Sponsored By

Let's Talk About Collaboration SecurityLet's Talk About Collaboration Security

Recent stories should cause organizations to take another look at collaboration security.

Irwin Lazar

July 21, 2019

3 Min Read
Key

The focus of the collaboration industry over the last few weeks has been around security.

 

The firestorm started when security researcher Jonathan Leitschuh published a detailed write-up covering vulnerabilities he had discovered in the Zoom video conferencing service that allowed for potential denial-of-service attacks, unwanted joining of meetings (potentially with microphone and camera activated), and perhaps most disturbingly, a resident Web server that was left behind on uninstall, enabling the re-installation of the Zoom client, and the joining of a person to a Zoom meeting, without a user’s consent.

 

No Jitter’s Beth Schultz covered the story, and Zoom’s response here while contributor and fellow analyst Dave Michels, of TalkingPointz, provided a thoughtful look back at Zoom’s response and the continued questions raised by the incident here.

 

The security stories continued last week with Slack’s announcement that it was resetting all user passwords for accounts it believes were compromised in a 2015 data breach, and a new post by Cisco Distinguished Security Engineer Jeremy Laurenson on how allowing guest accounts with Microsoft Teams means organizations lose control of data shared into someone else’s Teams instance. Jeremy’s post echoes concerns related to guest accounts that I touched on in a No Jitter post back in May 2018.

 

Sadly, the recent security-related stories underscore the lack of risk awareness, and inclusion of collaboration in overall security strategies. In our recently published "Workplace Collaboration: 2019-20 Research Study," Nemertes found that just 21.3% of the 645 participating organizations have a proactive workplace collaboration security strategy. That’s up slightly from 2018 when just 19.3% of participants said they had such a strategy.

 

Nemertes_WCsecurity-pie.jpg

 

Today, most enterprise security strategies are evolving from perimeter-based approaches to zero-trust models that treat all devices and users as untrusted. Too often, however, enterprise focus those efforts on protecting access to data stored in CRM, ERP, and other apps, and not necessarily covering collaboration platforms and services.

 

We found that having a proactive workplace collaboration security strategy correlates with success (defined as obtaining measurable business value from collaboration investments). Approximately 17% of our research participants qualified for our success group. Of those, 36% have a proactive security strategy covering collaboration versus just 21.1% of those not in our success group.

 

We dug a bit deeper to better understand what participants who had a proactive security strategy were including in that effort. The primary components are:

  • Regular audits, by internal security teams or external vendors, to discover potential vulnerabilities

  • Penetration testing, again by internal teams or via external vendors, to discover potential paths to access applications by unauthorized individuals

  • Patching programs to identify, evaluate, and apply security patches as they become available

  • Implementing of firewalls and/or session border controllers to provide protection against SIP-based application attacks

  • Ensuring that vendors obtain relevant compliance and security certifications such as FedRAMP, SOC 2/3, ISO/IEC 2700xx, HIPAA, etc.

 

Most used are security audits, while app-specific firewalls and security certification assessments are least used. We’re not yet finding that organizations are extending zero-trust components like behavioral threat analytics, cloud access security brokers, and next-generation endpoint security to their collaboration applications.

 

Nemertes_WCsecurity_1.jpg

 

In addition, we’re finding that organizations are increasingly mandating the use of encryption, the ability to manage their own encryption keys, and requiring applications to support single sign-on before allowing lines of business to use their own collaboration applications.

 

While we didn’t specifically ask about guest account use, anecdotally we do hear that these are typically allowed, likely with little understanding of the risk as Cisco’s Laurenson noted in the post I previously cited. However, organizations wishing to support team collaboration across corporate boundaries should look at using either federation services like Mio, NextPlane, and Sameroom, or enabling native federation provided by Team apps like Cisco Webex Teams.

 

Hopefully the collaboration security issues of the last few weeks will serve as a wakeup call to both CISOs and collaboration leaders to take security more seriously, and to include collaboration platforms in their overall security planning, especially their emerging zero-trust approaches.

 

About the Author

Irwin Lazar

Irwin Lazar

As president and principal analyst at Metrigy, Irwin Lazar develops and manages research projects, conducts and analyzes primary research, and advises enterprise and vendor clients on technology strategy, adoption and business metrics, Mr. Lazar is responsible for benchmarking the adoption and use of emerging technologies in the digital workplace, covering enterprise communications and collaboration as an industry analyst for over 20 years.

 

A Certified Information Systems Security Professional (CISSP) and sought-after speaker and author, Mr. Lazar is a blogger for NoJitter.com and contributor for SearchUnifiedCommunications.com writing on topics including team collaboration, UC, cloud, adoption, SD-WAN, CPaaS, WebRTC, and more. He is a frequent resource for the business and trade press and is a regular speaker at events such as Enterprise Connect, InfoComm, and FutureIT. In 2017 he was recognized as an Emerging Technologies Fellow by the IMCCA and InfoComm.

 

Mr. Lazar’s earlier background was in IP network and security architecture, design, and operations where he advised global organizations and held direct operational responsibility for worldwide voice and data networks.

 

Mr. Lazar holds an MBA from George Mason University and a Bachelor of Business Administration in Management Information Systems from Radford University where he received a commission as a Second Lieutenant in the U.S. Army Reserve, Ordnance Corps. He is a Certified Information Systems Security Professional (CISSP). Outside of Metrigy, Mr. Lazar has been active in Scouting for over ten years as a Scouting leader with Troop 1882 in Haymarket VA.

See more from Irwin Lazar

Editor's Spotlight

How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
Ccaas
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations
How Air Canada Tapped Amazon Connect to Modernize Its Contact Center Operations

Dec 16, 2024

How Talkdesk Delivers for Vertical Industries
Ccaas
How Talkdesk Delivers for Vertical Industries
How Talkdesk Delivers for Vertical Industries

Dec 5, 2024

How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
Ccaas
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity
How Vendors Could Help Small and Medium Businesses Navigate Change Amidst Rapid Change and Complexity

Dec 17, 2024

Subscribe to Our Weekly Newsletters
Stay informed and sign up for weekly No Jitter and WorkSpace Connect newsletters
Sign Me Up
Mar 17 - Mar 20, 2025
As the #1 communications, collaboration and CX Conference and Expo in North America, we empower IT professionals to confront and overcome today's most pressing challenges. Attend Enterprise Connect and join thousands of like-minded peers building a framework for future success. You’ll walk away with rich learning experiences, invaluable connections, business opportunities, and inspiring insights. Register with Promo Code CONNECT25 to save $200 on Conference passes.
Learn More