$ thoughts on zoom

The past few months have placed immense demand on remote working and particularly video-conferencing tools. This has placed greater scrutiny on the security practices of companies like Zoom which has received a great deal of press - resulting in better transparency and a commitment to its users for improving its controls.

Putting opinions and conjecture aside for a moment, Zoom’s current posture and response got me thinking - in particular, the following aspects were of interest to me:

• Zoom currently have SOC2, TRUSTe, EU-US Privacy Shield, FedRAMP security and privacy certifications
• To meet the high capacity demands, Zoom had traffic tunnelled via China. This can now be controlled by explicitly choosing where your traffic should be routed
• In order to meet the lack of end-to-encyption, Zoom has taken steps to hire Alex Stamos (ex-CISO for Facebook) and has recently purchased Keybase.

Compliance

Without going into details around each of the security and privacy certifications, most organisations look for at least SOC2 and FedRAMP from their cloud service providers (various aaS offerings). Some organisations will not only choose these certifications as a baseline upon which to build their own GRC (Governance, Risk and Compliance) checks, but may end up using them as the only validation they do.

• Do organisations place too much emphasis on compliance to standards without doing their own set of checks?

Data Sovereignty

The transfer and storage of data is without doubt a key design component when looking into cloud-based services - yet there are also numerous concerns around the supply chain that warrant investigation (when considering both the physical and virtual locations of endpoints):

• Do we need the same level of transparency and data routing that Zoom is now providing from all our cloud-based providers?
• What levels of scrutiny is typically done for supply chains when analysing data transfer and storage? (to belabour the point, Zoom’s data was routed through China, deployed on infrastructure provided by an American-owned public cloud provider, located in a data centre owner by an Australian communication service provider)

Encryption

End-to-end encryption typically makes use of PKI (Public Key Infrastructure) to ensure data in transit and at rest is secure.

• Have we taken stock of all forms of work/personal communication tools to see whether similar practices are followed? If they don’t, do we move towards safer tools or demand better security from the existing tools?
• If end-to-end encryption is not deployed, should we look to ensuring that PFS (Perfect Forward Secrecy) ciphers are used to mitigate being able to store data and decrypt at a future point in time?

I don’t propose to know the answer to any of these questions, and I am not apologising for any of Zoom’s mishaps - I am interested in whether we are placing as much scrutiny across all the software and tools we use in our daily lives (without having to wait for a new article to reactively respond to our security posture).

I will certainly be keeping a close watch on the 90-day plan that Zoom has outlined. In particular I will look to seeing whether there are practices that they will be undertaking that I need to take into account myself (in terms of choice of software for personal use) as well as in conversations with my customers and partners (when discussing security aspects of their migration to public cloud and cloud-based services).