AntonioDiaz -

Zoom making progress on cyber security and privacy, says CEO

Three months after being hit by a spate of security incidents, Zoom’s CEO, Eric Yuan, has been discussing progress towards a more secure product

Zoom CEO Eric Yuan has delivered an update on progress as the embattled video-conferencing company takes radical steps to enhance the security of its core product, which shot to global prominence when the Covid-19 coronavirus pandemic forced millions of people to start working from home.

On 1 April 2020, close to what we now know to be the height of the first wave of the pandemic in the UK, and as Zoom took brickbats over a lack of security features and a number of high-profile incidents of so-called zoombombing, Yuan pledged a number of enhancements to address security and privacy within Zoom, to be delivered over a 90-day programme.

“During the first few months of 2020, the Zoom team worked around the clock to support the tremendous influx of new and different types of users on our platform,” said Yuan. “The sudden and increased demand on our systems was unlike anything most companies have ever experienced.

“As March came to a close, we realised that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more.

“On 1 April 2020, we pledged to make a number of enhancements to address security and privacy. The 90-day programme we rolled out that day refocused our company on seven commitments that embedded security and privacy permanently in Zoom’s DNA.”

Its first commitment, effective 1 April, was the enactment of a feature freeze and a shifting of all Zoom’s engineering and development resources to focus on security and privacy. In the past three months, it has released more than 100 new features, including version 5.0 of Zoom, featuring AES 256 GCM encryption, user interface updates, default passwords and pre-entry waiting rooms, as well as new features to help hosts keep their meetings secure, and keep malicious users at bay.

It has also moved to address its previous flip-flopping on end-to-end encryption, partly through its acquisition of Keybase, and put in place new mechanisms to ensure security and privacy by design in all future development.

Its second commitment, a comprehensive review to ensure security and privacy, has seen the appointment of a group of CISO advisers, third-party experts, power users, and other organisations in the privacy, safety, inclusion and social justice space.

Its third commitment, to prepare a transparency report detailing information on requests for data, records or content, has seen significant progress, said Yuan, including the recent creation of a guide on how Zoom responds to government data access requests, and new policies, including those relating to new privacy legislation in California.

Its fourth commitment, to enhance its bug bounty programme, has seen the development of a central bug repository, with input from the likes of HackerOne and Bugcrowd, a review process, and improved communication with security researchers and third-party assessors. Yuan has also hired a head of vulnerability and bug bounty and a number of application security engineers.

Read more about Zoom

Its fifth commitment, the creation of its CISO council, has proved successful, with a number of meetings and discussions having already taken place, incorporating input from more than 30 major organisations, including HSBC and Sanofi. This panel has advised on, among other things, regional datacentre selection, encryption, meeting authentication, and other new features. Going forward, it will run a series of CISO roundtables to keep this dialogue fresh.

Its sixth commitment, to conduct a series of penetration tests, has been achieved with the help of the likes of Trail of Bits, NCC and Bishop Fox, which repeatedly probed and reviewed multiple systems, including Zoom’s production environment, public and colocated datacentres, its core web app and corporate network, and its public API (application programming interface) for mobile and desktop clients.

Its final commitment, to host a weekly Wednesday webinar, has seen 13 meetings take place led by Zoom executives and consultants taking live questions from attendees. These webinars will continue, although they will now shift to monthly, with the next to take place on 15 July.

Yuan added: “This period has brought about meaningful change at our company and made the safety, privacy and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us. I am proud of, and humbled by, the role Zoom has played in connecting the world in crisis, and in all that our team has accomplished in the past 90 days to better secure our platform.

“But we cannot, and will not, stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period, while fruitful, was just a first step. Throughout this report, I have provided information on new processes and people that will help Zoom on our journey to becoming the most frictionless and secure video-communications platform in the world.”

Read more on Privacy and data protection

Data Center
Data Management