encryption capabilities to participate in meetings
- Options to expel participants
- Locking meetings, allowing moderators to lock the session down to only include those participants that are already in attendance
Admin-Level Security: Group Administrators should be able to define and enforce security policies for all users in their organization, including:
- User authentication options (standard user password configuration or SAML single sign on)
- User password requirements (change password options, failed login notifications, and so forth)
- A secure solution should also offer the option to obscure personally-identifying information in administrative and IT consoles so that IT personnel can monitor and support meetings while respecting the privacy of participants
Privacy and Customer Data Storage
The topic of user data is more important than ever. Given all of the meeting participant information across all meetings, there must be controls on what data is stored, how and where it is stored, who can access it, and how to remove it. Compliance with EU-U.S. Privacy Shield Framework and GDPR are required, and ensure any provider stores and can expunge customer data according to the required guidelines.
Service Organization Controls (SOC) 2
In addition to the security measures taken around a collaboration service infrastructure, as well as the in-meeting security features of a product, any provider must take important steps to ensure the integrity of its internal operations. Completing the Statement on Standards for Attestation Engagements (SSAE16) Service Organization Controls (SOC) 2 Type 2 Report is a very important step, not only for a collaboration service provider, but also for its customers. This attests to the commitment as a service provider to its users that it has implemented formal documented procedures and controls across the organization, including Policy, Communications, Procedural, and Monitoring control activities, as well as Disaster Recovery and EU-U.S. Privacy Shield Framework.
Interested in understanding more about Unified Communications technology and best practice? Integrate 2018 is running a dedicated stream of UC educational sessions. You can view the full program here.
About the Author: S. Ann Earon, Founding Chairperson, IMCCA
The IMCCA is a non-profit industry association resolved to strengthen and grow the overall unified communications and collaboration industry by providing thought leadership, impartial information, and education. (www.IMCCA.org) For further information, contact Carol Zelkin, Executive Director IMCCA at firstname.lastname@example.org or 516-818-8184.