Zoom Wraps Up 90-Day Security and Privacy Agenda

Here's what the video conferencing company did to address privacy and security


Published: July 7, 2020

Ian Taylor Editor


Zoom’s 90-day plan to enhance the security of its video conferencing platform recently came to an end. It was first initiated on April 1, 2020, at a time when the company faced scrutiny from users who experienced a brief phenomenon that would become known as Zoombombing. Several other security issues followed, including when Great Britain’s Prime Minister, Boris Johnson, tweeted a photo of himself in the country’s first-ever virtual cabinet meeting, held via the popular video conferencing system, in which his meeting ID was exposed, causing many to question whether Zoom was secure.

Following these mishaps, and amid a global pandemic the likes of which we have not seen for over 100 years, Zoom today reports that it reached over two trillion in April 2020. According to Zoom Founder and CEO Eric Yuan, during the first few months of 2020 Zoom’s team worked around the clock to support the sudden influx of new and different types of users on its platform. Yuan added:

“The sudden and increased demand for our systems was unlike anything most companies have ever experienced”

The company set out on its new-found quest to further secure its platform with world-class security, and to address more user demands along the way. In a series of seven commitments Zoom set out to address in its 90-day plan, the folks at Zoom enacted a feature freeze, effective April 1, “and shift all our engineering resources to focus on our biggest trust, safety, and privacy issues.” Video conferencing developers at Zoom HQ then enacted a 90-day freeze on all features not related to privacy, safety, or security. “We released over 100 features including the following during this timeframe,” a spokesperson for the company said in an email.

“As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equal focus on security and privacy – areas where we needed to do more,” Yuan said.

Eric Yuan

Zoom 5.0’s launch was among the most monumental of the giant’s milestones, bringing AES 256 GCM encryption to all users after the company faced backlash. Yes, all free and paid accounts now have AES 256 GCM encryption. The company also released a feature that lets users report other users, set passwords for waiting rooms, and limit screen sharing. Zoom meeting hosts even gained the ability to disable many device logins, require unmute consent, set cloud recording ‘expiration,’ and gain a tighter grip on Zoom Chat controls. During this phase, the company acquired Keybase to realize end-to-end encryption, as well as to offer customized data routing based on user geography.

“Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development: security requirements, risk assessment, threat modeling along with established secure code guidelines, self-service scanning, and CI/CD tools.”

I am told Zoom established processes that will benefit the tech giant well into the future, as it will likely face other challenges as it battles user demand and scalability. Yuan wrote in a statement that the company has the skeleton of a plan for when future security issues arise, covering areas such as testing, automated test execution, web testing tools, secure configuration, integrity monitoring, requirement confirmation, and internal system monitoring to assess security, health, and the threat landscape the company faces.

Its third commitment is staying transparent, and Zoom said it has made “Significant progress in defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content.” The report, Yuan said, should make its debut in Q2 2020. Getting this right will be crucial for Zoom because users want to know where data gets stored, where it is routed to and from, and what purpose it serves in a company’s business strategy.

Commitment number four was to beef up its critical Bug Bounty Program, and developers there built a central bug repository and related workflow processes. “The repository takes vulnerability reports from HackerOne, Bugcrowd, and [email protected], the latter does not rely on an NDA-triaged through praetorian.” Zoom’s fifth commitment helped to establish an industry-wide conversation on security and privacy. Given all the new use cases COVID-19 has thrown the company’s way, the 36-member third-party board could lead to new standards that protect users.

Along with privacy for all its new use cases, Zoom formed the CISO advisory council, a group comprised of Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, Crowdstrike, the Center for Democracy and Technology, and other organizations that work in the privacy, safety, and inclusion spaces. Enlisting the help of several firms, Zoom reviewed its entire platform and its third-party connections for security purposes:

  • Cloud configuration
  • External IP space
  • Internal production network
  • Zoom core web application and Zoom corporate network
  • Internal network
  • External perimeter
  • Public API for common clients
  • Mobile clients
  • Desktop clients

Zoom has held a series of 13 webinars, one every Wednesday since April 1, featuring many Zoom executives and consultants who answered questions live from those in attendance. “We will continue these webinars, the next on July 15, and then move them to a monthly cadence,” Yuan added. Zoom shook up its leadership quite a bit, going on an epic hiring spree as it faced a growing user base. Zoom’s popular Zoom Phone offering was added to Zoom for Government, an offering already authorized under the U.S. Federal Risk and Authorization Management Program (FedRAMP).

The video conferencing company further expanded operations in the U.S. with new offices in Phoenix, Arizona and Pittsburgh, Pennsylvania. Yuan added that, despite the setbacks the company has faced along the way, he is proud of the work his team has done, concluding:

“While fruitful – this was only the first step”
