Back in April 2020, when the world was in the initial throes of the pandemic, our team started to work from home. We were used to working from home (during weekends) and relied on Skype and WebEx for business meetings. We watched the astounding rise of Zoom (from 10M daily participants in Dec 2019 to 300M daily participants in Apr 2020) and subsequently the security problems that accompanied it .. to the extent that it was banned by many corporations world-wide all the while exploding in use among consumers. Many corporations and institutions that used Zoom, did so hesitating and fearfully (afraid of hackers listening in). We sensed an opportunity here and realized that video conferencing could be the killer app for our security products.
Video conferencing (excluding secure military systems) was never built with security in mind. The goal was to facilitate communications as painlessly as possible. I know … I was part of a team at ATT Bell Labs (now part of Nokia) that created a virtual meeting service in the 1990’s (see patent). Our team contributed to many of the standards that underlie today’s conferencing technologies. With a background in both security and video conferencing, I was in a unique position to understand what it took to create a secure video conferencing system. So how do you build a secure video conferencing system?
First, you need to build the video conferencing piece. At a minimum this consists of the following – (1) a XMPP server which hosts the meeting room and chat server, (2) a video/audio bridge for mixing the media streams, (3) a Controller that sets up the meeting room and acts as the go-between the conference participants and conference resources, and (4) the participant software which could be a desktop program, a mobile app or a browser (implementing the webRTC API).
Second, you need to authenticate every user. Currently, when you get a meeting link (from Zoom, Teams or any one else) and you click on it, you are taken into the meeting. At most you are challenged for a meeting password. There is no user authentication unless your company has setup Single Sign On (SSO), in which case, you will be directed to a SSO page to authenticate (typically via 2FA or AD/LDAP) prior to proceeding to the meeting page. The problem with this is that all the meeting participants should be enrolled in the same authentication system. This does not work for meetings among participants who belong to diverse organizations. The challenge is to authenticate all users, even those who are not enrolled in the authentication system.
So, we created two classes of users – (1) paid subscribers, who are authenticated by ProtectID but require prior enrollment and (2) guests, who are authenticated by a new 2FA system but do not require prior enrollment. The main difference is that ProtectID has a lot more authentication options than the guest authentication system.
Third, you need to control access to the meeting room to specific participants. Just because a user is authenticated doesn’t mean they are authorized for that particular meeting. So, we created a meeting authorization system that checks the authenticated user against a list of authorized participants for that particular meeting. To our knowledge, no other competitor does this.
Fourth, you need to ensure that the meeting cannot be spied on by malware. It is relatively easy for malware to capture the keystrokes in a conference (entered in the chat interface), capture screen shots when presentations are shared, spy on the clip board or spy on the audio and video in a conference. Existing anti-virus software have a malware detection rate of less than 10%. Some AV software try to block the camera or microphone from third party software but no vendor has comprehensive protection of the audio stack to prevent a conference from being captured.
Rather than trying to detect malware, we decided to take a different approach. We built a protective shield to stop the keystrokes, the screen, clipboard, the camera, microphone and audio stack from being spied on. This way even unknown malware can’t spy on the conference.
The above innovations make the video conference extremely secure but we wanted to do more. We were not happy with the existing meeting scheduling systems (such as from Zoom, Teams, etc.). We felt that it was limited to just scheduling the meeting. So, we set about building a comprehensive meeting management system.
First, we created a scheduler (similar to Zoom’s) which will enable the user to set the meeting time and other parameters (such as allowing users to join before the meeting organizer).
Second, we added the ability to create a Meeting Agenda and Meeting Notes. This was important because though storing a recording is nice (which we will also have), it can be a pain to go over a couple of hours to find out what happened in the meeting. Also, the recording is not stored permanently whereas the Meeting Notes will be always available.
Third, we added the ability to add participants to a meeting. This gave us the ability to control access to the meeting as well as send meeting notices via email and calendar entries at the click of a button.
Fourth, we added a meeting log. This shows data such as who joined the meeting, what time they joined, how long they stayed, etc. It also shows errors such as when a participant can’t login or a meeting is terminated erroneously.
Next, we added an Administrative System. This enables the company admin to do a variety of functions such as:
• User Administration – This consists of adding, removing and updating user information. In addition, the admin can provision the user for the various authentication methods of the ProtectID authentication system.
• Meeting Analytics – This allows the admin to access the meeting logs of all the meetings in the company. There is a powerful query tool that allows the admin to slice the log data in various ways to generate various reports.
• Reporting – Reports can be generated in pdf format or exported to excel for upload to other systems. These reports can help in meeting compliance requirements.
In addition, we built a Monitoring System that includes a dashboard to monitor the SafeVChat network hardware and software performance metrics to identify bottlenecks and potential issues.
The video conferencing industry is in its infancy. Thrust by the pandemic into the spotlight, it is changing the way we work and interact with each other. I believe we will see a lot more innovation in this space. Of course, this is just the beginning for SafeVChat …. stay tuned for future enhancements.
Ram Pemmaraju, CTO of StrikeForce Technologies, Inc.