WebRTC security: Could browser-based communications pose security threats?

As the WebRTC standard nears completion, enterprises are considering WebRTC security and how to protect their networks from new vulnerabilities.

WebRTC's ability to embed video and voice communications within a Web browser -- without plug-ins -- is an exciting proposition, especially for businesses that communicate directly with consumers and enterprises whose employees need to collaborate with external partners. However, there are WebRTC security implications that enterprises must first address.

WebRTC-enabled applications could open enterprises up to new vulnerabilities.

"WebRTC is the logical next step for communications on the Internet, but it could open the door for both good and bad applications," said Michael Brandenburg, industry analyst at Mountain View, Calif.-based Frost & Sullivan Inc. "As soon as users are able to click Web links and agree to that communication, [WebRTC] is potentially exposing the internal network if enterprises aren't prepared from a security standpoint."

WebRTC security is a priority for all enterprises

Most Web browser developers have focused on consumer experience, but they haven't necessarily thought about enterprise requirements and what it will take for WebRTC to work through a firewall. Enterprise security and privacy, however, are still top of mind for the developers of the WebRTC protocol, said Cullen Jennings, distinguished engineer and fellow at Cisco.

"The [WebRTC specifications] have to support what enterprise users need, and make sure the [developers of] browsers correctly implement those standards," Jennings said. The standards work for WebRTC is a joint project by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF). Jennings is a co-author of the W3C specifications for WebRTC, and is a co-chair of the IETF WebRTC working group.

Many enterprises are looking forward to WebRTC applications, but IT teams are uncertain about the security of browser-based communications. "Organizations are still concerned with little things -- like accidentally enabling someone else's camera when it's not supposed to be on, all the way up to corporate espionage level," Jennings said.

There are already some fundamental WebRTC security techniques in place. WebRTC will encrypt data, voice and video as it travels from a website to a user, or between users, he said. WebRTC-enabled browsers will notify users that a website wants to access a device's camera and microphone, and the user will have the ability to deny permission.

Some websites currently have a "long-term permission model." Users who permit a site to access their camera or microphone one time may not realize the site still has access even after their session is complete. "We want to develop ways of indicating to the user that this is happening … and what could happen if those websites are compromised," Jennings said. "If hackers can use those permissions to access information, then it's definitely a risk that enterprises need to be concerned about."

Even though WebRTC will be standards-based and will be reasonably secure, for every system that gets built, there is someone else trying to break it, Frost & Sullivan's Brandenburg said.

The WebRTC working groups are also working on desktop-sharing options, which would have strong permission models in which users would have to grant permission to share their desktops with another user, he said.

SBCs can promote secure video conferencing and collaboration

Enterprise IT teams have to strike a balance between giving users the tools and applications they want while protecting the corporate network. Though WebRTC is not finalized, some vendors are already developing edge monitoring systems that will allow enterprises to understand what traffic is flowing over their network.

Session border controller (SBC) vendors like Acme Packet, Dialogic and Sonus are working toward delivering platforms that can apply policies to WebRTC sessions, said Irwin Lazar, vice president and service director at Mokena, Ill.-based Nemertes Research Group Inc.

"WebRTC is another signaling mechanism for a real-time protocol, and it's the responsibility [of the SBC vendor] to protect the application against a denial-of-service attack, and also to encrypt WebRTC sessions from the end client, all the way to the host," said David Tipping, vice president and general manager of Sonus' SBC business unit.

Once the standard is finalized, Sonus' SBCs will have the ability to authorize WebRTC sessions the same way other voice and video sessions are authorized, Tipping said.

"I suspect that once WebRTC is fully baked, most enterprises will require routing of all WebRTC sessions through a [SBC] to manage policies and security," Lazar said.

Let us know what you think about the story; email: Gina Narcisi, news writer, and follow @GeeNarcisi on Twitter.
