90-Day Security Plan Progress Report: June 24

Published by Zoom (available on www.zoom.us)

As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, including our efforts surrounding our bug bounty program and the updates coming with the 5.1.1 client release.

Zoom CEO Eric S. Yuan was joined by Zoom President of Product and Engineering Velchamy Sankarlingam, Zoom CPO Oded Gal, and Zoom Head of Product Security Randy Barr. 

Zoom CTO Brendan Ittelson, Zoom privacy and security advisor Alex Stamos, and Zoom Deputy General Counsel, Chief Compliance and Ethics Officer Lynn Haaland joined for the Q&A session.

Announcing CISO Jason Lee

Eric started the webinar by announcing that Zoom has hired Jason Lee as our new Chief Information Security Officer, effective June 29, 2020. As the former Senior Vice President of Security Operations at Salesforce and Principal Director of Security Engineering at Microsoft, Lee brings 20 years of expertise in information security and operating mission-critical services. Jason will play a critical role in helping us build a more secure platform as part of our ongoing effort to improve the security and privacy of our product. 

Product updates 

This weekend, we will be rolling out our 5.1.1 client and web release, which includes the following changes: 

  • Centrally managed virtual backgrounds: Account admins can manage the virtual backgrounds used by their organization, providing a list of pre-approved backgrounds for users to choose from. 
  • Web portal security header for meeting settings: A new Security section in the web portal's meeting settings gathers the security-related settings, such as passwords, Waiting Room, and authentication methods, into one easy-to-find place. 
  • Updates to Zoom Chat: Users can hide their presence status from external contacts, and will have the option to prevent external contacts from adding new users to a channel or group chat.  

Introducing Velchamy Sankarlingam 

Eric introduced Velchamy Sankarlingam, the former Senior Vice President of Cloud Services Development and Operations at VMware, who has joined Zoom as the President of Product and Engineering. As a cloud and collaboration software veteran with over two decades of experience, Velchamy brings a wealth of experience and knowledge to our team and we are excited to have him overseeing our product, engineering, and DevOps team efforts.   

New meeting security requirements

Starting July 19, all meetings on both paid and free accounts will be required to have either a Passcode or the Waiting Room enabled. If neither is enabled, Zoom will turn on the Waiting Room for your meetings. If you already have a Passcode or the Waiting Room on, nothing changes in how you schedule meetings. If you add a Passcode to an existing meeting, you will need to re-send the calendar invite so that it includes the Passcode; new meetings scheduled with a Passcode include it in the invite automatically.

Bug Bounty Program Updates

Randy provided a bug bounty and vulnerability disclosure program update. As part of our 90-day plan, we have been assessing our internal vulnerability handling processes and the effectiveness of the bug bounty platforms we use. To improve our bug bounty program and our vulnerability disclosure efforts, we have developed a Central Bug Repository and related workflow processes aligned with ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling). This repository takes inputs from HackerOne, Bugcrowd, and security@zoom.us (the latter of which does not require an NDA), triaged through Praetorian. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors. 

Q&A

How do you report a bug bounty to Zoom?

You can send vulnerability reports to security@zoom.us, where our dedicated team reviews each submission and assigns an owner to address the issue. 

Do you still provide encryption for paid and free accounts?

Yes, all meetings are encrypted with AES 256-bit GCM encryption for both paid and free accounts. We will also make end-to-end encryption of meetings available to free and paid accounts for a higher level of meeting security. 

Does Zoom ever collect or sell user data?

When customers use our platform, Zoom collects information we need to deliver the service, such as IP addresses; however, Zoom does not and will never sell user data. 

Can Zoom add an option for admins to reset Passcode and Waiting Room settings globally? 

As an account admin, you can enable or even lock these settings at the account level, which will enable those security settings for all meetings and users by default. You can also enable Passcodes and the Waiting Room at the group or user level. 

How does the Waiting Room work? 

When the Waiting Room is enabled, participants will be placed into a virtual lobby where the host can review who is trying to join the meeting and admit them, either one by one or all at once. The Waiting Room feature can be enabled at the account, group, user, or meeting level.  

Thank you for your support

Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.


90-Day Security Plan Progress Report: June 17

Published by Zoom (available on www.zoom.us)

As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, including an end-to-end encryption update and additional security controls for account owners and admins. 

Zoom CEO Eric S. Yuan was joined by Zoom CPO Oded Gal, Zoom Head of Security Engineering Max Krohn, and Zoom Global Deputy CIO Gary Sorrentino for this week’s session.

Zoom CTO Brendan Ittelson and Lynn Haaland, Zoom Deputy General Counsel, Chief Compliance and Ethics Officer joined for the Q&A session. 

End-to-end encryption update 

Following our conversations with our users and a number of advocacy organizations, we are pleased to announce that we will be offering end-to-end encryption to all of our users, free and paid, as an advanced feature at no additional charge. Free users seeking access to end-to-end encryption will go through a one-time process to verify their account, such as verifying a phone number via text message. 

We are confident that this risk-based authentication process, combined with our current arsenal of tools, will enable us to continue to prevent and fight abuse on our platform.

CISO council update

Our CISO council, which includes 36 members representing a variety of industries and enterprise businesses, has met three times since its inception in late April. The members of the CISO council serve as the voice of our customers, offer candid guidance and advice on security and privacy, and provide recommendations regarding security and privacy best practices as well as feature prioritization. 

Starting in July, the CISO council will host CISO Roundtables to give existing and prospective customers the opportunity to meet with a few members from Zoom’s CISO council and security team leaders to get an in-depth review of the security measures Zoom has taken and our 90-day security plan. Up to 40 participants at each roundtable will have the chance to ask our CISO council members and Zoom’s security team their questions, provide their insights, and join in on the conversation surrounding privacy and security. We encourage any CISOs interested in attending one of our CISO Roundtables to reach out to their Zoom account executive to reserve their spot.   

Product update

  • Option to disable email/password login: Account administrators can now disable signing in to Zoom with an email address and password, so that users must sign in through SSO or one of the third-party logins Zoom offers. This closes the gap where a user could bypass the identity provider's MFA policy by signing in with a password instead.  
  • Additional whitelist domain options for Waiting Room: Account administrators can whitelist domains beyond their own, so that participants signed in with an email address on one of those domains bypass the Waiting Room and join the meeting directly.
  • Option to disable participant annotation: Account admins can now disable the ability for participants to annotate on a shared screen. This setting is available at the account, group, and user level.
  • Ability to Unmute All: The ability to Unmute All is now available again in meetings with fewer than 200 participants. 
  • Webinar Q&A management: Hosts and panelists can delete questions and comments submitted through the Q&A and chat during a webinar, allowing them to remove questions that are inappropriate or have already been answered.  
  • Data retention policy: Account owners and admins can set the amount of time that Zoom Phone user data — call logs, ad hoc / automatic call recordings, voicemail recordings, and transcriptions — is retained.
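One way the domain check behind the Waiting Room bypass above should be written, as an added example (this is not Zoom's implementation; the function names and the includeSubdomains option are assumptions): the naive suffix test sits beside a matcher that compares whole DNS labels, so that someone who registers notexample.com or example.com.evil.net is not admitted. In either form the email must come from an authenticated sign-in, not a self-typed display name, or the check is meaningless.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveMatch is the bug to avoid: a bare suffix test admits any domain that
// merely ends with the allowlisted string.
func naiveMatch(email string, allowlist []string) bool {
	for _, d := range allowlist {
		if strings.HasSuffix(strings.ToLower(email), strings.ToLower(d)) {
			return true
		}
	}
	return false
}

// normalizeDomain lower-cases, trims whitespace and drops a trailing dot so
// "Example.COM." and "example.com" compare equal.
func normalizeDomain(d string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(d)), ".")
}

// AllowlistedDomain reports whether the domain of an authenticated sign-in
// email is on the allowlist. Matching is on whole labels: "example.com"
// admits alice@example.com and, with includeSubdomains, bob@hr.example.com,
// but never mallory@notexample.com or mallory@example.com.evil.net.
func AllowlistedDomain(email string, allowlist []string, includeSubdomains bool) bool {
	at := strings.LastIndex(email, "@")
	if at < 0 {
		return false
	}
	domain := normalizeDomain(email[at+1:])
	if domain == "" {
		return false
	}
	for _, entry := range allowlist {
		e := normalizeDomain(entry)
		if e == "" {
			continue // an empty entry must not match everything
		}
		if domain == e || (includeSubdomains && strings.HasSuffix(domain, "."+e)) {
			return true
		}
	}
	return false
}

func main() {
	allow := []string{"example.com"}
	for _, addr := range []string{"alice@example.com", "mallory@notexample.com", "bob@hr.example.com"} {
		fmt.Printf("%-24s naive=%-5v strict=%v\n", addr, naiveMatch(addr, allow), AllowlistedDomain(addr, allow, false))
	}
}
```

The subdomain case is a policy decision rather than a correctness one: a matcher that admits hr.example.com also admits any host a subdomain owner can mint, so leave includeSubdomains off unless the whole zone is under the same administrative control.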

Q&A 

Will there be fees to use Zoom’s end-to-end encryption?

No, Zoom’s end-to-end encryption will be free for both paid and free users. 

Are you still accepting feedback on Zoom’s cryptography design?

Yes. The best place to leave your feedback on our cryptography design is on GitHub.

What does end-to-end encryption do, and how is it different from Zoom’s AES 256 bit GCM encryption?

With Zoom’s current Enhanced Encryption offering, encryption keys are generated on Zoom’s servers and distributed to the meeting participants, so the servers hold the key for the duration of the meeting. Each key is randomly generated, used for only one meeting, then discarded. In end-to-end encryption, one meeting participant generates the meeting key and uses public-key cryptography to distribute it to the other participants; Zoom’s servers relay only the wrapped key material and never see the key itself. Both offerings behave the same way after the key exchange: the meeting data is encrypted with the meeting key using AES GCM encryption. 
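The key flow this answer describes, as an added example that is not Zoom's code and does not follow the published design paper: the leader generates a random 256-bit meeting key, wraps it for each attendee under a pairwise X25519 key, and the server relays only the wrapped blobs; after that, media frames are sealed with AES-256-GCM under the meeting key. The KDF, the frame-header nonce layout and the function names are assumptions made for illustration (Go standard library only; crypto/ecdh needs Go 1.20 or later).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// mustGCM builds AES-256-GCM; every key in this file is exactly 32 bytes.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// pairwiseAEAD turns the X25519 shared secret between two attendees into a
// wrapping cipher. Hypothetical simplified KDF (SHA-256 over label||secret);
// a real design would use HKDF with both public keys bound into the context.
func pairwiseAEAD(self *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := self.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("meeting-key-wrap-v1"), shared...))
	return mustGCM(key[:]), nil
}

// DistributeMeetingKey is the leader's step: generate a fresh 256-bit meeting
// key and wrap it once per attendee. The returned blobs (nonce||ciphertext,
// one per attendee, in order) are all the server relays; it cannot open them.
func DistributeMeetingKey(leader *ecdh.PrivateKey, attendees []*ecdh.PublicKey) ([]byte, [][]byte, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, nil, err
	}
	var wrapped [][]byte
	for _, pub := range attendees {
		aead, err := pairwiseAEAD(leader, pub)
		if err != nil {
			return nil, nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		// The recipient's public key is AAD, so a blob cannot be re-addressed.
		wrapped = append(wrapped, aead.Seal(nonce, nonce, mk, pub.Bytes()))
	}
	return mk, wrapped, nil
}

// UnwrapMeetingKey is each attendee's step on the blob addressed to them.
func UnwrapMeetingKey(self *ecdh.PrivateKey, leaderPub *ecdh.PublicKey, blob []byte) ([]byte, error) {
	aead, err := pairwiseAEAD(self, leaderPub)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], self.PublicKey().Bytes())
	}
	return nil, fmt.Errorf("wrapped key too short")
}

// Media frames: AES-256-GCM under the meeting key with a deterministic 96-bit
// nonce (sender ID || sequence) that doubles as the authenticated header, so
// no (key, nonce) pair is ever reused and the receiver keeps no extra state.
func frameHeader(senderID uint32, seq uint64) []byte {
	h := make([]byte, 12)
	binary.BigEndian.PutUint32(h[:4], senderID)
	binary.BigEndian.PutUint64(h[4:], seq)
	return h
}

func EncryptFrame(mk []byte, senderID uint32, seq uint64, media []byte) []byte {
	hdr := frameHeader(senderID, seq)
	return mustGCM(mk).Seal(nil, hdr, media, hdr)
}

func DecryptFrame(mk []byte, senderID uint32, seq uint64, ct []byte) ([]byte, error) {
	hdr := frameHeader(senderID, seq)
	return mustGCM(mk).Open(nil, hdr, ct, hdr)
}

func main() {
	leader, _ := ecdh.X25519().GenerateKey(rand.Reader)
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	mk, wrapped, _ := DistributeMeetingKey(leader, []*ecdh.PublicKey{alice.PublicKey()})
	got, err := UnwrapMeetingKey(alice, leader.PublicKey(), wrapped[0])
	fmt.Println("alice recovered the meeting key:", err == nil && string(got) == string(mk))
}
```

Two points the answer does not spell out: the wrap step authenticates the recipient's public key, so a relay cannot re-address a blob to a different attendee, and the frame nonce is a (sender, sequence) counter rather than a random value, because a repeated nonce under the same GCM key breaks both confidentiality and integrity. What this sketch leaves out, and what the design paper has to address, is how attendees verify that the leader's public key really belongs to the leader rather than to the server.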

If a meeting host enables end-to-end encryption, do other participants need to have end-to-end encryption to join the meeting? 

End-to-end encryption won’t be compatible with an older version of the Zoom client, and all participants must have an E2EE-enabled client to join the meeting. 

Will users with free accounts be forced to use end-to-end encryption for their meetings?

No, we will not be forcing users with free accounts to use end-to-end encryption. Both free and paid users will have the option to enable end-to-end encryption for their meetings. 

How do I enable end-to-end encryption for my meetings? 

You will be able to turn end-to-end encryption on or off in the settings panel where you configure your specific meeting settings, while account owners and admins will be able to enable and disable end-to-end encryption at the account and group level. Once the meeting has started, you won’t be able to change the end-to-end encryption setting.  

Will end-to-end encryption be available for Zoom Video Webinars?

End-to-end encryption will not be available for Zoom Video Webinars during the initial release; however, we plan to include that feature in future releases. 

When will we receive more information on the Waiting Room and Passcode change happening on June 19th?

We will begin sending out emails this week to our customers to prepare them for the change and we will also be posting an FAQ document to our support site next week. As a reminder, after June 19th, users and admins must enable Waiting Room, Passcode, or both for their meetings. 

What is the status of accessibility compliance for the Zoom client?

Accessibility compliance is very important to us as we strive to provide a platform that anyone can use with ease. Users can get more information about our accessibility compliance at zoom.com/accessibility

Is there a limit to how many people can participate in a webinar?

Up to 50,000 participants can join a webinar, and webinar hosts can accommodate even more viewers by streaming their webinar over YouTube, Facebook, or other streaming platforms.  

Thank you for your support

Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.


3 Hardware Solutions to Upgrade the Online Learning Experience

Published by Zoom (available on www.zoom.us)

Schools around the world in recent months have been thrust into remote learning and teaching classes online. With the possibility of extended remote learning and hybrid learning scenarios, schools are continuing to adapt to improve the experience for students and staff.

Teachers, professors, and administrators using Zoom for remote and online education can continue to use the ever-expanding capabilities and features of the Zoom platform, and they can also incorporate hardware options that can vastly enhance the teaching and learning experience for everyone. 

Here are three types of hardware solutions, all of which are already part of the physical classroom, that can upgrade the remote and virtual learning experience.

Cameras

Webcams can make a big difference compared with the standard built-in cameras on a laptop.  A dedicated webcam provides some flexibility for presenters to stand up while being seen, and it’s definitely easier than trying to move your laptop. Additional features include higher resolution and low-light correction to help presenters shine in less-than-optimal lighting conditions. 

Document cameras are great for projecting clear visuals of textbooks or other physical objects, much like a projector would. A document camera can even double as a webcam. Here’s a great video on how to use document cams in a Zoom Meeting.

Headsets

Teaching is an interactive experience, and it’s important for students to hear the teacher and for the teacher to clearly hear their students. A good headset with noise cancellation and an advanced microphone should help do the trick. Here are some of our recommended headset brands.

Whiteboarding solutions

Zoom natively provides teachers with annotation and whiteboard capabilities. If you prefer the traditional pen-to-paper experience, you can seamlessly annotate on top of an iPad with an Apple Pencil. It’s a nice alternative to using a mouse or trackpad.

If you prefer a physical whiteboard, the Kaptivo camera mounts onto a traditional whiteboard and projects the content right into your Zoom class. Kaptivo’s guide to whiteboarding from home offers some great tips for optimizing the experience.

If you want to go big on the home whiteboard, consider the 55-inch DTEN D7. The all-in-one video conferencing and touch display built for Zoom Rooms doubles as a large, interactive whiteboard.

For more best practices for using Zoom for online education, check out our Educating Over Zoom webpage.

90-Day Security Plan Progress Report: June 10

Published by Zoom (available on www.zoom.us)

As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, facts about Zoom encryption, and securing meetings with passwords and Waiting Rooms.

Zoom CEO Eric S. Yuan was joined by Zoom CPO Oded Gal and Lea Kissner, former Global Lead of Privacy Technology at Google who is consulting with Zoom on privacy and encryption, for this week’s session.

Zoom CTO Brendan Ittelson; Max Krohn, Zoom’s Head of Security Engineering; and Lynn Haaland, Zoom Deputy General Counsel, Chief Compliance and Ethics Officer, joined for the Q&A session.

Key takeaways from this week’s session

Facts about Zoom’s encryption

Zoom has used – and continues to use – encryption technology on its platform for all users.  

AES 256-bit GCM encryption, which is one of the most secure encryption standards used today, is currently enabled system-wide and is available to all users – both free and paid. A few other things we emphasized:

  • Zoom only responds to valid law enforcement requests. If/when there’s a request for information, our policy is to comply only if the request follows a valid legal process and there is proper jurisdiction. 
  • Zoom does not provide the government direct and unrestricted access to our users’ data, and we do not provide the government with our encryption keys.

Zoom’s plan for end-to-end encryption

Zoom announced our intention to create an end-to-end encryption (E2EE) offering on May 7. We released the original cryptographic design on May 22 on GitHub for feedback, and Lea said an updated version of the paper will be out soon. E2EE is an important security tool, and doing it responsibly at scale for a product like Zoom has not been done before. We want to make E2EE widely available and are exploring ways to do so safely.

Product updates — Waiting Rooms & passwords

We have been enhancing our security features over the past couple of months to ensure our users have full control of the platform and their meeting experience. Oded reviewed some of the benefits of using Waiting Rooms and passwords:

In April, we made the change to have Waiting Rooms on by default and require passwords for free Basic and K-12 accounts. Soon we will also require all meetings scheduled under paid accounts to have either the Waiting Room or passwords enabled. The date for this requirement has not yet been set.

Meetings scheduled before the effective date without a password will have the Waiting Room enabled by default; however, admins and users can choose to enforce a password, the Waiting Room, or both. We’ll provide more updates in the coming weeks. 

Q&A

Can I get a report of users on my account who don’t have passwords turned on?

Customers with more than 50 paid licenses can access a report that shows their organization’s scheduled meetings without passwords.

Will participants have to enter a password when entering a meeting?

Meeting passwords are embedded in the meeting invite URL, so if you click on the meeting invite URL, you will not need to enter a password. However, if you join a password-protected meeting by directly entering the meeting ID (and not clicking the link), you’ll have to enter the password manually. Because the link carries the password, anyone who obtains the link can join; share it only with intended participants, and pair it with the Waiting Room or authentication for sensitive meetings.

When dialing in by phone, how do passwords work?

Participants joining by phone will enter the meeting using a shorter numeric password, which they can enter using their phone’s keypad. 

How do passwords and waiting rooms work on paid accounts for free users?

Any participant, free or paid, who joins a Zoom meeting will have to comply with the paid host’s meeting requirements, which may include a password, waiting room, or both.

When can we expect multi-factor authentication (MFA) to arrive on Zoom?

You can use MFA today through any identity provider (IDP) that supports SAML single sign-on (SSO).

Is Zoom considered HIPAA compliant?

Yes, we can help medical providers enable HIPAA compliance. We offer a number of features that create a HIPAA-compliant environment, including prohibiting recordings and creating business associate agreements (BAA). We designed Zoom for these use cases even before COVID-19. Reach out and we can help you set it up.

Is there a way to protect your webinar content against screen capture software? 

Zoom offers watermark features. When you screen share with the watermark enabled, each viewer sees the shared content overlaid with their own identifying information, so any screenshot they take carries the identity of the person who took it and you can track who leaked the meeting content. We also provide audio watermark capabilities to protect against shadow recording and help identify users who may have shared an audio recording. 

When will the 90-day plan end?

The 90-day period ends on July 1st, and our dedication to security and privacy is always a top priority and an integral part of our company’s DNA.

Can we control virtual backgrounds at the account or group level?

We’re adding an option for admins to control which virtual backgrounds are used. Admins will be able to upload pre-approved backgrounds and restrict hosts and participants to those backgrounds only; we will be developing that feature in the coming weeks.

With Zoom “zooming,” how do you plan to keep your customers happy?

Eric said it ultimately boils down to our company culture, which emphasizes caring for our customers. We remain committed to solving our customers’ business communication challenges, and we take careful action based on feedback to serve and support our customers. 

Thank you for your support

Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.


90-Day Security Plan Progress Report: June 3

Published by Zoom (available on www.zoom.us)

As we continue on our 90-day plan to improve the security and privacy of our platform, this week’s “Ask Eric Anything” webinar focused on recent product security updates, including the successful rollout of Zoom 5.0 and GCM encryption for every free and paid Zoom account.

Zoom CEO Eric S. Yuan was joined by Zoom CPO Oded Gal for this week’s session. Zoom CTO Brendan Ittelson; Lea Kissner, former Global Lead of Privacy Technology at Google who is consulting with Zoom on privacy and encryption; Max Krohn, Head of Security Engineering at Zoom; and Lynn Haaland, Zoom Deputy General Counsel, Chief Compliance and Ethics Officer, joined for the Q&A session.

Key takeaways from this week’s session

Zoom is now GCM encrypted

One of the most impactful changes we’ve made to date is Zoom 5.0, which supports AES 256-bit GCM encryption, one of the most secure encryption standards used today. This encryption was enabled system-wide on May 30 and is now available to all users — free and paid. Visit the Zoom 5.0 webpage to learn more about the security enhancements available on the Zoom platform. 

End-to-end encryption design

We continue to implement our end-to-end encryption design phases. We released our draft design Friday, May 22, on GitHub and are in the process of hosting discussions with cryptographic experts, nonprofits, advocacy groups, customers, and others to share more details and solicit feedback for the final design. Once we have assessed this feedback for integration into a final design, we will announce our engineering milestones and goals for deploying an end-to-end encryption offering for Zoom users.

Q&A

Here are some of the webinar attendee questions (and summarized answers) that were addressed live this week:

Why are we adding an option for owners/admins to manage virtual backgrounds?

Account admins were asking for more control over what their users can upload as virtual backgrounds, so we’re working to offer the ability for admins to upload a set of pre-approved backgrounds.

Any plans to add multi-factor authentication (MFA)?

Most of our enterprise customers use some form of MFA through single sign-on (SSO) providers like Okta and OneLogin to access Zoom. We plan to add MFA options for free and Pro users in the future.

Can you share best practices for hosting large public meetings?

We recommend using the webinar solution, which allows you to better control who can speak and present. Learn more in our meetings vs. webinars support article. If you require a meeting with everyone on video and audio, then best practice would be to create registrations for the meeting, turn on passwords and the Waiting Room, and only allow the host or co-hosts the ability to share their screen.

Will Zoom 5.0 affect participants without a Zoom account that wish to join?

You do not need a Zoom account to join a meeting if invited. Even on Zoom 5.0 or later, anyone can join a Zoom meeting without a Zoom account. If you have an account and are still on a pre-5.0 version, you’ll be prompted to update before you can join.

Does the webinar solution also use GCM encryption?

Yes, it’s the same AES-256 GCM encryption for our meeting and webinar products.

What are your expectations for the last 30 days of the 90-day plan?

We will continue raising the bar on security, privacy, and safety for the Zoom community and build on these efforts for the future. Some short-term goals include using feedback to build out our end-to-end encryption offering, additional password enhancements, more UI updates, and continued efforts to address meeting disruptions.

What happens when the 90-day plan is over?

The conclusion of the 90-day plan doesn’t mean our security/privacy efforts end. Far from it. User privacy and security will continue to be our focus going forward, and Zoom will continue to develop the most secure and frictionless video communication solution for our customers.

Thank you for your support

Thanks for attending this week’s session, and thank you to everyone who submitted questions! We truly appreciate your support on our journey to make Zoom the world’s most secure enterprise communications platform.


University of Sydney Leverages Zoom as It Faces Unique Challenges During COVID-19

Published by Zoom (available on www.zoom.us)

The University of Sydney has an expansive network of students, faculty, and researchers from all over Australia and the world, and the organization relies on video communications now more than ever to drive internal collaboration and deliver its curriculum to students.  

“At this time, we’re facing some really unique challenges that we haven’t faced before,” said Jordan Catling, Associate Director of Client Technology at the University of Sydney. “Our No. 1 priority is making sure that we can continue providing the highest-quality education during this time, and Zoom has been particularly useful in that aspect. Zoom provides us with a flexible set of tools to allow our organization to continue teaching, learning, researching, and working together no matter where they are.” 

The University of Sydney has seen a significant increase in its use of Zoom’s platform since the start of the COVID-19 outbreak. Zoom’s cloud-based design and built-in scalability have allowed it to handle these increases in demand and usage without any infrastructure changes or added management.  

“Over the past three months, we have increased our use of Zoom by over 20 times,” Catling said. “And it didn’t require us to do anything on our end to handle that increased usage. We didn’t need to quickly scale up or need to concentrate specifically on this platform to keep it running. Zoom has been scalable from the word ‘go.’ ” 

Zoom’s ease of use also makes it accessible to students, faculty, and administrators. “Zoom is very straightforward to use, which has been great for us from a support perspective,” Catling said. “It’s very intuitive and requires very little user guidance, so we can put it in front of just about anyone. Instead of the technology becoming the centerpiece of the meeting because it’s so difficult to use, we wanted the conversation and the collaboration to be the centerpiece of the meeting. Zoom enables that type of experience.” 

Read the full case study to learn how the University of Sydney first chose Zoom and its value in driving internal collaboration, reducing costs, and delivering higher education.