By now, you’ve likely heard the term “Zero Trust” and how it relates to cybersecurity. A few years ago, it was in more of a conceptual stage, two attached words floating about like a bobblehead, murky and undefinable. You weren’t as articulate as you hoped when asked what it meant back then. What did “Zero Trust” entail? What were the specifics? The answer would come in time and on the heels of significant breaches to national security, most notably the SolarWinds hack. That infamous breach, which went undetected for months, led technologists to prioritize architecture development and a set of guidelines to protect data optimally. A more precise definition of Zero Trust was then put into writing by the National Institute of Standards and Technology (NIST).
Defining Zero Trust
Zero Trust ensures that every user is highly vetted and pre-authorized before every digital interaction. NIST’s Federal Information Processing Standards (FIPS) incorporate the above-mentioned guidelines, which compliance regulators now recommend. Companies are starting to take concrete, customized and proactive steps, which involve verifying every person from every possible device. The objective is to keep bad actors from accessing critical assets and to protect private data from being breached.
When it comes to Zero Trust, where are we applying it and which areas are we forgetting?
President Biden signed an executive order in January 2022 to improve the nation’s cybersecurity. But wait; does that apply to the nation’s cybersecurity “overall”?
We try to ensure our networks are secure for emails, and we spend significant time worrying about viruses that may arrive in our inboxes, but there are other ways hackers breach networks in an age when communications are conducted collaboratively.
After working in cybersecurity for over two decades, I immediately realized that COVID-19 would usher in new security issues as the pandemic led to a rise in remote work. With people conducting video conferences from multiple unknown devices and locations, I knew we had to shore up the popular meeting platforms. It was apparent that critical industries would be relying more and more on conducting high-level business virtually.
Foreseeing that healthcare, finance, state/local government, disaster relief and other sectors were in jeopardy, my team and I approached the most popular video conferencing platforms at that time, offering our help with solutions to protect users.
We knew that to create a safe platform, every user (from any location and device) would have to be individually authorized and authenticated prior to every type of conference. Contrary to how the name Zero Trust may sound, it is about elevating trust rather than eliminating it.
Hackers are clever and they’re known to “follow the money.” They catch on quickly and realize that there is now something to profit from in arenas like collaborative communications. They salivate at the notion of obtaining proprietary information about mergers and acquisitions before the news becomes public.
Then there are the clowns, silly people intent on pulling pranks during serious video conferences wherein private information is discussed. “Zoom bombings” that occurred last year included incidents of hackers interrupting school board Zoom meetings to scream obscenities. Although a prank may seem benign, it can throw an organization completely off-kilter, and in a school, it can make teachers and principals extremely concerned that students – or others outside the school – overheard private information.
Before COVID-19, people used video conferencing for presentation purposes. Now, companies are relying on these virtual meetings to conduct high-level organizational discussions across critical industries and sectors requiring compliance (e.g., HIPAA in healthcare). It is the fabric of all companies today as they’ve transitioned to remote and hybrid work environments.
The importance of “layering” and other recommendations
“Layering” is key to security in collaborative communications. Most of the popular video conferencing companies that gained traction during the pandemic ask that you download desktop client software, which is quite problematic when protecting critical data. Bad actors can steal information from desktops, video streams, microphones and audio equipment. They can also craftily capture a user’s keystrokes and sneakily steal screenshots. Good cybersecurity measures ensure that these attack methods fail.
Some recommendations for establishing cybersecurity in video conferencing include the following:
- It is optimal to have no desktop client; instead, have entirely web-based conferencing, eliminating exploitable desktop clients.
- Ensure that there is foolproof two-factor authentication.
- There should be keystroke encryption (a method of protecting everything typed into a keyboard).
- Establish out-of-band authentication (so the communication channels used to authenticate each – and every single one – of the users are separate from the channels used to sign in).
- Verify users with biometric technology (e.g., fingerprint identification and facial recognition).
- When looking at video conferencing vendors, other things to consider include assessing the platform’s ability to prevent screenshot capture and to protect cameras, microphones, speakers, keyboards and clipboards.
Triaging meetings by the level of data privacy
The best practice is to categorize levels of conferences according to tiers of importance to truly protect essential and private data. For example, a social meeting, like one announcing an employee’s return after maternity leave, would be classified as a “Level One” meeting. That type of meeting would not necessitate the same specialized controls that a “Level Four” meeting would entail.
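As an added illustration (not code from the article or any vendor), the following Python sketch turns the tiering idea above into a per-join Zero Trust check: each meeting tier inherits the controls of the tiers below it, and a join is refused, with the missing controls listed, unless every required control has been proven for that specific join. The tier-to-control mapping, control names and the sample requests are assumptions made for this example.

```python
# Added example, not from the article: per-join policy evaluation for tiered meetings.
# The tier/control mapping below is an assumed illustration, not a published standard.
from dataclasses import dataclass, field

# Controls required at each tier; higher tiers inherit everything below them.
# Tier 1 = social/announcement meeting, Tier 4 = most sensitive discussion.
TIER_CONTROLS = {
    1: {"authenticated"},
    2: {"two_factor"},
    3: {"web_client_only", "out_of_band_verified"},
    4: {"biometric_verified", "screenshot_blocked", "keystroke_encrypted"},
}


@dataclass
class JoinRequest:
    user: str
    tier: int
    client: str                                   # "web" or "desktop"
    satisfied: set = field(default_factory=set)   # controls proven for THIS join only


def required_controls(tier: int) -> set:
    """Union of the controls for this tier and every lower tier."""
    if tier not in TIER_CONTROLS:
        raise ValueError(f"unknown meeting tier {tier}")
    return set().union(*(TIER_CONTROLS[t] for t in range(1, tier + 1)))


def evaluate_join(req: JoinRequest) -> tuple:
    """Decide whether one join request may enter; returns (allowed, missing_controls).

    Nothing carries over from earlier sessions: the caller must present fresh
    proofs for each join, which is the 'verify before every interaction' rule.
    """
    needed = required_controls(req.tier)
    proven = set(req.satisfied)
    # Client type is observed by the service, not claimed by the user, so a
    # desktop client can never satisfy the web-only control.
    if req.client == "web":
        proven.add("web_client_only")
    else:
        proven.discard("web_client_only")
    missing = sorted(needed - proven)
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed sample: a Tier 4 join from a web client lacking three controls.
    req = JoinRequest("alice", 4, "web", {"authenticated", "two_factor", "out_of_band_verified"})
    print(evaluate_join(req))
```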
The video conferencing space has grown from $2 billion before COVID-19 to $60 billion to $100 billion in the last two years, a staggering statistic. These numbers attest to the fact that the future of global business is in trouble across critical sectors, including the government sector, which made cybersecurity a key focus in the first place. Since video conferences have become the fabric of corporate America and business interactions worldwide, it behooves the government and us to consider these platforms’ security features, ensuring complete organizational cybersecurity hygiene.
That’s why it is my hope that the Biden administration places a special emphasis on video conferencing, highlighting it as a priority under the umbrella of cybersecurity initiatives.
Virtual collaborative communications are here to stay. Companies have realized they can save time and money on business travel and that meetings can take place across cities, states, countries and continents, involving participants across the globe. Therefore, these virtual meetings must be classified by appropriate security tiers, with specific measures delineated for specific meetings to ensure the highest level of protection for the most critical and proprietary data.