Security in Video Conferencing and Collaboration

Over the past 5 years or so we have seen video conferencing solutions progress from peripheral corporate technology to mission-critical business applications. The richness of communication available through face-to-face high-definition video conferencing does more than just save money on travel time; it provides the environment for high level discussion on critical business issues. Video conferencing is now used in the boardroom for discussion of legal issues, mergers and acquisitions and other sensitive matters.

AV information flow
In the board room it isn’t only video data flowing these days. Companies have smart boards and other rich communication tools. Strategy meetings are characterised by the sharing of sensitive data; data that could be valuable to competitors. AV technology has facilitated a new type of collaboration that was simply not possible in the past.

More reliance and sensitivity of data equals more security focus
As the technology become more integral to business processes, security concerns have come to the fore. Different organisations require different levels of security control; it is only natural that the more sensitive that information is, the more important it is to protect it.

Our London Office

Educational Media and Technology Centre, Boston University
Domenic Screnci, Executive Director of the Educational Media and Technology Centre at Boston University, explains that they are security conscious, but not worried about security. The organisation utilises video conferencing both in designated rooms and on mobile devices. Their main video conferencing activities include distance learning and collaboration. Screni rightly points out that these activities are not high-profile, high profit targets for hackers.

The White House Situation Room
The situation room in the White House is over 5000 ft². and is a very different case in terms of security. It is an intelligence management centre and conference room; a Sensitive Compartmented Information Facility. There are 6 flat panel display video conferencing displays in the room. There is even a direct secure feed to Air Force One.

The White House recognise that it is people that are the biggest threat to communication privacy; as in most situations. As they enter the room the VIPs surrender their mobile phones, and there are signal detectors installed in the ceilings to detect any rogue communications device.

The other major threat is electronic malware; spying software that could penetrate the firewalls and security protocols and listen in to the most sensitive of information. The situation room runs what is essentially its own internet, cut off from the outside. Extremely sensitive information calls for extreme security measures.

HD Moore, chief security officer at Rapid7
A corporate conference room needs security somewhere between the two extremes above. The New York Times ran a story about how HD Moore hacked into a dozen corporate video conference rooms, and could even move the camera around. Thankfully Moore works for a Boston based company that identifies security holes in technological platforms, and he had no sinister intent.

Moore explains that he has hacked into Oil Companies and even Pharmaceutical Giants. His journey even entered the boardroom of Goldman Sachs. Moore said, “these are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

Indeed, Moore developed software to scan for video conferencing set ups outside firewalls, and scanned 3% of the internet in 2 hours. He found over 5000 conference rooms that were wide open. He stumbled into some fairly sensitive conversations.

Another major oversight by many video conferencing administrators is that they set up the installation with auto-answer configured. David Morrison, senior product manager at Lifesize, explains that no firewall and auto-answer is like having a lock on your front door but not using it. You are allowing people to just walk in unimpeded. Morrison states that it is very easy to implement basic, but effective video conferencing security, whether you are using an “in Cloud” solution, or “in premises” set up.

A look at security concerns
Security concerns fall into 4 main areas, according to a recent IVCI whitepaper. These areas are confidentiality, integrity, availability and accountability. It is important that all of these areas are tackled when considering the security of your communication and collaboration!

Confidentiality and security
Confidentiality refers to the protection of the information that is processed and stored.

It essentially means limiting the information to the people that are supposed to have access to it. In order to achieve this the administrative settings, configurations settings, security settings and of course user credentials must be strategically implemented and tightly controlled.

These controls should be placed on the video conference environment (hardware/software/firewalls) but also on the users themselves. There should be processes in place for the strength of passwords, the provision of privileges and access, and for the monitoring of unauthorised or inappropriate communications.

Integrity of data flow
Integrity refers to the quality, wholeness and completeness of the communication.

Any information passed through video conferencing needs to be accurate and as intended. Any accidental or deliberate manipulation of the data flow can cause serious impairment to the collaboration process. Therefore, digital signatures and digital certificates should be in place to ensure integrity of data flow.

Availability of functionality
Availability refers to access to the software and hardware.

There can be deliberate threats and attacks, such as the recent denial of service attacks which we have seen on many systems around the world. There can also be environmental conditions and modifications that can cause availability issues, or device malfunctions and failures.

In order to ensure availability the environment must be protected as much as possible. In certain situations the environments are inherently non-secure, but still as much as possible should be done, such as deploying high level firewalls with strict access controls, controlling the number of people that can update and manage hardware and software, putting in place backup procedures and routine maintenance schedules, and strictly controlling the integration of 3rd party applications.

In any situation availability is a balancing act between performance and cost; where the tipping point between performance and cost is related to the importance of the video conferencing function. As the applications become more mission-critical there is bigger lean towards the need for availability outweighing the requirement of cost control. This may mean more expensive hardware, and tighter security protocols.

Accountability driving security
Accountability refers to the ability to log and proactively track managerial tasks, and communication and collaboration sessions.

This involves monitoring user activities, such as logins and file transfers, communication session information, and any violations of security protocols. Tracking functions provide the ability to ensure that people are doing what they should be doing with the technology, and therefore that security is not being jeopardised by user behaviour.

What do you need to do?
The takeaway here really is that you need to understand how sensitive your communications are, and implement an appropriate level of security. If you are serious about security you need to do a security audit regularly of the 4 main security areas to ensure that the protocols that you have in place are fit for purpose. This provides you with a basis for conversation amongst your internal security professionals, or with the third party video conferencing company with whom you engage.

Thankfully, companies like Polycom, Lifesize and Cisco invest heavily in research and development of security capabilities, and we have experts on hand to help you understand what is best for your company.

Shawn Dainas, a Polycom spokesman, explains that auto-answer is normally on by default on their installations; certainly frowned upon by Moore. However, there are password protections, auto-mute and camera control lock functions that enable appropriate security controls. Dainas explains that the “security levels have been designed to make it easy for our customers to enable security that is appropriate to their business.”

When setting up your system you should be clear on the status of auto-answer, and should put your system behind an appropriately secure firewall. If you do that then the security features of installations from the leading suppliers are capable of doing the rest. All you need to do is tell the administrators how secure you want to be.