While many software applications add a layer of security as an afterthought component and limit their definition of security to password protection and a few other areas, omNovia started its advanced web conferencing platform with security as one of its very foundations. In reality, omNovia Technologies began as an information security consulting firm in 2004 with solid prior experience in Identity Management and strong authentication systems implementations worldwide. Since day one, security has been an inherent part of the omNovia Web Conference DNA and has always been given the highest level of priority.
In this document we review various security risks, particularly in the web conferencing space, as well as omNovia's responses to potential threats.
omNovia Technologies offers a complex web conferencing service that is much more than a simple software application running on a computer. Providing omNovia Web Conference as a SaaS (Software as a Service) entails a large number of modules and processes that form the system. Securing every link of the chain is the challenge to overcome since the entire system is only as secure as its weakest link. As a general rule, security encompasses three critical components:
Creating the most locked-down software with 1024-bit encryption would not make it any more secure if the provider's employees were not trained to protect customers' passwords. Defining adequate processes is also critical. Imagine that customers' documents, such as Microsoft PowerPoint files, were to be copied from one server to another. Implementing a procedure that ensures these files follow a path that will never expose them to prying eyes during the transfer is as important as requiring strong password authentication to access conference rooms.
omNovia Technologies enforces a variety of strict rules when it comes to processes and has implemented a comprehensive testing and monitoring methodology to ensure their effectiveness.
A number of features have been built into the omNovia Web Conference platform since its inception to provide full protection for omNovia customers and their end-users.
Authentication and Authorization
One of the most important factors is securing access to web conference rooms. omNovia offers different levels of password protection to meet different business-related requirements. As an example, a sales and marketing webinar for which you would like to have as many viewers as possible would not require the same level of access restriction as a closed meeting between C-level executives of a public company.
You can set group passwords, individual passwords, and temporary passwords for specific events. SSL encryption ensures passwords are never sent in the clear over the network.
Beyond password protection, omNovia provides strong two- or three-factor authentication capabilities. Access may be controlled by verifying digital certificates (holding employees' digital ID, including public and private keys) stored on a physical smart card and/or by validating biometric credentials such as a fingerprint or retina scan.
One of the most practical features also provides a more secure environment and reduces the risk of external intrusions: SSO, or Single Sign-On, is an API (Application Programming Interface) that allows full integration of the omNovia Web Conference with your web-based members page or with your internal LDAP or Active Directory. By implementing SSO, your attendees would log in to your members area (or internal portal) using their usual username and password, then click a button to access your conference room without having to remember yet another password. It provides easier access for your attendees while simplifying user management on your side. Studies show that a lower number of passwords to remember inherently leads to more security, as users will not expose their passwords in emails, files or even post-it notes. In addition, a terminated employee, for instance, would no longer be able to enter your conference rooms as soon as you cut his/her access to your members/employee portal. More information on the SSO API is available at http://support.omnovia.com/kb/141.
Faithful to the “Technology, Process, People” methodology, we have also put in place strict rules for our employees not to provide any passwords online or on the phone. In fact, omNovia employees do not see any passwords in the clear, as they are encrypted in our databases. This brings us to database protection.
There are two different angles to consider when it comes to database protection: data theft and data loss.
Hackers trying to compromise databases are a serious threat, against which omNovia employs the latest techniques to prevent unwanted access. Additionally, omNovia uses data encryption for sensitive information and never stores end-users' credit card information.
Data loss can result not only from malicious attacks, but from inadequate processes in the software or from human error. omNovia uses advanced, secure and frequent backups to ensure the integrity of customer data.
Eavesdropping on web conference sessions by listening to the audio, reading chat messages or viewing the live or recorded media is a fundamental threat to any web conference session. Although direct access to a room might be protected, there may be ways to eavesdrop on the network without actually being inside the virtual room. omNovia employs 128-bit SSL encryption for secure rooms in all client-to-server or server-to-server communications including but not limited to chat, voice, video, application sharing, PowerPoint content and file sharing.
If communication channels were protected without restricting access to voice and content servers, we would only be shifting the weak link. omNovia servers are hosted worldwide in environments with the ultimate physical and logical security. Three levels of personnel identification are required for an engineer to access the physical boxes while strong 2-factor authentication is mandatory to access our servers online. In addition, omNovia infrastructure engineers and staff are also screened for any past criminal records.
For customers requiring an extra level of security, dedicated servers are used for heightened security and performance.
Server redundancies in various regions, as well as mechanisms to move live conference rooms from one server to another, provide business continuity in case of severe server problems. For example, during Hurricane Ike in 2008, which severely damaged Houston (Texas), our customers using Houston servers were transparently moved to servers in other states and did not experience even one minute of service disruption.
Last but not least, special attention is paid to our customers' privacy protection on an ongoing basis. omNovia does not resell or expose our customers' or their end-users' information, and we also maintain a “Chinese Wall” security policy, which ensures information from one customer is never shared with other customers.
While we have taken extra measures to ensure the highest level of protection for our customers, we understand that security is an ongoing endeavor and requires daily efforts to maintain and enhance the protection level. omNovia Technologies has made a choice to focus on high quality and custom web conferencing. This means that we will work closely with our customers to adapt our solutions to their needs and further develop or customize them to meet their most stringent requirements.
About Founder and Chief Executive Officer, Shawn Shadfar
Shawn Shadfar is the founder and CEO of omNovia Technologies. Mr. Shadfar was a member of the engineering team that invented the first Java-based smart card in 1997 and later co-founded the Information Security group at Schlumberger. His group provided a smart card based digital ID solution to the U.S. Department of Defense, NASA, Chevron, ExxonMobil and other Fortune 500 firms. He has published many articles and has spoken at numerous events in the Information Security industry. Mr. Shadfar holds a Master of Science in Electrical Engineering from Georgia Tech in Atlanta as well as a Master of Science in Computer Science from Supelec, Paris.