Sam Tayan, Managing Director at Zoom in the Gulf, explains to Security MEA the various measures taken by Zoom to provide a safe and secure video conferencing experience to both students and remote working employees across the globe.
With an abrupt adoption of remote working and remote learning worldwide, how are the security challenges being handled?
With more and more people working remotely and utilizing our platform, and as video-first communications become more popular and accessible, we feel a responsibility to help where we can. Additionally, as the use of video conferencing tools increases, user privacy and security concerns become top of mind. Zoom takes user privacy, security, and trust extremely seriously. Originally developed for enterprise use, we have been confidently selected for complete deployment by a large number of institutions globally, following security reviews of our user, network and datacenter layers.
During the COVID-19 pandemic, we are working around-the-clock to ensure that organizations across the world can stay connected and operational. As more and new kinds of users start using Zoom during this time, Zoom has been proactively engaging to make sure they understand Zoom’s relevant policies, as well as the best ways to use the platform and protect their meetings. We are proud of the role we are playing during this challenging time and committed to providing users with the tools they need.
What kind of safeguards do organizations and individuals need to follow to keep themselves safe from such emerging threats?
We strongly encourage all users to not post links to sensitive meetings on public websites, and we recommend the use of password protection and virtual waiting rooms to ensure uninvited users are not able to join.
With education going online across the world and schools resorting to Zoom sessions, what is Zoom doing to keep children safe from cybercriminals?
Zoom recently changed the default settings for education users enrolled in our K-12 program, as well as our Free Basic and Simple Pro users, to enable virtual waiting rooms and ensure only hosts can share their screens by default. We have also added a new “Security” icon to the Zoom meeting controls for all hosts to help them quickly access in-meeting security features. Zoom is committed to providing educators with the tools and resources they need on a safe and secure platform, and we are continuing to engage with all of our users on how they can best use Zoom and protect their meetings.
Zoom is now working closely with relevant authorities and telecommunication service providers in the UAE to ensure that Zoom offers its users a safe and secure environment to connect and collaborate with their privacy fully protected in accordance with the country’s laws and regulations.
Are there any plans to provide a dedicated and more secure education platform for young adults?
Zoom cares about our communities, schools, and all students. Recent school closures due to COVID-19 have significantly increased educators’ reliance on virtual learning environments. We can see that Zoom is becoming more and more popular not only amongst schools but also universities in the Middle East. Some of the regional universities hosted their graduation ceremonies over Zoom and we believe that such events are going to continue taking place as they are very important for students and teachers in lifting the spirit of people, and Zoom is here to support such important events. We have also observed that education sector players in the region are very positive about the ease of using Zoom and the speed with which they can shift towards e-learning without delays and excessive training requirements. We are happy that our solution is helping the education sector to maintain its momentum during these challenging times.
Zoom has a wealth of experience helping educational institutions optimize the Zoom platform for virtual classrooms and online learning. It’s our goal to make Zoom easy to use and accessible for everyone, and we’re committed to streamlining the experience for our educational users amid the global coronavirus (COVID-19) outbreak.
Zoom’s teams are working to provide teachers, administrators, and students around the world with the resources they need to quickly spin up virtual classrooms, participate in online classes, and continue their studies online. It’s our intention that everyone, from seasoned Zoom users to those who’ve never interacted with our product, can easily download the client, start and schedule meetings, set students up with Zoom, and start using Zoom for virtual instruction with ease.
To ensure all of our K-12 districts and other institutions can most effectively leverage Zoom for virtual education during this time, Zoom is:
· Providing multi-language resources specifically designed for principals, vice-principals, teachers, students, and parents to set up and use Zoom
· Expanding live training, webinars, and recorded offerings to share best practices for using the platform.
What is Zoom doing to keep its services safe from attacks?
Zoom takes user privacy and security very seriously. Transparency is a core value and that’s why you regularly see us using our blog to clarify policies, advise users how best to use the platform and secure their meetings, and acknowledge and address issues when they arise.
As video-first unified communications becomes more popular and accessible, we feel a responsibility to help where we can. As more and new kinds of users start using Zoom, we have been proactively engaging to make sure they understand Zoom’s relevant policies and the best ways to use the platform, including many recent updates to Zoom’s security features that help users protect their meetings.
The Zoom team has been hard at work delivering additional features that further secure Zoom Meetings and Webinar experiences. We have also introduced additional password protections, one of the best options for securing your meetings and webinars.
As part of our 90-day plan announced on April 1, we doubled down on our commitment to security and we are proactively working to better identify, address, and fix issues.
Starting April 1st, we enacted a 90-day feature freeze on all features not related to privacy, safety, or security. We released Zoom 5.0, featuring AES 256 GCM encryption, the Security icon and the “Report a User” feature, changed default settings for meetings (turning on passwords and waiting rooms by default), tighter Zoom Chat controls, and more. We also acquired Keybase, started building our end-to-end encryption offering for all users (free and paid) and began offering customized data routing by geography.
On Wednesday, 22nd of April, we announced robust security enhancements with the upcoming general availability of Zoom 5.0, a key milestone in the company’s 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of its platform. By adding support for AES 256-bit GCM encryption, Zoom will provide increased protection for meeting data and resistance against tampering.
On the back end, AES 256-bit GCM encryption will raise the bar for securing our users’ data in transit. On the front end, we are the most excited about the Security icon in the meeting menu bar. This takes our security features, existing and new, and puts them front and center for our meeting hosts. With millions of new users, this will make sure they have instant access to important security controls in their meetings.
On the conclusion of the 90-day security plan, we have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content. We look forward to providing the fiscal Q2 data in our first report later this year. In the meantime, we have recently released a Government Requests Guide and we also updated our privacy policies, mostly to make them easier to understand.
We have developed a Central Bug Repository and related workflow processes. This repository takes vulnerability reports from HackerOne, Bugcrowd, and security@zoom.us (the latter of which does not require an NDA) triaged through Praetorian. We established an ongoing review process with daily meetings and improved our coordination with security researchers and third-party assessors. We also hired a Head of Vulnerability and Bug Bounty, several additional appsec engineers, and are in the process of hiring more security engineers, all dedicated to addressing vulnerabilities.
In addition, we launched our CISO council, led by our Global Deputy CIO Gary Sorrentino and composed of 36 CISOs from a variety of industries, including SentinelOne, Arizona State University, HSBC, and Sanofi. This council has met four times over the past three months and advised on important matters such as regional data center selection, encryption, meeting authentication, and key security features. Since April 1, we have hosted a total of 13 webinars every Wednesday to provide privacy and security updates to our community, featuring a number of our executives and consultants who took live questions from the attendees.
With cyber threats evolving on an everyday basis, what message of assurance does Zoom want to pass on to its current and potential new users?
That Zoom takes privacy and security extremely seriously and is committed to continuous enhancements, including the timely beta testing and implementation of end-to-end encryption.
Zoom’s system is designed such that only minimal information is collected and unless a meeting is recorded by the host, the video, time audio, and chat content is not stored. Zoom places great emphasis on safety and security and has implemented a robust system of security controls designed to protect users’ personal data, as well as features to help Zoom users protect the security of their meetings. In fact, Zoom follows all requisite guidelines of the countries it operates in and interfaces with local governing bodies on cybersecurity issues.
Zoom has used – and continues to use – encryption technology on its platform for all users. AES 256-bit GCM encryption, which is one of the most secure encryption standards used today, is currently enabled and is available to all users – both free and paid.
Zoom only responds to valid law enforcement requests. When we receive a request for information, Zoom’s policy is to comply only if the request follows a valid legal process and there is proper jurisdiction. Zoom’s policy precludes responding to requests where there is an inadequate legal process, for example when authorities lack jurisdiction or when requests are overbroad.
Zoom does not eavesdrop on users’ meetings. We also do not let law enforcement listen into meetings. Any reports to the contrary are categorically false. Zoom does not proactively monitor meeting content and we do not have backdoors where anyone — including employees — can enter meetings without being visible to others via the meeting participant list.