Security remains at the heart of a successful enterprise strategy. Today’s escalating cybercrime places an enormous strain on resources and the threat of a data breach is not only damaging to the business, but it can also have a tremendous negative impact on customer trust.
Communications solutions and cloud-based services need to be integrated and built with security by design to scale your collaboration aspirations in line with business growth. As the workforce requires more integrated collaboration tools, users need to be confident that they can safely join meetings from any room or device.
It is relatively simple to manage security within the boundaries of your own enterprise. However, vulnerabilities can occur when there is a need to communicate outside of your own network perimeter, especially if you do not have a robust security posture or cloud architecture in place.
A recent example was witnessed in November 2018 where Tenable announced that its research team had discovered a serious vulnerability in a Desktop Conferencing Application from a US-based video communications company that allowed a remote attacker or rogue meeting attendee to hijack screen controls, impersonate meeting attendees via chat messages, and kick attendees out of meetings.
The vulnerability [CVE-2018-15715] used an unauthorized command execution via their event messaging pump and exposed up to 750,000 companies around the world that used the solution to conduct day-to-day business. The company was notified about the vulnerability in October 2018 and issued patches in late November.
Vulnerabilities in infrastructure and in the cloud are playgrounds for hackers to infiltrate a virtual meeting room and cause disruption but there are ways businesses can protect themselves. Here are five disciplines that enterprise leaders should consider when formulating a successful collaboration strategy and planning a robust cloud security posture.
- Security by design - When considering video conferencing and collaboration solutions, buyers should stipulate to vendors that their data must be encrypted from end to end, so that malicious intruders cannot access it at any point. Buyers should check that the system software is designed, coded, and maintained by the cloud service provider in a secure, compliant environment. While using a private cloud will not always a guarantee complete cybersecurity, it is certainly a good step on the road to a more secure AV environment. Software design and development should not be outsourced, as this adds time and inefficiencies into the coding, testing, and release processes. New disruptive technologies and threats are emerging daily, and an enterprise needs to be assured that any vulnerabilities can be identified, contained, and neutralized as quickly as possible.
- Location security - The crucial differentiation for organizations when standardizing on video conferencing and messaging solutions is to work with a vendor who entirely owns the platform infrastructure in secure locations. Check for compliance with industry standards, such as ISO 27001. This certification includes all legal, physical, and technical controls involved in an organization’s information risk management processes. Whether using on-premises, public cloud or hybrid platforms, an advanced firewall and two-way encrypted traffic are essential to protect valuable assets and sensitive information.
- Always on - Ask for statistics with respect to system availability and disaster recovery options from the provider. Data centers need to be fully redundant in terms of information backup, power supply, and server hardware. Failover in an emergency should be to another secure location within the same data jurisdiction. Cloud software updates need to be managed in a controlled fashion, such that enterprises are not subject to unofficial releases, unplanned or unauthorized beta tests. Enterprises need to ensure they have an SLA that provides a minimum of 99.9% uptime.
- Data Security - After establishing security practices at the data center, ask the cloud provider how they protect meetings that are in progress. Encrypting the video transmission and data, strengthening the authorization process, and implementing an advanced firewall are techniques that providers need to adopt to create a safer environment for the operation and users. Both media and signaling must be encrypted in order to prevent toll-fraud or unauthorized persons eavesdropping on meetings.
- Privacy - Ensure that there is a clear statement by the cloud service provider on compliance with Privacy Acts such as GDPR, the pending California Privacy Act, and ePrivacy regulations.
Communicating safely with a global, dispersed workforce is essential for enterprise business continuity today. Although patches were issued to protect against the hacks which occurred in the case referenced earlier, trying to patch all the vulnerabilities in a solution totally reliant on third-party vendors whose technology is out of the vendor’s direct control, does not provide full security.
Therefore, trust in cloud-based solutions can only be gained when the vendor fully owns the global points of presence (data centers) within each jurisdiction to ensure data is stored with geographical redundancy.
In addition, their services must be secure-by-design, managed efficiently, and offer appropriate failsafe support in the event of an incident. Security is a shared responsibility. Buyers need to be diligent in their approach to find the best-of-breed products that address their collaboration requirements. Ultimately, solution providers should design and develop all products with built-in security as a priority to safeguard users’ data from cyber-criminals.