The outbreak of the coronavirus disease (COVID-19) is causing people to be isolated from family, friends, and business associates. This situation has a caused a dramatic increase in adoption of video meeting services for many different purposes in people’s business and personal lives. In past times, the personal use of video was primarily done with video chat services like Skype or Facetime. The enterprise use of video was mainly accomplished with more formal, feature rich, and often times complex video conference services. The pandemic is causing most of us to work and be educated from home as well as attend virtual family and social events. As a result, educators and consumers are turning to higher scale, more robust enterprise-grade video meeting solutions to solve for these various use cases. These novice users are learning that some application controls are needed to better assure secure online meetings.
The Situation with Zoom’s Privacy and Security Vulnerabilities
The adoption of enterprise video solutions for personal and K-12 educational use has lead to unintended consequences for one enterprise-grade video meeting vendor in particular: Zoom. Consumers, teachers, yoga instructors, and government officials are Zooming with friends, students, audiences, and colleagues. With this rapid rise in unexpected consumer usage, all has not gone well for Zoom. Negative publicity has arisen about it’s privacy and security vulnerabilities. These vulnerabilities have been mainly exposed through consumer access to its video meeting service. IT leaders are actively evaluating these concerns to determine whether these problems will impact their organizations usage of the service. Zoom has made a public pledge to rectify the privacy and security vulnerabilities by delaying other R&D work for 90 days. It’s also showing greater transparency and utilizing outside testing agencies with security expertise. The next few weeks of progress on these issues are critical for Zoom to gain back the trust of its enterprise customers.
Best Practices for Securing Online Meetings
Security has always been one of many considerations when buying an enterprise-grade video meeting solution. The recent exposure of privacy and security vulnerabilities has amplified security awareness within all organizations. Service providers in the enterprise video solutions market are responsible for systemic level security of its platform and network and the data it collects from its customers. IT leaders and security officers have an equally important role insuring the use of these services meet corporate security policies. The following graphic illustrates several security layers that must be respected to insure a secure online meeting experience.
IT Administrator Controls
The core layer within the organizational control is the IT Administrator layer. The IT Administrator can apply universal settings for all online meetings hosted within their organization. These are the settings to help avoid fraudulent use by unauthorized parties:
- Enable strong meeting pass codes
- Configure separate host pass codes from attendee pass codes
- Avoid fixed meeting IDs – allow them to randomize
- Require all users to authenticate to join meetings
- Enable encryption
Meeting Host Controls
The meeting host needs to manage the next layer of security. This layer gives the meeting host additional controls when the online meeting is being scheduled and during live meeting sessions. The recommendations for the meeting host are:
- Deliver passcodes for sensitive meetings via a separate email
- Avoid sharing files or links in the app chat box – it’s preferable to use secure corporate email or content collaboration platforms
- Park all attendees in a waiting room until the host joins
- Lock meetings once they’ve begun to prevent additional attendees from joining
- For structured meetings, the host should retain control over who can present content
Meeting Attendee Responsibilities
The meeting attendees control the final security layer. This layer typically witnesses the highest number of security vulnerabilities. Meeting attendees do not realize that their choices can have a large impact on whether the meeting experience adheres to corporate security policies. The recommendations for the meeting participants are:
- Don’t forward invitations to others—let the host decide who attends
- Join meetings from secure locations and devices
- Join using an authenticated user id by previously registering with the online meeting service with your corporate ID
- Join via the URL in the meeting invitation rather than dialing directly into the conference bridge – direct dial bypasses user authentication
- Prefer VoIP/PC audio for enhanced privacy as calls over PSTN routes are not encrypted
Hosting and joining meetings will be a bit more challenging for your organization with these security settings in place. However it will allow meetings to take place with a greater assurance of avoiding fraudulent access by unwanted parties. If these controls bring too much complexity to the join and hosting processes, then choose the subset of recommendations that best meet your organizations desired experiences and security practices.
We are interested to hear best practices that have worked well in securing your online meetings.