Why Zero-Trust in Video Conferencing is Crucial

By now you’ve likely heard the term “zero-trust” and how it relates to cybersecurity. A few years ago, it was in more of a conceptual stage, two attached words floating about like a bobblehead, murky and undefinable. When asked what exactly it meant back then, you weren’t as articulate as you would have hoped. What did zero-trust entail? What were the specifics? The answer would come in time and on the heels of major breaches to national security, most notably the SolarWinds breach. That infamous breach was one catalyst for technologists to prioritize the development of architecture and a set of guidelines to optimally protect data. A clearer definition of zero-trust was then put into writing by NIST.

Defining Zero-Trust

Zero-trust is about ensuring that every user is highly vetted and pre-authorized before every single digital interaction. The guidelines mentioned above are incorporated in NIST’s Federal Information Processing Standards (FIPS) and are often recommended by compliance regulators. To ensure this element of cybersecurity, companies are starting to take highly specific, customized and proactive steps, which involve verifying every person from every possible device. The goal is to prevent bad actors from accessing critical assets and to protect private data from being breached.

Where is Zero-Trust Applied and Where is it Forgotten?

President Biden signed an executive order in January 2022 to improve the nation’s cybersecurity. But wait … does that apply to the nation’s cybersecurity overall? We try to ensure our networks are secure for emails and we spend significant time worrying about viruses that may arrive in our inboxes, but there are other ways attackers breach networks in an age when communications are conducted collaboratively.

COVID-19 ushered in new security problems as the pandemic led to a rise in remote work. With people conducting video conferences from multiple unknown devices and locations, shoring up the popular meeting platforms became critical. It was apparent that all industries would be relying more and more on conducting high-level business virtually. Every industry, from health care and finance to state/local government, disaster relief and other sectors, faced the same problem, no matter which of the popular video conferencing platforms they used.

To create a safe platform, every user (from whatever location and whichever device) would have to be individually authorized and authenticated prior to every single type of conference. Contrary to how the name zero-trust may sound, it is truly about elevating trust rather than eliminating it.

Hackers are clever, and they know to “follow the money.” They quickly realized that there was profit in arenas like collaborative communications. They salivated at the notion of obtaining proprietary information about mergers and acquisitions before the news became public. Then there were the clowns: those intent on pulling pranks during serious video conferences wherein private information is discussed. You may remember hearing about “Zoom bombings” last year, including incidents where attackers interrupted a school board Zoom meeting to scream obscenities. Although a prank may seem benign, it can throw a school administration completely off kilter and leave teachers and principals extremely concerned that private information was overheard by students or others outside of the school.

Prior to COVID-19, people used video conferencing for presentation purposes, but now companies are relying on these virtual meetings to conduct serious high-level organizational discussions across critical industries and those that require compliance (e.g., HIPAA regulations in health care). Video conferencing is the fabric of all companies today as they’ve transitioned to remote and hybrid work environments.

The Importance of ‘Layering’ and Other Recommendations

Layering defenses is key to security in collaborative communications. Most of the popular video conferencing companies that really gained traction during the pandemic asked that you download desktop client software, which is actually quite problematic when it comes to protecting critical data. Bad actors can easily seize and steal information from desktops, video streams, microphones and audio equipment. They can also craftily capture a user’s keystrokes. They can sneakily steal screenshots. Good cybersecurity measures ensure that these hacking methods don’t succeed.

Some recommendations for establishing cybersecurity in video conferencing include the following:
● It is optimal to have no desktop client; instead, have entirely web-based conferencing, eliminating exploitable desktop clients
● Ensure that there is foolproof, two-factor authentication
● There should be keystroke encryption (a method of protecting everything typed into a keyboard)
● Establish out-of-band authentication so the communication channels used to authenticate each user are separate from the channels used to sign in
● Verify users with biometric technology (e.g., fingerprint identification and facial recognition)
● When looking at video conferencing vendors, also assess the platform’s ability to prevent screenshot capture and protect cameras, microphones, speakers, keyboards and clipboards

Triaging Video Conferencing Based on the Level of Data Privacy

The best practice is to categorize sensitivity levels of conferences according to tiers of importance to truly protect essential and private data. A social meeting, for example, like one announcing the return of an employee after maternity leave, would be classified as a ‘level one’ meeting. That would not necessitate all of the same specialized controls that a ‘level four’ meeting would entail.
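As an added illustration (not code from the article or from any vendor), the sketch below combines the recommendations above with the tiering idea: each join request is checked against the controls its meeting tier requires, and any gap denies the join. The article names a "level one" and a "level four" meeting but does not define their controls, so the tier-to-control mapping, the control names, the field names and the 300-second freshness window are all assumptions.

```python
from dataclasses import dataclass

# Assumed mapping: the article names tiers but does not list their controls.
TIER_CONTROLS = {
    1: {"password"},
    2: {"password", "second_factor"},
    3: {"password", "second_factor", "out_of_band"},
    4: {"password", "second_factor", "out_of_band", "biometric", "web_client"},
}
MAX_AUTH_AGE_S = 300  # assumed freshness window for a per-meeting check

@dataclass
class JoinRequest:
    user: str
    meeting_id: str
    auth_meeting_id: str             # meeting the authentication was done for
    auth_age_s: int                  # seconds since that authentication
    signin_channel: str              # e.g. "browser"
    password_verified: bool = False
    second_factor_channel: str = ""  # e.g. "phone_push"; empty means none
    biometric_verified: bool = False
    client: str = "web"              # "web" or "desktop"

def satisfied_controls(req):
    """Controls this request actually proves (constructed control names)."""
    second = bool(req.second_factor_channel)
    checks = {
        "password": req.password_verified,
        "second_factor": second,
        # Out-of-band counts only when the channel differs from sign-in.
        "out_of_band": second and req.second_factor_channel != req.signin_channel,
        "biometric": req.biometric_verified,
        "web_client": req.client == "web",
    }
    return {name for name, ok in checks.items() if ok}

def evaluate_join(req, tier):
    """Return (allowed, reasons); any gap denies the join."""
    if tier not in TIER_CONTROLS:
        return False, ["unknown tier"]
    reasons = []
    if req.auth_meeting_id != req.meeting_id:
        reasons.append("authentication not bound to this meeting")
    if req.auth_age_s > MAX_AUTH_AGE_S:
        reasons.append("authentication too old")
    missing = sorted(TIER_CONTROLS[tier] - satisfied_controls(req))
    reasons += [f"missing control: {m}" for m in missing]
    return not reasons, reasons
```

Binding the authentication to the meeting ID and bounding its age is what turns "authenticated once" into "authenticated prior to every conference"; the returned reasons can be logged for audit.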

The future of global business is in trouble across critical sectors, including the very government sector that made cybersecurity a key focus in the first place. Since video conferences have become the fabric of corporate America and of business interactions worldwide, it behooves the government and the private sector to heavily consider these platforms’ security features, ensuring complete organizational cybersecurity hygiene.

Growth of Video Conferencing

The video conferencing space has grown from $2 billion before COVID-19 to between $60 billion and $100 billion in just the last two years, a staggering statistic. We now need to go beyond the early best practices laid out by CISA to layer on extra measures for employees. It is my hope that the Biden administration places a special focus on video conferencing, highlighting it as a priority under the umbrella of cybersecurity initiatives. Virtual collaborative communications are here to stay. Companies have realized that they can save time and money on business travel and that meetings can take place from anywhere in the world. Therefore, these types of virtual meetings need to be assigned to their appropriate security tiers, with specific measures delineated for particular meetings, ensuring the highest level of protection for the most critical and proprietary data.

Image source: Chris Montgomery (Unsplash license) 


George Waller

George is a founder and the original CEO of Zerify, formerly Strikeforce Technologies. He has a strong background in leadership, sales and technology, leading to many leadership roles. Previously he was a Vice President at Connexus Corporation, a software integrator, and successfully managed several other software integration firms, including TeachMeIT, Incubation Systems and HealthSCOUT.
