Collaboration platforms security criteria – how to choose the best one?
Recently, on our blog, we have repeatedly discussed innovation in the way work is organised, both in the selection of proven, efficient tools and in particular best practices that can make remote work more comfortable. Lately, numerous organisations specialising in security, including offensive security, have published their recommendations. Among them is a document published by the National Security Agency.
The criteria of communication platforms security
NSA staff certainly cannot be denied knowledge and experience in penetrating various types of software, including (and perhaps primarily) software used for communication, file exchange and collaboration. These are exactly the categories whose popularity exploded when remote work procedures had to be rolled out quickly at the outbreak of the pandemic. So what does an American government agency have to say about their security?
It is worth noting that the methodology used to select the most secure solutions is interesting in itself. The assessment did not rely on some form of automated penetration test used as a benchmark, nor on a compilation of already existing, acquired information. No attention was paid to exploits that could be bought on the darknet. Instead, a clear set of criteria was prepared, in the form of questions asked about the platforms that became most popular after the pandemic broke out.
End-to-end encryption
When selecting a communication platform for a company environment, one of the factors to consider is how the communication is encrypted. The best option is a service built on a strong, widely used and proven end-to-end encryption standard, that is, a model in which messages are encrypted and decrypted on the end devices. In that case the service provider usually has access neither to the users' key pairs nor to the content of the communication itself. In today's cloud infrastructure a genuine peer-to-peer model is rare; instead, the entire content passes through a centralised hub, which becomes a problem when the communication is not end-to-end encrypted.
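The point about the hub model can be made concrete. The following Go program is an added example, not code from the original article or from any of the platforms it discusses: two devices (Alice and Bob) hold their own X25519 key pairs, and a central hub keeps a copy of everything it relays; under end-to-end encryption the hub's copy never exposes the plaintext, and any modification by the relay is rejected by the AES-GCM tag check. The key derivation (SHA-256 over the shared secret), the wire format and the names `Seal`, `Open` and `Exchange` are assumptions of this demo, not a description of any real protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// sessionAEAD: AES-256-GCM keyed from the X25519 shared secret. SHA-256 stands in for a KDF
// in this constructed demo; a real design uses HKDF and per-message key ratcheting.
func sessionAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	shared, err := priv.ECDH(peer)
	if err != nil {
		panic(err) // demo only: a bad peer key is fatal here
	}
	key := sha256.Sum256(append([]byte("e2ee-demo|"), shared...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal runs on the sending device; the wire format is nonce || ciphertext || tag.
func Seal(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, plaintext []byte) []byte {
	g := sessionAEAD(priv, peer)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand: fresh random nonce per message
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open runs on the receiving device; the GCM tag check rejects anything altered in transit.
func Open(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, wire []byte) ([]byte, error) {
	g := sessionAEAD(priv, peer)
	if len(wire) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, wire[:g.NonceSize()], wire[g.NonceSize():], nil)
}

// Exchange sends one message from Alice to Bob through a hub that keeps a copy of everything
// it relays, and reports whether that stored copy exposes the plaintext (it must not under E2EE).
func Exchange(plaintext string) (received string, hubSawPlaintext bool, err error) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	hubCopy := Seal(alice, bob.PublicKey(), []byte(plaintext)) // what the provider's hub stores
	out, err := Open(bob, alice.PublicKey(), hubCopy)
	return string(out), bytes.Contains(hubCopy, []byte(plaintext)), err
}
```

Without end-to-end encryption the hub's stored copy would be the plaintext itself, which is exactly the exposure the criterion above is meant to rule out.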
Multi-factor authentication
An increasing number of consumer applications now offer some implementation of 2FA, i.e. two-factor authentication. It adds a second login component (beyond the login and password) that can protect the user from account hijacking even when someone has obtained their login credentials. The second component is usually delivered over a separate channel; for example, when logging in on a personal computer, it should arrive on a smartphone. In enterprise-class software this pattern is increasingly extended to multi-factor authentication, where the administrator decides which components, or combinations of them, must be used. Biometric data is also playing an increasingly important role here.
Functional criteria
There was also no shortage of pointers about the functionality of particular solutions. The leading role is played by functions that make it easy and transparent to manage the users taking part in a conversation. This matters, among others, in videoconferencing sessions, where an intruder may join and, without the ability to manage participants, the incident may go unnoticed. No less important is the ability to manage the files and conversation content we share through a given platform. The key requirement here is that every individual can easily and irreversibly erase their own data, including the copies stored on the vendor's servers.
Data trade and open source
This brings us to the issue that ruined the reputation of the largest social media services: data trade. At the turn of the second decade, particularly with free services, we grew used to our data being anonymised by automated means and shared with advertising networks. For a communication platform used within a company, such practices are unacceptable. NSA experts also encourage the use of open source software, since general access to the source code can translate into more frequent security audits, as anyone may perform penetration tests. Open source also gives assurance that neither the service provider nor its outsourcing partner has planted functions that would jeopardise the privacy of end users.