Welcome to Brown’s Bytes! Your weekly insight from Mobliciti’s CTO Andy Brown. Follow #brownsbytes
3rd April 2020
The purpose of this blog is to give opinion and insight into what is hot in the world of Mobile & Cloud. So, this week it will come as no surprise to readers that I have to speak on the subject of Zoom and security.
It’s been quite a busy couple of weeks for Zoom. Their profile in the market (and user base) has been transformed almost overnight by COVID-19 and the rush to use their service for everything from Government Cabinet meetings to online piss-ups between friends. Right now, a lot of businesses are using Zoom (and services like it) to keep running, and it’s not an overstatement to say that Zoom has become a core service for keeping the world going.
With all the profile that the service now has, inevitably, Zoom has also become a focus for security research (and attackers) to look for vulnerabilities. The result of this has been a regular feed of negative stories about Zoom security over the past week. In addition, we also have the classic press cycle where something is built up and then knocked down…
What we at Mobliciti are here to do is to cut through the noise and try to answer the question in the title. Full disclosure – we’re Zoom partners and we use Zoom internally, but having said that I will try to be as objective as possible in my opinion here.
As with many of my Bytes, we need to start the story at the beginning, rather than 2 weeks ago. The history of Zoom is actually a fascinating insight into Corporate acquisition and the pitfalls of it in IT. I could do a whole Byte about this alone, but the short version is…remember Webex? Well, the VP of engineering at Webex left a few years after it had been acquired by Cisco and set up Zoom. Right now, the world should be rushing to Webex each other, but Cisco blew it.
And this is all some time ago – Zoom was founded in 2011 and the service first came online in 2013…this isn’t some overnight thing! Just as with Webex before it, Zoom was built with Enterprise in mind – this isn’t a consumer tech that’s been adopted by the Enterprise, it is the exact opposite.
I think it’s worth pointing this out early. Zoom was built to be used by business and with security in mind. It has passed the reviews and audits of some of the most security-conscious organisations in the world.
At this point, it’s probably worth also referring you to a recent blog by Zoom’s CEO (the guy who left Cisco) here. The press has been quick to frame this as some kind of admission of guilt, but I don’t see it that way at all. Read it for yourself – it’s an amazingly open, honest and transparent update on what’s going on right now and what the company is doing about it.
I’m not going to rehash everything he said or indeed the blogs he points you to from there (all of them also well worth a read), but to summarise as best I can, it focuses on these key areas: privacy, uninvited guests joining meetings, the Facebook SDK in the iOS app, and software vulnerabilities. I’ll take each in turn.
On privacy, it’s probably easiest to point you to Zoom’s blog on the subject:
“We want to emphasise that:
- Zoom does not sell our users’ data
- Zoom has never sold user data in the past and has no intention of selling users’ data going forward
- Zoom does not monitor your meetings or its contents
- Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions within which it operates, including the GDPR and the CCPA”
This really isn’t consumer privacy being adopted in the Enterprise.
Uninvited guests dropping into meetings is where the media really have had a field day. Again, Zoom has provided great content on how to block this, but in summary: turn on meeting passwords.
The Facebook SDK in the iOS app was a bit of a clanger, but if anything I think it shows the perils of adopting third-party SDKs in your apps (Facebook’s in particular). Note that this affected the iOS client only, and the SDK has now been removed.
Software vulnerabilities are the area now making the most noise. And rightly so, but I do think there needs to be a bit of context here when looking at the risks involved. Vulnerabilities are a fact of life in all software. There have been some interesting items coming to light and I am sure there will be more. Just as Microsoft is constantly patching Windows and Apple is constantly patching iOS, this is the inevitable game of cat and mouse between researchers/attackers and software companies. Zoom is no different from anyone else in this regard.
As is always the case, what really matters isn’t that vulnerabilities are found, but instead how quickly they are resolved. In this regard I think Zoom is doing a decent job – as an example, vulnerabilities that were published on Monday have been patched by Thursday. That’s a quick turnaround.
The simple advice – make sure your users are patching their software or make sure you are doing it for them.
Several of the reported vulnerabilities also involve the chat feature, and in particular getting users to click on malicious links. This is where basic security hygiene really should be playing a part too – you tell your users to be careful with email, and the same should apply to any message received, on Zoom or any other chat tool.
I think more than anything else the use of Zoom has to be looked at through the same security lens as everything else. I firmly believe that Zoom remains a secure collaboration platform just as it always was. As with all software and services, there are nuances in how it is configured to ensure it is as secure as possible. In particular, we would recommend the following as a baseline to good security hygiene:
- Make sure the Zoom clients are being kept up to date and receiving updates
- Implement Meeting Passwords for all users. This is a simple change with little user impact.
- Enable SSO to sign in to the service where possible. As with all Cloud services it makes sense to ensure only your users can get access.
- Security education for users should cover Zoom – in particular around clicking on links
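To make that baseline something you can actually check rather than just read, here is an added example (my own illustration, not Zoom’s code or API) that audits an account against the four points above: SSO enforced, meeting passwords required, no meetings scheduled without a password, and no clients below a minimum patched version. The account data shape, the field names, the minimum version and the sample records are all constructed assumptions for the example; the only Zoom-specific detail it leans on is that client versions read as “major.minor.patch” with an optional build number in brackets, so the comparison is numeric rather than a string compare (which would wrongly rank 4.6.9 above 4.6.10).

```python
"""Audit a constructed Zoom-style account export against the baseline above.

The data layout, field names and MIN_CLIENT_VERSION are assumptions made
for this illustration; they are not Zoom's real API schema or a real
patch level. Swap in your own export and minimum version.
"""
import copy
import re
import secrets

# Assumed minimum patched client for the example; set this to the version
# that closes the issues you care about at the time you run the audit.
MIN_CLIENT_VERSION = (4, 6, 9)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '4.6.9 (19253.0401)' into (4, 6, 9). Returns None if unparseable
    so callers can flag the client instead of crashing or silently passing it."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def client_outdated(version_text, minimum=MIN_CLIENT_VERSION):
    """Unknown versions count as outdated: you cannot prove they are patched."""
    version = parse_version(version_text)
    return version is None or version < minimum


def audit_account(account):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    settings = account.get("settings", {})
    if not settings.get("sso_enforced", False):
        findings.append("account: SSO sign-in is not enforced")
    if not settings.get("require_meeting_password", False):
        findings.append("account: meeting passwords are not required by default")
    for user in account.get("users", []):
        for client in user.get("clients", []):
            if client_outdated(client.get("version")):
                findings.append(
                    f"user {user['email']}: {client['platform']} client "
                    f"{client.get('version')!r} is below the minimum"
                )
    for meeting in account.get("meetings", []):
        if not meeting.get("password"):
            findings.append(f"meeting {meeting['id']} ({meeting['topic']}): no password set")
    return findings


def harden(account):
    """Return a copy with the settings-side findings fixed: SSO on, passwords
    required, and a random password on any meeting that lacks one. Out-of-date
    clients cannot be fixed here; users (or your MDM) have to update them."""
    fixed = copy.deepcopy(account)
    fixed.setdefault("settings", {})
    fixed["settings"]["sso_enforced"] = True
    fixed["settings"]["require_meeting_password"] = True
    for meeting in fixed.get("meetings", []):
        if not meeting.get("password"):
            meeting["password"] = secrets.token_urlsafe(8)
    return fixed


# Constructed sample data: a weakly configured account with a mix of clients.
SAMPLE_ACCOUNT = {
    "settings": {"sso_enforced": False, "require_meeting_password": False},
    "users": [
        {"email": "alice@example.com", "clients": [{"platform": "windows", "version": "4.6.9 (19253.0401)"}]},
        {"email": "bob@example.com", "clients": [{"platform": "macos", "version": "4.6.8 (19178.0323)"}]},
        {"email": "carol@example.com", "clients": [{"platform": "ios", "version": "unknown"}]},
        {"email": "dave@example.com", "clients": [{"platform": "windows", "version": "4.6.10 (20033.0407)"}]},
    ],
    "meetings": [
        {"id": "111-222-333", "topic": "Weekly standup", "password": "s3cr3t"},
        {"id": "444-555-666", "topic": "All hands", "password": ""},
    ],
}

if __name__ == "__main__":
    for line in audit_account(SAMPLE_ACCOUNT):
        print("FAIL", line)
    for line in audit_account(harden(SAMPLE_ACCOUNT)):
        print("STILL OPEN", line)
```

Running it prints five findings for the sample (SSO, default passwords, Bob’s and Carol’s clients, and the unprotected all-hands meeting), and after `harden()` only the two client findings remain, which is the point of the first bullet above: configuration you can fix centrally, patching you have to drive out to the endpoints.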
We are happy to assist with this if needed. Get in touch if you need help with making sure this is the case.
To be clear, we at Mobliciti remain happy to use Zoom for our meetings – indeed it is powering the business during the current remote working situation.
Short version – Yes! It is safe to Zoom.