Zoom's New York Settlement Spells Out Security Moves
Meanwhile, Videoconferencing Firm Acquires Start-Up Encryption Company
Zoom has reached a settlement with the New York state attorney general's office to provide better security and privacy controls for its videoconferencing platform after concerns were raised over how the company protects corporate and customer data.
As part of the settlement, Zoom agreed to implement "reasonable encryption and security protocols" for customer and corporate data. This includes the use of end-to-end encryption for all data as well as deploying industry-standard AES-256 encryption, according to the attorney general's office.
An analysis by Citizen Lab, a group based at the University of Toronto that studies surveillance and its impact on human rights, found that Zoom used the inadequate AES-128 encryption standard within its cloud-based videoconferencing platform (see: Zoom Promises Geo-Fencing, Encryption Overhaul for Meetings).
Meanwhile, Zoom also announced Thursday that it will acquire Keybase, a 25-person startup company that is developing end-to-end encryption, secure messaging and file-sharing services. The financial terms of the deal were not released.
New Security Moves
As part of the New York settlement, Zoom also agreed to implement and maintain a "comprehensive data security program" to protect users. The program will be overseen by the company's head of security, according to the attorney general's office. Zoom will also conduct a risk assessment and work to fix software vulnerabilities in its platform.
Zoom also agreed to implement privacy controls for free accounts as well as those accounts used in schools, according to the settlement.
"This agreement puts protections in place so that Zoom users have control over their privacy and security, and so that workplaces, schools, religious institutions, and consumers don’t have to worry while participating in a video call," New York Attorney General Letitia James said Thursday.
A Zoom spokesperson tells Information Security Media Group: "We are pleased to have reached a resolution with the New York attorney general, which recognizes the substantial work that Zoom has completed as part of our 90-day security and privacy plan, including making a number of our pre-existing security features on by default and also introducing new security enhancements."
Making a Buy
The deal to acquire Keybase is the first acquisition in Zoom's nine-year history, according to CNBC. It also comes at a time when the company is being pressed to improve security and privacy within its platform.
"This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom’s wide variety of uses," Zoom CEO Eric S. Yuan notes. The company is working on deploying the AES-GCM encryption standard with 256-bit keys across more of its products and services, he adds.
On Twitter, Alex Stamos, the former CISO of Facebook who is now advising Zoom, added that the acquisition of Keybase is part of the company's 90-day security improvement plan and that a new cryptographic design for the platform will be published May 22 for the public to review.
"As Eric's blog says, we are working on a detailed cryptographic design to be published by May 22nd for public review. This will be an open and transparent design process as Zoom builds something both unique and impactful to the privacy of millions." - Alex Stamos (@alexstamos) May 7, 2020
The acquisition, combined with the agreement with New York, shows that the company is trying to merge its existing offerings with new security enhancements, says Jeff Pollard, a principal analyst focused on IT security at Forrester Research.
"I think Zoom keeps its focus on securing what it sells. That's going to require Zoom to merge two aspects of its value proposition: The first we already know about - Zoom's ability to make the experience easy for its end users," Pollard tells ISMG. "The second one is newer: Zoom's focus on security and privacy. The key is going to be threading the needle between those two items. That's going to be of paramount importance for them moving forward."
Pollard also expects that Zoom will soon add a "customer-facing evangelist type of CISO" who can talk more about the company's security and privacy initiatives.
The NY Investigation
The New York attorney general's office began its investigation into Zoom in March as the COVID-19 pandemic began to spread. The pandemic forced employees to work from home and required students to finish their schooling through online learning, which led to an explosion in the use of videoconferencing platforms, especially Zoom's.
By late April, Zoom was hosting approximately 300 million meeting participants each day on its platform, compared to about 10 million meeting participants in January 2020 - an increase of nearly 3,000%, according to New York officials.
And while the company's videoconferencing platform exploded in popularity, researchers began noticing shortcomings in Zoom's security and privacy practices (see: Zoom Still Addressing Security, Privacy Concerns).
The FBI and other law enforcement agencies warned of so-called Zoom-bombing incidents, where third parties would interrupt video calls with profanity and threats. In addition, security researchers began finding numerous vulnerabilities in the company's platform, and stolen or leaked Zoom credentials began appearing for sale on underground forums.
Over the last several weeks, the company has begun making improvements to its platform, which is one reason why the New York City Department of Education reversed its ban on Zoom this week, according to Business Insider.
As the COVID-19 pandemic forces more companies to rely on cloud-based video and collaboration platforms, security researchers at the U.S. National Security Agency published an overview of more than a dozen of these services to help organizations compare the types of protections they offer for enterprise data.
Within its document, the NSA notes that in addition to offering only partial end-to-end encryption, Zoom also lacks multi-factor authentication. Zoom is, however, approved for government use through the FedRAMP program, which facilitates the certification of cloud service providers that qualify to be used by federal agencies.
This article was updated to include comments from Forrester's Jeff Pollard.