4 Key Elements of a Secure Cloud Meeting Platform
In this article
When the COVID-19 pandemic hit, many organizations were forced to rapidly deploy cloud-based meeting platforms. Unlike "normal" times, organizations didn't have time to evaluate every aspect of their new solution before welcoming it into their technology stack. They needed a new solution fast to maintain business continuity.
Now, after nearly 18 months since the start of the pandemic, organizations are starting to prepare for a new era of hybrid work. IT and Facilities teams are considering the technology they'll need to safely welcome employees back to the hybrid office and questioning whether the solutions they implemented on the fly during the pandemic are the right fit for their long-term strategy. After all, many of the features and capabilities that were important in 2020 are irrelevant or obsolete today.
Moving forward, we know video meetings are necessary for modern communication and enabling employees to work from anywhere. Employees want to work from home, coffee shops, neighborhood parks, airplanes, the car and everywhere in between. This kind of free-flowing communication introduces glaring concerns related to information security.
It's important that organizations take time to reassess the features and architectural benefits of their meeting platforms to ensure they can not only enable collaboration for a hybrid workforce but protect and secure valuable meeting data.
How to choose a secure meeting platform
When evaluating the security of meeting platforms, you'll need to understand the features related to data security, compliance visibility and control.
Consider asking these top four questions related to meeting platform security:
- How secure is the platform?
- How compliant is the platform?
- Does the solution include any nice-to-have security features?
- How will the platform respond and recover from an attack or threat?
How secure is the platform?
Securing users and identity
Your meeting platform is one application in a long list of many others. Authentication and authorization workflows must align with how end users are already working and using their existing apps.
Additionally, there can't be any loose ends related to the lifecycle management of user accounts, from secure provisioning using SCIM standard to de-provisioning using risk-based engines.
Tip: Be sure your meeting platform includes an out-of-the-box capability to federate authentication to your existing Identity Providers (IdPs) – both on-premises and cloud. This might include Active Directory Federation Service (ADFS), Ping Identity, Azure Active Directory (AD), Okta, etc.
Securing apps and devices
From an IT administration perspective, you'll want to make sure your meetings platform doesn't invite the wrong attention compared to other apps and devices being managed via mobile application management (MAM) and mobile device management (MDM).
Tip: Be sure your meeting platform offers support for application wrapping under your existing MAM as well as MDM control for functions like copy/paste, remote deletion of application, sign-in methods, remote wipe, pin-lock, etc.
Securing content
Encryption for meeting signaling and media is now table stakes. Typically, SRTP (Secure Real-time Transport Protocol) with some variation of AES (Advanced Encryption Standard) is employed. However, depending on your organization's need for a higher media encryption capability, you may want to see if your solution allows for end-to-end encryption, in which even the meeting provider cannot decrypt your steam.
Additionally, check your meeting platform for encrypted cloud recordings using HSM (Hardware Security Modules). If you are a high-security organization, you may also want to explore if HSM operations are managed by a team outside of your meeting provider. This will ensure added security and avoid the possibility of conflicting interests.
Finally, be sure to look for options to exercise surgical level controls on sub-content such as whiteboard, files, password enforced downloads and more.
Tip: Ensure your meeting platform includes encryption capabilities that meet your security requirements.
Data center security
Your meeting platform's data is designed to be hosted at a designated data center where your content will either transit or get stored.
Tip: Be sure to verify basic hygiene of these data centers, including physical security, support system continuity, system hardening, frequency of pen tests, vulnerability scans, security patching, secure personal data processing (ISO 27018) and geo-redundancy.
How compliant is the platform?
Apart from regular hygiene checks on data center information security under ISO 27001, it's also important to have availability of:
- Certifications for internal controls on integrity, confidentiality of data center systems as per SOC 2 Type II and SOC 3.
- Cloud service security certifications under ISO 27017.
- Specific security and privacy certifications as well as regulatory compliance, such as HIPAA, COPPA and FERPA, depending on your industry.
- Compliance to cross-border data transfers such as APEC cross-border, EU-US privacy shield and EU GDPR, as needed.
Organizations may also have a data residency goal of retaining data within the region they are located.
Tip: Make sure compliance and certification documentation is readily available from your meeting platform vendor.
Data residency
There are many types of data to protect within your meeting platform, including personally identifiable information (PII), key management data used for encryption/decryption, administrative, telemetry and support to user-generated content.
It's important to find out where this data is processed and stored. Is it at a regional data center of your choice or at a global location?
For example, administrative data might be processed at a global data center while user-generated data is processed and stored at a regional data center. There could also be instances where calendar and other service integration data is handled regionally with copies published globally. These are all valuable details that you need to understand.
Secondly, be sure to gather information on who the above information is shared with, such as compliance officers, external organizations, etc. Can you toggle the control buttons for this data sharing if need be?
Tip: Be sure to understand what data needs to be protected within your meeting platform, where it's located and who has access to it.
Does the solution include any nice-to-have security features?
Compliance for audio, visual and whiteboard content
With hundreds of meetings hosted daily with external parties, there needs to be a scalable method to prevent data leaks and misconduct in audio, visual and whiteboard content.
Employing a team to go through every meeting recording is neither feasible or efficient. At the same time, if your organization belongs to a regulated industry driven by CCPA, Dodd-Frank or MiFID II, then adhering to content scanning for regulatory and corporate compliance risks is a must.
To address this mandate, organizations must ensure their meeting platform includes tested and certified integrations with external compliance solutions. Compliance solutions ingest all recordings for AI/ML intelligence, assess and assign a risk score to content, and alert compliance staff of medium- and high-risk recordings for further review.
Tip: Avoid lengthy manual processes for content scanning and choose a meeting platform that integrates with an external compliance solution.
Data loss prevention and protection
A modern communication canvas is characterized by the following traits:
- There are no corporate boundaries.
- There is a high volume of B2B information sharing with low to no visibility.
To ensure only appropriate information is being shared, organizations must integrate their meeting platform with the data governance layer. Cloud Access Security Broker (CASB) and data loss prevention (DLP) solutions use intelligence to identify data exchange violations and block communications.
Tip: To save time and money, choose a meeting platform that has integrations available with leading CASB and DLP solutions that can expose data violations using APIs.
How will the platform respond and recover from an attack or threat?
No meeting platform is 100 percent fool-proof when it comes to security but it does need to be backed by a set of actions that reflect the security culture of the vendor. Research past traces of a vendor's security culture and how it has handled situations. Examples of these traces include:
- Application of threat modeling during the development lifecycle.
- Privacy impact assessment.
- Secure coding standards.
- Availability of a security incident response team to take action on critical security defects.
- Public disclosure of security vulnerabilities.
Tip: Do your research on meeting platform vendors to understand their security culture, how they've responded in the past to threats and attacks, and their security roadmap moving forward.
Conclusion
As a new era of hybrid work begins, choosing a secure meeting platform will become increasingly important for organizations to protect their valuable data. Answering these four questions before choosing a meeting platform will allow your organization to break free from reactive governance and compliance and realize the full potential of next-gen meetings.