Videoconferencing platform Zoom has made a new round of cyber security enhancements to its service, adding new third-party certifications and attestations, product innovations and updates to established programmes.
The break-out tech star of the first Covid-19 lockdown, Zoom nevertheless attracted negative publicity from the off over an attitude to user security that could fairly be described as somewhat lax. It moved swiftly to address these feelings and change attitudes, adding needed features such as end-to-end encryption and introducing mechanisms to ensure security and privacy by design. These efforts continue to this day.
Zoom CISO Jason Lee said: “Safety, security and privacy are at the core of how we make decisions at Zoom and enhance our platform. We remain committed to being a platform that users can trust for all of their online interactions, information and business.”
Lee said third-party certifications and attestations demonstrated the effectiveness of Zoom’s cyber transformation efforts. Besides its recent achievement of the National Cyber Security Centre’s (NCSC’s ) Cyber Essentials Plus badge in the UK, it has also recently achieved various authorisations and certifications with bodies in Germany, the Netherlands and the US.
Zoom’s platform – incorporating Chat, Meetings, Phone, Rooms and Webinar – recently became compliant with the ISO/IEC’s 27001:2013 certification, while the organisation also expanded the scope of its SOC 2 Type II report to meet the control requirements of the Health Information Trust Alliance Common Security Framework (HITRUST CSF).
It is adding new security and privacy features, which are now being offered to all users through a newly introduced automatic update system to prevent people missing or ignoring patches.
Other innovations planned for the rest of 2022 include a bring-your-own-key/encryption (BYOK/E) feature – this is a cloud security model that lets service users deploy their own encryption software and manage their own keys by deploying a virtualised instance of their own service against the hosted service or application. It plans to add end-to-end-encryption to the Zoom Phone service for one-on-one, intra-account phone calls made via its client.
Wider initiatives such as its CISO Council, and the development in the UK of a data security and protection (DSP) toolkit for NHS customers, continue to bear fruit. Other recently released bespoke solutions for various audiences and markets include a Germany-specific solution, Zoom X, developed with telco Deutsche Telekom, and in the US, the federal government-specific Zoom for Government.
Meanwhile, Zoom’s bug bounty programme, which is run by HackerOne, now hosts more than 800 ethical hackers and penetration testers who last year received payouts of $1.8m across 401 reports, and has awarded bounties worth over $2.4m since its inception.
Finally, its Trust Centre asset, which provides further information on compliance, privacy, safety and security, was recently enhanced with the addition of a Learning Centre, offering free courses for Zoom users around features such as meeting password policies, and managing problematic or abusive users.
