Zero Trust

Although video conferencing technology is not new, its use and significance have risen exponentially as more and more organizations convert to remote working practices. Even if it is very convenient, one should pause before registering for new video conferencing solutions. A video conferencing tool must be safe and reliable to be used regularly for interactions.

Unfortunately, many video conferencing solutions do not offer optimal security to users. Using video conferencing tools with poor security carries the risk of having meetings interrupted, or even of losing confidential information.

Most modern video conferencing solutions have built-in security, but that does not mean that it is enabled – misconfigurations stemming from too many security options are a huge risk factor. A good example is two-factor authentication (2FA), which is perhaps the most critical security feature consumers and organizations of all sizes can enable in order to improve their security posture. Chiodi (2022) highlights a key point from his analysis: “In our recent research, we found out that 15 % of users only enable 2FA when it is absolutely required.” The same research also shows that 46 % of users say that it is a hassle, and that this is why they do not bother. This is very alarming news from a security perspective! Two-factor authentication should not be a user choice – it is an important security feature that needs to be enforced unilaterally and consistently!

Securing online meetings
Each video conferencing vendor publishes its own best practices for security, and the nonprofit Center for Internet Security (CIS), for example, offers security benchmarks that can be implemented. It is, however, up to IT and security teams to ensure that these practices and benchmarks are enabled and consistently enforced (CIS 2022).

One example of good practice is to eliminate trust from the solution that needs to be protected. The video conferencing surface that needs to be protected must cover only the data, applications and services that are critical to the business at hand. Online meetings should be made as secure as physical meetings! If, for example, one needs to navigate through locked gates and guards with weaponry in order to attend a meeting in person, then online meetings should be no less secure. A connection to an online meeting must be validated to ensure that the connection is secure and comes from a source that has met the requirements defined by the security and IT teams – trust must be validated, never assumed!

But what if the solution is not safe and does not support zero trust?
If a solution does not support common identity standards such as SAML for single sign-on and SCIM (System for Cross-domain Identity Management) for adding and removing user access, then it is almost impossible to include the video conferencing solution in zero trust. Without support for these standards, the underlying applications will be ripe for attackers, and zero trust principles will be very difficult to apply.

Conclusion
With all that said, one should keep in mind that no software is completely bulletproof. Even the most popular video conferencing solutions are built by organizations with very mature and secure software development practices, and still bugs appear. We can all remember, for example, the whirlwind of reported Zoom security bugs in 2020 (Beardsley 2020). Zoom addressed these quite well. So, in order to assure comprehensive safety and security, more is needed than simply training and monitoring at the consumer and organizational levels. Consumers and organizations need to be confident in their ability to deal with the cyber-related dangers and difficulties that lie ahead. Therefore, zero trust must be implemented in order to do the necessary block-and-tackle work that will keep all of us safe and secure.

Read this article in Centria Bulletin

References

Beardsley, T. 2020. Dispelling Zoom Bugbears: What You Need to Know About the Latest Zoom Vulnerabilities. Available at: https://www.rapid7.com/blog/post/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/. Referenced 22nd September 2022.

Chiodi, M. 2022. COVID hangover. Available at: https://www.cerby.com/resources/blog/covid-hangover-employee-perceptions. Referenced 21st September 2022.

CIS 2022. CIS Videoconferencing Security Guide. Available at: https://www.cisecurity.org/insights/white-papers/videoconferencing-security-guide. Referenced 21st September 2022.