How Google Meet keeps your video conferences protected
Syah Ismail
All over the world, businesses, schools and users depend on video conferencing to help them stay connected and get work done. Google designs, builds and operates its products, including Google Meet, on a secure foundation, aimed at thwarting attacks and providing the protection needed to keep users safe.
Google Meet’s security controls are turned on by default so that in most cases, organisations and users won’t have to do a thing to ensure the right protections are in place. Here are the key capabilities of Google Meet that help protect users.
Proactive protection to combat abuse and block hijacking attempts
Google Meet employs an array of counter-abuse protections to keep your meetings safe. These include anti-hijacking measures for both web meetings and dial-ins.
Google Meet makes it difficult for malicious individuals to guess the ID of a meeting and make an unauthorised attempt to join it: meeting codes are 10 characters long, with 25 characters in the set. It limits the ability of external participants to join a meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted. External participants cannot join meetings unless they’re on the calendar invite or have been invited by in-domain participants. Otherwise, they must request to join the meeting and their request must be accepted by a member of the host organisation.
In addition, several new features are rolling out to help schools keep meetings safe and improve the remote learning experiences for teachers and students, including:
- Only meeting creators and calendar owners can mute or remove other participants. This ensures that instructors can’t be removed or muted by student participants.
- Only meeting creators and calendar owners can approve requests to join made by external participants. This means that students can’t allow external participants to join via video and that external participants can’t join before the instructor.
- Meeting participants can’t rejoin nicknamed meetings once the final participant has left. This means if the instructor is the last person to leave a nicknamed meeting, students can’t join later without the instructor present.
Secure deployment and access controls for admins and end-users
To limit the attack surface and eliminate the need to push out frequent security patches, Google Meet works entirely in your browser. This means it does not require or ask for any plugins or software to be installed if you use Chrome, Firefox, Safari or Microsoft Edge. On mobile, it is recommended that you install the Google Meet app.
To help ensure that only authorised users administer and access Meet services, Google Meet supports multiple secure and convenient 2-Step Verification options for accounts. These include hardware and phone-based security keys and Google prompt. Additionally, Google Meet users can enrol their account in Google’s Advanced Protection Program (APP), which provides the strongest protection available against phishing and account hijacking and is specifically designed for the highest-risk accounts.
For G Suite Enterprise and G Suite for Education customers, Google offers Access Transparency, which logs any Google access to Google Meet recordings stored in Drive, along with the reason for the access. Customers can also use data regions functionality to store select/covered data of Google Meet recordings in specific regions.
Secure, compliant and reliable meeting infrastructure
In Google Meet, all data is encrypted in transit by default between the client and Google for video meetings on a web browser, on the Android and iOS apps and in meeting rooms with Google meeting room hardware. Meet adheres to IETF security standards for Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). For every person and for every meeting, Meet generates a unique encryption key which only lives as long as the meeting, is never stored to disk and is transmitted in an encrypted and secured RPC (remote procedure call) during the meeting setup.
Security is an integral part of all of Google’s operations. Google’s team of full-time security and privacy professionals supports software engineering and operations to ensure that security is always a part of how Google builds and runs its services. All Google Cloud and G Suite customers benefit from these capabilities, including:
- Secure-by-design infrastructure: Google Meet benefits from Google Cloud’s defense-in-depth approach to security, which utilises the built-in protections and global private network that Google uses to secure your information and safeguard your privacy.
- Compliance certifications: Google Cloud products, including Google Meet, regularly undergo independent verification of their security, privacy and compliance controls, including validation against standards such as SOC, ISO/IEC 27001/17/18, HITRUST, and FedRAMP. Google supports users’ compliance requirements around regulations such as GDPR and HIPAA, as well as COPPA and FERPA for education.
- Incident management: Google has a rigorous process for managing data and security incidents that specifies actions, escalations, mitigation, resolution and notification of any potential incidents impacting customer data.
- Reliability: Google’s network is engineered to accommodate peak demand and handle future growth. Its network is resilient and engineered to accommodate the increased activity on Google Meet.