Collaborative Strategies LLC

E-Meeting Security

By Rick McConnell and David Coleman

 

In past editorials we have talked about the 15 criteria we have developed for “e-meetings,” one of which is security. E-meetings, unlike a web conference, are usually small and intensely interactive and both the content and the interaction need a higher level of security. But what do we mean by security? Is supporting SSL really secure? What about implementing a password to get into an interaction? Different vendors in this space seem to define “secure” differently.  (David Coleman)

The Risks of Web Conferencing

Web conferencing extends some of the security risks an organization already takes rather than creating new ones, and these vulnerabilities are specific to its architecture and usage patterns. So what are some of the common risks?

  • Stolen critical or confidential information: projected financials or sales figures, human resource records, trade secrets, and product specifications.
  • Compromised Systems: Collaborative systems require content and often are integrated with other enterprise systems that supply that content. These overlapping systems make the whole enterprise network vulnerable to a hacker's “denial of service” attack and, worse, enable a hacker to use this system as a springboard into the corporate network.
  • Fraudulent Use: Applications like Web Conferencing are often configured to provide maximum access, even in a public environment. This can lead to abuse and fraud by former employees, or allow those not authorized to use the account to do so and, even worse, steal data.
  • Disrupted Meetings: There is nothing worse than someone out of the blue stumbling into your meeting and disrupting it with inane questions. We have all had this happen to us on a cell phone. Imagine what it would be like if it happened in a critical product planning or budgeting meeting online. Not only is the data compromised but the interaction (meeting) itself is now suspect.

E-Meeting Vulnerabilities

In any e-meeting, there are two aspects that require security: content and interactions between people. There are six basic areas of vulnerability for an e-meeting:

  • Physical (i.e. where the server is hosted and who might have access to it)
  • Architectural (i.e. what is the software architecture of the application and how do its features and functions make it more or less vulnerable)
  • Infrastructural (i.e. is it inside or outside the corporate firewall, the OS it sits on, relevant standards, network design, firewalls, DMZ, WAN, VPN, etc.)
  • Access - People (i.e. who are workers allowed to interact with and when and how)
  • Access - Content (i.e. what content are participants allowed to see or change)
  • Administrative (i.e. how does the e-meeting system integrate with a corporate directory, what are the policies for changes and additions to attendees and who can make them, and is there an audit trail for this)

For an e-meeting to be secure, at what level does a vendor need to implement security? Is password protection enough, or does everything have to be encrypted?

Instant Messaging and Web Conferencing

Not all meetings support Instant Messaging, but those that do increase the vulnerability for their companies. Many enterprises have policies on the use of consumer-based IM systems like AIM, Yahoo, and MSN, but a recent IDC report notes that by 2005 over 70 percent of corporate employees will be using one or more of these systems. Viack, Linqware and FaceTime offer solutions for IM security and management. Viack, for instance, offers end-to-end encryption, but you must use its proprietary IM. LinqWare's Collabrix uses the Citrix MetaFrame infrastructure for additional security. And FaceTime bridges across all popular public and private IM systems and supports security through granular management.

Along with IM come critical functions for e-meetings: “presence detection,” instant interaction and the ability (with Linqware) to find expertise based on the way the presence list is grouped and set up.

Critical Conferencing Situations

Below are a number of scenarios that deal with critical data, for which a security breach would be disastrous.

  • A defense contractor discussing product specifications with a military agency
  • Employees of a pharmaceutical firm discussing clinical trial planning and logistics with contractors and hospitals in parts of the world that will host the trials
  • A financial advisor reviewing account data and investment strategy with a client
  • The VP marketing sharing competitive data on a new product with the sales force
  • A legal team discussing trial strategy, exhibits and depositions with a client
  • An investment banker working with an executive of a firm targeted for acquisition by the bank's client company

Deal With It!

The above scenarios require collaboration because of short cycle times, cost or both. There are two ways to deal with security for e-meetings and web conferencing and both have the same general solutions: behavior (policy) and technology. Below, we have suggested ways to deal with each specific risk detailed above.

  • Stolen Critical or Confidential Information: Make it a policy that this information is on a “need-to-know” basis and keep a list of who has access to it. Often, a web conferencing service will post a client company's data to a public web site and host the content and the meeting from that site on a shared Internet server, increasing the risk of information theft. Although you don't need your web conferencing server to be located in-house to be secure, it is ideal to deploy conferencing on a dedicated server on a company's own network, regardless of where the equipment resides. Another alternative, albeit less secure, is to arrange for a hosted service to host your critical data on a separate server.
  • Compromised Systems: It is much harder for a hacker to compromise a standalone system and the damage done is generally much less. The downside is that it may be more difficult for users to get to the system and to place content into it, which may lower usage. With a hosted web conferencing service your IT group can do a security audit, even using a “friendly” hacker to check for vulnerabilities before committing critical data to it. For IT organizations it is critical to maintain control of the architecture and how the technology is implemented.
  • Fraudulent Use: This is more of a nuisance, but in one instance a law firm using a hosted service on the publicly available Internet had a lurker who stayed in the session after the meeting ended and was able to access the law firm's web conferencing account, holding meetings for days afterward. It's critical to enact policies that clear and shut down a meeting at its conclusion. Also, the extended use pattern in the above story should trigger an alarm to an administrator.
  • Disrupted Meetings: Isolating the meeting system is one way to avoid disruption. Using a directory for authentication as well as role and name-based access and password protection for a critical e-meeting should ensure that no one wanders into your web conference.

Best Practices in e-Meeting Security

  • Determine usage and security scenarios and make sure your network (or the hosting service) and architecture support these scenarios.
  • Use standards such as SSL, HTTP, and T.120, which can create behavioral conventions that, combined with the standards, lead to safer meetings.
  • Isolate critical meetings
  • Consider deploying web conferencing servers both inside and outside the corporate firewall to address the individual security requirements for each e-meeting, from the most secure to the most public
  • Don't publish all meeting titles on a server where anyone can see them
  • Authenticate web and audio conference access, preferably tied to a directory, for easier maintenance and to set security policies by company or selected groups
  • Authorize attendance: this pre-validation will significantly prevent attacks
  • Limit authentication attempts: To prevent brute force hacking, allow only three attempts to access an account, and then lock it and notify the administrator.
  • Use role or name-based access. A meeting host might be able to edit documents or content shown in a meeting, while other attendees have read-only access. Or the scribe might have access to the “notes” feature, while others do not and cannot see the “notes” until the meeting report is published.
  • Determine who can access content before, during and after the meeting
  • Secure the transmission: use SSL encryption. Vendors like Viack ensure full end-to-end encryption. Latitude supports private network (whether on-premise or off-site) hosting and a VPN for access, and stronger encryption for transport.
  • Monitor and manage meetings: study meeting activities for anomalous behaviors. Use real-time reporting to identify and collect data dynamically and see usage patterns as they happen. Set security alerts to notify administrators immediately.
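
The lockout and monitoring practices above, together with the lurker incident described under Fraudulent Use, can be expressed as a small log review. This is an added example, not code from the article or any vendor it names; the event names, the sample log and the ten-minute grace period are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_ATTEMPTS = 3                 # the article's limit before lockout
GRACE = timedelta(minutes=10)    # assumed: tolerated activity after a meeting ends

# Constructed sample events: (timestamp, event, account, meeting)
EVENTS = [
    ("2003-05-01 09:58", "login_fail", "jdoe", "M1"),
    ("2003-05-01 09:59", "login_fail", "jdoe", "M1"),
    ("2003-05-01 09:59", "login_fail", "jdoe", "M1"),
    ("2003-05-01 10:00", "login_fail", "jdoe", "M1"),
    ("2003-05-01 10:00", "login_ok", "asmith", "M1"),
    ("2003-05-01 10:01", "login_ok", "guest7", "M1"),
    ("2003-05-01 11:00", "meeting_end", "asmith", "M1"),
    ("2003-05-01 11:05", "activity", "asmith", "M1"),
    ("2003-05-02 14:30", "activity", "guest7", "M1"),
]

def review(events, max_attempts=MAX_ATTEMPTS, grace=GRACE):
    """Walk time-ordered events; return (locked accounts, alerts)."""
    failures = defaultdict(int)
    locked, ended, alerts = set(), {}, []
    for when, kind, account, meeting in events:
        t = datetime.strptime(when, "%Y-%m-%d %H:%M")
        if kind.startswith("login") and account in locked:
            alerts.append((when, account, "attempt on locked account"))
        elif kind == "login_fail":
            failures[account] += 1
            if failures[account] >= max_attempts:
                locked.add(account)   # lock and notify the administrator
                alerts.append((when, account, "locked after failed logins"))
        elif kind == "login_ok":
            failures[account] = 0     # a success resets the failure count
        elif kind == "meeting_end":
            ended[meeting] = t        # meeting should be cleared from here on
        elif kind == "activity" and meeting in ended:
            if t > ended[meeting] + grace:
                alerts.append((when, account, "active after meeting ended"))
    return locked, alerts

if __name__ == "__main__":
    locked, alerts = review(EVENTS)
    print("locked:", sorted(locked))
    for alert in alerts:
        print(*alert)
```
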

For an e-meeting to be successful, it is important to strike the right balance between collaboration and security. Although nothing can be made absolutely secure, with prudent policies and good technology, you can make illegal access at least “very difficult.”

Rick McConnell is Chief Executive Officer at Latitude Communications, a leading provider of fully integrated “on-network” web and voice conferencing solutions for enterprises that make remote collaboration as productive as meeting in-person. Customers choose Latitude's flagship solution, MeetingPlace®, for its “on-network” deployment, which allows them to use their own networks to deploy conferencing, regardless of whether the system is located in-house or is hosted. This deployment, along with seamless integration with desktop applications such as Outlook, results in cost savings, security and ease of IT management. Contact Latitude at info@latitude.com or 800-999-7400.

David Coleman is the Founder and Managing Director of Collaborative Strategies LLC (CS) and the editor of "Inside Collaboration". CS is the leading analyst firm covering collaboration technologies and their use. Serving both vendors and end-users of these technologies, CS provides a variety of publications and services that help these populations in being more successful in selling or using collaboration technologies. Collaborative Strategies can be reached by e-mail at davidc@collaborate.com, or by telephone at 415/282-9197.

 

Collaborative Strategies makes every effort to bring you timely, accurate information on collaboration and knowledge management. However, we are part of a rapidly evolving market ourselves and events occur during the publication of this newsletter every month that we do not become aware of or that happen post-production. If you know of such events please contact us at davidc@collaborate.com so we can note these key events in the next edition of this newsletter.

Copyright © Collaborative Strategies LLC. 2003. All Rights Reserved. This site is protected by copyright law and international treaties.