
Zooming In: How to Video Conference Securely

The New Normal

For many organisations, the COVID-19 pandemic has led to a large number of employees working from home. This increase in remote working has resulted in a proliferation of video-conferencing applications.

Video-conferencing services can do a lot to help organisations overcome many of the difficulties they face, but it’s important to perform certain checks when choosing a video-conferencing application and make sure you configure it securely.


Choosing a Video-conferencing Service

If your organisation already has access to video-conferencing applications as part of its existing software services, you should do a risk assessment (even if one has been done before) to make sure they are suitable for remote working.

If your organisation is considering a new service, you should do risk assessments and perform checks for a shortlist of service providers. The results of these assessments, considered alongside the provider’s terms and conditions (and privacy statement), will give you an understanding of what is required.

For example:

• how the provider implements basic security controls

• where your data is held

• what they can do with it.

If your organisation needs to use video-conferencing for more sensitive meetings, you should follow the National Cyber Security Centre’s (NCSC’s) Cloud Security Principles [1] to determine whether a service meets your organisation’s security needs.

Some video-conferencing services implement end-to-end encryption, so that all data is encrypted in transit and can only be decrypted by participants of the meeting. Others encrypt data only between user devices and the service, which allows the provider to offer more functionality (such as server-side recording or transcription) but also means the provider itself can access the meeting content.

Many video-conferencing service providers also offer premium options, which provide extra features or levels of service. These may include enhanced security, configuration and privacy options.

Cloud services often store and process data in (and route traffic through) data centres across several countries and jurisdictions. It’s important to know where your data is, who can access it and under what circumstances they can do so. If your organisation is in a regulated industry or handles government data, you should again refer to the NCSC Cloud Security Principles to find out whether a service is secure enough for your organisation’s needs.

Using and Configuring a Video-conferencing Service

When configuring a video-conferencing service, set companywide defaults and controls if this is possible.

Carefully consider which settings to enforce and which to set as defaults that can be overridden in particular meetings. You should configure the default settings in a way that balances user needs with security. For example, the ability to share screens may be appropriate for some users but not others.

Employees will need to log in to the video-conferencing service to be able to schedule meetings. Some services also allow or require users to authenticate before they join meetings. Single sign-on (SSO) is recommended; it is achieved by integrating the video-conferencing service with your existing corporate identity provider. This means that the service will inherit the identity protections (such as password policy and multi-factor authentication) that your other corporate services already have. It will also provide a better user experience by reducing the number of times that authentication is required.

If it isn’t possible to provide single sign-on, you should configure the service according to your organisation’s password policy and include multi-factor authentication.


Some employees will need accounts with privileges that allow them to, for example, configure the service or access logs, transcripts or recordings. Apply the principle of least privilege by using role-based access control to ensure that no one has more privileges than they need.

Being able to control who can join (or start) meetings will help keep the discussions confidential and prevent unwanted interruptions. Usually, participants click on a link or enter a unique code to join meetings that have been arranged in advance. It is recommended that:

• users from your organisation (and guests who were invited to the meeting) are allowed straight into a meeting

• unauthenticated users are required to enter a passcode

• unauthenticated users are held in a waiting area (often referred to as the ‘lobby’), and only admitted to the meeting once their identity has been confirmed by a trusted participant.
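The three admission rules above, as an added Python example that is not part of the original article: an authenticated organisation user or invited guest is admitted straight away; anyone else must present the meeting passcode and is then held in the lobby until an already-admitted participant confirms them. The organisation domain, the passcode and the participant names are constructed sample values.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample value: the organisation's identity domain.
ORG_DOMAIN = "example.org"


@dataclass
class JoinRequest:
    display_name: str
    authenticated_email: Optional[str]  # None when the joiner is not signed in
    invited: bool                       # on the invite list (only trusted if authenticated)
    passcode: Optional[str] = None      # supplied by unauthenticated joiners


@dataclass
class Meeting:
    passcode: str
    admitted: List[str] = field(default_factory=list)
    lobby: List[str] = field(default_factory=list)

    def on_join(self, req: JoinRequest) -> str:
        """Apply the admission rules; returns 'admitted', 'lobby' or 'rejected'."""
        # Rule 1: authenticated organisation users and invited guests go straight in.
        if req.authenticated_email and (
            req.authenticated_email.lower().endswith("@" + ORG_DOMAIN) or req.invited
        ):
            self.admitted.append(req.display_name)
            return "admitted"
        # Rule 2: everyone else must present the passcode (constant-time comparison).
        if req.passcode is None or not hmac.compare_digest(req.passcode, self.passcode):
            return "rejected"
        # Rule 3: a correct passcode only earns a place in the lobby, not the meeting.
        self.lobby.append(req.display_name)
        return "lobby"

    def admit_from_lobby(self, host: str, name: str) -> bool:
        """An already-admitted participant confirms a lobby member's identity."""
        if host not in self.admitted or name not in self.lobby:
            return False  # lobby members cannot admit each other
        self.lobby.remove(name)
        self.admitted.append(name)
        return True
```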

Some video-conferencing services allow users to make a call to users inside or outside your organisation without arranging it in advance. If this feature is available, consider blocking calls that originate from outside your organisation if they are not in a user’s contacts list. If you do not block such calls, you should still configure the service to block calls from unidentified or unauthenticated users.

Video-conferencing services often include extra features, such as:

• file sharing

• screen sharing

• instant messenger chat

• automatically generating a transcript of the call

• remote control of another participant’s device.

If employees need to use these features, you will need to decide whether you trust the service enough to protect the extra data that will be sent to (or through) the service. If you do, you’ll need to choose whether to enable these features by default or make them options that need to be chosen for each meeting.

If the service allows you to record calls or save text chats and shared files, make sure you know where this data is stored and who can access it.

Using Video-conferencing Services Securely

Employees who are working from home for the first time might not have used video-conferencing services before, so give them clear guidance on how to use the service securely.

Users should test that the service is working before they use it for real meetings (some include a ‘test’ feature that can help with this). They should know how to mute the microphone and how to turn off the camera. This will give them more control over what they share with others.

You should also advise employees:

• to treat the details explaining how to join a meeting as if they are as sensitive as the meeting itself

• to consider blurring their background or using a background image (if this feature is available)

• how to check when their webcam is active, so they can be confident that it is no longer active when it is not in use

• how the service indicates when the meeting or call is being recorded.

The meeting organisers (and sometimes their delegates) will have more controls than are available to the other attendees. You should ask employees who host meetings with participants from outside your organisation to hold a test meeting to familiarise themselves with controls such as approving participants in the lobby, removing participants from the call and muting individuals.

When setting up the call, the meeting organiser should consider which features (such as screen sharing and file sharing) are appropriate for the meeting and whether to make them available to a subset of participants only.

If meetings are password-protected, the meeting organiser should share that password with participants only. For example, the organiser could send an email containing the password to participants directly, rather than including it in a calendar appointment (which could be seen by everybody in your organisation).

During the video conference, the meeting organisers should be responsible for:

• verifying the identity of all participants on the call

• appropriately approving participants being held in the lobby

• removing participants who have not been successfully identified.

You can find more guidance on using video-conferencing securely on the NCSC website [2].

[1] National Cyber Security Centre (n.d.). Implementing the Cloud Security Principles. https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles (Last accessed November 2020)

[2] National Cyber Security Centre (n.d.). www.ncsc.gov.uk (Last accessed November 2020)

Article by Stuart Walsh, Chief Information Security Officer (CISO)
