The ability to join a meeting, connect your own device and share content is now a given in today’s workplace. Steve Montgomery explores the security implications this expectation has created.
AV products have entered the workplace in vast quantities and are commonly integrated into corporate IT systems. The onus is on suppliers and integrators of these devices to ensure these systems meet end-user security requirements. Any device that enables commercially sensitive content to be accessed or displayed within an organisation must be secure to prevent misuse and loss of data.
“System security is absolutely crucial when talking about content sharing in the workplace,” says Lieven Bertier, director GTM strategy and services meeting experience at Barco. “It is vital that employees’ conversations are secure and confidential, especially when dealing with content-sharing technologies. As cyberattacks on corporate organisations become increasingly prevalent, the importance of robust security is only going to increase and should be one of the first things considered when designing workplace technology systems.”
This applies just as much to internal security. Personal employee information has to be kept secret from co-workers. Any device, such as a collaboration system, or even an intelligent display, must not be easily accessible from an unauthorised network point, and must clear any cached data as soon as it has been released by a user; otherwise it could be a simple task for someone to recall it.
This is becoming a much more complex task as users require access to content from an ever-increasing range of personal devices. Interoperability of products enabling them to work with devices from a range of manufacturers is high on the list of features. “Standalone products no longer really exist. Technologies need to integrate with other systems that are often from competing manufacturers with the minimum of configuration and provide a seamless experience to the user,” says Bertier.
Many years ago, the AV industry moved from video conferencing via the telephone network to IP networks. It didn’t matter if the system was using the internet or intranet, the systems all used proprietary hardware codecs. Even if someone managed to intercept the data stream, decoding it was complicated and involved expensive hardware. Today many systems are software-based, which means more attention must be paid to security. If someone gets hold of the stream they already have the means to decode it on their laptop or phone.
Assessing the security of individual products is not something that end users want to become involved with when a new system is deployed. People are conditioned to expect technology to be easy to use, which can lead to security being sacrificed. If a system is too difficult to use, people tend to work around the technology in favour of availability. “Generally speaking, end users aren’t usually involved in the security discussion of content sharing. While it’s important for them to know that the data is secured, their main concern is the ease of use of the system in place,” points out Noa Ustin of Kramer.
David Silberstein, director of technology, WyreStorm Technologies, agrees: “Users presume that content sharing and collaboration systems are secure. They expect it, or IT would not approve its use. Even if they are using free or low-cost services like Google Hangout, Skype or DropBox, the user feels secure or does not think about security in most cases.”
Physically removing a device containing sensitive data on an internal hard disk is an option for data thieves. “Some AV devices contain hard disks with cached content comprising sensitive information that would be classed as a breach under GDPR if stolen; just like a PC,” explains Spiros Andreou, service delivery manager for UK integrator CDEC. “If devices are destined to have data stored on them then the internal disks should be encrypted with a FIPS-140-2 (the US government cryptographic minimum standards) encryption scheme. Cryptography is hard to implement and maintain unless it is designed into the device, so this should be considered carefully when selecting a product.”
Whilst users may not consider security themselves, corporate IT teams must. Most, if not all, content sharing devices use the corporate network to transfer data. Any device added onto the network can expose the whole organisation to attack if not correctly secured.
AV equipment must therefore comply with internal security procedures. This is something that concerns Ustin, who suggests what action the AV industry should take: “IT teams are always wary of adding anything to the corporate network which is understandable. Many products do not take security into account. If we want to convince IT professionals, we need to speak in the same language and terminology as they do when explaining the security aspect of their systems.”
David Thorson, VP, programming at AVI-SPL has experience of working with IT teams to allay their fears: “I don’t think IT teams are resistant to collaboration and content sharing systems, the question is what is the right platform, or combination of platforms? The best approach AV integrators can make when discussing how to deploy content sharing systems is by selecting technologies that integrate with the customers’ existing management tools. For example, integrating platforms with LDAP allows IT to leverage a tool they are familiar with in a new way allowing systems to be secure and easy to use.”
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. It is commonly used to provide a central place to store usernames and passwords. Andreou also cites it as an essential feature: “The best AV devices will support LDAP or AD authentication with multiple roles meaning that granular access controls can be defined for administrators, users and read-only, and that access can be audited.”
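One way to implement the granular, auditable directory-backed access Andreou describes, as an added example that is not any vendor's code: group membership returned by LDAP/AD is mapped to device roles, anything not explicitly mapped is denied, and every decision is logged. The group DNs, usernames and in-memory directory are constructed stand-ins for a real directory query.

```python
"""Directory-group role mapping with an audit trail for a content-sharing device."""
from datetime import datetime, timezone

# Least-privilege permission sets; any operation not listed for a role is denied.
ROLE_PERMISSIONS = {
    "readonly": {"view_status"},
    "user": {"view_status", "share_content"},
    "admin": {"view_status", "share_content", "change_config", "export_logs"},
}

# Constructed mapping from directory group DNs to device roles (the DNs are
# hypothetical; a real device would read this table from its configuration).
GROUP_TO_ROLE = {
    "cn=av-admins,ou=groups,dc=example,dc=org": "admin",
    "cn=staff,ou=groups,dc=example,dc=org": "user",
    "cn=auditors,ou=groups,dc=example,dc=org": "readonly",
}

# Constructed stand-in for the directory's memberOf answers; a real device
# would bind with a service account and search LDAP/AD for these values.
DIRECTORY_GROUPS = {
    "alice": ["cn=staff,ou=groups,dc=example,dc=org",
              "cn=av-admins,ou=groups,dc=example,dc=org"],
    "bob": ["cn=staff,ou=groups,dc=example,dc=org"],
    "carol": ["cn=auditors,ou=groups,dc=example,dc=org"],
    "dave": ["cn=contractors,ou=groups,dc=example,dc=org"],  # no mapped group
}


def permissions_for(username):
    """Union of permissions from every mapped group; unmapped or unknown users get none."""
    groups = DIRECTORY_GROUPS.get(username, [])
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))


class AuditedDevice:
    """Records every authorisation decision, allowed or denied, for later review."""

    def __init__(self):
        self.audit_log = []

    def authorize(self, username, operation):
        allowed = operation in permissions_for(username)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": username, "op": operation, "allowed": allowed,
        })
        return allowed
```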
It is good practice to ensure that all devices are registered on the network. This helps to prevent external attack but does not protect against internal threats. Some organisations only permit company-owned devices to be connected to the network; however this, as Thorson points out, reduces flexibility: “The impact of too much control will often result in little flexibility. The key for IT and AV professionals is to find the appropriate mix of confidentiality, availability and integrity.” Security comes in many forms and has to be handled at many levels.
An option sometimes considered is for collaboration and sharing systems to run on a separate network. However this is often not practical and in most cases collaboration systems will need to access the corporate network to give users access to their files and directories. A separate dedicated network will not necessarily be sufficient or justify the additional cost and time needed to install and manage it.
Even if a network is totally isolated there are still concerns: who is allowed to join and listen in to the meeting? Can anyone in an open room join in by just dialling a number? Simple methods of eavesdropping are available, like electronic snooping by placing a device around a Cat5 cable to extract data or picking up signals from a standard computer monitor. Silberstein sums up the situation: “Nothing is 100% secure, the question is how far do you want or need to go to secure your data? It comes down to system requirements and design.”
Nor are systems that bypass the network completely a viable solution. Thorson: “There is no remote digital collaboration system that can exist without a network. Systems that bypass any customer’s network or management systems are known as the dreaded ‘shadow IT’.
Local collaboration systems can exist without a network and remain isolated. This option may seem secure at first, but isolated devices cannot be managed or monitored. This can lead to vulnerabilities lurking in the enterprise. This is not the answer to security concerns. It is far better to take on security practices on day one and plan for updates and maintenance to systems to ensure that any vulnerabilities are addressed as soon as possible.”
System security is an issue that everyone in the industry has to take seriously. From the AV viewpoint, products must be designed with security procedures in place. “We understood from a very early stage that for a lot of our customers the ability to present securely is a non-negotiable starting point,” explains Ustin.
“That is why VIA encrypts every bit and byte, from end to end, with the highest and latest encryption protocol and cypher keys. Not only does our solution protect the video data sent from a user to a display, but also the entire handoff between a user and a VIA device. We also make sure that our products go through exhaustive security penetration tests based on the OWASP standard.”
Integrators also have an important role to play, as summarised by Andreou. “Integrators are stepping up to help manage the increasingly treacherous world of AV device security, working closely with network administrators and manufacturers to answer the difficult questions about integrating devices that interrogate databases, talk to AD, share files with Dropbox and cache the CEO’s investor presentation.
As middle-men in the supply relationship, integrators are crucial in guiding their customers through the minefield of dangerously vulnerable, often cheaper and poorly supported products and should offer a raft of professional services to appease the network manager, the data protection officer and the room user.”