
Security for Web Meetings?

Wed, Jun 25, 2008

Software

I am seeing an increased need and proliferation of web-based collaboration tools: WebEx, GoToMeeting, MS LiveMeeting, etc. While these tools are necessary as we see people and organizations looking for collaboration, how secure are they? A couple of concerns come to mind. NOTE: I have not done any research into this nor read much of the product literature.

What can these services see?
In a hosted model these companies act as the middleman between, for example, the person giving a PowerPoint presentation and the ones viewing it. Can WebEx or GoToMeeting see the presentation? If so, is it done overtly or covertly? Is there any audit trail? Is the presentation stored on their servers?

Sharing of desktops?
I know some of these services have the ability to share their desktops or applications. Some can even give control of their entire PC over to another person in the meeting. That could have some significant security implications in certain environments.

How do you handle these technologies? Do you block them? Have an approved one and block the rest?

I would love to hear what you do.

–Chris


This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.



3 Comments For This Post

  1. Roger Courville Says:

    If you have a conference call, how secure is it? Can AT&T or Verizon listen in? If so, is it overt or covert? Is the conference call recorded on their servers? Is there any audit trail?

    Answer those questions, and you’ll have a general idea of how transmitting web data is no different than transmitting audio data. Different providers do accomplish it in different ways, so if it’s a concern, we should include those questions in our RFPs.

    I might suggest a better question would be “What data in your organization would you want protected to what degree?”

    Don’t hold a public web seminar if you don’t want a competitor to figure out how to attend. Don’t have a telephone call (or web meeting) if you don’t want to have a chance that someone, legally or illegally, could figure out how to listen in.

    Arguably web data being encrypted is significantly more secure… Live, private web communications are arguably as secure as the same on a telephone - it’s just a different appliance. Governance - if that’s your concern - should be no different.

    If you want to have really private communications, don’t send a letter, make a telephone call, or trust a courier. Meet the recipient in an unused part of a large local park and speak in code… wearing a trenchcoat of course :-) !

    Good questions ;-)

    Roger Courville
    1080 Group, LLC
    roger@1080group.com

  2. Chris Harrington Says:

    Thanks Roger. I definitely understand the dangers of any electronic communication. I used to wear that trench coat :) My reason for asking the question was to try and gauge the level of risk people are willing to accept in dealing with these technologies.

    The bigger concern for me is the ability for participants to share desktops and give control of desktops as part of many web collaboration offerings.

    Thanks!

    –Chris

  3. John Kennedy Says:

    Hi,

    Happened to run across this post and just wanted to add that with GoToMeeting we utilize true end-to-end encryption between the participating endpoints which provides fundamental protection against monitoring by Citrix Online. Our communication servers are only routing opaque, encrypted packets. If the session is recorded, it is recorded in the same encrypted format.

    This is in contrast to services such as WebEx that only use SSL on the links between endpoints and their data centers and decrypt-switch-then-reencrypt meeting data.
    (Moral: all claims of “end-to-end” encryption are definitely not equal.)

    For more details, check out our security white paper: https://www1.gotomeeting.com/default/downloads/pdf/p/GoToMeeting%5fSecurity%5fWhite%5fPaper.pdf

    Regards,

    -John Kennedy
    Chief Security Architect
    Citrix Online
