I have been asked, “Which is the best collaboration and videoconferencing service?” many times in the last few days as we need to communicate with our colleagues, business partners and customers when working remotely.
Just like there’s no “best” car, there’s also no best collaboration service, but here’s a few suggestions around security and privacy to consider when deciding which services to support and use in your organisation. Remember, your employees are also receiving requests from your business partners to join their services, so it’s a good idea to not only define your approved services, but also to make recommendations to your users about others they may come across.
I have just reviewed the MVISION Cloud Registry, where we list and rate over 250 different online meeting services. Although some offer online meetings as only one part of a wider set of applications, there is no shortage of possible options.
I won’t discuss functionality in this blog post; there are many places to find those comparisons. Instead I will focus on the information you should review from a security and privacy point of view. Don’t forget to educate your employees that they can never know whether someone else is looking over an attendee’s shoulder, so they should treat each online conversation as if it were taking place in a bar where it could be overheard.
Let’s review some of the possible security and privacy problems. Only you can decide whether they are concerns based on your business context and data you are sharing.
Recording. Many of the apps allow recordings to be made in the app – though some alert all the attendees if recording is occurring. Whatever security the service offers, do remind your users that anyone they are connected to can record the screens and audio outside the app, so all conversations should be conducted on the assumption that you do not have complete security. Additionally, please note that local laws vary as to whether or not the consent of all users must be obtained prior to hitting record. Advise your teams to check with legal, but as a best practice ask attendees for consent prior to hitting record.
Logging. You may want logging for future forensics work; on the other hand, you may want no logging performed at all, so that the cloud service cannot expose that data if it is breached.
Sharing Methods. You may prefer a service that only allows voice and data sharing but not video, or one that supports video in only one direction, especially in a teaching environment.
Intellectual Property Ownership. Surprisingly, some services lay claim to the intellectual property in any communications – though with the recent uptick in scrutiny, some license agreements have been changed to remove that clause. Make sure to read the fine print!
Encryption. To ensure data is not intercepted, you may prioritise services that encrypt all data in transit, though it is worth checking which protocol and version is actually used (SSL versus TLS, and which TLS versions).
Privacy. Does the service itself track each individual user, and does it share some of this information with third parties (some share with Facebook, Google and other services)?
You may decide to support just one service, though you may decide that one size doesn’t fit all requirements – perhaps more sensitive discussions use a different service than general team updates and collaboration.
To dig into the details, I recommend you consider each of the attributes below and decide the importance of each based on your priorities and then review each of the services against that list. This is possible within MVISION Cloud where we track each of these attributes (and many others) and admins can change attribute weightings and therefore compare different services. Without MVISION Cloud or a similar service it is probably a manual process.
Does the service…
- Encrypt data in transit (yes/no, and which protocol and versions: SSL, TLS 1.x)
- Encrypt data kept at rest at the service (such as recordings), and with what key strength
- Allow encryption using your own keys
- Allow anonymous use
- Offer support for multi-factor authentication
- Offer identity federation (SAML and OAuth, for example) to integrate with your authentication systems
- Provide admin, user and data access logging
- Disclose its hosting locations (in case you are concerned about which country hosts the data)
- Have known vulnerabilities such as FREAK, POODLE or Heartbleed
- Publish penetration test results
- Deploy application security vulnerability protection (web application firewalls)
- Comply with global compliance certifications (ISO 27018, SOC 2, FedRAMP etc.)
- Publish infrastructure reporting and uptime figures
Has there been…
- Any known malicious use of the service
- Any previous breaches identified
- Any published Common Vulnerabilities and Exposures (CVE) entries
- Any leaks of data to the Darknet
What is their…
- IP ownership policy
- Jurisdictional location
- Company HQ country
- Risk rating for GDPR, CCPA or other regulations
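The paragraph above describes weighting each checklist attribute and scoring every service against the weighted list. The following is an added example of that approach, written for this post and not code or data from MVISION Cloud. The rubric (how a raw answer such as “TLS 1.0” maps to a 0–1 score), the weights, the allowed hosting countries and the three service profiles are all constructed for illustration; the point is that the same profiles rank differently once an admin changes the weights.

```python
"""Weighted attribute scoring for online meeting services.

Added example, not MVISION Cloud code. The rubric, weights, allowed hosting
countries and service profiles below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ALLOWED_HOSTING: Set[str] = {"DE", "IE", "GB"}          # constructed policy
TRACKED_CERTS: Set[str] = {"ISO27018", "SOC2", "FedRAMP"}


@dataclass(frozen=True)
class ServiceProfile:
    """Raw answers to the checklist for one service (constructed data)."""
    name: str
    transit_protocol: Optional[str]   # "TLS 1.3", "TLS 1.0", "SSL 3.0" or None
    rest_key_bits: int                # 0 when recordings are stored unencrypted
    byok: bool                        # encryption with customer-held keys
    anonymous_use: bool               # attendees can join without an identity
    mfa: bool
    federation: Set[str]              # e.g. {"SAML", "OAuth"}
    access_logging: bool              # admin, user and data access logs
    hosting: Set[str]                 # ISO country codes of hosting locations
    published_cves: int               # CVE entries published against the service
    previous_breach: bool
    certifications: Set[str]
    claims_ip: bool                   # licence asserts IP over customer content


def transit_score(proto: Optional[str]) -> float:
    """Modern TLS scores full marks; legacy TLS half; SSL or nothing scores 0."""
    if proto in ("TLS 1.2", "TLS 1.3"):
        return 1.0
    if proto in ("TLS 1.0", "TLS 1.1"):
        return 0.5
    return 0.0


def rest_score(bits: int) -> float:
    return 1.0 if bits >= 256 else 0.7 if bits >= 128 else 0.0


def hosting_score(countries: Set[str]) -> float:
    """1.0 if every location is acceptable, 0.5 if some are, 0.0 if none."""
    if not countries:
        return 0.0
    if countries <= ALLOWED_HOSTING:
        return 1.0
    return 0.5 if countries & ALLOWED_HOSTING else 0.0


def cve_score(count: int) -> float:
    return 1.0 if count == 0 else 0.5 if count <= 2 else 0.0


# Rubric: attribute name -> function turning a raw answer into a 0.0..1.0 score,
# where 1.0 is the answer most favourable to the buying organisation.
RUBRIC: Dict[str, Callable[[ServiceProfile], float]] = {
    "transit_encryption": lambda p: transit_score(p.transit_protocol),
    "rest_encryption":    lambda p: rest_score(p.rest_key_bits),
    "byok":               lambda p: float(p.byok),
    "no_anonymous_use":   lambda p: 0.0 if p.anonymous_use else 1.0,
    "mfa":                lambda p: float(p.mfa),
    "federation":         lambda p: 1.0 if p.federation else 0.0,
    "access_logging":     lambda p: float(p.access_logging),
    "hosting_locations":  lambda p: hosting_score(p.hosting),
    "known_cves":         lambda p: cve_score(p.published_cves),
    "previous_breach":    lambda p: 0.0 if p.previous_breach else 1.0,
    "certifications":     lambda p: len(p.certifications & TRACKED_CERTS) / len(TRACKED_CERTS),
    "ip_ownership":       lambda p: 0.0 if p.claims_ip else 1.0,
}

# Admin-adjustable weights (constructed). A second set emphasises privacy.
DEFAULT_WEIGHTS: Dict[str, float] = {
    "transit_encryption": 3, "rest_encryption": 3, "byok": 1, "no_anonymous_use": 1,
    "mfa": 2, "federation": 1, "access_logging": 1, "hosting_locations": 1,
    "known_cves": 2, "previous_breach": 2, "certifications": 1, "ip_ownership": 2,
}
PRIVACY_WEIGHTS: Dict[str, float] = {
    **DEFAULT_WEIGHTS, "hosting_locations": 5, "previous_breach": 5, "ip_ownership": 5,
}


def score(profile: ServiceProfile, weights: Dict[str, float]) -> float:
    """Weighted average of rubric scores, scaled to 0..100 and rounded to 0.1."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    weighted = sum(w * RUBRIC[attr](profile) for attr, w in weights.items())
    return round(100.0 * weighted / total, 1)


def rank(profiles: List[ServiceProfile], weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Services ordered best-first under the given weights."""
    return sorted(((p.name, score(p, weights)) for p in profiles),
                  key=lambda t: t[1], reverse=True)


def weakest_attributes(profile: ServiceProfile, weights: Dict[str, float], n: int = 3) -> List[str]:
    """Attributes costing the most weighted points, i.e. what to raise with the vendor."""
    return sorted(weights, key=lambda a: weights[a] * (1.0 - RUBRIC[a](profile)), reverse=True)[:n]


# Constructed service profiles; the names are placeholders, not real vendors.
SERVICE_A = ServiceProfile("ServiceA", "TLS 1.3", 256, True, False, True, {"SAML", "OAuth"},
                           True, {"IE"}, 0, False, {"ISO27018", "SOC2"}, False)
SERVICE_B = ServiceProfile("ServiceB", "TLS 1.2", 128, False, True, True, {"OAuth"},
                           False, {"US"}, 3, True, {"SOC2"}, True)
SERVICE_C = ServiceProfile("ServiceC", "TLS 1.0", 0, False, True, False, set(),
                           True, {"DE", "US"}, 1, False, set(), False)
SERVICES = [SERVICE_A, SERVICE_B, SERVICE_C]

if __name__ == "__main__":
    for label, weights in (("default", DEFAULT_WEIGHTS), ("privacy", PRIVACY_WEIGHTS)):
        print(label, rank(SERVICES, weights))
    print("ServiceB gaps:", weakest_attributes(SERVICE_B, DEFAULT_WEIGHTS))
```

Under the default weights ServiceB edges out ServiceC on the strength of its transport encryption and MFA; once hosting location, breach history and IP ownership are weighted up, ServiceC moves ahead. The `weakest_attributes` helper turns the same data into the short list of questions to put to a vendor before approving a service.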
Once a decision has been made on the appropriate service(s) for your organization, communicate it to your employees and business partners, and consider blocking the services you do not trust. This can be achieved by using a CASB for cloud evaluation and closed-loop remediation, integrating it with your proxies, firewalls or endpoint proxy capabilities. Consider splash pages for users to direct them to the approved services and reinforce best practices.
This is a fast-moving space, as many of these services are now under scrutiny as never before. Keep track of news stories; there have been many in the last few days, whether from lawyers reviewing service privacy policies and end-user license agreements or from vulnerabilities found in the apps or services. The app developers regularly release new versions, so employees should be advised to keep the apps up to date to minimise these concerns.
Finally, the obvious best security practice is not to share images of the discussions on social media: attackers can read usernames or meeting IDs from them and, if those IDs are static, potentially use them to join future meetings.
For more information on MVISION Cloud, McAfee Web Gateway and our DLP solutions, please follow the link below or contact any McAfee partner or local office. https://www.mcafee.com/enterprise/en-us/solutions/cloud-security.html