Factor #1: FedRAMP Compliance

Is there some standard out there that tells clues you into the security levels of a web conferencing platform? Yes!  A few actually.

Many international organizations look for a platform to be ISO 27001 Certified.  (ISO stands for the International Organization of Standards.)  For those of us stateside, the standard-bearer is the National Institute of Standards and Technology (NIST).

In the last decade, the US government realized that with changing technologies and data sharing, new security measures needed to be put in place for federal agencies.  As a result, the Federal Information Security Management Act (FISMA) was enacted to get the process rolling.

NIST, in turn, developed standards specific for web conferencing security and cloud systems.  The eventual outcome was the Federal Risk and Authorization Management Program (FedRAMP).  

Let’s just say this. If the web conferencing platform you use is FedRAMP certified, you can feel confident you’re well protected.

These standards can be far-reaching.  Here’s a quick run-down on what you need to know about FedRAMP:

• FedRAMP standards are in accordance with legislation outlined by FISMA, and they meet the baseline security controls set out by  NIST in their special publication 800-53.

• As defined by the NIST, security controls are the safeguards and countermeasures used by a particular information system to protect confidential and integral parts of that system.

• In all, there are 18 “families” of security controls that range from system configuration management to physical and environmental protection. Within each family, there are numerous sub-categories with hundreds of specific security controls.

• If your web conferencing platform is FedRAMP compliant, it will hold the “Agency FedRAMP Authorization” title.

Is your web conferencing platform FedRAMP compliant?  If not, you should evaluate how extensive your web conferencing security features are.

To give you a few suggestions of what to consider, here are a few examples of the layers of security that factor into FedRAMP compliance.

Factor #2: Advanced Access Restrictions

Strong security begins with the configuration of gated access. Passwords for hosts before they open a virtual room; codes for participants before they join.  But there are ways to further secure access. 

The following examples are required for FedRAMP compliance:

• Atypical usage: Restrictions that can be set to limit the hours a virtual room can be accessed. By tightening hours of usage, you can minimize the time in which vulnerable information can be viewed and tampered.
• Remote or wireless access: Certain parameters allow you to monitor remote users, and relay only encrypted information to protect from unwanted hands.

To further limit the availability of access, gates such as session locks and credential termination help manage who enters your virtual rooms:

• Session locks: A session lock is set by a host after a sensitive online event begins.  Doing so restricts access to participants who show up late. Locks help avoid unwanted visitors from peeping in on your conversations.
• Credential termination: When a member leaves the hosted space, the credentials they used initially will no longer work.  This functionality is very important if you have participants who join meetings to speak on a topic, but then are required to leave later when the information they aren’t privy to is shared.  You wouldn’t want them joining again, so you prevent readmittance with credential termination.

Factor #3: Define Roles and Privileges

A comprehensive security system allows account administrators to define the roles and privileges of your employees.  These determinations will, in turn, establish the conditions by which a user can interact with a group or virtual room.  You can define these privileges with role-based access controls (RBAC) and dynamic privilege management:

• Role-Based Access Controls: When used in large online event settings, RBACs allow you to define the levels of interaction users can have in a platform.

You wouldn’t want a participant to be able to open up your meeting room whenever they feel like it.  Setting RBACs limit the number of people who have the “clearance” to open your virtual room.  Additionally, if an individual isn’t a set up with the desired role, they won’t be able to join active meetings.  Thus, you prevent people from joining events where they shouldn’t be there.

These controls then translate into room controls.  So having tiers is key.  Minimally, it seems valuable to have Hosts, Presenters, and Participants.  (Note: The level of control descends from most control with Hosts to least with Participants.)  The host owns the room. They can set access requirements.  They manage the content uploaded and the interactions of the room.

Presenters, being a tier down, have some control over the room but less than Hosts.  And participants are limited to interactions with the pre-configured aspects of the room: Polls, Chats, Q&As, and so on.  RBACs serve a great security purpose, both before sessions and while the event is taking place.

• Dynamic privilege management: Through dynamic privilege management, you allow a user to retain their virtual identity when their access privileges are amended. In a similar scenario to the above, a user could have their privileges upgraded for a one-time event, then demoted at the event’s conclusion.  All the while, their virtual identity remains intact.

When it comes to ensuring valuable information isn’t falling into the wrong hands, you need security features that allow account administrators to easily define roles and privileges.  RBACs and dynamic privilege management represent great options for managing the privileges of your users during your online events.

Factor #4: Blacklisting Features

Imagine you’re a low-level operative of the CIA in the 1970s.  You’ve just been assigned to a new case and the files are scattered across your desk.  Trembling with excitement, you peel back the manilla folder to find…a bunch of completely redacted documents?!?! “This is going to be a long case,” you grumble angrily.

Redaction of information serves an important purpose for our government. It helps agencies share records and reports without compromising the most sensitive aspects of those files.  While not a perfect analogy, blacklisting features on a web conferencing platform works in a similar manner.  You get to collaborate and communicate while curbing security vulnerabilities. 

The ability to blacklist features basically means that you – as an account administrator – can limit which features appear in users’ virtual rooms.  Blacklisting can also give you the opportunity to place restrictions on the functionality of those features.

Factor #5: Recording Encryption

Just because an online event concludes without issue, doesn’t mean you’re in the clear yet.  Most web conferencing platforms allow you to record online events, which is great because recordings can be shared with individuals who were unable to attend.  But these recordings may leave you susceptible to information compromise.

What happens to the information in the recording when your web conferencing provider stores it for it to you?  If not encrypted, these recordings can prove a significant vulnerability.  The standard for securing the recordings requires the AES 256-bit encryption.  A good web conferencing provider will encrypt the recording while in storage and transmission.

The best providers also keep logs of interactions with encrypted materials. If your recordings are encrypted, any employee who interacts with them will be identified – their virtual fingerprints will be everywhere. So, on the off chance a recording goes missing, you can figure out who may be responsible!

Factor #6: External Hosting & On-Premise Options

Most web conferencing platforms are SaaS and cloud-based.  This works for most companies.

If you need to go above and beyond the typical security controls because your information has a virtual “burn after reading” stamp on it, you should look into external hosting options or on-premise deployment. 

External hosting is a service some web conferencing providers may offer – to manage the “classified” information of your online events.

An external host can provide you several services.  To begin with, they can monitor and manage content that is uploaded.  Depending upon your needs, these uploads can later be purged to minimize exposure.  If the information is very delicate, the content can be destroyed upon the event’s closure.  The benefits of monitoring limit the potential harm of compromised information.

An external host can also create a metadata backup of the online event.  Such a backup provides you a means to retain some information related to the event, but nothing that will leave you exposed.  Be aware that not all web conferencing providers facilitate external hosting.

External hosting options should be at the top of your list when evaluating web conferencing security.

On-premise deployment is another good option for bolstering web conferencing security.  “On-prem” allows you to place the software behind your firewall and under the supervision of the Technicians, you trust most.

Organizations with high-level security needs and are threatened by hackers and the like, often turn to on-prem deployment.  It gives your IT team the control they need to ensure every aspect of your online events is secure.  Doing so also gives your team the opportunity to run the diagnostics reports that the most important for your organization.