Skype for Business is growing at a trajectory few solutions have seen before and bringing with it massive gains in efficiency and productivity.
But these gains, as you may have read in Part 1 of this blog series, bring with them new concerns for security and data protection.
Now, there are several ways you can approach security with Skype for Business. The “Tools – Options” tab has a subset of about 15 categories, each with options that can be enabled or disabled, changing the security level within Skype.
You could even try to set Group Policy Settings for Skype to disable features such as file transfers, chat logs, or the meeting recording capability. But that’s not always practical and would result in removing the very features that make Skype so good. It would be like taking the tires and radio out of your car, and depending on your industry, it could be illegal or even out of compliance when the auditors come ringing.
For example, in the Financial Services industry, if you discuss any sort of trading or stock through IM, those conversations need to be available during an audit.
Sure, your VoIP calls are encrypted by default as you authenticate through Active Directory to prevent “hackers” from eavesdropping on your conversations. But that’s only effective for the real-time conversation and doesn’t help with the thumbprints that get left behind. Don’t forget, all chat logs, files and recordings are stored on the endpoint by default.
Can’t I just use GPO settings?
There are several challenges with trying to “lock down” Skype in this manner. First, these GPO settings would only apply to Windows-based systems that you manage. Second, if you do break the cardinal rule (as many organizations do, especially in a BYO world) and allow the user to be a local admin of their own system, these policy settings can easily be reversed.
I suppose you could write a macro that executes on close to delete any chat logs and files from the default “downloads” folder (remember when we called them directories?). But that isn’t really an effective “security” solution. It’s security by obscurity.
You could configure the default locations for file saving and recording to be on a network share. This would ensure that all sensitive information shared between Skype participants is kept in a secure, remote location that only your corporate IT controls. This is an excellent step in the right direction! Now, no matter where or what device your employees use Skype on, the data is always protected in the corporate vault.
Distance makes the data grow fonder?
The challenge here, of course, is in the user experience. If I am using a local Skype for Business client and my files, records and logs are always being sent a few hundred miles to my share, then my experience will be degraded and I will most likely ditch it. And if that link is a high-latency network connection, for example over a free hotspot at a coffee shop on Nantucket, my experience will be even worse. So, I may have security with poor performance as I sit and wait for my file to copy over 800 miles using a choppy WiFi connection. #FAIL
If that were the case, we would find ourselves right back where we started. I’m circumventing my corporate IT controls for a better experience. And with the explosion of BYOD, I am likely installing Skype for Business on my own iPad Pro, Surface, laptop, Chromebook and more. These are devices that my corporate IT doesn’t necessarily have control over and therefore can’t apply a GPO to that redirects my Skype data in the first place.
So, what’s an IT administrator to do?
The most effective way to ensure that Skype data stays secure is to host Skype for Business in the data center behind lock and key where no one can gain access to it. By virtualizing Skype through XenApp and XenDesktop, you can ensure that Skype and its sensitive data stay together for better performance and stay off of the endpoint devices that easily get lost or stolen. Like peanut butter and jelly or coffee and stroopwafels, always better together.
Now, I hear what you’re saying again. The question on your mind is,
OK, that sounds fine, for text and instant messaging. But if I have my Skype for Business hosted on XenApp in my data center 800 miles away and I want to do voice and video calls, as in your earlier example, well, how does that work?
It’s a great question, and I’m so glad you asked it. What you are referring to is called the “tromboning” effect and it can quickly kill your Skype for Business security strategy by introducing inefficient paths and network stuttering.
So, how do we avoid network stuttering? Stay tuned …