Enable breadcrumbs token at /includes/pageheader.html.twig

Securing Videoconferencing with Zero Trust

Applying zero trust techniques can help federal agencies with security.

Zero-trust techniques can help improve federal agency videoconferencing systems. Credit: Shutterstock

The COVID-19 pandemic changed how government agencies do business by requiring remote work and videoconferencing for meetings, creating a growing need for securing these virtual workspaces.

One way to achieve this security, and one that is being mandated across the federal government, is with zero-trust architecture.

Zero trust requires a change of perspective about securing data versus securing networks because data can be anywhere on a device, Joel Bilheimer, a strategic account architect with Pexip, told SIGNAL Magazine Senior Editor Kimberly Underwood during a SIGNAL Executive Video Series discussion.

In applying zero trust techniques to video conferencing, the concept of data exchange must be considered. A videoconferencing system applying this should be able to carry out privacy/trust determination virtually and it should be able to apply inherent communications tools to the virtual space being used.

Bilheimer explains inherent communication as the natural human ability to shift between priorities, such as identifying a nonclassified conversation from one on classified topics and being able to reflect this in a software tool.

However, most videoconferencing tools aren’t designed with security in mind. When the COVID-19 pandemic began and they suddenly became indispensable, there was also a rise in hacking and incidents of “Zoom bombing” where outside individuals broke into and disrupted meetings on the Zoom videoconferencing platform.

Part of the problem in Zoom’s case during the early days of the pandemic is that it relied on a single global access key for meeting guests. But if a noninvited person got access to the key, they could enter the meeting.

“That’s not a good way to secure the information we’re sharing,” Bilheimer said.

Bilheimer notes that some organizations hold virtual meetings with thousands of guests, meaning there is no way for the hosts to parse and vet everyone. This can be solved by using metadata tags and categories at the session level to determine who has access.

Such a system should have no PINs or logins after user authentication takes place; they are presented with what they can see. He explained that this means when a meeting’s subject matter changes, it shouldn’t be incumbent on users to identify or re-identify themselves.

For example, if a meeting discussing unclassified information shifts to classified material, users with the right clearance can go directly to the meeting, but those without the right classification levels will be excluded, Bilheimer said.