MS Teams: Kollective Browser-Based Peering

In this blog post, we first outline the benefits of the Kollective solution, then describe the installation requirements and footprint on the desktop, introduce its components and their interactions, and detail its built-in security features.

The Business Case

The problems that arise from running live video events impact many areas of the organization:

The Corporate Communications Challenge:
  • Challenging deadlines for live events
  • Difficulty in achieving global reach – every office and employee
  • Challenge meeting employee quality expectations
  • Availability of real-time and historical analytics showing event success
  • Visibility around content resonance
  • Network impact of high bandwidth, high definition Live Events with many concurrent users
  • The ability to measure the specific network impact of live events
  • The constraints of security and compliance in achieving goals

Kollective Solution Overview

Microsoft's collaboration suite enables simple communication within organizations that can scale to thousands of users for live or on-demand content. Live video events in Microsoft Teams and Stream offer a seamless, easy-to-engage solution with no hurdles for your IT teams or employees. Kollective's browser-based peering solution scales these communications across your network, allowing you to achieve 100% delivery at a fraction of the bandwidth. With the Kollective platform you achieve the following benefits:
  • No requirement to add hardware or increase bandwidth.
  • Self-service integration of the Kollective platform with Microsoft Teams and Stream through a flexible Cloud architecture and browser-based delivery model for easy testing and deployment of live video across your enterprise.
  • Utilize innovative peering technology to reduce the bandwidth required to deliver a high-quality Microsoft Teams/Stream viewing experience to every user.
  • All network topologies are supported, including wireless, VPN, and MPLS, and there is no significant incremental load on machine resources beyond what is required to render video.
  • Real-time analytics provide feedback about content consumption and user-experience with visibility into associated network usage, from which informed decisions can be made.

Kollective's Browser-Based Peering solution is designed to be transparent to users and simple for an administrator to enable, with negligible impact on loading times and stream delay for the end user.
The browser-based delivery solution is built on standard web technologies already approved and supported in the enterprise within the Microsoft Teams Client and WebRTC-enabled browsers. If users are running legacy browsers or are unable to peer, content will be sourced directly from the Azure CDN.

The following features are supported with Browser Based Peering:
  • Microsoft Teams Live Events (encoder & quick start)
  • Microsoft Stream Live Events
  • Microsoft Yammer Live Events
  • Microsoft Skype Meeting Broadcast
  • Microsoft Stream VoD*

Intelligence and Insights
Kollective IQ provides real-time business intelligence and insights for live events using pre-configured and customizable dashboards. These provide the key stakeholder metrics for live events including reach, Quality of Experience, user experience and network distribution to provide a rounded view of your communications events.

Network Readiness Test
Kollective Network Readiness Test (NRT) is a service for testing the network’s readiness for a live video broadcast. The NRT runs on top of Kollective SD ECDN without disrupting end users: content is distributed, played and analyzed in the background on user workstations, and delivery and player metrics are reported, covering buffering and other issues that may arise.

Technology Architecture
Kollective operates a cloud-native architecture built on the following standards:
  • Global, low-latency architecture
  • Designed around Microsoft Azure to provide elasticity, scalability, redundancy, regional resilience and data compliance.
  • Currently located in Azure West Europe (Netherlands) and Azure West US (California) in an active-active configuration with availability zone failover and regional failover configured.
  • Utilise Cloudflare for global load balancing to ensure that Kollective cloud services are accessed at the closest point of presence.
  • Advanced telemetry, monitoring and proactive alerting from all systems.

Security and Compliance

Secure by Design

The Kollective solution is Secure by Design, architected using standard web-based protocols with all data transfers encrypted and signed:
  • TLS 1.2 with authenticated tokens is used for communication to cloud services
  • Communication between peers uses WebRTC (DTLS/SCTP)
  • Communication to the Kollective cloud applications uses HTTPS
  • All communications between peers and cloud services are encrypted and signed
  • The only data sent to the Kollective platform is session ID, browser agent, buffering timers, startup time, start/end time, private IP address, public IP address, delivery bytes by source and universally unique identifier. Data is sent using standard HTTPS and is encrypted at rest.
  • The peer solution operates within the Microsoft Teams client or compliant browser and therefore does not typically interact with endpoint security.
  • Integration with Microsoft Teams and Stream is implemented securely using a standard JSON Web Token mechanism to ensure that only authorized users have access to the requested data; there is no requirement for separate authentication services.
  • Kollective operational personnel manage the Kollective platform in line with the procedures defined within the SOC2 certification process and privacy policy.
  • Kollective do not receive, store or process customer content, nor are we able to decrypt the source content.
  • The Kollective platform is a multi-tenant environment with all customer data tagged per organization to provide tenant isolation. This tagging persists through the data lifecycle and is enforced at every layer of the system, i.e. only requests processed within an authenticated organization's context may access that organization’s data, and these restrictions apply to all data and all processes/threads, both in memory and on disk. Using this mechanism, access to other tenant data is not possible.
  • All application code is scanned for vulnerabilities through several industry standard best practices and third-party auditing tools, and all application code is independently verified prior to deployment in a production environment. Once in the production environment, penetration scans are run weekly, with additional ongoing vulnerability detection using automated tools.
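
The JSON Web Token authorization and per-organization data tagging described in the list above can be illustrated in Node.js as follows. This is an added example, not Kollective's or Microsoft's code; the HS256 shared secret, the `org` claim name, the record layout and the `contoso`/`fabrikam` tenants are assumptions made for illustration.

```javascript
// Added example. Assumptions: HS256 shared secret, an `org` claim, record layout.
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest('base64url');

// Builds constructed sample tokens; a real deployment receives them from the IdP.
function signJwt(claims, secret) {
  const signingInput = `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}`;
  return `${signingInput}.${mac(signingInput, secret)}`;
}

// Pin the algorithm, check the signature in constant time, then expiry and tenant.
function verifyJwt(token, secret, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  if (header.alg !== 'HS256') throw new Error('unexpected alg'); // rejects "none"
  const expected = Buffer.from(mac(`${head}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  if (typeof claims.org !== 'string' || claims.org === '') throw new Error('no tenant');
  return claims;
}

// Each record carries its tenant tag; the filter uses only the verified claim,
// never an organisation id supplied in the request itself.
class TenantStore {
  constructor(records) { this.records = records; }
  query(claims) { return this.records.filter((r) => r.org === claims.org); }
}

// Constructed sample data and secret.
const SECRET = 'constructed-demo-secret';
const store = new TenantStore([
  { org: 'contoso', sessionId: 's-1', bufferingMs: 120 },
  { org: 'contoso', sessionId: 's-2', bufferingMs: 0 },
  { org: 'fabrikam', sessionId: 's-9', bufferingMs: 450 },
]);

function sessionsFor(token, nowSec = Math.floor(Date.now() / 1000)) {
  return store.query(verifyJwt(token, SECRET, nowSec)).map((r) => r.sessionId);
}
```

Because the tenant is taken from the verified token inside `sessionsFor`, a caller cannot widen the query by passing a different organization in the request.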
Data Compliance
Kollective have the following certifications with regard to security and data compliance:
  • SOC 2 Type II Service Organization Control for Data Security
  • US/EU and US/Swiss Privacy Shield
  • TrustArc TRUSTe Privacy Shield Verified

Security Q&A

What is being sent to the cloud?
The only data sent to the Kollective platform is private IP address, public IP address, session ID, external ID, transfers, peering, buffering, time, connects, bytes. Data is sent using standard HTTPS and is encrypted at rest.

What is being downloaded to the browser?
The JavaScript plugin in which peering is implemented is downloaded from using secure protocols. It is approximately 600kb in size and once retrieved is stored in the browser cache for future use until the cache is refreshed or the peer mesh client is upgraded.

How does this interact with my endpoint security or other agents including anti-virus?
The peer solution operates within the Microsoft Teams client or compliant browser and therefore does not typically interact with endpoint security.

How is content secured from unauthorized access?
The authorization mechanism is implemented within the Microsoft Teams or Stream application.

Do Kollective have access to my content?
No, the encrypted content is sourced directly from the CDN. Kollective do not receive, process or store content, nor are they able to decrypt the streams.