Executives aren't using their expensive telepresence rooms to chitchat. High-definition (HD) video conferences
tend to handle the juicy stuff -- business deals, acquisitions, legal issues -- making them an attractive target for hackers. But don't pull the plug just yet; the actual risk of attack on any kind of video conferencing system is minimal today, and vendors are focusing on video conferencing security.
"I don't think it's a huge threat because not a ton of people are using video conferencing," said Rob Ayoub, industry manager at Frost & Sullivan. "But no doubt there is a lot of valuable information going across the line. If [a hacker] can eavesdrop on a board meeting where people are [calling in from] a lot of locations, then that's access to some very sensitive data."
Telepresence and video conferencing systems today do offer some encryption for live sessions and access control for the system, which satisfies Domenic Screnci, executive director for the Educational Media and Technology Center at Boston University.
Screnci said other organizations, like financial firms or the military, probably face more risk of a video conferencing security breach than his university, which uses room-based and mobile Tandberg systems for a variety of purposes: meetings, interviews, collaboration, dissertation defenses, distance learning -- all content that would hold little value for hackers.
"I don't think it's going to be a major concern unless you're in an environment [that handles sensitive data]," he said. "We're in academia, and … [even on the medical school campus] we don't do any patient work with it, so HIPAA and those kinds of issues with patient privacy and access to information would not be an issue for us."
Screnci, who also serves as chairman of the Interactive Multimedia Collaborative Communications Alliance, said his system's point-to-point architecture also allays any underlying video conferencing security concerns.
"Our system is not hanging off of a network … which [could] probably create more vulnerability because somebody can use that [video conferencing server] to get a back way into your network," he said. "The irony is [that] what we're doing, which is less sophisticated, is safer on some levels."
What does secure video conferencing entail?
Although desktop video conferencing may expose some vulnerabilities -- a confidential document or image may be inadvertently visible in the background -- posh telepresence and HD video conferencing suites should be the focus of video conferencing security strategies, according to Irwin Lazar, vice president at Nemertes Research.
"The biggest concern from an enterprise perspective would be telepresence because that's the one service their executives are more likely to use and conduct critical business across," Lazar said. "[Enterprises] are also likely relying on service providers for connectivity … and will probably want some guarantee that [the carrier] is not peeking into the video stream."
The risks will rise as more enterprises use video conferencing and telepresence for inter-company meetings of partners, clients and suppliers, he said. Recorded sessions that contain sensitive data must be identified and have restricted access, and live sessions must have safeguards in place to prevent data leaks or denial-of-service attacks, Lazar added.
Collaboration platforms integrated with video conferencing also up the chance for data leakage, particularly if users are sharing desktops or confidential documents through Internet-based services, according to Ayoub.
Session border controllers (SBCs) can complement endpoint- and device-focused security infrastructure with more of a network-oriented approach, according to Jonathan Zarkower, director of fixed line solutions marketing at Acme Packet, an SBC vendor.
"We are more focused on preventing attacks and threats that occur at probably the upper layers [of the OSI model] -- everything really from Layer 3 through Layer 7," Zarkower said. "Those functions are applied to the network as a whole, not specific to certain endpoints or UC servers."
Threat level likely to rise, video conferencing security needs to follow
Attacks on telepresence and video conferencing systems are unlikely today, but enterprises should be prepared for a treacherous future. Video is exposed to the same security issues as other IP- and SIP-based communications that "normal firewalls" don't address, according to Lisa Pierce, president of Strategic Networks Group, a unified communications (UC) consulting firm.
Enterprises typically directly connect their room-based video conferencing and telepresence equipment into a Multiprotocol Label Switching (MPLS) network via dedicated access, with no firewall in between, Pierce said. But "the walled garden approach breaks down," she said, as enterprises accommodate more telecommuters, audio-conferencing-only remote participants and collaboration applications.
"I don't necessarily think it's a big issue right now, but certainly it's a legitimate concern, and better to be prepared than find yourself victimized," Pierce said. "The need for security exists, and now enough businesses are recognizing this to demand solutions. They won't embrace video conferencing without security."
Polycom recently announced that it would partner with security vendor McAfee to identify and rectify potential vulnerabilities, though a spokesman declined to name any specific threats or vulnerabilities the vendors planned to address.
"We have passwords to get into [conferencing platforms] and, from our perspective, that's secure," said Mark Roberts, vice president of partner marketing at Polycom. "But the security guys are like, 'Uh, no.'"
As part of the partnership, Polycom will integrate McAfee's ePolicy Orchestrator software into its endpoints and UC Intelligent Core -- a move intended not only to improve and simplify video conferencing security but also to broaden the industry's approach to UC security as a whole, Roberts said.
"People have done things to address security in video conferencing and unified communications systems like session border controllers and encryption, but … those are pretty [isolated]," Ayoub said. "This is more about tying these UC devices into the actual fabric of your existing security infrastructure."
On August 19, Intel announced plans to acquire McAfee for $7.68 billion in cash. A Polycom spokeswoman said the merger will not interfere with the Polycom-McAfee partnership.
Let us know what you think about the story; email: Jessica Scarpati, News Writer
Dig deeper on Unified Communications Security