Research Report

Financial Industry Reporter

Web Conferencing Standards for Privacy and Security

As the use of Web conferencing has grown, both companies that participate in it and the companies that provide Web conferencing software and hosting services have recognized the need for Web conferencing standards for privacy and security.

Web conferencing privacy protects personnel records, as well as the private information and participation of individuals involved in a conference. Web conferencing security protects information that a company or government agency doesn't want to share because it could affect the company's plans or profits, or national security. Web conferencing standards would help to meet both of these needs.

As with any activity that uses the Internet, Web conferencing comes with the risk that hackers and company rivals may listen in on a conference or take information from it. During a Web conference, data is stored temporarily on a shared Internet server -- belonging either to the company itself or to the company providing hosting services. That's the time when the data becomes most vulnerable to theft.

As protection, most Web conference hosting companies take a three-part approach to data security during a Web conference:

  1. Encryption with Secure Sockets Layer (SSL) technology to make the data unreadable to anyone other than the intended recipients.
  2. Non-persistent data flow. Encrypted data moves continuously between the host's computer and the participants' computers instead of being stored on one computer.
  3. Intrusion control, which scans the network for unauthorized users and shuts down a transfer port to deny them access.

While each hosting company has its own security architecture, they all conform to informal industry standards. Internet standards -- like those for Web conference security -- often are based on specifications developed by the Internet Engineering Task Force (IETF). Manufacturers, Web hosting companies and others then voluntarily agree to standards and follow them.

Recognizing the need, the IETF set up the Centralized Conference Working Group (XCON) in 2003 to recommend standards for Web conferencing. XCON is developing a standardized suite of protocols for multi-media conferences where strong security and authorization requirements are needed. While XCON is still working on parts of this, companies are using some completed recommendations in their security architecture. That's why you may see XCON mentioned in hosting companies' descriptions of their security systems.

As the host of a Web conference, you can take action to make sure the conference has adequate security. Here are some things you can do:

  1. If you're using hosted services, check how the company ensures conference security and make sure that meets your needs. The companies usually provide detailed information on their Web sites and can answer your questions. Look for compliance with IETF or XCON standards and certification by a third party.
  2. Send invitations over secure e-mail and only to a carefully culled list. If the conference involves sensitive information, you may not want to publicize it outside this group.
  3. Screen new entrants during the conference. Watch for uninvited participants and terminate their access. Web conferencing software often has this capability.
  4. Decide which information should be made available to which participants -- and at what point during the conference. Not everyone may need access to sensitive information, and it may only need to be "on the table" for a short time.
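
The screening and access decisions in steps 3 and 4, sketched as an added example that is not part of the original article or of any conferencing product: it checks a join/open event log against an invite list and a per-document sharing policy. The event format, addresses, file names and times are constructed assumptions.

```python
from datetime import datetime

# All names, addresses, files and times below are constructed sample data.
INVITED = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Step 4: document -> (who may open it, window start, window end)
POLICY = {
    "agenda.pdf": (INVITED,
                   datetime(2024, 5, 1, 10, 0), datetime(2024, 5, 1, 11, 0)),
    "q3-forecast.pdf": ({"alice@example.com", "bob@example.com"},
                        datetime(2024, 5, 1, 10, 15), datetime(2024, 5, 1, 10, 30)),
}

# (timestamp, event, participant, document) in a hypothetical export format
EVENTS = [
    ("2024-05-01T10:01:00", "join", "alice@example.com", None),
    ("2024-05-01T10:02:00", "join", "Bob@Example.com ", None),
    ("2024-05-01T10:05:00", "join", "mallory@example.net", None),
    ("2024-05-01T10:10:00", "open", "alice@example.com", "q3-forecast.pdf"),
    ("2024-05-01T10:20:00", "open", "bob@example.com", "q3-forecast.pdf"),
    ("2024-05-01T10:21:00", "open", "carol@example.com", "q3-forecast.pdf"),
    ("2024-05-01T10:40:00", "open", "alice@example.com", "board-minutes.pdf"),
]


def audit(events, invited, policy):
    """Return (action, participant, reason) findings for the host to act on."""
    findings = []
    for ts, kind, who, doc in events:
        when = datetime.fromisoformat(ts)
        who = who.strip().lower()  # compare addresses case-insensitively
        if kind == "join" and who not in invited:
            # Step 3: an entrant who was never invited should be removed.
            findings.append(("remove", who, "not on invite list"))
        elif kind == "open":
            allowed, start, end = policy.get(doc, (set(), None, None))
            if who not in allowed:  # unknown documents fall here: default deny
                findings.append(("deny", who, f"{doc}: not authorized"))
            elif not start <= when <= end:
                findings.append(("deny", who, f"{doc}: outside sharing window"))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS, INVITED, POLICY):
        print(*finding, sep=" | ")
```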

Finally, don't stop thinking about security when the conference ends. For example, make sure a hosting company deletes confidential data from its server immediately after the conference. Limit access to the recorded conference and, if you're providing a podcast of the conference, edit carefully to remove sensitive information.
