Security basics for federal video conferencing

Paul Cantwell

High-definition video conferencing gives federal agencies tools for cost savings and increased productivity through secure teleworking and collaborative work environments. Federal executives, then, must understand the security issues of HD video conferencing -- on-premise or in the cloud.

In video conferencing, agencies are concerned with secure data storage, controlling and handling classified information to protect it from falling into the wrong hands.

Data storage, including global customer data, the calls placed, and signaling -- how voice and audio systems dial a specific number to establish a connection -- must be stored securely. With cloud services, a provider must maintain this information in a locked-down, secure U.S.-based data center. Information must be accessible only by the administrator for a given deployment. Only the records for that given deployment should be accessible.

Other key aspects of secure video conferencing include:

• firewall traversal (session border control functionality);
• relay functionality;
• Session Initiation Protocol (SIP) registration;
• Multi-party control unit (MCU) functionality.

Firewall traversal allows remote locations to work with on-premise users, whether users expose a public IP address or not. A relay function allows signaling and media to take place between peer-to-peer calls in deeply firewalled environments. At every stage, signaling and media must be completely encrypted.

With the MCU, multiple video streams are merged into a single stream to mix a multi-party call. Video from every party in the call is re-sized and re-scaled into a single stream to be consumed by each participant.

At its most fundamental, telecommunications signaling for video conferencing must be encrypted. After establishing a video connection, voice and video must also be encrypted. The connection must be encrypted twice to ensure that the number being called is secure -- as is video and audio data shared on the call.

Standards for cloud-based video conferencing include, at a minimum:

Advanced Encryption Standard (AES) -- AES was established by the National Institute of Standards and Technology (NIST) in 2002. The U.S. Government adopted AES in 2003 to protect classified information. The standard comprises three block ciphers, implemented with a 128-, 192- or 256-bit key.

Triple-DES (DES3) -- This approach applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. It provides the effective security of a 112-bit key.

For most video conferencing applications with AES encryption enabled, this standards-based approach is sufficient. The largest financial institutions and retailers trust this encryption for Internet transactions.

Video communications solutions for government and military require special certifications and security credentials. Depending on the requirements, the following standards or credentials apply:

Federal Information Processing Standards (FIPS) -- FIPS are publicly announced standards developed by the U.S. federal government for use by all non-military government agencies and by government contractors. Many FIPS standards are modified from standards in the wider community (ANSI, IEEE, ISO, etc.).

Joint Interoperability Test Command (JITC) -- JITC provides a full-range of interoperability testing, evaluations and certification services to support rapid acquisition and fielding of global net-centric warfighting capabilities.

For now, JITC typically recognizes only on–premise solutions. The absence of that credential may not be enough to preclude cloud-based video conferencing, but on-premise solutions may be easier to implement quickly.

Many organizations resist having information managed by outside sources. On-premise solutions enable complete control of every element of communications. Cloud-based solutions offer the benefit of convenience, because providers take care of all infrastructure and security details.

Each federal agency must weigh these benefits and advantages to implement the right video conferencing solution for them.

Paul Cantwell is vice president of federal sales for LifeSize. He can be reached at:

pcantwell@lifesize.com