Secure video conferencing services
The COVID-19 pandemic has led to a significant increase in the use of video conferencing: the largest German internet exchange point, DE-CIX, reported a 120% increase in video conferencing traffic [1]. Beyond replacing business trips and meetings with video conferences, collaborative work on documents is increasingly taking place over these services. In combination with home offices, this creates information security risks.
The Federal Office for Information Security (BSI) has recently published a minimum standard [2] for video conferencing services [3], which comprises both technical and organisational measures. It also describes functional requirements (e.g. signalling of camera and microphone activity) [3]. An overview of the minimum standard for video conferencing services is given below.
- functional requirements
- regulations for users
The following diagram provides an overview of the individual areas of the minimum standard for video conferencing services [3].
Before introducing a video conferencing service, the requirements for the system should be defined with regard to information security, data protection and the scope of the product or service. From these follow the security policy, the security concept, the rights and roles concept, the emergency concept (IT service continuity management), incident reporting and resolution (incident management, incident response), and the policy for the use of external services.
2. Functional requirements
The functional requirements essentially follow from the requirements of data protection law (DSGVO, the German designation of the GDPR) and from the protection of classified content. They cover encryption, signalling of camera and microphone activity, display of participants, recording of video conferences, editing and sharing of content, data exchange, chat communication and security functions.
Procurement is preceded by the decision whether to operate a service in-house or to obtain it from an external provider ("make or buy"). Besides the commercial aspects of this decision, there are questions about whether information security and data protection requirements can be enforced with external service providers, about the availability of the service (or of the organisation's own staff), and about integration into the processes for reporting and resolving faults.
When operating video conferencing services [3], integration into the existing information security management system (ISMS) is a minimum requirement. This is particularly challenging with external service providers offering a "standard product". Further requirements in this phase are the secure configuration of the service, including, where necessary, the deactivation of services, protocols and functions, and integration into the processes for incident reporting and remediation (including patch management and vulnerability reporting).
5. Regulations for users
In addition to instructing users, the secure use of video conferencing services and the corresponding facilities (meeting rooms, home office) should be practised regularly and validated by testing.
The minimum standard for video conferencing services addresses the essential elements of a secure video conferencing service. Aspects required for a higher protection need (classified information, protection of state secrets) must additionally be supplemented by the relevant authority or company. The protection of personal data is also addressed in the minimum standard, but its implementation requires more detailed consideration, especially for external service providers based in a country without an adequacy decision [4].
by Bernd Kohler @ dainox 20-11-2021
[1] We are all online: Internet in the times of Corona, https://www.de-cix.net/en/news-events/news/we-are-all-online-internet-in-the-times-of-corona
[2] Pursuant to § 8 (1) sentence 1 BSIG (Act on the Federal Office for Information Security)
[4] Article 45(3) GDPR (DSGVO)