Cybersecurity controls to implement before onboarding your team — Zoom
As we have all heard over and over again, these are unprecedented times. Organizations are scrambling to adapt to the situation and to setting efficient working from home policies and procedures. Many organizations are actually being forced to go through a long overdue digital transformation process to be able to survive in these conditions. Leveraging SaaS platforms like Slack, Jira, Zoom, Microsoft Teams, and WebEx, teams are finding new ways to collaborate and manage their daily work tasks. These platforms have seen exponential growth in daily active users, and this has not only tested the resilience of their team and backend software development, but also the stability and scalability of cloud infrastructure providers that support them like AWS, GCP, and Azure.
Ofcourse this sudden growth of users comes with its own set of problems, and in the case of Zoom, it was a Cybersecurity and privacy problem. You can read about all the backlash the company has faced in the news, albeit a bit harsh in my opinion considering the pressure they were put under in such a short period of time. Many of the Zoom client vulnerabilities and concerns that have been made public have already been patched by Zoom.
I will focus in this commentary on basic measures to improve the cybersecurity and privacy of the Zoom service, specially for the organizations that hurried into starting to use Zoom without really looking at settings and configurations.
Meeting Room IDs
Everyone should be aware that there are two types of meeting room IDs that every user has access to with each having a different use case.
Personal Meeting Room ID
Every user has a personal ID that does not change and is used for “instant meetings” in what zoom calls a “Personal Meeting Room”. Some settings for this type of meeting room are set from a different page than the general settings applied to “scheduled meetings”. You can navigate to this specific settings page to follow my below recommendations that will make things more secure.
Scheduled Meeting Room ID
These IDs are generated automatically when you are scheduling a meeting and inviting other users via email or sharing the meeting URL link. As I mentioned before, the general settings apply to these types of meetings and are set from another page than the personal meeting room ID settings above. You can again navigate to this settings page to follow my below recommendations that will make things more secure.
For more casual users or classrooms there is one very important action that can be done after a Zoom call starts and all invitees have joined, which is to “Lock” the call. This will prevent anyone else from joining and can be done by clicking the button that says “Lock Meeting” in the Participants pop-up.
General User Profile Security Settings
General user settings mitigate the risk of users accounts getting compromised are also very important. These are settings that can only be enforced by the Admin of the Zoom account. You can again navigate to this settings page to follow my below recommendations that will make things more secure.
IOS and Android Apps
Users should also take certain measures on the mobile apps by taking advantage of the security measures that iOS and Android OS have. You can update your privacy settings for the Zoom app to restrict its access to your location, contacts, calendars, microphone, camera, assistant, notifications, and cellular data.
There are some major concerns about Zoom that no setting can really fix, those would be something every organization needs to evaluate based on their threat model to see if they are willing to take those risks with their data. Some of these concerns highlighted by Citizen Lab are related to their end-to-end encryption methodology and routing of traffic through servers in China. Zoom did respond to the Citizen Labs findings in a blog post by their CEO.