30 April 20, 09:02
Quote:
How secure are the most popular videoconferencing apps?
#stayhome is not just a popular tag around social networks these days, but also a harsh reality for businesses forced by the coronavirus pandemic to send most of their staff home to work remotely. Face-to-face meetings have been replaced by video calls. But corporate conferences are there to discuss more than just the weather, so before you commit to a videoconferencing app, take a look at its data protection mechanisms. To be clear, we have not conducted lab-based testing on these apps; we browsed publicly available sources for information about known problems in the most widely used software.
Google Meet and Google Duo
Google offers two video call services: Meet and Duo. The first is an app that integrates with Google’s other services (the G Suite). If your company uses those, Hangouts Meet will fit in nicely.
Security — Google Meet
Among Meet’s advantages, the vendor cites reliable data-processing infrastructure, encryption (not end-to-end, though) and a set of protection tools, all active by default. Like most other business products, G Suite, including Google Meet, conforms to advanced security standards and offers configuration and access-rights-management options among its features.
Security — Google Duo
The mobile app Duo, on the other hand, protects data using end-to-end encryption. However, it is an application designed for private users, not for businesses. Its conferences can accommodate only up to 12 participants.
Vulnerabilities and downsides
Other than some messages reminding us all that Google collects user data and therefore can be a threat to trade secrets, we were unable to find concrete information about these apps’ security performance. That does not mean that Google services are flawless, but they are backed by a very strong security team that tends to fix problems before they cause any trouble.
Slack
In Slack, you can create multiple chat workspaces for teams, conveniently shown in one window, plus channels inside your workspace dedicated to different projects. Conferencing is limited to 15 participants.
Security
Slack complies with a bunch of international security standards, including SOC 2. The service can be configured to work with medical and financial data and allows companies to select a region for data storage. And joining a Slack workspace requires either an invitation or an e-mail address using the corporate domain.
Slack also offers its customers flexible risk management instruments, integration with Data Loss Prevention (DLP) solutions, and data-access-control tools. For example, administrators can restrict the use of Slack from personal devices and the copying of information from its channels.
Vulnerabilities and downsides
According to Slack’s developers, only a limited number of businesses really need end-to-end encryption, and implementation of the feature can limit functionality. Therefore, Slack apparently has no plans to add end-to-end encryption.
Slack also lets you integrate third-party apps, whose security is not Slack’s responsibility.
Also, researchers have found vulnerabilities — serious ones — in Slack. Slack has patched the following: a bug that allowed attackers to steal data and one enabling interception of a user’s session.
Teams
Microsoft Teams integrates with Office 365, which is its main advantage for a corporate user. In response to the increased demand for work-from-home tools, Microsoft is now offering a free six-month Microsoft Teams trial, but free users will not be able to configure user settings and policies — a potential security compromise.
Security
Teams complies with a number of international standards, can be set up to work with confidential medical data, and boasts flexible security management options. Under some service plans, additional tools, such as DLP or outgoing file scanning, can be integrated into Teams. Our solution for protecting MS Office 365 scans the data exchanged through Teams to prevent malware from spreading through the corporate network.
Data sent to the server, whether chats or video calls, is encrypted, but again we are not talking about end-to-end encryption. Speaking of storage and processing, the information never leaves the region in which your company operates.
Vulnerabilities
It is a good idea to monitor vulnerabilities in Teams. Microsoft typically patches vulnerabilities quickly, but they do arise from time to time. For example, researchers recently found a vulnerability (since patched) that enabled account takeover.
Skype for Business
The cloud version of Skype for Business — the predecessor of Teams in Office 365 — is gradually becoming a thing of the past, but you can still install it locally. Some users find it more convenient than Teams, and Microsoft will continue to support the local version of Skype for the next couple of years.
Security
Skype for Business encrypts information, but not end-to-end, and the service’s protection is configurable. It also uses local server software, so video calls and other data never leave the corporate network — an obvious advantage.
Vulnerabilities and downsides
The product won’t be supported forever. Unless Microsoft changes its plans, support for the application will end in July 2021, and Skype for Business Server 2019 will be on extended support until October 14, 2025.
...