• Type: Whitepaper
  • Topics: Conferencing
  • Date: January 2016

By Tim Kridel, Special to AVIXA

Lots of AV firms offer motorized window shades, which automatically drop when a meeting is about to begin in a particularly sunny room. Maybe it’s time to start selling shades as a way to secure those meetings, too.

Consider this common practice: Meeting organizers write or display the enterprise Wi-Fi network’s SSID in a conference room so presenters can connect their laptops and tablets. If that conference room is on the ground floor, such a practice just made those meetings very public, along with the entire corporate network, if the room’s Wi-Fi isn’t partitioned off into a virtual LAN.

“You could walk right up to the room's window, log on and you’re on their core network because there’s often no separation,” says David Danto, a Dimension Data Principal Consultant who’s seen this risk firsthand. “The guy who was in charge of the AV systems said, ‘Don’t worry about it. That’s an IT security problem. They’ll catch it.’ It wasn’t in that guy’s silo, so he wasn’t interested.”

The moral to the story is that security is very much in AV’s silo. Securing videoconferencing, unified communications and other collaboration systems is particularly important — and particularly challenging — because modern meetings frequently involve confidential information and multiple partners who are both in the room and remote.

Today, every endpoint is a potential backdoor for hackers or other network snoops. If one meeting participant works for a company with lax security policies, the device they’re using could be a way to eavesdrop on the meeting or access all of the other attendees’ corporate networks. 

Some barriers are relatively easy and cheap to erect. One example is configuring a video codec so that it answers manually rather than automatically, or answers automatically but only with the mic muted. Indeed, a little configuration can go a long way.

“Often enterprises have the equipment they need to properly secure their networks in production, but sometimes that equipment is simply lacking the proper configuration,” says John Fuchs, AVI Systems IT Director. “No equipment comes out of the box fully secured. In fact, it’s generally just the opposite.” AVI Systems is an AVIXA AV Provider of Excellence (APEx).

Another simple measure: If collaboration spaces use wireless mics, they should use encrypted models.

“There are still a huge number of clients I go to see where you can’t get into the building unless you give an ID and somebody comes to pick you up,” Danto says. “Then they’re using unencrypted wireless microphones. You can sit in your car in their parking lot and listen to everything said in their room.”

But don’t stop there when it comes to encryption. Extend it to video, control and other streams. “As a security design principle, you have to assume your communications can be captured once it leaves the privacy of your organization’s network,” Fuchs says. “If your communications are intended to be confidential, then end-to-end encryption is a must.”

There are different levels and types of encryption, and the choice comes down to the needs of a particular client or vertical. For instance, Sensory Technologies, also an APEx company, offers a hosted video collaboration service that’s JITC certified by the U.S. Department of Defense, which means it uses the highest levels of the Advanced Encryption Standard (AES) and then some, and is fit for government.

“So from a snooping standpoint, trying to capture a stream is next to impossible,” says Blaine Brown, Chief Technology Officer at Sensory Technologies.

That high level of protection might seem necessary only when selling into the government market. But it could be equally appealing when targeting other verticals, such as financial services.

Who Are You?

When securing collaboration spaces — both physical and virtual — authentication also is important. “During a collaboration session, everything is protected through encryption, but that doesn’t stop people from joining,” says Michael Frendo, Executive Vice President of Worldwide Engineering at Polycom. “So you want to have great ways of authenticating people.” The company is developing a product that uses employee ID badges to authenticate people. Other emerging options include biometrics, where an endpoint uses a person’s face, voice or both to determine whether she should be allowed to participate in a meeting. Some biometrics platforms already have “liveness detection,” which can tell when a fraudster is holding up an authorized user’s photo or playing a recording of her voice. 

At the very least, biometrics offers another way to build multiple authentication layers into collaboration systems. “You want at least dual-factor authentication,” Frendo says. “One is too easy to defeat.”

Of course when UCC participants have to authenticate multiple times, there’s the risk that they’ll forget some part — such as their PIN — or get frustrated by the gauntlet. That’s another reason clients may consider biometrics for logging into collaboration sessions: Fingerprints, faces and voiceprints can’t be lost or forgotten.

Biometrics also can help meet client preferences. For example, many smartphones and tablets now can be unlocked when the owner peers into their camera — a plus when those devices double as collaboration endpoints. But those devices also are conditioning people to expect alternatives to passwords, PINs and other burdensome security mechanisms. When those people are buying collaboration solutions, a product with biometrics could have a competitive edge.

Problems = Opportunities, Opportunities = Problems

Some AV integrators offer hosted collaboration services as a way to offset declining hardware margins and create recurring revenue streams. The sales pitches traditionally center on how the cloud frees the client from the cost of buying and maintaining on-premise infrastructure.

Security could become another way to convince clients to go the hosted route, especially as media coverage of IT breaches builds awareness. Educating clients about security risks can help demonstrate why it’s more efficient to have an AV service provider and integrator take responsibility for applying patches and updates.

“Cloud application service providers have a laser focus on their product offerings and are constantly applying security updates and are built on redundant platforms with dedicated staff and monitoring tools to make sure their services stay running,” Fuchs says. “Very few organizations can afford to make the investment in hardware, software and personnel to achieve that level of service on their own.”

Of course, that role puts pressure on integrators to deliver, which can be challenging when AV vendors make it difficult to find and get patches. “Go to an AV manufacturer's website with some model numbers and see if you can even get information about patches,” Danto says. “It’s the Wild West. Some companies will list it, and it’s a download. Some will say to call their support people. Some won’t reference it at all.”

Some AV integrators are expanding their hosted collaboration solutions to include archiving and indexing. “There I think security will be much more of a challenge and much more of an emphasis because now you’re storing content versus just preventing someone from trying to hijack a feed,” says Brown of Sensory Technologies, which is preparing to launch an archiving service.

Those recordings will have to be encrypted, and access will have to be limited to authorized users. To do that, AV firms will have to start thinking like data center operators. One example is developing a process to ensure that one client’s content isn’t hauled off when another client on the same physical server is subject to a law enforcement investigation.

Savvy IT directors know about those kinds of scenarios, so expect in-depth questions if they’re also in charge of AV. For that matter, expect more security-related questions across the board, partly because collaboration systems use IT networks and because of the awareness that builds with every media report of a breach.

“For larger customers — the Fortune 500s and higher — security is a very big deal,” Brown says. “We’re starting to see a trend toward more people being aware and cautious about what they’re doing.”