It has been several months since the confinement began. In early March (11-03) the WHO declared COVID-19 a pandemic, and from there many governments began their efforts to contain a virus that was not very well known.
Among these efforts are the so-called quarantines or confinements, some more voluntary than others, which began to move the industry toward a forced digitization of operations.
Companies that were or are used to working remotely made their transition in a more or less controlled way; those that were not were forced by a global pandemic to begin a path of digitization, telecommunication and telecommuting.
Do we have the right checks and balances in place? In many ways CIOs, CEOs and other executives were faced with a dilemma that could be difficult or easy. Each organization implemented different measures such as VPNs, remote collaboration systems, chat groups and specific laptops, and clouds regained their relevance in various aspects.
Some companies that were not in a position to make this transition followed a more conservative path: they implemented work schedules and distributed their staff, keeping a percentage offsite and the rest onsite.
Now we are approaching a model that is being called the "New Normal". Large technology companies in California have commented that their workers may return to work in late June/July; Microsoft and Amazon commented that it would be October before their corporate offices return to in-person work; and in Latin America and Europe a staggered return has been proposed. This shows that companies will make their decisions on an individual basis regarding the "return" to a centralized working model.
In all this transition, movement and return, where does IT security stand? We moved quickly to telecommuting, but did we consider the safeguarding of the company's intellectual property? Do we closely follow up on the risks of using the home internet versus the actual work? Do we measure the effectiveness of our staff in the same way, and if so, how do we do it?
Certainly, many times the answer would be NO. In mid-March I wrote a blog post about cybersecurity during coronavirus times, where I presented the different KPIs that could be considered in these times, and what we could need at an IT security level in order not to lose visibility of our operations or control of our IT staff.
What have we learned in the last 3 months and how has our telecommuting modality performed?
Surely we already have a clearer idea of what we should consider; maybe we saw things like:
Do all employees have a contracted internet speed fast enough to meet the needs of their work during the multiple telecommuting sessions? Do all employees have an adequate space where they can concentrate on their activities?
There are a number of questions about the physical spaces where employees are located, which could affect the productivity of their tasks or simply make a session impossible at a certain time because the environmental conditions of that employee at that moment did not allow it.
We have seen endless cases on YouTube: funny videos where someone is spontaneously interrupted during their session, or where they forget to turn off the camera and find themselves in an uncomfortable moment.
There is also security: who else is listening to the remote telecommuting session? Important discussions involving many people are taking place in everyone's rooms.
This new normality has to be adapted to a secure model of communication, to a secure model of information transmission, whether verbal or written, and the storage of sensitive information must be considered as an important factor.
To summarize a bit.
As a strategy for information security regarding telecommuting, I had commented:
- VPN for internal and external collaborators.
- Mobile equipment with Antimalware systems that do not depend on the corporate network.
- Access consolidation systems or remote privileged access.
- Software repositories accessible from the outside.
- Encrypted communication systems.
- Monitoring systems that adapt to hybrid infrastructures.
Today we can add:
- Encryption systems for information stored in the Cloud.
- Corporate collaborative communication media.
- Zero Trust platforms for restricted access.
- Teleconferencing solutions with point-to-point encryption capabilities.
Do you need to implement this type of protection? We can help.
This is the new normal, three months into a pandemic lockdown model that does not seem to end but to which we are adapting more and more. We must adapt to these ways of working, and part of that is understanding the risks.
Just as we understood the health risk of being on the street and managed to control it through different forms of physical and behavioral security, in this new normality we must understand the risks we face in the digital world. Along with this understanding of the new attack surface, the controls must adapt, and the technology must not only provide the capabilities for communication and work but also do so in a safe way.
The crisis caused by this COVID-19 pandemic has brought unprecedented challenges to companies in many aspects, and cybersecurity was not left out. If we manage to adapt our cybersecurity strategies in this context of global digitalization, where we must be more efficient, more connected and have better results, we will have achieved an organization with greater resilience to change and with the new standards that this has brought us.
Surely you have already seen the need to choose or hire a communication platform with video calls or collaborative systems of some style. There are many on the market. While writing this I wanted to review what was on the market for videoconferencing, and I found several platforms, some better known than others, but not few: there were more than 30. There is even a Gartner quadrant for Meeting Solutions, which seemed to me to be focused on the videoconferencing model where you had to implement an entire infrastructure with hardware, deploy it in different locations and achieve a videoconference, something outdated these days with increased speeds.
Choosing the best videoconferencing platform can involve many variables, from design and price to capabilities, and if you already have services from a provider it can be very easy to get on one or another. But from a security perspective, which platform offers the basic triad of security: point-to-point encryption (Confidentiality), attention to vulnerabilities (Integrity), and service agreements and guarantees (Availability)?
A3Sec does not offer platforms of this type, but from a security point of view I thought it would be interesting to make a small summary of these and give them a ranking in terms of how they handle your information.
The following table shows the platforms I found, whether they are listed in Gartner or not, the type of encryption they publish, the number of vulnerabilities I found published, and the SLA they handle. The rating, AAA+ being the highest, has to do with the type of encryption and SLA published.
Platform |
Gartner |
Securty |
Encryption |
Vulns |
SLA |
x |
AAA+ |
End-To-End |
0 |
99,50% |
|
n/a |
AAA+ |
End-To-End |
0 |
99,50% |
|
n/a |
AAA+ |
End-To-End |
1 |
99,90% |
|
x |
AAA+ |
End-To-End |
0 |
99,90% |
|
x |
AAA |
Client-To-Server |
0 |
99,00% |
|
n/a |
AAA |
Client-To-Server |
0 |
99% |
|
n/a |
AAA |
Client-To-Server |
0 |
99,90% |
|
x |
AAA |
Client-To-Server |
0 |
99,90% |
|
x |
AAA |
End-To-End |
5 |
99,90% |
|
n/a |
AAA |
Client-To-Server |
69 |
99,90% |
|
n/a |
AAA |
Client-To-Server |
30 |
99,90% |
|
x |
AAA |
End-To-End |
1 |
¿? |
|
x |
AAA |
End-To-End |
10 |
¿? |
|
x |
AA |
Client-To-Server |
1 |
99,90% |
|
x |
AA |
End-To-End |
0 |
¿? |
|
n/a |
A |
None |
0 |
99,50% |
|
x |
A |
None |
37 |
99,90% |
|
x |
A |
Client-To-Server |
0 |
¿? |
|
x |
A |
Client-To-Server |
0 |
¿? |
|
n/a |
A |
Client-To-Server |
0 |
¿? |
|
Intelligent Xperiences |
x |
A |
Client-To-Server |
0 |
¿? |
n/a |
A |
Client-To-Server |
0 |
¿? |
|
x |
A |
Client-To-Server |
2 |
¿? |
|
x |
A |
Client-To-Server |
0 |
¿? |
|
n/a |
A |
Client-To-Server |
0 |
¿? |
|
x |
A |
Client-To-Server |
77 |
¿? |
|
n/a |
B |
None |
3 |
¿? |
|
n/a |
B |
None |
0 |
¿? |
|
n/a |
B |
None |
0 |
¿? |
This summary does not pretend to be an exhaustive analysis of the mentioned platforms; it only aims to show quickly what security features we can have in current meeting platforms. I must mention that having no published vulnerabilities may not make a platform more secure: maybe it does not have an external bug bounty program, or it is simply not so well known in the market and has not been exploited. Also, the SLAs include only the information that I managed to find; some manufacturers hide their SLAs a lot and others are more open.
In these days of telecommuting or remote work there are multiple challenges, and communication is one of the most important. Doing things in a secure way will allow us efficient operational continuity. KPIs must evolve along with our technology and the way we work.
Do you need to protect your communications and data in today's remote work environment?