How to pick a high-security video conferencing platform
Several solutions meet HIPAA and GDPR requirements and complete SOC 2 audits.
When the business world went home to work 16 months ago, many companies used whatever tools they had to move daily operations online. Now, remote work is a bigger part of everyone’s office plan and the pandemic is nowhere near over. IT departments are starting to replace these short-term solutions with more sustainable systems, particularly when it comes to video conferencing.
The global enterprise video market size is projected to grow from $9.2 billion in 2021 to $22.5 billion by 2026, according to MarketsandMarkets Research.
In addition to collaboration features and ease-of-use, security is an important consideration when selecting a video conferencing platform. No one wants to risk a Zoom bomb, but regulated industries such as healthcare and banking have their own security rules to meet. This roundup highlights video conferencing platforms that prioritize security and meet these stricter requirements.
How to select a secure video conferencing platform
Tom Eagle, a senior director analyst at Gartner, said that security for meeting software such as video conferencing has become a higher priority over the last year as organizations struggled with work-from-home and now hybrid work arrangements.
Eagle said the three pillars of security are the cloud infrastructure, the network layer and the application layer.
“All three should be considered by enterprise buyers in their evaluations of meeting solutions,” he said.
Gartner has developed guidance for enterprise buyers to use when evaluating the security of conferencing and collaboration platforms.
Infrastructure level
Meeting solutions should meet industry standards such as ISO/IEC and SOC requirements to protect video content and metadata in the cloud. Regulatory and compliance standards, including GDPR, HIPAA and PCI, are also considerations at the infrastructure level. Data at rest in the cloud should be encrypted to AES standards.
Network level
The industry standards TLS and SRTP should be used to authenticate users and protect media in transit. For remote workers, VPN support may be necessary; however, because of potential performance issues, integration with a single sign-on solution may be a better option. Enterprise buyers should also look for vendors that use distributed denial of service (DDoS) mitigation measures and continuous network vulnerability scanning to detect and respond to threats and intrusions.
Application layer
There are distinct security features for IT administrators, hosts and participants. For the IT administrator, the meeting solution should support passwords for all participants, including a separate host password, as well as randomized meeting IDs and encryption. Security options for hosts should include a waiting room feature that prevents participants from joining until the host arrives, the ability to control the audio and video of all participants, control of content sharing, and the ability to lock a meeting so that no further participants can join. At the participant level, security can include requiring users to join by clicking the meeting invite rather than through an anonymous dial-in that bypasses authentication.
Here’s a look at video conferencing platforms that meet some or all of these requirements for companies in regulated industries or leaders who want to boost overall security.
Avaya
According to the company, Avaya embeds U.S. military-grade security at the application layer that meets NIST FIPS 140-2 and DoD/DISA STIGs and UCR requirements, making the platform a good choice for finance, healthcare and certain government sectors.
Avaya has a OneCloud Private service that is HIPAA compliant. The company also can help customers comply with GDPR by addressing these issues:
- Contractual commitment to privacy – data processing addendum
- Security of processing
- Data protection by design and default
- Assistance in fulfilling data subjects’ rights
- International transfers
BlueJeans by Verizon
BlueJeans has had SOC 2 attestation since 2014 and the platform meets the General Data Protection Regulation, according to the company. BlueJeans complies with the California Consumer Privacy Act and is also HIPAA ready. BlueJeans meets all applicable requirements under the HIPAA Security Rule, including those for the confidentiality, integrity and availability of protected health information. The company also offers a business associate agreement that it will enter into with covered entities to provide the needed assurances regarding use of PHI.
Dialpad
This video conferencing platform is designed for healthcare organizations that must meet HIPAA requirements. Dialpad is SOC 2 Type 2 certified and has completed the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire, which addresses the controls listed in the HIPAA Security and Privacy Rules. The company also complies with GDPR.
According to the company, most Dialpad products meet HIPAA requirements once a business associate agreement is signed. The agreement does not cover the use of Dialpad fax for private health information or the use of SMS for communicating patient information to non-Dialpad users.
Dialpad’s BAA includes a custom 30-day retention policy and provides for:
- Data encryption at rest and in transit
- Access limits based on minimum necessary privileges
- Reviews of vendor security and privacy
- Access to personal data upon request
- Ability to amend/delete data upon request
- Notification if data breach occurs
LogMeIn
In the Magic Quadrant report for meeting solutions, Gartner lists LogMeIn as a challenger in the product space and cites its use of security standards as a competitive advantage. The company offers “GoToMeeting, GoToTraining, GoToWebinar and join.me to match enterprise needs for a range of meeting scenarios,” and its products are “able to meet the certification demands of customers in regulated industries that require compliance with standards such as SOC 2 and 3, HIPAA, PCI and GDPR, as well as those that require AES 256-bit encryption for data in transit and at rest.”
According to the company, GoToAssist data is fully encrypted using Secure Sockets Layer (SSL) and government-approved 128-bit Advanced Encryption Standard (AES) end-to-end encryption combined with RSA public/private key encryption. GoToAssist may also be used by businesses subject to HIPAA, Gramm-Leach-Bliley Act or Sarbanes-Oxley regulations. LogMeIn products also meet GDPR requirements. LogMeIn conducts SOC 2 (Type 2) audits and shares a SOC 3 report for each applicable product.
Webex for Defense
Cisco built Webex for Defense specifically for the US Department of Defense (DoD). The new all-in-one solution is connected to the DoD Information Network via DISA-managed cloud access points and delivered from Cisco-hosted, DoD IL5-certified data centers. With this new platform, users can connect securely from phones and desktops for secure collaboration with internal and external users as well as DoD partners.