Video conferencing and other digital collaboration tools make it possible for government personnel to virtually conduct the meetings, conferences and hearings necessary to serve their constituents. As we noted in our last post, however, agencies must use solutions that meet the high standards for security and privacy necessary for conducting sensitive government business.
Security wasn’t always a primary consideration when government entities were forced to rapidly implement team collaboration during the pandemic’s onset. After two years, it has become apparent that some of the solutions chosen to expedite remote work requirements have a multitude of flaws that hackers can leverage to gain unauthorized access to virtual meetings. Here are three common exploits:
- Meeting intrusions. Improperly configured virtual meetings can be disrupted by unauthorized users. Frequently, the uninvited will simply “bomb” meeting participants with unwanted pornographic or offensive content.
- Phishing. Unauthorized users often share malicious links in meeting chat sessions. Once clicked, these links can allow the attacker to steal participants’ credentials and other important information.
- Data theft. Misconfigured settings allow malicious actors to steal sensitive information from message boards, recorded meetings stored in the cloud and even internal servers. Improper file sharing, screen sharing and meeting recording can also expose sensitive information.
The National Institute of Standards and Technology (NIST) has developed tips for securing collaboration platforms. Among other suggestions, the NIST recommends limiting the reuse of access codes, using one-time PINs for sensitive meetings and delaying meetings until the host joins. Organizations should also avoid recording meetings unless it is necessary and disable features such as chat and file sharing unless they are needed.
While those are valuable tips, it’s even more important to use a collaboration platform that is designed to incorporate security at every level. For example, Cisco Webex collaboration solutions are designed from the ground up with security in mind.
Webex is among the few collaboration platforms that adhere to FedRAMP federal security requirements. End‑to‑end encryption keeps messages, documents and whiteboard content encrypted while in transit between devices, and protects data at rest in databases, storage devices and backups. Native multifactor authentication protects user identities and credentials.
These features all contribute to the zero-trust model for Webex meetings. The approach is driven by three guiding principles — verify the identity of every user, validate every device and limit access privileges to the bare minimum. The Webex zero-trust security model features three distinct layers of protection:
- Identity. End-to-end identity management requires that clients have credentials to prove their identity. Single Sign-On authentication allows users to generate a single set of credentials for multiple applications, but the process involves tedious and error-prone manual process for managing digital key certificates. Webex improves authentication through the use of the Automated Certificate Management Environment (ACME) protocol, which automates the process of generating and issuing certificates.
- Key exchange. Clients participating in a meeting need keys to be created for end-to-end encryption without giving the conferencing provider access to those keys. However, it can be challenging to establish keys for group chat settings using traditional protocols DTLS for data streams and SDES for media streams. Webex uses the Messaging Layer Security (MLS), an emerging cryptographic key generation protocol designed to ensure both data and media privacy in group chats.
- Content protection. It’s important to protect the actual media content of the meeting. This has usually been done by encrypting individual data packets using the Secure Real-Time Transport Protocol, but packet loss and latency cause problems for real-time media transmissions. Webex eliminates this issue by using the Secure Frames (SFrames) to encrypt entire media frames instead of individual packets. That enables much faster encryption of real-time media by reducing the number of individual encryption operations.
In a new survey of government cybersecurity decision-makers, 73 percent said their Agencies are “aggressively adopting” zero-trust principles, while another 26 percent are adopting those principles where they feel it makes sense. Those using Webex to conduct their virtual meetings are already ahead of the game. Give us a call to learn more about creating a zero-trust collaboration environment with Webex.
Collaboration Security with Webex
Contact us to learn how Webex team collaboration solutions can create a zero-trust environment for your virtual meetings.