Video conferencing security isn't just for the government anymore. Concerns over information protection, such as keeping sensitive product plans or designs out of the wrong hands; avoiding leakage of privileged conversations to YouTube or the evening news; and protecting personal privacy in accordance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) are raising awareness of video conferencing security in the enterprise, especially as video proliferates across video sharing platforms and mobile devices.
But without military-grade encryption, hardened facilities and top secret clearances for meeting participants, how do corporations secure their own meetings from prying eyes and protect sensitive discussions from leaking into the wrong hands? Common approaches include presence and identity management, encryption and the institution of acceptable use policies (AUP).
Presence and identity-based access controls allow companies to control who has access to live conferences and pre-recorded sessions. Identity controls such as multifactor authentication (MFA) against an access control system enable companies both to allow specific individuals to access conferences and to track their access.
Presence awareness allows conference administrators to see exactly who is on the conference. Identity management can be either user-based -- e.g., Joe Smith can access conference x, y and z -- or role-based, such as anyone in product development being able to access conferences hosted by other product development managers. Access controls can also extend to video conferencing facilities -- requiring the use of a pass card to enter a video conferencing room, for example. By instituting presence and access controls, companies solve the challenge of knowing who is on a call, allowing only authorized individuals to participate in a call and creating an audit trail of conference access.
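The access decision described above can be sketched in a few lines. This is an added example, not code from the author or from any conferencing product; the class names, the `mfa_verified` flag, the department strings and the sample identities are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class User:
    name: str
    department: str
    mfa_verified: bool  # assumed to be set by the access control system after MFA

@dataclass
class Conference:
    conf_id: str
    host: User
    allowed_users: set = field(default_factory=set)  # user-based grants
    roster: set = field(default_factory=set)         # presence: who is on the call
    audit: list = field(default_factory=list)        # trail of every join attempt

    def _decide(self, user):
        if not user.mfa_verified:
            return False, "mfa-missing"
        if user.name in self.allowed_users:
            return True, "user-grant"
        # Role-based rule from the text, simplified to a department match:
        # product development staff may join product development conferences.
        if user.department == self.host.department == "product-development":
            return True, "role-grant"
        return False, "no-grant"  # deny by default

    def join(self, user):
        allowed, reason = self._decide(user)
        if allowed:
            self.roster.add(user.name)
        # Denied attempts are recorded as well, so the trail shows who tried.
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           user.name, self.conf_id, allowed, reason))
        return allowed

def demo():
    # Constructed sample identities, not taken from any real directory.
    host = User("Ann Lee", "product-development", True)
    conf = Conference("x", host, allowed_users={"Joe Smith"})
    people = [User("Joe Smith", "finance", True),
              User("Raj Patel", "product-development", True),
              User("Kim Cho", "product-development", False),
              User("Eve Doe", "sales", True)]
    results = [conf.join(p) for p in people]
    return results, sorted(conf.roster), [(e[1], e[4]) for e in conf.audit]

if __name__ == "__main__":
    print(demo())
```

The roster gives the administrator's presence view, while the audit list keeps both granted and refused attempts with the reason for each decision.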
Encryption is the second key to a successful video conferencing security architecture -- not just encryption of the underlying transport, but also encryption at the endpoint and of stored video. Encrypting video streams at the application layer -- while decryption occurs at endpoints -- solves the problem of an unauthorized person getting access to the data network and thus the ability to capture video streams. Even if someone can capture a stream, he or she wouldn’t be able to decode it without proper keys. Encryption of stored video means that unauthorized access to video files won’t result in exposure of sensitive data. Be aware that encryption at the endpoint is resource intensive. We find that companies requiring encrypted video streams typically deploy dedicated endpoint hardware.
Finally, no security architecture is viable without user buy-in. With regard to video conferencing security, an acceptable use policy can mandate the proper uses of video conferencing -- such as using "do not record" for certain conferences, mandating the use of endpoint encryption if its use is optional, determining what is allowable and not allowable to discuss over video, and even governing the use of emerging softphone or mobile endpoints. For example, an AUP could mandate that mobile video conferencing via laptop or tablet is only allowable over private networks, and from locations where there is a reasonable expectation of privacy -- no airports or coffee lounges.
Securing video conferencing sessions and stored video from unauthorized access is viable, but requires careful attention to access, media transport and end-user behavior.
About the author: Irwin Lazar is the vice president for communications and collaboration research at Nemertes Research, where he develops and manages research projects, develops cost models, conducts strategic seminars and advises clients. Irwin is responsible for benchmarking the adoption and use of emerging technologies in the enterprise in areas including VoIP, unified communications, video conferencing, social computing, collaboration and advanced network services.