Cloud: Choosing the right videoconferencing service

I have been asked, “Which is the best collaboration and videoconferencing service?” many times in the last few days as we need to communicate with our colleagues, business partners and customers when working remotely. 

Just like there’s no “best” car, there’s also no best collaboration service, but here are a few suggestions around security and privacy to consider when deciding which services to support and use in your organisation. Remember, your employees are also receiving requests from your business partners to join their services, so it’s a good idea not only to define your approved services, but also to make recommendations to your users about others they may come across.

I have just reviewed the MVISION Cloud Registry, where we list and rate over 250 different Online Meeting services. Although some of these offer online meetings as just one part of a wider set of applications, there’s no shortage of possible options.

I won’t discuss functionality in this blog, as there are many places to find those comparisons. Instead I will focus on the information you should review from a security and privacy point of view. Don’t forget to educate your employees too: they will never know whether someone else is watching over the shoulder of an attendee, so they should treat each online conversation as if it is taking place in a bar and could potentially be overheard.

Let’s review some of the possible security and privacy problems. Only you can decide whether they are concerns based on your business context and data you are sharing. 

Recording. Many of the apps allow recordings to be made in the app – though some alert all the attendees if recording is occurring. Whatever security the service offers, do remind your users that anyone they are connected to can record the screens and audio outside the app, so all conversations should be conducted on the assumption that you do not have complete security. 

Logging. You may want logging for future forensics work. On the other hand, you may want no logging performed, to ensure that the cloud service doesn’t lose that data if it gets hacked.

Sharing Methods. You may prefer to use a service that only allows voice and data sharing but not video, or one that supports video in only one direction, especially in a teaching environment.

Intellectual Property Ownership. Surprisingly, some services lay claim to the intellectual property in any communications – though with the recent uptick in scrutiny, some license agreements have been changed to remove that clause. Make sure to read the fine print! 

Encryption. To ensure data is not intercepted, you may prioritise those services that encrypt all data in transit, though it is worth checking the encryption methods used (SSL, TLS versions etc.).

Privacy. Does the service itself track each individual user and does it share some of this information with 3rd parties (some share with Facebook, Google and other services)? 

You may decide to support just one service, though you may decide that one size doesn’t fit all requirements – perhaps more sensitive discussions use a different service than general team updates and collaboration. 

To dig into the details, I recommend you consider each of the attributes below and decide the importance of each based on your priorities and then review each of the services against that list.  This is possible within MVISION Cloud where we track each of these attributes (and many others) and admins can change attribute weightings and therefore compare different services. Without MVISION Cloud or a similar service it is probably a manual process. 

Does the service… 

  • Encrypt data in transit (yes/no and methodology SSL, TLS & versions) 

  • Encrypt data kept at rest at the service (such as recordings) & key strength 

  • Allow encryption using your own keys 

  • Allow anonymous use

  • Offer support for multi-factor authentication 

  • Offer identity federation (SAML & OAuth for example) to integrate with your authentication systems

  • Provide admin, user and data access logging 

  • Hosting locations (in case you are concerned about which country hosts the data) 

  • Have cyber vulnerabilities such as FREAK, POODLE or Heartbleed

 

Do they… 

  • Publish penetration test results 

  • Deploy application security vulnerability protection (web application firewalls)

  • Comply with global compliance certifications (ISO27018, SOC2, FedRAMP etc.)

  • Publish infrastructure reporting and uptimes. 

 

Has there been… 

  • Any known malicious use of service 

  • Any previous breaches identified 

  • Any published Common Vulnerabilities and Exposures (CVE) entries

  • Leaks of data to the Darknet 

 

What is their… 

  • Privacy policy (sharing with 3rd parties) 

  • IP ownership policy 

  • Jurisdictional location 

  • Company HQ country 

  • Risk rating for GDPR, CCPA or other regulations 
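
For readers doing the comparison manually, here is one way to turn the checklist into a weighted score with knock-out criteria. This is an added example, not code from MVISION Cloud or the original post; the attribute keys, weights, mandatory set and the three services are constructed assumptions.

```python
# Added example: weighted comparison of services against the checklist.
# Service names, answers and weights below are constructed for illustration.
WEIGHTS = {  # importance per attribute; set your own priorities here
    "encrypts_in_transit": 5,
    "encrypts_at_rest": 4,
    "customer_managed_keys": 2,
    "mfa": 4,
    "federation": 3,
    "access_logging": 3,
    "publishes_pentest_results": 1,
    "no_third_party_sharing": 4,
    "no_ip_ownership_claim": 5,
}
# Knock-out criteria: a service failing any of these is rejected outright.
MANDATORY = {"encrypts_in_transit", "no_ip_ownership_claim"}

def score(answers, weights=WEIGHTS, mandatory=MANDATORY):
    """Return (percent, failed_mandatory, unverified) for one service.

    answers maps attribute -> True / False / None (None or absent = not yet
    verified). Unverified attributes earn nothing, so research gaps lower
    the score instead of silently counting as a pass.
    """
    total = sum(weights.values())
    earned = sum(w for a, w in weights.items() if answers.get(a) is True)
    failed = sorted(a for a in mandatory if answers.get(a) is not True)
    unverified = sorted(a for a in weights if answers.get(a) is None)
    return round(100 * earned / total), failed, unverified

def rank(services):
    """Order services: those passing all mandatory checks first, then by score."""
    rows = [(name, *score(ans)) for name, ans in services.items()]
    return sorted(rows, key=lambda r: (bool(r[2]), -r[1], r[0]))

ALL_YES = dict.fromkeys(WEIGHTS, True)
SERVICES = {  # constructed sample answers
    "ServiceA": {**ALL_YES, "customer_managed_keys": False,
                 "publishes_pentest_results": None},
    "ServiceB": {**ALL_YES, "no_ip_ownership_claim": False},
    "ServiceC": {"encrypts_in_transit": True, "mfa": True,
                 "no_ip_ownership_claim": True, "no_third_party_sharing": False},
}

if __name__ == "__main__":
    for name, pct, failed, unverified in rank(SERVICES):
        verdict = "REJECT" if failed else "candidate"
        print(f"{name}: {pct}% {verdict} failed={failed} unverified={unverified}")
```

In the sample data ServiceB scores higher than ServiceC yet ranks last, because it fails a mandatory attribute; a raw weighted total alone would hide that.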

Once a decision has been made on the appropriate service(s) for your organization, communicate with your employees and business partners and consider blocking those services you do not trust. This can be achieved by using a CASB for cloud evaluation and closed-loop remediation by integrating it with your proxies, firewalls or endpoint proxy capabilities. Consider showing splash pages to users to help direct them to the best services and ensure best practices.

This is a fast-moving space as many of these services are now under scrutiny as never before. Keep track of news stories: there have been a lot in the last few days, either about lawyers reviewing the service privacy policies and end user license agreements, or about vulnerabilities in the apps or service. The app developers regularly bring out new versions, so employees should be encouraged to keep the apps up to date to minimise these concerns.

Finally, the obvious best security practice is not to share images of the discussions on social media – attackers can find out usernames or meeting IDs and if those are static IDs, potentially try to break into the meeting in the future. 

 

This insight is part of techUK's Cloud Week 2020. You can find related news and insights here.

  • Sue Daley

    Associate Director | Technology & Innovation
    T 020 7331 2055
