Analyst Chat

Analyst Chat #11: How to Ensure Your Video Conference’s Security


Matthias Reinwarth and Martin Kuppinger discuss the measures necessary for securing your favorite online communication platform.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm an analyst and advisor at KuppingerCole Analysts. And in each edition of this podcast, I have one guest joining me, a fellow analyst or another interesting partner. And today it is the founder and principal analyst of KuppingerCole, Martin Kuppinger. Hi Martin.
Hi Matthias, and welcome to everyone listening to this podcast.
Great to have you. And we will focus for 15 minutes or so on one important topic for many people currently working from home and just getting used to using technology they have never been in contact with. We're talking about video conferencing and more specifically about video conference security. There has been lots of talk and news about the dangers of these software systems and how to protect them adequately. I love the term Zoom bombing, like photobombing, but with video conferences, so that you just join a video conference that you're not supposed to join because it is not well-protected. I think we should talk a bit about how to secure your video conferences in a manner that is really adequate for corporate environments, for business environments, for communication also in highly sensitive environments. What would be your first initial suggestions where to start when it comes to securing these systems?
Oh, where to start? I would say the first thing is don't leave your users alone. I think that's the easiest thing to do: give them advice. So I think it's important that we have in work from home scenarios, but also when you look at home schooling and all the things we have to do these days, it is highly important that we build on the flexibility, on the good human sense, on the innovativeness of the users, of the employees, of the teachers, of students that are out. However, why not give them some good advice at the beginning, which tools to use, how to use it. Some guidance, very focused, not going over the top, not making it more complex than it needs to be. So think about saying these are the one or two tools you can use if you don't have a standard tool in your organization.
Anyway, this is the way to use it, and put this with a little bit of screenshots on two pages or so. And that already, I think, is maybe the most, most important thing. What then should be on that, so what is the security advice, that would be a different question. But first give advice, and maybe also hint them to some of the better advice, carefully reviewed, you find on the internet. There are some good links from many vendors these days, which say, okay, configure it that way or that way or that way, but provided why. So don't leave your user standing in the room.
Exactly. And I think when it comes to this individual advice, there's really some best practices that have been established over the last year weeks. And for those who use the software most probably for a longer time, which is best practice in organizations anyway. So I think one really important feature, and we just used it for this recording right now, it's this waiting room feature, so that you cannot join the meeting without being really let into the meeting by the organizer, so that there is some kind of workable waiting room where you have to remain until you are really admitted to this system. And so nobody can just do this Zoom bombing anymore, by just guessing the meeting ID and joining without maybe even being noticed. I think that is a really good starting point: really use the waiting room feature.
Yeah. And that's, I would say, a very common way to do it. So ensure that you control who can come in. That starts with the invite, with the meeting ID, which might be on you choose some that reuse meeting IDs, control the access, controlling what people are allowed to do in a room. And all of these tools have some level of setting. So if you look at these tools, if you start using these tools, you always had some area, we'll find some settings. So the audio settings, the video settings, the settings for the chats, et cetera, all of these tools have it. And I think it's very important to review them. So both the people in the IT giving advice on how to use the tools should review, revisit all these settings carefully and look at which settings can we use, but also the ones who are using it actively, for instance, for inviting some colleagues and business partners, or as a teacher to students, look at it in detail and think about what could we do to improve security, which also might include, for instance, passwords. And yes, it's always a good idea to have a password that is a little bit better than 1, 2, 3, 4, 5, 6.
Exactly. And, and I think as in these invites, often the password is actually transmitted as part of a URL to join such a call in the first place that you really should choose a good password for any individual joining. And you just should not share the URL more globally than you really need to. So if you just invite two people, just send them the invite, make sure that only they can join. And ideally with individualized good passwords as a starting point.
And you can, for instance, share the meeting ID, which is not that super complex to type in and to pass forward, in two separate messages, ideally two messages on separate channels. That is somewhat more complex, but saying, okay, this is the meeting ID, this is the password, that is important, and try not to share a password as part of a URL at all. So yes, it's a little bit more inconvenient to enter a password, but there's also a form of security when people need to enter a password they have received in an out-of-band channel. So try to do it that way, but the more sensitive it is apparently that they need to enter that. And Matthias already talked about the waiting room. Also then have a look at who enters finally. So who are the people that come in, and in literally all scenarios, we know two people. So if you're not just doing a webinar where we push out a message to many people, which are relatively anonymous to us, which are not active in this session and where we just want to share and spread the message, in all the other scenarios have a look at the attendee list. I'll just read the people you want to have in it, if not throw them out again.
Exactly. I think taking the role of the host of such a call really seriously, that means really controlling access, but also understanding who is actually there and who should not be there. And to really just eject them from there, that is really an important role. It needs to be well understood. And it's really a kind of a risk assessment actually that has to be executed for each call. How sensitive is the information that you're processing here? Should I add another layer of security, as you said, transmit the password out of band via another channel? That might be something not necessary for each and every call, but there will be many calls that deserve this type of measures. And I think that is really important.
Yeah. And I think that's the point, you know, when you're dealing with sensitive corporate information, when you're dealing with stuff which is in some way more privacy sensitive, so take a classroom, you have some restrictions, et cetera, then really be careful and better add an extra level of security.
Right. One topic that is actually, if you look at best practices, not really clear from each perspective is whether or not you should use video in such a call. Some recommend just to switch it off for bandwidth purposes and for privacy purposes and for security maybe. But on the other hand, we, as analysts who have been using video conferencing for years now, you really recommend using video for different purposes. What is your idea here?
Yeah, so I'm overall, I'm a believer, but I'm driven more from an advisory perspective or from the, so to speak, pre-sales perspective. And in the calls I have very frequently, or when I'm with my peers, I feel that video usually is a very good thing to have in that type of calls because it allows you to see the other person. So you get the mimic, you get the reaction of the theaters in the video. So I'm a big friend of using video. And so I wouldn't go with turn off video necessarily. I think it really depends a little on what you're trying to do in a meeting, but then I talk with my colleagues. We do always, it's better when I talk with potential customers, video is always better. It's, by the way, these days more or less the norm. When I do advisory, it's clearly a mix of video and using tools such as Microsoft Whiteboard and presenting some stuff and other things.
But again, there, video is in many parts of such conversations a very important and essential element. So you must not go over the top, and the most important thing at the end of the day, anyway, give some good advice and then also trust on the good human sense of people to run this stuff, right. Help them to get into this new, for many new style of working, give them only hints when things are really critical. And hints, that could be: okay, there's a bug in that tool for a while, we better go to another tool, or check whether it's patched, whether you have the newest release, things like that. Give them advice, use the waiting room, which really makes sense. Stuff like that. But don't go over the top.
Yeah, I think so. And I think that again is a risk assessment. If it is not necessary for a single call, then just don't go over the top. I think one aspect that we should consider is the recording of meetings. Because once you are the host and run the meeting, you have direct control at what point get executed. Well, who is in the call, who can contribute, who can speak, who can share. Once the meeting is over and there is a recording available, this is a completely different game because the recording has, this has a life of its own, can be shared. And I think that is really then again a sensitive document. It's no longer the call, but it's really the same sensitive information. I think that should be also included in the training, how to deal with that.
I think recordings in general should be treated very, very carefully because just from a legal perspective, you need to inform, oh, we're doing a recording, and you need to then treat it correctly, according to GDPR and other regulations. So I would say, be careful with recordings, only record when it's really, really required. So honestly, aside of the webinar recordings we are doing at KuppingerCole, when we really record a webinar to have a podcast available, for the standard meetings, I virtually never ever do recordings. So even for briefings, when a vendor briefs me about news, I very rarely do a recording because if you have a recording, so theoretically could be a forensic approach. I never came across a scenario where I needed it. And then the other side might be reluctant to say, okay, I agree with you recording death and such.
Then it says scenario. So forget about that part. And then the other thing is, then you have recordings. What do you do with the recordings, unless they are mental, like of badly now recording for us for a webcast afterwards, will you really listen again to this recording? How many people really do that? So I know so many scenarios where we have endless lists of videos to review, and then you look, hey, I spent 60 minutes of the call. Shall I spend another 60 minutes for listening to the recording? So you rarely need it. And if you need it, be super, super conscious about what it means with respect to informing the attendees, respect regulations.
Yeah, exactly. I fully agree. I think these recordings actually, they are just garbage on your hard disk. And once you pile up these files and lots and lots of more recordings, you are in danger of treating them wrong afterwards. So not to dispose them correctly, to delete them, to have them on an archive, on the backup disk. So it really makes sure that just don't record it. Every information that you can avoid is really good information.
And then the thing which I would bring out more again, as we quickly touched it, be a little bit careful regarding the, so if there are security alerts, take the security alerts in earnest. So look at the security alerts, think about, do they impact me? Do I need to do something? And that is something where again, the good human sense of users is important. So if they read something, if they learn something, better ask the admin, and it's super important specifically for all the IT admins, have a look at the tools they use. And again, this is part of the guidance, and then the risks are really limited. And very clearly also, again, good human sense. If you start, for instance, sharing sensitive content within a meeting, so you have a business meeting to share sensitive documents, financial numbers, which are not yet published, or stuff like that, better have a look again at the attendee list first. So are really only two people in the call and then you are pretty safe. And don't forget to also find a fair assessment of risk and opportunity. Using these tools is a huge opportunity for continuing to work efficiently. And yes, there's always some risk, but we'll never have a hundred percent security. So we need to understand the risks, we need to mitigate it. We need to bring in our good human sense, and then we should continue using these technologies.
That was actually a perfect summary for today's call. Yeah. Thank you very much, Martin, for joining me today for this topic. And I think it's really important and it's really actionable advice that people can really use in their everyday life. And if you just take away one thing, use this waiting room feature, then this podcast was worth listening to. Thank you all for your time. Thank you, Martin, for joining me. Thank you.
