As a consequence of the coronavirus pandemic, organisations have had to rethink how they keep employees safe and healthy by providing secure remote work solutions. Over the past six months, Microsoft Teams has seen tremendous growth, and, as we return to our offices, it is becoming the meeting platform of choice for hundreds of millions of people worldwide. Employees have embraced virtual meetings as the new normal, and video meetings have become second nature for many.
Even more interesting is that according to Gartner, 82 per cent of enterprises allow employees to work remotely at least some of the time. The benefits of hybrid working – in-office and remotely – are likely to make long-term changes to our work routines.
But unlike in-person meetings – where data, presentations, and conversations stay in the room – virtual meetings happen online and in the cloud. This poses a new security threat to many companies. Where does data go, where is it stored, and who has access to it?
The UK’s National Cyber Security Centre (NCSC) has specified 14 Cloud Security Principles (CSPs) to ensure technology and solution vendors align with standard security practices. The NCSC is an independent authority that provides a single point of contact for businesses and organisations of all sizes and kinds. Its objective is to keep the UK the safest place to live and work online. NCSC works with small and medium-sized companies, large organisations, government agencies, the general public, and departments in the UK. It also collaborates with law enforcement, defence, the UK’s intelligence and security agencies, and various international partners.
NCSC’s 14 CSPs provide a systematic approach to determining whether a cloud service is a good match for an organisation’s particular security needs. They cover topics such as protecting data in transit (encryption), asset protection and resilience (protecting user data), secure user management, and secure use of the service, among ten other topics. An essential aspect of the CSPs is that they are understandable and easy to employ for IT administrators and facilities managers who are not cybersecurity professionals, making them usable and useful for many institutions.
As we return to our offices, many meeting rooms equipped with video conferencing technology will be rendered useless as they cannot be used with Teams. Organisations need to solve that compatibility challenge while focusing on the levels of security, privacy, and data protection already in place when using Teams.
Fortunately, several vendors already provide solutions that address this compatibility challenge, and they are all approved and certified by Microsoft. However, an additional challenge is that they solve it in different ways, and thus have different ways of accessing and handling users’ data.
When using shared cloud meeting services such as Microsoft Teams, it can be hard to know where users’ data is physically stored and who can access it. The Microsoft cloud benefits from Microsoft’s security and privacy measures, and of course, these measures are second to none in that scenario. When deploying a solution that bridges existing meeting room technologies and Microsoft Teams, data will be shared with a third-party vendor. It is up to this vendor to choose how data is processed, stored, and managed.
Lately, many virtual meeting solutions have been scrutinised because information is not stored according to commonly expected security protocols, is sent offshore, or is even resold to other parties. Even providing basic functionality, such as joining a virtual meeting, can pose a threat if, for example, the service needs to read every employee’s calendar. In a world where security and privacy issues are major concerns, that is hardly what an organisation wants.
Organisations have different requirements and guidelines on how to manage and implement security measures. Adhering to security management best practices and using, for instance, NCSC’s CSPs as guidance will go a long way in making sure user and company data is safe and secure.
Pexip is a strong supporter of strict security measures and data privacy. The company is ISO/IEC 27000:2013 certified, adheres to data privacy regulations such as the EU’s General Data Protection Regulation, has HIPAA-compliant solutions (for healthcare), and holds certifications from the Joint Interoperability Test Command – a wing of the US Department of Defense that tests and certifies information technology products for military use.
When we provide a solution that enables third-party meeting rooms to join Teams meetings, we also adhere to NCSC’s CSPs.
Nico Cormier is the chief operating officer at Pexip.
Learn more about the CSPs and understand how Pexip solves the compatibility challenge and keeps your meetings secure.
This article was originally published in the Autumn 2020 issue of The Record.