Update: On July 8, a security researcher disclosed a serious security vulnerability impacting Zoom’s service, putting an estimated 4+ million Zoom users at risk. At the time of publishing, the vulnerability has not yet been addressed. Due to Zoom’s proprietary code base and default settings, customers are advised to follow the steps in this post until a patch is available.
Video communication and collaboration has never been of greater importance to organizations. Gone are the days when video in the workplace was a novelty; it is now not only expected in many instances but a core technology for getting work done. The video communications era has arrived, ushering in with it a wave of new collaboration methods ranging from 4K-quality content to digital whiteboards and more.
At Lifesize, we hear and see this every day through conversations with current and prospective customers, our partners and our colleagues across our ecosystem. Of course, the trend is not isolated to Lifesize, as illustrated by countless analyst reports and market analyses, all of which point to the rapid rise of video collaboration around the world.
Analyst firm Frost & Sullivan projects the video conferencing market will grow an average of 12.1 percent YoY from 2018 to 2023, representing a $13.82 billion industry in the next five years. For an industry 30 years in the making to maintain this trajectory, however, it’s imperative that we collectively address the elephant in the room: security. It’s long past time for video conferencing providers to embrace the fundamental criteria all enterprise-grade, mission-critical applications are expected to deliver — and that they do so with transparency.
Cloud Security: A Hazy Forecast
Information security is a lot like life insurance — important, but not the liveliest topic to discuss.
It’s tempting to assume the technologies we use in our professional and personal lives are secure. Unfortunately, data breaches are all too common, and nearly every technology category — from social media to gaming and retail to communications platforms — has been impacted in recent memory. In recent weeks, the Washington Post wrote a lengthy exposé detailing how simple it is for hackers to compromise “smart” devices using a technique called “credential stuffing,” whereby bad actors combine leaked email addresses and passwords with simple automation to gain access to thermostats, cameras and more. If anything, the sheer volume of data and security breaches has resulted in a culture of becoming desensitized to their impact.
According to Gartner’s 2019 Security and Risk Management Trends, the rapid adoption of cloud technologies is “stretching security teams thin,” putting an even greater share of responsibility on cloud providers to deliver out-of-the-box security capabilities to both protect customers and alleviate the burden on IT professionals tasked with managing an ever-growing number of applications and services. As it relates to usage of software-as-a-service (SaaS) applications, Gartner advises clients to consider whether applications are “appropriately governed and securely used.”
In a February 2019 research note, Gartner analyst Jay Heiser wrote, “The lack of agreement on which corporate role is responsible for SaaS governance and the relative lack of policy requiring more specificity around SaaS ‘ownership’ have helped to mask urgency over SaaS control. The relative lack of visibility and management over this increasingly ubiquitous form of computing leads to security and compliance failures.”
It remains to be seen where organizations will land concerning who is ultimately accountable for enforcing and governing cloud security. However, what’s clear is that vendors should be far more proactive about communicating security practices and features to help buyers and customers understand what they are getting for their investments and what they should expect based on their organization’s security requirements and risk tolerance.
Secure Communications: The Unspoken Truth about Video
Because of the rapid adoption of bring your own device (BYOD) policies and a trend toward line-of-business managers selecting applications that are not managed by IT, many organizations are now struggling to simply stay on top of which applications are being used, let alone the implications on information security.
In a study of IT decision makers conducted by Frost & Sullivan to understand why organizations choose not to use cloud services, concern about unauthorized access to data was the number one inhibitor to adoption.
In video conferencing, security is often an afterthought. With so much attention paid to protecting personally identifiable information (PII), health-care records, financials and more, it’s easy for organizations to forget about the data being transmitted during meetings and among employees, partners and customers inside and outside of the company. After all, video conference calls are hardly as tempting as a database full of sensitive customer records, right?
Unfortunately, this perception has led to complacency, resulting in CISOs and IT decision makers all too often failing to account for the data being shared and who is ultimately accountable for protecting it. Compounding the issue, video conferencing security is multifaceted, forcing organizations to think about a number of key aspects of their infrastructure and governance, including how data is transmitted and stored, access controls, authentication policies, HIPAA compliance, and more.
In many respects, communication services represent the “last mile” in information security.
No one wants to think about the what-if scenario of someone intercepting sensitive information or snooping on a video meeting. However, the increasing volume of data breaches, “man in the middle” attacks and security threats illustrates that organizations should carefully consider whether video communication vendors’ security presets are adequate for the data being transmitted through their services.
Our Commitment to Security, Transparency and Openness
In 2014, Lifesize initiated a multiyear project to rearchitect our cloud video conferencing service from the ground up for security and reliability.
Engineering for Transparency
A critical component of that is the Web Real-Time Communication (WebRTC) protocol, which provides customers transparency and peace of mind about how the service operates. We rebuilt our platform on WebRTC for several reasons.
First, we want video conferencing to be accessible to everyone. To accomplish this, WebRTC was an obvious choice and by far the most reliable, proven and well-performing mechanism for delivering a cohesive video conferencing experience across operating systems, devices and browsers supported by Lifesize. Since we announced support for WebRTC in 2015, it has matured greatly; today nearly all major browsers support WebRTC natively.
Second, we firmly believe openness is good for customers. As with all open source technologies, WebRTC was built (and continues to be improved) in the public, with contributions from thousands of engineers and industry-leading companies like Apple, Google, Mozilla, Microsoft and others. While open source software is not more secure by definition, code that is regularly inspected and tested by multiple entities has been proven to result in more robust, secure technologies.
Through WebRTC, Lifesize is able to deliver a reliable, consistent and secure experience to our customers with no ambiguity about how that experience is being engineered. While we aspire to earn the trust of every customer, we fully expect and encourage them to ask questions about how our service works — as they should with any application or service provider.
Securing the Last Mile
Today, our cloud runs on Amazon Web Services (AWS), which provides a host of added security benefits, including best-in-class network firewalls, robust compliance controls and 99.9% guaranteed uptime delivered through highly secure data centers around the world.
Additionally, Lifesize ensures comprehensive, secure video conferencing for our customers by layering on:
- End-to-End Encryption by Default: 100 percent of communication on the Lifesize platform is secured by enterprise-class, 128-bit AES (Advanced Encryption Standard) encryption for media and TLS (transport layer security) encryption for signaling. By default, every Lifesize customer’s connection is encrypted using single-use encryption keys. Additionally, since Lifesize was architected from the ground up using WebRTC, which mandates secure connections, every call — either through our native apps or browser-based web applications — is secured without exception.
- Secure Data Storage: Recording and playback of Lifesize meetings is encrypted using 128-bit AES while in transit and 256-bit AES while stored. User passwords are always encrypted, and no plain-text passwords are stored in the cloud.
- Secure Authentication: Lifesize integrates with and supports leading single sign-on (SSO) providers, including Okta, Microsoft Azure® Active Directory, OneLogin and Ping Identity, allowing IT administrators to easily configure user permissions and enforce password refresh and complexity requirements, reducing the likelihood of successful credential stuffing or other end user-focused attack methods.
- Meeting Security: Lifesize virtual meeting rooms (VMRs) can be secured, requiring a password to gain entrance to a meeting. Meeting moderators can also easily access a full list of participants and remove individuals, should the need arise. Customers also have the option to use “disposable” one-time meetings to prevent unauthorized guests from joining meetings using details from a previous invite.
- Firewall/NAT Traversal: Our architecture keeps Lifesize room systems and client software safely behind existing firewalls and manages firewall traversal through our global calling nodes. Thus, we do not require any firewall ports to be opened inbound from the internet, nor is there a need for static public IP addressing or complicated static NAT and port-forwarding firewall configurations. Organizations can maintain their existing perimeter posture and protect users and devices from SIP and H.323 nuisance calls that are common on the open internet.
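The encryption and traversal claims above can be checked on a live call rather than taken on trust: the W3C WebRTC Statistics API exposes the DTLS state, the negotiated SRTP cipher and the selected ICE candidate pair. The following is an added example, not Lifesize’s code; it assumes a report shaped like an RTCStatsReport (in a browser, the result of `pc.getStats()`), with a constructed sample standing in so the check runs offline.

```javascript
// Added example (not from the original post or from Lifesize): assess whether
// a WebRTC call's media path is actually encrypted and whether it traverses a
// relay, using "transport", "candidate-pair" and candidate entries as defined
// by the W3C WebRTC Statistics API. `stats` may be a browser RTCStatsReport,
// a Map, or a plain array of stat objects; all expose values().
function assessWebRtcTransport(stats) {
  const entries = Array.from(stats.values());
  const byId = new Map(entries.map((s) => [s.id, s]));
  const transports = entries.filter((s) => s.type === 'transport');
  if (transports.length === 0) {
    return { encrypted: false, usesRelay: false, reasons: ['no transport stats: media not negotiated'] };
  }
  const reasons = [];
  let usesRelay = false;
  for (const t of transports) {
    // DTLS-SRTP keying must have completed; anything else means no protected media yet.
    if (t.dtlsState !== 'connected') {
      reasons.push(`transport ${t.id}: dtlsState is ${t.dtlsState || 'missing'}, not connected`);
    }
    // The post claims 128-bit AES for media; verify an AES SRTP suite was negotiated.
    if (!t.srtpCipher || !/AES/.test(t.srtpCipher)) {
      reasons.push(`transport ${t.id}: srtpCipher ${t.srtpCipher || 'missing'} is not an AES suite`);
    }
    // Resolve the selected candidate pair to see whether either side is a relay
    // (TURN-style traversal, which is how calls stay behind the firewall).
    const pair = byId.get(t.selectedCandidatePairId);
    if (pair) {
      const local = byId.get(pair.localCandidateId);
      const remote = byId.get(pair.remoteCandidateId);
      if ((local && local.candidateType === 'relay') || (remote && remote.candidateType === 'relay')) {
        usesRelay = true;
      }
    }
  }
  return { encrypted: reasons.length === 0, usesRelay, reasons };
}

// Constructed sample report (hypothetical ids and values, not captured from any real call).
const sampleReport = [
  { id: 'T01', type: 'transport', dtlsState: 'connected',
    dtlsCipher: 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    srtpCipher: 'AES_CM_128_HMAC_SHA1_80', selectedCandidatePairId: 'CP01' },
  { id: 'CP01', type: 'candidate-pair', state: 'succeeded',
    localCandidateId: 'LC01', remoteCandidateId: 'RC01' },
  { id: 'LC01', type: 'local-candidate', candidateType: 'srflx' },
  { id: 'RC01', type: 'remote-candidate', candidateType: 'relay' },
];
```

A report with `dtlsState` still `connecting` or no `srtpCipher` is flagged as unencrypted, which is the condition to alert on if a vendor's "always encrypted" claim is ever in doubt.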
In Search of Security, Transparency and Openness
Security and its companions form a complex and ever-evolving challenge for organizations large and small, but it should be a top priority. IT decision makers and business leaders must take the time to assess the risk profiles of their vendors and understand whether each of their communications tools — regardless of whether it is centrally managed by IT — is built and configured to protect sensitive data.
Unfortunately, many service providers require users to opt in to basic security features rather than abiding by enterprise-grade standards. If vendors don’t prioritize security, transparency and openness by default, businesses would be wise to consider whether their private communications and data are at risk.