The US National Security Agency (NSA) released a report evaluating the security of major video conferencing and messaging tools commonly used for remote work, such as Zoom, Microsoft Teams, and Slack.
The tools evaluated are Cisco Webex, Dust, G Suite, GoToMeeting, Mattermost, Microsoft Teams, Signal, Skype for Business, Slack, SMS, WhatsApp, Wickr, and Zoom. The NSA assessed the security of these tools against eight criteria.
The first criterion is whether the tool implements end-to-end encryption. It matters not only that content is encrypted between sender and recipient, but also how the encryption keys are exchanged between them. In large-scale video chat, end-to-end encryption is often not implemented for performance reasons.
The second is whether the communication encryption is strong and based on well-known, testable encryption standards. Even without end-to-end encryption, the NSA recommends strong encryption and states that open protocol standards such as TLS, DTLS, and SRTP are preferable.
The third is whether multi-factor authentication is used. For each tool, the NSA checks how access to existing accounts can be protected with multi-factor authentication such as one-time codes, tokens, and biometrics. The fourth is whether the user can see and control who joins a session. The NSA says it is desirable for a tool to require reasonably strong authentication to join a session and to allow access to be restricted to invitees only, using features such as session passwords and waiting rooms.
The fifth is the privacy policy and whether it permits sharing information with third parties or affiliates. Meeting tools must protect sensitive data such as contact information and content. Whether information that could harm the organization, such as identity-related metadata, device information, and session records, is shared with third parties, and if so which, should be stated in the privacy policy.
The sixth is whether the user can securely delete data stored by the service from both the client and the server. The NSA notes that a service may not fully support secure overwriting and deletion of data, but explains that users should be given the ability to delete data such as shared files or session contents and to permanently remove unused accounts.
The seventh is whether the tool is developed as open source, and the eighth is whether it holds US federal FedRAMP certification.
In summary, Microsoft Teams and Google G Suite meet the NSA's requirements in many respects, including strong encryption, multi-factor authentication, and FedRAMP compliance, but their policies provide for sharing personal data with third parties and developers. Slack does not let users freely delete server-side data from the client. Zoom is FedRAMP compliant but does not offer user multi-factor authentication, and it has repeatedly been criticized for leaking users' personal information and for other security issues.
The NSA explained that it released the security evaluation report on video conferencing tools to lay out and give guidance on the tool characteristics that matter to military organizations, public institutions, and private enterprises, and that each organization should have appropriate security controls in place and be prepared for threats from malicious attackers. Related information can be found here.