Amid the coronavirus pandemic, video conferencing encryption and security are hot topics as more people work from home and collaborate with colleagues via video meetings. Businesses, government agencies, schools and everyday consumers have flocked to video calling to collaborate, learn and simply socialize.
In that sense, unified communications (UC) and video collaboration have become mission-critical. But that heightened focus on video conferencing also means enterprises must vet vendors carefully and pay particular attention to security features. Once a product is picked, IT administrators and end users should be keenly aware of video conferencing security features and best practices as they conduct meetings.
As businesses evaluate video vendors, proper security is not only a must-have component, but it's also becoming a differentiator among vendors. In other words, features like virtual backgrounds in video meetings are cute, but proper encryption and data storage are critical and far more important.
Understanding video conferencing encryption
The recent security issues around Zoom, the popular video conferencing provider, have been well documented. Hackers found ways to disrupt Zoom meetings, and the vendor said it offered end-to-end encryption. Users and investors, however, disagreed with Zoom's definition and interpretation of end-to-end encryption. Now, the vendor faces lawsuits over its encryption claims.
A main component in video security is encryption keys, which vendors use to offer such features as recordings and transcriptions, according to Irwin Lazar, analyst at Nemertes Research. But these keys also give vendors wide latitude in what they can do -- for example, enabling suppliers to decrypt traffic at any time or even tap in to a meeting if the vendor is responding to a government subpoena.
Meeting recordings can be especially problematic, according to a recent Aragon Research report on web and video conferencing. For example, is a meeting recording at risk if it's stored in the data center of the video conferencing provider? Because of individual requirements, enterprises may choose to keep their meetings and recordings in locations they choose, including their own data center, the report said.
As companies shop for video calling services, especially companies in highly regulated industries, video conferencing encryption could become a central issue. Organizations need to know if video conferencing data is encrypted during the call and where the information is stored after a call. All media in the meeting should be encrypted, both the session itself and the content, the Aragon report said.
Do you even need end-to-end encryption?
For added security, enterprises should investigate whether they can control their encryption keys to protect themselves from potential third-party access to their data. The only way to prevent eavesdropping is to enable customers to manage their own encryption keys, Lazar said.
In general, to have true end-to-end encryption, Lazar said, only the endpoints should be able to decrypt a stream, which would mean the vendor has no way of decrypting video at any point during the transmission. Zoom no longer claims to support end-to-end encryption, but the vendor said it's taking steps to enable customers to manage their own encryption keys.
"In my opinion, few enterprises outside of those handling national security information truly need [end-to-end encryption] for meetings," Lazar said.
For businesses evaluating UC and collaboration products, security is a fundamental consideration, according to Chris Steffen, research director of information security at Enterprise Management Associates. Since many of the leading video conferencing vendors provide a similar slate of standard features, the strength of their security offerings is an important differentiator and should be top of mind. Evaluating UC products based on their ability to protect employees and the enterprise is the best way to narrow down the list of potential providers, Steffen wrote in a recent blog.
Prioritizing video conferencing security
Many UC services emphasize UX, UI and ease of use at the expense of security, Steffen said. He advised organizations to look for vendors that focus on security first and can back that claim up with millions of secured installs.
Customer support is another consideration. Free video conferencing services, for example, often don't provide customer support. But enterprise-grade UC services should have seasoned and dedicated support staff that can respond to customer requests. Steffen advised organizations to consider how long it takes for a vendor to respond to vulnerabilities and how quickly they can resolve security gaps.
Organizations should also ensure their selected UC service aligns with their data privacy goals. When organizations transmit data, including chats, during a video conferencing session, they'll need to consider how the data is stored, maintained and used.
While vendors are certainly responsible for providing secure products, an organization's IT administrators and end users also need to do their part to ensure secure video meetings. Video conferencing security requires a multilayered organizational effort, Gartner analyst Mike Fasciani wrote in a recent post.
The coronavirus crisis has spurred companies to select and deploy video collaboration tools to ensure business continuity, but that need shouldn't outweigh careful consideration of a vendor's security portfolio, Steffen said. More emphasis should be placed on security, he said, rather than on a UC service's other features.