Access control in regulated industries
Learn how to build and maintain appropriate levels of access control for video meetings in regulated industries:
- Control meeting access (ABAC/RBAC)
- Enable continuous authentication
- Automate meeting classification labels
Implementing access control in video conferencing
Today, video is how work gets done in nearly every industry. Secure video communication is paramount, particularly in industries that handle sensitive and often confidential information, such as military, defense, intelligence, and other highly regulated sectors.
In these situations, the risk of unauthorized access is deemed unacceptable, requiring the organization to take strict precautions to secure its meetings. This eBook delves into the details of access control in video conferencing, offering a comprehensive guide to safeguarding your virtual meetings.
Access control is a fundamental aspect of secure video conferencing. It involves restricting and managing who can access your video meetings, to ensure that only authorized participants are present. This is essential for maintaining privacy, security, and compliance with relevant industry and regional regulations, as well as internal policies.
Knowing who has access to your video meetings goes beyond simply knowing the names of the participants. Rather, it’s about ensuring that each participant has the appropriate level of access and that unauthorized participants are kept out of the meeting. This layer of security is essential for preventing data breaches and maintaining the integrity of sensitive communication.
Key components of access control
Authentication
Verification of the participants’ identities, often the ‘first line of defense’.
Authorization
Granting or denying access based on the participants’ roles or defined attributes.
Encryption
Securing the communication channel to prevent eavesdropping.
Logging and monitoring
Tracking access attempts and meeting activities.
Common access control methods
Here is an overview of some of the common access control methods and their definitions:
Unacceptable risk environments
These are meetings at the highest security level, in which risks to security could be catastrophic in impact. In addition to the methods mentioned above, unacceptable risk environments may require these additional forms of access control:
- Biometric authentication: A security mechanism that uses biometric features such as fingerprints or facial recognition to access the meeting.
- External identity provider (IDP): An external service that manages user identities and can be integrated with the video conferencing system to authenticate users.
High risk environments
These are meetings in which private and/or confidential information is exchanged. In addition to the methods mentioned above, high risk environments may require these additional forms of access control:
- Multi-factor authentication (MFA): Requires two or more verification methods, such as a code sent to a mobile device.
- Policy engine: This lets the organization control how network resources and organizational data are accessed and used. This can be done through:
  - Role-Based Access Control (RBAC): a security mechanism that assigns permissions based on the roles within an organization, rather than assigning permissions to specific users directly. Each role is equipped with certain access rights, and users are then assigned to these roles, effectively granting them the permissions associated with those roles.
  - Attribute-Based Access Control (ABAC): a security model that grants or denies access to resources based on attributes associated with the user, the resource, the environment, and the action being taken. Unlike role-based access control, which uses predefined roles to determine access, ABAC uses policies that evaluate attributes to make decisions. This allows for more granular, context-aware access control that can consider a wide range of attributes, such as location, time of day, or transaction history, thus offering a more dynamic and flexible approach to securing resources.
- One-time meeting link: This ensures that a meeting link is valid for a single use case only and cannot be re-used, for example, across a series of meetings.
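To make the RBAC/ABAC distinction above concrete, the following is an added example (not Pexip's code or policy format) of a deny-by-default meeting admission check that first applies a role check and then evaluates user, resource and environment attributes. The role names, classification labels, country codes and time window are all hypothetical values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical roles and the meeting actions each one grants (RBAC).
ROLE_PERMISSIONS = {
    "host": {"join", "admit", "record"},
    "participant": {"join"},
    "guest": set(),
}
# Hypothetical classification labels, ordered lowest to highest.
LEVELS = ["public", "internal", "confidential", "secret"]

@dataclass(frozen=True)
class Request:
    role: str
    action: str
    clearance: str        # user attribute
    classification: str   # resource attribute (meeting label)
    country: str          # environment attribute
    local_time: time      # environment attribute
    mfa_passed: bool      # authentication context

def rbac_allows(req):
    """RBAC: permission comes only from the role the user holds."""
    return req.action in ROLE_PERMISSIONS.get(req.role, set())

def abac_denials(req, allowed_countries=frozenset({"NO", "GB"}),
                 window=(time(7, 0), time(19, 0))):
    """ABAC: evaluate attributes and return the reasons to deny (empty = pass)."""
    if req.clearance not in LEVELS or req.classification not in LEVELS:
        return ["unknown label"]  # fail closed on unrecognized labels
    reasons = []
    if LEVELS.index(req.clearance) < LEVELS.index(req.classification):
        reasons.append("clearance below meeting classification")
    # Context rules apply only to meetings labelled confidential or higher.
    sensitive = LEVELS.index(req.classification) >= LEVELS.index("confidential")
    if sensitive and not req.mfa_passed:
        reasons.append("MFA required")
    if sensitive and req.country not in allowed_countries:
        reasons.append("location not permitted")
    if sensitive and not (window[0] <= req.local_time <= window[1]):
        reasons.append("outside permitted hours")
    return reasons

def decide(req):
    """Deny by default: the role must grant the action and every attribute rule must pass."""
    if not rbac_allows(req):
        return False, ["role does not grant action"]
    reasons = abac_denials(req)
    return not reasons, reasons
```

The same participant role is admitted to an internal meeting from anywhere but rejected from a secret one without MFA, which is the context sensitivity a role table alone cannot express; returning the denial reasons also gives the audit log something specific to record.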
Moderate risk environments
These include typical business meetings in which no confidential information is exchanged. In addition to the methods mentioned above, moderate risk environments may require these additional forms of access control:
- Single sign-on (SSO): Integrates with existing authentication systems to streamline access control.
- PIN code access: In addition to a password, requiring a PIN code can provide an additional layer of protection.
- Waiting rooms: Participants are placed in a virtual waiting room until the host admits them.
Low risk environments
These meetings represent the everyday video calls between friends and family members, primarily of a personal nature.
- Password protection: Passwords are a simple and effective method to create a first layer of security, requiring participants to enter the right password to access the meeting.
- Invitation-only access: Meetings can be restricted to only those who have been invited, limiting participation to pre-approved individuals.
Technical measures to ensure control over video meeting data
Encryption
Identity and Access Management (IAM)
IAM frameworks help manage user identities and regulate access. This involves integration with directory services like Lightweight Directory Access Protocol (LDAP) or Active Directory, and the use of single sign-on (SSO) and multi-factor authentication (MFA).
- SSO: By integrating the video platform with identity providers using standards like SAML 2.0 and OpenID Connect, users are able to log in using their existing corporate credentials. This simplifies the process and ensures that only authenticated users can access meetings.
- MFA: MFA offers an additional layer of security when verifying user identities. This could involve sending a code to a user’s mobile device or requiring biometric verification to enhance security beyond a name and password.
Secure meeting URLs
Audit logs
Self-hosting
Network and transport layer security
Use case: Secure meetings in the defense industry
A national defense contractor needs to hold highly confidential video meetings with multiple stakeholders, including military officials and subcontractors.
Key challenges:
- Ensuring that only authorized personnel can join the video meetings
- Protecting sensitive/confidential information from cyber threats
- Maintaining compliance with defense industry regulations
How Pexip solves access control challenges for the defense industry
Full data control
Keep meetings private
Ensure security awareness
Implementing access control
Download the full eBook and discover best practices for implementing access control in video conferencing:
- Authentication and authorization
- Encryption
- Secure meeting management
- Monitoring and compliance
- Network security
- Secure deployment