On this episode of Navigate, a special six-part podcast series with Pexip and Futurum Research, host Daniel Newman talks with Giles Chamberlain about how to approach privacy and security for your video conferencing solutions.
Video Conferencing Popularity Bringing Privacy and Security to the Forefront
In the last month, video conferencing has seen an explosion in popularity due to shelter-in-place orders. More people are on video than ever before, but this huge increase has also brought increased security concerns. Zoombombing and other video conferencing breaches have made headlines for weeks. Enterprises are realizing that it is not as easy as just clicking a link and joining a video. There has been a greater call to ensure privacy and security for all users.
Giles noted that when looking at a video conferencing solution, you need to consider privacy and security individually. Let’s break it down.
Breaking Down Privacy and Security
Every video conference call creates data. If you’re recording audio, video and chat sessions that is all data that is in the hands of the provider. But even if you’re not recording, you’re still creating metadata. That could be IP addresses, email addresses, or company information. Protecting this information is crucial. Laws and regulations like the GDPR, CCPA, HIPAA and others set the standard of how this information is protected.
When considering a solution, it’s important to perform a risk assessment or research the standards that companies guarantee. It is the responsibility of the ITDM in the enterprise to ensure privacy by understanding the security protocols that are in place.
An enterprise should also have their own set of security protocols in place for video conferencing. Giles recommended that companies start with strict security and loosen restrictions as you operate. No employee will ever start with lax security and then voluntarily move to a more secure environment. Retrofitting is hard. User experience might be sacrificed in the name of security, but it’s table stakes.
Privacy and security standards come down to where a video conferencing solution is hosted. The great advantage of the cloud service is somebody else does all the work for you. But you still have the legal obligation to know what data you’re giving them, where it’s going, and what’s happening with it. You can’t just abdicate the responsibility altogether. If a company decides that the risk of losing important data is too high then they can bring it all in-house and host in their own data center. This is where Pexip started. Self-hosted solutions were sold to providers to host on-prem.
The second option available is shared hosting. Companies that trust a cloud provider like Google, Azure, or AWS can move the compute capacity to the cloud while still having employees manage the service. The data is still under the control of the organization, but the hosting is elsewhere to take the strain off the company’s data center.
The final option is managed hosting. Companies can turn the whole service over to someone else. Another company provides the compute power and ensures the data protection.
Some off-the-shelf video conferencing solutions only offer one hosting option. Pexip on the other hand offers all three, giving customers better options for what fits their needs. At the end of the day, enterprise leaders know what they need and what they need to protect.
For more information about Pexip, their products and offerings be sure to check out their website or listen to the full episode of Navigate below.
Daniel Newman: Welcome to Navigate, a six-part podcast series brought to you by Pexip. My name is Daniel Newman, I’m the Founding Partner and Principal Analyst of Futurum Research, and I will be your host today. In this discussion, I will be talking to Giles Chamberlin on how to approach privacy and security for your collaboration and video conferencing solution. Giles, welcome to the show.
Giles Chamberlin: Thanks Dan, it’s great to be here.
Daniel Newman: It is, it’s great to have you. I’m here in Chicago, Illinois. We are in about the 23rd or 24th day of being sheltered in place. It is the middle of April 2020. I hope you’re listening to this right after we published it, but if you’re not, if it’s some time later in the year, I always think it’s great [inaudible] especially when there’s a world pandemic going on that’s completely changed the way we work, but has been a powerful enabler in what we’re going to discuss today which is video, as well as security and privacy.
But Giles, where are you at today?
Giles Chamberlin: I’m just outside Oxford in the United Kingdom, about 50 miles West of London. Like you, we’re in week four of the lockdown. I have two young children at home, so if you hear noises off then please excuse that.
Working from home is not that unusual for us. Being a video conferencing company we do it a lot, so we moved in fairly flexibly. Not leaving the house, being restricted, that’s harder, that’s much harder.
Daniel Newman: I think we’re all getting a little bit stir-crazy, but hopefully we’re starting to see progress. Parts of Europe are starting to slowly reopen things. The United States here, we’ve started talking about it. Despite all this, we’ve certainly seen the way we’re going to work change, video has become a powerful tool in enabling businesses to continue forward, especially in a lot of information fields in finance, in healthcare, and in banking, and in education, in tech.
Me, I mean like you, I’ve been pretty used to this, but at scale I used to get on airplanes 47 weeks a year so it’s also a little bit different when everything is being done at home. I want to talk to you about security and privacy, but before I do that, I want to get a quick introduction of you out there. I’m sure some of the folks in the community have worked with you and Pexip. These podcasts, hopefully will be getting out to the world and a lot of people will be learning from them.
Tell everybody about what you do, Giles, and then your role at Pexip.
Giles Chamberlin: Yup. I’m one of the founders at Pexip, I’m the CTO here. We set up in 2012 when my daughter was two weeks old. To anybody else thinking of starting a company, don’t start a company when your daughter is two weeks old.
As I am the CTO, I’m also responsible for the information security side of the business, which is one of the reasons I’m very keen to talk about information security, and privacy, and how to take video conferencing as a business class tool. Because as you say, more people are using it than ever before and they’re now starting to take it seriously and to look at the security aspects, whereas before they were using it along the lines of calling auntie Flo for a social chat and privacy was less important.
Daniel Newman: It’s really interesting to hear your story. Obviously, I’m an entrepreneur too, founded this research company, and you are absolutely right. When you’re in that initial stages of finding a business and trying to do the family thing is extremely difficult. I applaud you and I’m glad you stuck with it though because the technology you’re developing, it was scaling and growing nicely, and the company has been through some big growth in the last year, but I don’t think anything could have prepared you for the growth you’ve seen in the last month or two, right?
Giles Chamberlin: Yes. I think like everybody else in the conferencing space, we’ve seen extraordinary growth in usage both from existing customers sending all their staff home and so their usage goes through the roof, to new customers coming to us saying, “We need you now” on prospects who would normally have taken quite a while to close suddenly saying, “Well, can you get it done by the end of the day?” It’s been a challenge rolling out of these hugely increased scales.
You’ve seen all of the players wobbling. Fortunately everybody is still up, still running, and it’s all going remarkably well proving just how resilient the internet is. They got it right 40 years back.
Daniel Newman: Congratulations on all the success. I’ve said video is not new and its ability to do a lot of what we are doing now was not really new, but being sheltered in place, not being able to get face to face with people has really spurned a movement of people putting their cameras on and putting them on all the time.
As we return to more normalcy, I think we will see some of these behaviors will last which will be great for the industry, great for business. Companies have realized some of that travel may not have been necessary, some of those events may not have been necessary. With the right interoperability, the right platforms, it can certainly be done better, but security has been a really hot topic throughout this pandemic.
We saw the video scale to extraordinary volumes and people are loving it. They’re using it for education, they’re using it for healthcare, they’re using it to run their businesses. We’ve also seen security become a headline. We heard about the zoombombing over the last few weeks. We’ve heard about some issues with data flowing through servers and in different places where… There’s a lot to think about.
Basically, it’s not as easy as, “Hey, let’s just press, click a button and jump on a video.” Yes, that’s how I want it to work and that’s how your customers want it to work, but you every day are thinking about other things. How are you thinking about that?
Giles Chamberlin: Let’s divide it up a couple of ways. First off, there’s the privacy and security of your video conferencing provider which might be an external company, or it might be your own IT department, and then there’s the behavior of your end users. Let’s skip the end users for a bit, they’re hard.
If we look at the video conferencing provider. What we mean by privacy, that’s the information that you’re going to be handing over to the video conferencing provider. How sensitive is that? How important is that? Security is the process by which they are going to protect that for you, and it’s these two things that play together.
So if you look at the data you’re going to give to the provider, whether it’s your IT or another company such as Pexip or one of our competitors, if you’re recording as well with this video call here, or transcoding, or something like that, then the data you’re handing over obviously includes all of your presentations, all of your audio, all of your video, all of your chat sessions.
But even if you’re not recording or transcribing, then you’re still handing over metadata. Who’s involved in the call, perhaps what their email address is, what their IP address is, the company they work for, and that could be sensitive too. The fact that big company A is talking to big company B might mean there’s a takeover going on.
You’ve got to try and bear in mind how they’re going to process this data, and you’ve probably got a legal requirement as well. In Europe, we’ve got something called GDPR for the protection of privacy data. In the States you’ve got things like the HIPAA stuff for the healthcare market item, [inaudible] for defense industry.
There’s all sorts of legal requirements on how you handle data, and this comes back to your point about there’s not one easy solution to all of this, because all of these people have got different requirements as to what they want you to do with the data. So yeah, it’s quite an involved, quite a fun problem if you’re that sort of person.
Daniel Newman: I think the challenges of getting it right is important. I know I’d like to get your take a little bit more on sort of what individuals can do and companies can do to make sure their employees are keeping meetings safe.
But I do want to preface this, as someone that analyzes the industries across the tech spectrum and cloud being part of that, I expect tech companies that sell enterprise solutions to have a certain amount of security baked in, a certain amount of privacy, a certain amount of tools.
We’ve entered this world because of cloud, Giles, that people think a Facebook experience is the goal, or that a Twitter experience, or a TikTok experience because that’s the UX side that everyone loves. The problem is, is when it comes to an enterprise solution, it can’t just be free for all, those companies make money with your data. Those companies are not paid to be secure, they’re paid to create an experience and they’re going to use, they’re going to harvest the data and use it to make money. My big point here, you guys can’t do that.
Giles Chamberlin: Some companies will use it to make money, some explicitly won’t. I think the first thing you’ve got to do is to look at the provider you’re thinking of using. Again, whether it’s an external provider or your own provider, look at the data they’re going to be giving, see how you feel about that data going out. So you start looking at how they’re claiming they’re going to use it and if you’re comfortable with that.
You look into how they are going to protect that data and fulfill what they say they’re going to do. You could do that by conducting your own audit. That’s expensive and difficult. You could look for third-party certification, there’s the ISO standards. We’ve just been through ISO 27001 certification, which certifies that our information security management systems are fit for purpose.
You look at all of the things involved in trusting your data to somebody else, and then you’ve got to make a risk assessment. Is this suitable for what I’m doing? If you’re just having a chat with your friends over a beer one evening, that’s one thing. If you’re discussing the commercial strategy of a multinational company, you’ve got a much higher threshold.
If the risk assessment you conduct says this is not sufficient, you’ve then got to look for alternatives. Either another provider perhaps, or looking down to self-hosted where you are your own provider and you then guarantee that you control where the data is, where the data flow is going. There’s a downside to that which comes back to your Facebook comment. If you’re doing all the work of hosting all this yourself, it’s a lot more work.
You’ve got the traditional trade off between security and usability. It’s much easier to use something that’s not secure almost by definition because you don’t even have to log onto it, you just get in. You mentioned the end users, this comes around to the end user side of things as well. End users want to just click and join a meeting, to make it more secure you might want to give them a PIN, but then you’ve got to trust your end user not to put all of that meeting information on the internet for other people to use, and so the unfortunate zoombombing events and so on that were happening earlier.
If you don’t trust your audience not to display inappropriate PowerPoints, you’ve got to try and lock down and prevent the guests of that meeting displaying PowerPoints. If you’re having a meeting with two or three colleagues, that level of security would be annoying when one of them wants to contribute, and you trust your audience more in that case. You have to take a different approach to security. It has to be done on a case by case basis.
Daniel Newman: Absolutely, but you have to enable a certain amount of tools to the users.
Giles Chamberlin: You need the controls to allow them to do that, and you then need to educate them to say, “These tools are available, please use them.” The final stages, unset the defaults towards the secure. If they need to, they’ll move it towards easier to use, they will never voluntarily move easy to use towards secure.
Daniel Newman: That’s probably the challenge with some of the… not any one, but with a few of the more off-the-shelf, cloud-based collab tools that have been introduced was the idea was to be UX focused, and security was the sacrifice, privacy and security. It isn’t hard to say, “Hey, let’s have a knock for someone to enter, and then you have to allow them into the room”, that’s a long time practice.
Also then there are certain things that if you’re an enterprise and a business, and you want to do collab which is a big part of Pexip’s focus, right?
Giles Chamberlin: Mm-hmm.
Daniel Newman: Is enabling businesses, enabling interoperability. Encryption for instance, it’s just something that it should be thought about before who’d ever start using a solution.
Giles Chamberlin: You have to try and design this in from day one. Retrofitting it is hard and you always can see the edges when you try and do this. Encryption, I see no reason for not having this from day one. There’s no end user issue, this should be table stakes, not locking meeting rooms for other people joining.
These are all good practice for an enterprise environment or a sensitive environment where you don’t want other people walking into the meeting by accident. Don’t mind them walking in by accident too much, it’s the ones doing it on purpose who are the issue.
Designing this end from day one is important. We were very much an engineering, hardcore engineering led company, so with our initial versions of the video conferencing clients, the user experience was not ideal, you never want me as a graphic designer. But we did build in the security technology very, very strongly from the beginning, and we’ve now improved our user experience to smooth out the edges.
Daniel Newman: Yeah, absolutely. It’s a challenge, but I think it’s also an opportunity. I think as we scale companies like yours, have a chance to really market and differentiate around the approach to security for interoperability. The fact that you’re able to bring many solutions in together into a safe, secure, centralized platform is going to be a big part of the story.
I think security is often thought of after as opposed to before because like I said, because the user experience drives a lot of the reasons some of these cloud apps scale so fast is because they’ve skipped the entire process of IT auditing or evaluating, because they’ve been purchased the same way you would purchase any other off-the-shelf stuff solution.
That’s why it’s even more important that these companies bake it in and think about it from day one because the way it gets into an organization versus when it starts to create scale creates a lot of problems.
Giles Chamberlin: You never see security on the three features on the front page of a website saying “buy our product because…”, you do see it on page 37 of the tender document saying, “By the way, do you make sure that you’ve got this, this, this and this?” So it is absolutely necessary, essential, and until recently hasn’t been top of mind for many organizations.
I think the increased use of video in a business context, the massively increased use that we’ve seen and the recent headlines around it are bringing this top of mind for more and more end users. They won’t be going in integrate detail and saying, “Were you using deprecated encryption algorithms?” That’s not their job, but there’ll be looking for a coherent security story and probably an approach so those things like the certification, ISO accreditation, this sort of approach just to give you that rubber stamp that says, “Yes, somebody’s thought about this, somebody’s looked at this, it’s being considered.”
Daniel Newman: I think the industry standards will start to fall around, one, is it encrypted from end-to-end, fully encrypted, and then I think that’ll be something that’s going to become a popular topic. Two is going to be what is done with the data, and is it private? In terms of our enterprises, does it meet the compliance requirements of enterprises on a global scale? Three, it’ll be reputation. The third will become the reputation because as anything hits scale, it’ll build a reputation of whether or not it’s secure.
Giles Chamberlin: I agree very much on the reputation and the data management. The end-to-end encryption is a very interesting one because, again, it comes back to security versus usability. What do you want to do with this? If you’re looking for a real-time transcription for subtitles so your disabled colleagues can read the text, that’s going to break end-to-end encryption. You’ve just decrypted in the middle in order to do the transcribing.
Daniel Newman: It’s a good point. There will be use cases where encryption-
Giles Chamberlin: Encryption in transit and control of the data, knowing exactly what’s happening, appreciating you’re taking a slight reduction in security for a massive increase in functionality. You might then say, “Oh, I don’t trust a third-party to do that decryption in the middle in the transcription, I’ll do it myself self-hosted.” So you put it in a steel ring to data center with armed guards on the door and say, “Okay, now I believe it’s not end-to-end encrypted, but I’ve got big dogs and rifles to protect it in the middle.”
Daniel Newman: I think when I say that, I think probably leaning towards those cloud, those companies that are claiming to be public cloud. The quotable encryption will be important only because it’s been speculated now and it’s been called out very specifically that some companies have claimed it but not necessarily-
Giles Chamberlin: They’ve corrected their advertising….
Daniel Newman: I do think to your point when clarity is available in terms of, “Hey, you can turn this feature on or off depending on what you’re trying to do, but here’s the risk.” I think that needs to be more clear, especially like I said, for enterprise solutions, not for when you’re calling grandma, not for when you’re… a few friends want to hop on and do an afternoon happy hour.
But for when a business is having its corporate meeting, and a city is having, or an educational institution is talking about important things, that’s when you need to make sure how is this data being handled. I want to kind of bring this back, Giles, and talk about this, because you started alluding to this, actually you pretty specifically called it out.
Something Pexip does that’s unique in and that it’s focused on is the self-hosting, and it’s something that’s kind of baked into your DNA. Talk about why that’s a great option, when that’s a great option for enterprises.
Giles Chamberlin: When Pexip it was originally founded, in fact, we were focused only on self-hosted not on service, not on running a cloud service. This was because running a cloud service was going to take an awful lot of hours work, there weren’t very many of us so we thought we’d sell self-hosted solutions to service providers and let them do the antisocial hours which worked very well. Worked so well we merged with Videxio, one of our customers and we now run our own service and get to do the antisocial hours.
The great advantage of the cloud service is somebody else does all the work for you. You pay them a bit of money, they’re the ones doing the antisocial hours, they’re the ones ensuring the security. Managing the service is a problem that just goes away, but it hasn’t gone away. You have a legal requirement to know what data you’re giving them, where it’s going, what’s happening there, so you’ve still got to do some work. You can’t just abdicate responsibility totally.
If you decide that the risk that you’re taking of losing important data or breaching important legislation through using that service provider is unacceptable, they’ve told you clearly they’re going to sell all your data to your competition and they’re going to break all local legislation. Yep, you probably don’t want to deal with them.
You can either go and find another service provider who might be able to match your requirements, or you can bring it all in-house where upon you can say, “Okay, take one extreme, I’m going to run all of this in my own data centers. These are buildings I own. I know physically exactly where they are. I know exactly what links are between them. I manage it myself. I reference check all of the people working on the service. I know everything about everything.” That’s one extreme.
We have customers who run like that on systems that aren’t connected to the internet, you know this is secure. You can then start moving up towards saying, “Well, I trust some of the big cloud compute providers, Google, Azure, AWS. I’m going to host in their compute capacity in known locations, but I still want my own staff to run the service and have their own knowledge of what’s going on. And I want the video conferencing data under my control. I don’t mind about the IP level of stuff going around, but I want that level of control.”
Then you can move that up to saying, “Okay, I want somebody else to run the whole service for me or something we’re working on at the moment.” Somebody else provides the compute capacity of the media, but you still run your own data on… your own management layer on top. There’s a spectrum of approaches to provide there, and Pexip is in unusual position that we can provide across that spectrum.
Daniel Newman: Yeah, so you basically have that self-hosted, shared hosted and managed hosted approach for organizations to sort of choose the mix that’s best for its old, its requirements of course like you said on the tech side, and then of course on your data integrity, privacy, security side, which to me sounds like a pretty full stack, and an expanded stack certainly from where you started.
Giles Chamberlin: Pretty much so.
Daniel Newman: With that, Giles, I want to thank you very much for joining me here for today to talk about security and privacy.
Giles Chamberlin: It’s been great, thank you very much.
Daniel Newman: Please tune in, check out. There is six parts to this Navigate series, so if you’re checking this one out there was other discussions on a lot of very interesting topics on video collaboration and business today. Please join us for this episode. I want to say thank you for tuning in and listening, and we’ll see everybody later.
Disclaimer: The Futurum Tech Podcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.