With files from Jim Love, CIO for ITWC


The current crisis is forcing everyone, CIOs included, to make fast decisions about things that were previously considered non-strategic, and top of the list these days is deciding on collaboration and conferencing products to connect those now forced to work from home. Conferencing may not have been high on the list of enterprise applications before now; indeed, for many organizations, it probably didn’t even warrant the attention of the CIO or require thorough vetting for security and scalability. Suddenly that has changed. Now it’s mission-critical.

Obviously, one of the top questions has to be “What does it cost?” Crisis or no crisis, the spectre of the budget still looms. But there’s a lot more to check on than that when selecting a collaboration product. Just look at the issues that have emerged around the hugely popular Zoom platform: meetings, including the U.S. House Oversight Committee, interrupted with offensive text or images (“Zoom-bombing”), questions about the location of the servers running those meetings, discovery of 500,000 account credentials for sale on the dark web, and more.

We consulted CIOs, analysts, and other experts and came up with a number of questions that need to be answered when evaluating conferencing solutions. Aside from the obvious price and features, there are many other considerations. Another useful source of real-world information is the review sites where users report on their experiences not only with the product itself, but with the company that produces it. The Canadian Centre for Cyber Security also offers generic usage guidance, handy for when you’ve settled on a product.

However, before doing so, let’s take a look at some of those questions.

First things first – read the terms and conditions and the privacy policy. If they’re in legalese (as they often are, outside GDPR-governed countries), get Legal to take a peek to make sure there aren’t red flags. If the service mentions data collection, does it say what data is collected, how and for whom it’s collected, whether it will be sold or given away, where it will be stored, and how it will be secured? If your business requires certain standards of compliance (e.g. PCI, GDPR, PIPEDA), does the solution properly support them? Are there any other conditions of use that could cause issues? What caused your legal person’s eyebrows to shoot up?

Once these hurdles have been crossed, it’s time to look at feature sets.

Number one for everyone we asked is security, which takes multiple forms:

  • encryption of transmissions, and encryption of data at rest and in use,
  • how user accounts are created and managed,
  • how conferences are created and managed,
  • where the servers processing the conferences are situated (and whether the provider runs its own infrastructure or uses a partner),
  • how those servers are secured and managed,
  • integration with corporate single sign-on solutions.

All of these factors contribute to whether a solution is appropriate for a specific business.


Other requirements to consider

Does the product offer link security – if someone gets their hands on a meeting link, can they just pop in, or is there a mechanism to ensure only authorized attendees enter the room? Can the admin or host control not only who enters, but what they can do (e.g. screen share, share images or documents, record)?

If transcription is available, who does it, who else sees it, and how is the conference transcription data protected?

How are recordings managed? Where are they stored, and how are they protected?

Most products allow some form of chat, both privately between individuals in the meeting and among members of the entire group. Are chats distributed as well when a meeting recording is sent out? If so, confidential private comments could be revealed.

The maximum number of people permitted per meeting is another question that people often forget until they find out the answer the hard way. And are there restrictions on meeting length?

Info-Tech Research Group also recommends quizzing vendors about their bug handling (and if anyone tells you their software is bug-free, run – there’s no such thing, as we all know), whether they have a bug bounty program, and how they deal with zero-day vulnerabilities.

It also suggests asking how many requests the vendor gets per year from law enforcement, and how it mitigates government requests for client data.

It’s unlikely that all vendors will be willing – or able – to answer all of these questions, but the information they do offer will go a long way towards either building confidence that it’s the right solution or convincing you to continue your quest.