The US National Security Agency (NSA) published last week a security assessment of today's most popular video conferencing, text chatting, and collaboration tools.
The guidance contains a list of security criteria that the NSA hopes companies take into consideration when selecting which telework tool/service they want to deploy in their environments.
The NSA document is not only meant for US government and military entities but the private sector as well.
The idea behind the NSA's initiative is to give military, public, and private organizations an overview of all of a tools' features, so IT staff don't make wrong decisions, expecting that a tool provides certain features that are not actually living up to the reality.
Per the NSA's document, the assessed criteria answers to basic questions like:
- Does the service implement end-to-end (E2E) encryption?
- Does the E2E encryption use strong, well-known, testable encryption standards?
- Is multi-factor authentication (MFA) available?
- Can users see and control who connects to collaboration sessions?
- Does the tool's vendor share data with third parties or affiliates?
- Do users have the ability to securely delete data from the service and its repositories as needed (both on client and server-side)?
- Is the tool's source code public (e.g. open source)?
- Is the service FedRAMP approved for official US government use?
A snapshot of these assessments is available in the image below. [In case any of these change and the screenshot becomes outdated through the years, please refer to the original PDF document.]
The NSA published the above assessment due to the ongoing(COVID-19) pandemic, which has resulted in many private-sector employees, government workers, and military members working from home and increasingly relying on teleworking tools.
Knowing which tool fits which security posture and threat matrix is the first step in preventing intrusions, the NSA said.
This assessment also marks the second cyber-security advisory that the NSA issued last week. Days before, the agency had also published guidance and a list of the most common vulnerabilities threat actors had been using to plant web shells on servers.
This week, the US government has also issued another security alert, this one by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). CISA said it was concerned about hasty deployments of Office 365 and Microsoft Teams that may have exposed companies to attacks due to missing key security configurations.