Freedom generally entails risks, and Web conferencing is no exception. While virtual meetings liberate companies from the financial and logistical complications of face-to-face conferences, they also place confidential company information in an environment vulnerable to rivals and hackers.
Trade secrets, employee records, product knowledge and earnings projections are some of the information commonly shared during Web conferences [source: Cisco]. Sharing this information online makes it vulnerable to theft.
And security problems do happen. In October 2006, for example, Adobe Connect Web meeting software announced it had discovered a security breach that could lead to information access by unwanted third parties. [source: The Web Conferencing Blog].
However, there are numerous ways that companies can protect data while enjoying the freedom and cost-cutting offered by Web conferencing.
Some companies have found that switching to Web conferencing leads to a substantial Return on Investment (ROI). The Chicago-based Web firm Fieldglass has estimated that the use of Web conferencing saves it more than $1.9 million every year. [source: Communications News].
In this article, we'll learn how Web conferencing security works, explore the architecture of Web conferencing security and provide tips for holding secure Web conferences. Finally, we'll consider the host's role in regulating the Web conference.
Network Security for Web Conferencing
During a Web conference, data is temporarily stored on a shared Internet server. The primary risk of Web conferencing is the possibility that this data will leak beyond the realm of the conference and become accessible to hostile parties.
That's why measures such as Secure Socket Layer (SSL) encryption, non-persistent data flow and intrusion control are essential to protecting data transmitted during a Web conference. Using this three-pronged approach dramatically minimizes the likelihood of an information leak.
First, the data itself is encrypted with SSL technology, ensuring that it'll be unreadable by anyone other than the intended recipients should it fall into the wrong hands.
To prevent its falling into the wrong hands in the first place, the encrypted data can be placed in a constant state of migration, or switching, from the conference host's computer to the attendees' computers, rather than being persistently stored on one server. This non-persistent data transfer is similar to a telephone network, where data originates on the network but doesn't remain there [source: WebEx].
Finally, intrusion control works like a security guard with his search light, who constantly scans the network for non-authorized users and denies access to these users by shutting down a transfer port.
More than a dozen companies currently provide Web-conference-hosting services. While each company has its own version of a security architecture, they have more commonalities than they do differences.
It's standard in the Web-conferencing industry to view security architecture as a stack that has user controls on the top and data storage on the bottom, with meeting controls in the middle. Here's how WebEx, a leading provider of Web conferencing services, models its security architecture:
- Site Security
- Meeting Security
- Network Security
- Physical Security
- Third-party audits.
Microsoft's Live Meeting illustrates its security model as a building with three vertical pillars of equal value:
- Access Controls
- Content Storage
- Data Transmission
Next, we'll give you some tips on ensuring security during Web conferences.
Web Conferencing Security Tips
Protecting your confidential data during a Web conference requires vigilance on multiple fronts before, during and after the meeting. A research report on Web conferences in 2003 identified three overarching goals in assuring Web conferencing security:
- Take ownership
- Comply with standards
- Secure the environment
Here are some more specific tips on how to hold a secure Web conference. They fall under three categories:
- Entrance Requirements
- Information Access
- Data Protection and Storage
Before your conference begins, you need to make sure that only the people you want to attend are able to attend. It's important not to publish meeting titles or otherwise publicize your conference, so as not to tip off hostile parties that the conference is happening. Here are some other tips on entrance requirements:
- Send e-mail invitations over a secure e-mail server to make sure they're not intercepted. Secure invitations are your first line of defense against unwanted intrusions
- Maintain a strict policy regarding passwords for entrance into the conference. Most Web conferencing services allow you to require two separate passwords for especially confidential meetings.
- Limit password authentication attempts to stymie would-be hackers.
- Authenticate both voice and Web access to the meeting.
Not all the information presented during your conference needs to be made available at all times, nor to all parties. Before the conference begins, your company should agree what information is confidential and what information isn't. Here are tips on handling information access:
- Assign different participants different access levels based on their need-to-know status, agreed on before the meeting.
- Don't make all the information available at once; release access to information at different points in the meeting.
- Don't pass information via an instant-messenger service.
- Don't allow video recording of the conference.
Data Protection and Storage
Your data is the lifeblood of your company and needs to be protected at every stage of the Web conferencing process. If you're using an outside hosting service, make sure that the vendor's security policy is in line with your company's needs.
Hosting the conference on your own server is ideal, but not always possible. As the number of vendors offering Web conferencing services has increased, they have begun to make security a priority. Here are some ways to protect your data:
- Comply with corporate standards for Web conferencing. Over time, such compliance strengthens meeting security. Look to XCON for these standards.
- Use the highest level of encryption possible for your data.
- If you're using a third party service as a host, avoid placing confidential data onto their server.
- If you must place confidential data onto a third-party server, delete it immediately after the meeting.
Turn to the next page to learn about third-party audits.
Third Party Audits for Web Conferencing
Companies want to know without a doubt that the data that may temporarily reside on a vendor's server during a Web conference is not being accessed by unwanted parties.
Web-conference-hosting services make a lot of promises about security, but to be certain that your data is being handled properly, it's important to know that the service has the oversight of a third-party auditing body. Third-party auditors are certified accountants hired by the vendor to come in with a checklist and determine, in an unbiased fashion, that the vendor is making good on its security promises. The auditor annually reviews the procedures of the hosting service, and awards it with a seal of approval if it meets security standards.
Ernst & Young, which provides WebTrust and SAS-70 Type I & II certification, holds companies to the following security standards.
First, the company must identify and document its specific security measures. It also must explain how it allows access to authorized users, what kind of access it allows, and who authorizes that access. Here are some other areas reviewed by Ernst & Young in its security auditing process:
- Preventing unauthorized access
- The procedures to add new users, modify the access levels of existing users, and remove users who no longer need access
- Assignment of responsibility and accountability for system security
- Assignment of responsibility and accountability for system changes and maintenance
- Testing, evaluating, and authorizing system components before implementation
- Addressing how complaints and requests relating to security issues are resolved
- The procedures to handle security breaches and other incidents
- Provision for allocation for training and other resources to support its system security policies
- Provision for the handling of exceptions and situations not specifically addressed in its system security policies
- Provision for the identification of, and consistency with, applicable laws and regulations, defined commitments, service level agreements, and other contracts
On the next page, you'll learn more about hosting Web conferences.
Hosting Web Conferences -- Regulation Options
The key to holding secure Web conferences is to counterbalance the openness of the Web conferencing platform by asserting as much control as possible over the proceedings and its attendees. As a host, you wield a lot of power over the meeting and how information is shared. Web conferencing services allow the host significant control over the meeting. As the host, you can regulate the conference by:
- Gathering registration information
- Determining who is allowed entrance to the conference
- Deciding what information will be made available to which participants
- Setting password requirements
- Expelling unwanted participants
- Ending the meeting at any time
- Terminating the application sharing session at any time
- Screening new entrants
- Locking the conference to new entrants
- Tracking information on meeting attendees
- Monitoring for security breaches
- Saving and deleting content
- Deleting information at the end of the conference
Understanding the risks involved in Web conferencing is the first step toward creating a safe Web conferencing environment. By encrypting data, ensuring that it's not persistently stored and tracking the activity of conference attendees, you can greatly minimize the possibility of security breaches.
Even if you're using an outside Web conferencing service with third-party accreditation, you shouldn't assume that this means your conference is safe. You still need to establish vigilant protocols as the host, such as passwords. You should also determine who's allowed access to information and set procedures for handling information after the meeting.
Web conferencing is still relatively young, and vendors are continuing to address security concerns. For the time being, many companies are finding that the benefits of virtual meetings -- reduced travel costs, the ability to share information -- outweigh the moderate risks of data theft. As long as a company is vigilant about security and uses a vendor with strict security measures in place, Web conferencing should be seen as a viable alternative to the traditional face-to-face meeting.
For more information about Web conferencing security and related topics, check out the links on the next page.