#SaferInternetDay Interview: Magnus Falk, CIO Advisor, Zoom

This time last year, the use of video conferencing platforms was growing as the world became steadily more digitized. However, no one could have predicted the rapid rate of growth these platforms have experienced as a result of the COVID-19 pandemic, quickly forming an essential part of daily life for many businesses and individuals. As organizations shifted almost overnight to a remote working environment, video calls became a critical means for teams to stay connected, while family and friends, separated by social distancing restrictions, were forced to turn to platforms such as MS Teams and Zoom to maintain regular interactions.

Although video calls became something of a lifeline for many people, the huge surge in new users brought about a number of well-publicized security issues in the early part of the pandemic, and it quickly became apparent that video conferencing platforms had to strengthen their security to keep users and their data secure. On this year’s Safer Internet Day, Infosecurity caught up with Magnus Falk, CIO advisor at Zoom, to discuss the security and privacy challenges the company has faced since the start of the pandemic, and how it has adapted its security strategy in response.

What were the main security issues/challenges Zoom experienced as a result of the shift to remote working last year?

The pandemic caused major disruption to how people live and the way they can work. Even prior to government work from home guidance, we saw Gen Z and other factors driving a shift towards a much more distributed workforce.

Zoom grew up successfully as a business to business service. When the pandemic hit, we saw a huge influx of new and different types of users who used the Zoom platform in experimental ways: to teach yoga, to have parties, to perform religious celebrations, and more. We had to learn with them and we adjusted our platform to support these new uses, which now seem normal.

The global scale of adoption and innovation was unlike anything most companies have experienced. This made us rethink what it means to be a video communications technology provider at a time when (more than ever) people needed ways to connect.

Overall, we were able to address any emerging security and privacy issues quickly, taking a number of actions to ensure that Zoom and its users were as safe as possible.

How has Zoom adapted its overall approach to security compared to the pre-COVID period?

In April 2020, we pledged to make a number of enhancements to address security and privacy concerns. The 90-day program we rolled out refocused Zoom in line with seven key commitments, all of which embedded security and privacy permanently into Zoom’s DNA. These commitments included shifting all engineering resources to focus on our biggest trust, safety and privacy issues during the program.

As a result, we enacted a 90-day freeze on all features not related to these three areas. With all of our engineering and product resources aimed in this direction, we released over 100 new features. We have also hired outside advisors to help conduct a comprehensive security review of the platform, as well as a head of vulnerability to lead an internal team of ‘hackers,’ all dedicated to helping us find and address any vulnerabilities.

What new steps have been brought in to protect meetings from malicious actors in the past year, and how effective have these measures been?

As part of the security and privacy measures outlined in our 90-day program, we made a number of changes to make meetings as protected as possible. The launch of Zoom 5.0, for example, brought with it meeting defaults such as passcodes, waiting rooms and limited screen sharing.

From May last year, it became a requirement for all Zoom clients to use version 5.0+ in order to join any meetings, ensuring that the leading standard of encryption, AES 256 GCM, was fully enabled for paid as well as free users. AES 256 GCM encryption provides confidence in your meeting’s confidentiality and supports Zoom’s great performance.

In addition, working with trusted third parties, we have also developed a vulnerability management approach which sources vulnerability reports from HackerOne, Bugcrowd and security@zoom.us triaged through an evaluation service. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors.

Most recently, a new Suspend Participant Activities tool enables meeting hosts to temporarily pause a meeting and remove a disruptive party within it, as well as report them to Zoom, before restarting the meeting.

How much more challenging has it been to protect sensitive data emanating from meetings in the past year? What have been the main steps taken to protect data?

Zoom has always protected the content of meetings. Zoom 5.0+ has improved further the encryption standard and in addition Zoom has now released an end-to-end encryption option, allowing protection against concerns about key handling.

Since the start of the pandemic, we have also made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records or content – our first report was published in December.

We have also taken a number of different steps over the last year to protect data. Paid Zoom customers, for example, are now able to customize which data center regions their account can use for data in transit and at rest, giving them more control.

What have been the main privacy and security lessons learned from the COVID-19 pandemic?

A key lesson from the pandemic is that it is not only important to have great privacy and security, it is important to be able to interact with opinion-formers in real time. As usage of Zoom surged, the level of interest in our platform surged and frankly took us by surprise. Questions came thick and fast, and information was required rapidly and in many languages. Our response to this was quick, but not quick enough, and sometimes our users were left wondering.

How will these lessons help further enhance security on the Zoom platform going forward?

This period has brought about meaningful change at Zoom and made the safety, privacy and security of our platform central to all we do. While we are extremely proud of all that our teams have accomplished to better secure the platform, we cannot and will not stop here, despite now being the industry leader in secure and private video-first communication.

We have put mechanisms in place to ensure that both security and privacy remain a priority in each phase of our product and feature development, from design through to production. This includes risk assessments and threat modeling, as well as automated test execution, secure configuration and monitoring of the threat landscape, to name a few.