Security in video communications

Eero Heikkilä, Elisa Videra's Head of Professional Services, says that in order to ensure the critical security requirements in video communications, they have to be taken into consideration from the very beginning. But the experts at Elisa Videra won't settle for just filling the requirements – they build the entire solution on security.

"Our information security management system follows the ISO/IEC 27001 requirements", Heikkilä emphasizes. "That ensures that all technical, operational and physical aspects are thoroughly dealt with."

Eero Heikkilä has a vast experience and expertise in security management
and is currently the Head of Professional Services at Elisa Videra.

The role of the technology vendor is essential in making certain that the provided technology and equipment meet the user requirements. Pexip is one of Elisa Videra's technology partners that provides best-in-class industry security, interoperability, infinite scalability and a wide variety of ways to ensure high quality and easy-to-use video meeting solutions. 

Especially with government organizations, financial institutions, healthcare providers and others dealing with highly confidential information on a daily basis, the importance of screening and choosing a trusted provider of technology cannot be overemphasized. With video meetings, proprietary and sensitive information is shared frequently, and employers need to feel certain that no one else can access that data without permission. These types of customers typically prefer to run the entire meeting platform on-premises and inside their network, or in the private cloud of their choice, and Pexip offers flexible deployment options. 

"The entire solution has to be built so that it can provide the best possible support for both the pre-meeting and in-meeting phases, like support roster controls, using PIN codes and encoded phone calls", Heikkilä emphasizes. 

During the meeting, one of the best rules of thumb to ensure sufficient security is to act the same way as you would at a physical meeting.

"The user has to be able to control both the meeting space and the participants. The same way that you browse across a meeting room to see who is present, you can check the roster list to see that the right people have arrived", Heikkilä advises. "Then, just as you would close the door, you should lock the virtual room to prevent further entry."

Heikkilä refers to increasingly common "meeting bombing" incidents: if there is not even a simple PIN code required, an uninvited participant can enter a meeting just by randomly tapping in email-like URL-addresses or conference IDs. The organizer should be able to prevent this kind of incident from happening, or at the very least throw the unwanted participant out and prevent the re-entry.

In addition to PIN codes, pre-meeting security can be enhanced with virtual meeting rooms and IDs that are valid only for the duration of the meeting. The invitations play a role as well: they should only be sent to relevant recipients.

When the most sensitive issues are discussed, everyone has to be especially alert for any eavesdropping that might take place. And, as the meeting has been adjourned, just as you would turn off the lights in a conference room, in the same way you should end the virtual meeting.

Even, and especially, when it comes to the devices that are used to attend virtual meetings, common sense prevails. Default passwords should never be used; instead, the administrators (not the end-users) should be given the opportunity to manage the devices. Signaling and media should be encrypted whenever possible, and centralized provisioning should be utilized for ensuring consistent settings.

In addition, only up-to-date devices with latest software versions should be used. Every now and then, a device that has no more active support shows up in video conferencing deployment and causes challenges from both operability and security points of view. 

These devices may not be covered by an active maintenance contract, but even worse, they may be completely end-of-sales, end-of-life and end-of-support by the vendors, meaning that the vendor will no longer provide security fixes, bug fixes or functionality updates for them. Added to the frustration that these devices cause for the end user, as they don’t work similarly as up-to-date devices, they also have interoperability flaws and may act as so-called backdoors to the customer network. 

Especially during a pandemic, when even the most sensitive kinds of meetings are being held virtually, the collection and handling of data has become an essential security issue. The participants are interested in what kind of data will be collected, what will be done with it and where it will be stored. 

With so many alternatives at hand and so many viewpoints to consider, including all government and business-related regulations there might be, managing such a versatile service platform goes well beyond any in-house IT department's comfort zone. 

"With encrypted calls, on-premises services are not necessarily more secure", Eero Heikkilä states. "To ensure the best possible outcome from every angle, it often makes sense to let dedicated experts run these services."

As the needs of users become more versatile, the chosen video conferencing service is expected to be able to adapt quickly to required changes. This has led to organisations' growing interest towards moving their self-hosted infrastructure into a cloud environment, where, for example, capacity increase can take place promptly. While the flexibility of a cloud environment is undeniable, certain doubts exist, and issues like data security and control have slowed down this development.

Many of these obstacles were removed in December 2020 as Pexip, a leading provider of enterprise video conferencing and collaboration solutions, announced the launch of the Pexip Private Cloud – a deployment option for video conferencing that provides the ease and scalability of a shared cloud with the control, security and privacy of a self-hosted solution.

Heikkilä adds that with the modern solutions, added security does not have to contradict the functionality. Even in that sense, it is better to aim high.

Special integrators such as Elisa Videra, who deal with these kinds of issues every day, are the best way to ensure that for any given situation and circumstance, the best available security solution can be designed, implemented and maintained.