Alternative collaboration platforms guideline
Introduction
The Collaboration Platform (Microsoft Teams) policy and guideline sets the direction on the use of Microsoft Teams as the preferred collaboration platform for departments to use when conducting official Queensland Government business.
However, some departments may have already invested in collaboration tools or are using existing tools. Departments may require alternative third-party products to host or participate in Video Conference meetings, or trainings using alternative platforms e.g. Skype, Zoom, WebEX, GoToMeeting etc.
As per the Information Security Policy (IS18:2018), departments must appropriately analyse and manage their risks, in line with their business context and risk appetite, when deciding to use alternative collaboration platforms. Considerations specifically around security, privacy and data sovereignty should be understood. As per the Queensland Government Information Security Classification Framework, information that must be assessed for confidentiality (C), integrity (I) and availability (A) before deciding to use offshore processing and/or storage.
Purpose
This guideline provides information and advice for Queensland Government departments to consider when using / implementing alternative collaboration platforms.
These guidelines are for information only, and departments are strongly recommended to further investigate any obligations considering their own business requirements, risk appetite and seek expert advice where necessary. It is also highly recommended that departments undertake their own risk and privacy assessments based on their specific requirements for usage of alternative collaboration platforms.
Audience
This document is primarily intended for Queensland Government departments.
Scope
The scope of this guideline encompasses the guidance relating to collaboration platforms which are used in following scenarios:
- platforms implemented and used in Queensland Government departments used to collaborate with other government and non-government entities
- Queensland Government participation on collaboration platforms hosted or managed by a third party.
Collaboration platform security considerations
The Queensland Government Information security policy (IS18:2018) seeks to ensure all departments apply a consistent, risk-based approach, to the implementation of information security to maintain confidentiality, integrity and availability. In the wake of the COVID-19 crisis organisations have turned to collaboration platforms for video-teleconferencing, document sharing and to stay connected to maintain business as usual.
It is likely, when organisations increase their use of collaboration platforms, it will increase the risk of exposing sensitive information and breaching privacy laws, while cyber threat actors are using this as an opportunity to diversify their avenues of exploitation.
To ensure an appropriate risk-based approach is used when adopting a collaboration platform, a robust set of policies, procedures and controls should be implemented. Establishing context and applying the agency's risk appetite is integral when conducting risk assessments.
Key security considerations when deciding on use of a collaboration platform include:
- classification and sensitivity of information being used within the platform
- privacy policy and terms of use, particularly whether information can be shared or used by third parties
- responsibility for granting and reviewing access
- ability to remove/block unauthorised attendees
- data sovereignty considerations
- encryption used by the solution for data at rest and data in transit
- role based access control where possible
- leveraging existing solutions instead of looking for an alternate solution
- considering platform integration and use of web or dedicated desktop application
- ability to use the application on non-corporate devices (e.g. BYOD)
- ability to remove messages/files sent
- considering an incident response plan to addresses a security or privacy breach
- availability and quality of technical support in a timely fashion in the event the service is interrupted
- service providers track record on supporting and maintaining the solution
- reliability and scalability of the service providers solution
- use of strong encryption mechanisms for information in transit and at rest
- service providers ability to quickly and effectively patch/remediate any existing or new vulnerabilities
- departments ability to manage the service provider through SLA's and contract(s)
Security configuration guidance
When using and/or configuring any videoconferencing applications, the following is also strongly recommended to be considered:
| Security configuration | Description |
|---|---|---|
1 | Do not make meetings or classrooms public | Usually there are two options to make a meeting private:
|
2 | Participants video | Consider participant video settings. Usually participants choose whether to enable video or not. |
3 | Require host to be present before meeting starts | This is only recommended if the waiting room functionality has not been activated. |
4 | Require a password when scheduling new meetings or starting an instant meeting | A password will be generated when scheduling a meeting and participants require the password to join the meeting. |
5 | Embed password in meeting link for one-click join | Meeting password will be encrypted and included in the join meeting link to allow participants to join with just one click without having to enter the password. |
6 | Consider audience when sending invitations | Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people. |
7 | Limit the list of domains that the invitation can be sent to | Where possible limit which organisations can access your meetings or platform. |
8 | Allow only signed-in/invited users to join | Signed in with the email that they were invited through. |
9 | Enable Mute upon Entry | Automatically mute all participants when they join the meeting. |
10 | Auto saving chats | Automatically save all in-meeting chats so that hosts do not need to manually save the text of the chat after the meeting starts. |
11 | Be aware of surroundings when hosting or attending meetings | Be aware of your (and participants) surroundings when hosting or attending meetings. Using a private location for meetings will help maintain confidentiality. |
12 | Lock a meeting | Lock a meeting after required participants have joined where possible. |
13 | Enable Attendee On Hold | If available, this option stops video and audio transmission to a participant or participants while the rest of the participants can continue. |
14 | Allow screensharing to Host Only where possible | The host should have control over screen sharing and file transfers to avoid the sharing of disturbing imagery or malware. |
15 | Disable remote control for participants | Only a host should be able to control the presentation. |
16 | Enable the ability to remove unwanted or disruptive participants if required | Remove unwanted or disruptive participants if required. |
17 | Disable participants ability to record the session | Allow only hosts to record and save the meeting/webinar. |
18 | Only authenticated users can view cloud recordings | The viewers need to authenticate prior to viewing the cloud recordings, hosts can choose one of the available authentication methods when sharing a cloud recording. |
19 | Recording disclaimer | Show a (customisable) disclaimer to participants before a recording starts. |
20 | Disable In-meeting file transfer | Prevent people from sharing files through the in-meeting chat, as this will prevent any inadvertent clicking on a malicious file shared or prevent sharing of sensitive information to unauthorised participants. |
21 | Enable anti-malware protection | If file transfer is required for the meeting enable any malware or viruses scanning options on the platform. |
22 | Screen-Share Applications Only | Limit screen sharing to applications only, preventing the meeting host and participants from sharing their entire desktop. |
23 | Disable private chat / Turn off - Allow users to chat | Can be used if required to prevent anyone from getting unwanted messages during the meeting and will prevent anyone from being sent a malicious link or file without the knowledge of the host. |
24 | Enable encryption | Where possible require that all messages and files are encrypted in transition and at rest. |
25 | Periodically review operation logs | These logs allow account owners and other designated users, the ability to view changes made by administrators on the account. This can include changes in account management, user management, and other advanced settings. |
26 | Configure log collection | Configure logs collection from your platform / account to your SIEM where possible and establish alerting/monitoring mechanisms. |
27 | Use updated version of platform and client software | Ensure that users have the latest versions of applications installed and are keeping them updated with regular patching. Ensure that users download applications only from legitimate websites/links. |
Desktop application vs internet browser
Encryption
Careful consideration should be given to the data encryption options when using a desktop application vs an internet browser-based implementation. Many video conferencing platforms support TLS 1.2 with Advanced Encryption Standard (AES) 128-bit algorithm only for the desktop client in Electronic Codebook mode.
Deployment and support
When selecting or using alternative collaboration platforms where possible ensure you have a mechanism to package and deploy the client application to desktops. This will enable management and control of the applications.
Patching and updates
Due to the increased usage and focus on alternative collaboration platforms, new patches / updates are being released more frequently. It is best practice to create a policy and apply these updates and patches to the chosen application as soon as practicable.
Approved and managed browsers
Where possible, consider downloading and deploying the desktop client for the alternate collaboration platform to use, as the web client has limited features and generally a lower level of security and controls. Where this is not possible, departments should assess the capabilities and risks of using the web client and if permitted, ensure that only the organisations approved browsers which are a part of their Standard Operating Environment (SOE)/Managed Operating environment (MOE) are being used to access these platforms. Ensure users have the latest versions of applications installed and are keeping them updated with regular patching. This ensures timely patch and policy updates, improved operational control of content and plugins, and allows for better logging and reporting.
Existing collaboration platforms in use
It is acknowledged that some agencies may have already invested in collaboration tools or are using existing platforms (e.g. Skype for Business). As Microsoft Teams is available to Queensland Government departments under existing whole-of-government arrangement for no extra charge, departments are expected to adopt this as a preferred platform when operationally convenient.
The departments who are continuing with their existing collaboration solutions are encouraged to consider enabling transitioning to Microsoft Teams as the preferred government platform.
Information privacy considerations
When assessing collaboration platforms, departments need to ensure they have an understanding on how data is stored, and whether the product shares information with affiliates and/or other third parties.
Most products should only collect information to support the provision of their services, so it is important departments understand what information is collected and for what purpose it is used. Departments should be careful of products that are silent on whether they share data, or statements stating they share data for business purposes (as these types of statements are unclear to who the data is being shared with and to what degree).
Departments should choose products where they have control of privacy settings and ensue videos are not stored automatically (unless the host has chosen to record the meeting). The option of being able to consent is an important feature, but note sometimes if you don't consent, you don't get to use the services (or sometimes specific features will be disabled).
Microsoft Teams can be configured to ensure files are stored locally, however content associated with functionality such as chat and video are generally not stored locally, and departments need to understand where such content will reside. It is therefore important agencies have clear policies and processes in place on what type of information can be transmitted/stored over chat and meetings. For example, agencies may set policies that prohibit using chat for SENSITIVE and PROTECTED information. No matter what product is used, departments must ensure the Privacy Principles in the Information Privacy Act 2009 are adhered to.
More information on privacy considerations for cloud solutions can be found in Cloud computing and the privacy principles produced by the Queensland Office of the Information Commissioner.
Ownership of content and copyright
Departments need to ensure they understand where ownership resides be careful of products that don't allow users to retain ownership of their content and intellectual property. When using video conferencing and posting/sharing content, users should still ensure they are not breaching copyright laws, such as sharing works of others without their consent. For further information see the Queensland Public Sector Intellectual Property Principles and the Use of copyright materials guideline.
Recordkeeping considerations
Departments must consider their recordkeeping obligations under the Public Records Act 2002 when using any collaboration product. Employees should not use chat type features to record major business decision unless a record of that decision is kept in an appropriate recordkeeping system. For further information see the Records governance policy and the Managing information in the cloud factsheet.
References
- https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
- https://www.esafety.gov.au/key-issues/esafety-guide/zoom
- https://www.cyber.gov.au/publications/web-conferencing-security
- https://www.theguardian.com/technology/2020/apr/08/zoom-privacy-video-chat-alternatives
Appendix C
NSW Government video conferencing comparative analysis
Appendix D
Alternative products
This appendix lists alternate video conferencing tools, links to specific advice by vendors to use the product in a secure fashion and other relevant news and industry references.
Zoom
- Best practices for securing your Virtual Classrooms
- Zoom meetings vs Webinars
- Zoom desktop applications vs Mobile Apps
- Zoom Global Data Processing Addendum
- FBI warns of emerging threat of Zoombombing
- Zoom geo location routing feature released
- New client for Zoom released
AARNet Zoom
- AARNets safe usage guidelines for Zoom covering operational security and administrative settings
- AARNets response to Zoom security and privacy issues
- Best practices for securing your Virtual Classrooms
- Zoombombing and tips for preventing it
Skype
- Encryption in Skype
- Skype Privacy and security questions answered
- Security Guide for Skype for Business Online
- Set up Skype for Business Online Admin / Security Guide
- Skype for Business mobile app security
WebEx
- Cisco Webex Best Practices for Secure Meetings: Hosts
- Cisco Webex Best Practices for Secure Meetings: Site Administration
- Manage Security for a Cisco Webex Site in Cisco Webex Control Hub
- Cisco Webex Meetings Security Whitepaper