How to Keep Your Zoom Meetings Secure
With the COVID-19 pandemic forcing millions of employees and students to work and learn from home, Zoom usage has grown by a factor of 20 since December 2019. But along with that increased usage has come increased scrutiny over security concerns in light of "Zoombombing"—when interlopers interrupt Zoom conferences with everything from noise and revolting images to displays of white supremacy and anti-semitism—and account user names and passwords leaked on the dark web.
Some major organizations, including the New York Department of Education, Siemens, and Stanchart, have banned Zoom entirely. Zoom's competitors have jumped on the bandwagon, too. Google, whose Meet product competes with Zoom, has banned employees from using Zoom on company-issued computers, and Microsoft seized the opportunity to criticize Zoom in a recent ad for its own Teams product.
Zoom announced last month it was freezing the development of new features and focusing on improving security, making changes such as enabling the waiting room by default, giving hosts a security toolbar, and no longer displaying the meeting ID on screen.
So just how secure is Zoom, and should corporations and educational institutions stop using it? According to three experts we talked to, the answers to those questions are "not as secure as some other options" and "no, so long as users take advantage of the privacy and security options Zoom offers." And the bottom line is that the features that made Zoom so popular also make it inherently less secure than some alternatives.
We sent questions via email to Steve Vonder Haar, senior analyst for enterprise streaming and intelligent video at Wainhouse Research; Andy Howard, who runs Howard & Associates, a consulting firm that assists enterprises with their video strategies; and Liam Moran, Streaming Media contributing editor and instructional resources systems specialist at University of Illinois at Urbana-Champaign. Here are their edited answers to our questions.
How serious do you think the security concerns are with Zoom? What, in particular, are the issues that users should be concerned about?
Steve Vonder Haar: Security is a serious issue for any enterprise. When flaws are exposed for any vendor, that represents a problem. Most of Zoom’s "security issues," however, really stem from how defaults have been set for end-users. The Zoom platform can address many of the notable "Zoom-bombing" issues that have come to light by simply changing the settings that are used to manage meetings. Zoom is easy to use—in part—because the defaults are set in a way that minimizes the barriers that can come with initiating a video conference. Set the defaults more stringently? Voila! You have more security. In most instances, Zoom is deployed in corporate settings where IT managers are toggling the security levels for solutions that are provided to employees. Some of that security oversight can be lost when individuals are implementing solutions on their own while working remotely. Certainly, the security issues are a black eye for Zoom. But they really don’t reflect shortcomings in the product itself.
Andy Howard: Information security is always important and even more important in times when people are working remotely. That being said, I believe that many of the security concerns that are being brought up about Zoom are completely overblown. Any product or service is only as secure as the people who are using it set it up to be. Zoom’s goal when they started was to make video communications as frictionless as possible.
Zoom always has had additional measures to lock down meetings (passcodes, waiting rooms, single sign-on, and so forth), but many did not turn those on because they never had an issue.
Unfortunately, the media and even the government have also blown this out of proportion and have also been inaccurate in many cases. For example, these Zoom meetings did not get “hacked”. No one broke into anyone’s computer and took it over. No one can listen in on your meeting without you knowing it. People simply did not lock down their meetings and bad people disrupted them. That can happen on any platform (video or otherwise) when people know the URL for how to get in!
Zoom is extremely secure when you implement the security mechanisms that are provided (see next section). Examples:
- Zoom enables HIPAA compliance and works with many healthcare organizations globally.
- Zoom works with many of the largest government agencies in the world and has received FedRAMP authorization which allows U.S. Federal Government agencies and contractors to securely use Zoom for Government for video meetings, API integrations, and more.
- Zoom works with many of the largest financial services companies in the world who obviously have strict security guidelines.
Liam Moran: Zoom has demonstrated for several months that they prioritize user experience over security to an unusual excess, starting at least with the discovery last July that it was installing a Node.js web server on macOS computers to launch the application from browser links more smoothly. The most significant current security concerns relate to the ease with which bad actors have managed to enter Zoom sessions, and until the bad press, that was a price they were willing to pay for making it easier for intended low-tech-comfort users to get into calls.
Similarly with the lack of end-to-end encryption: that's a necessary security lapse since Zoom transcodes for the various resolutions at the server side rather than the client side (like Jitsi does, and why Jitsi only works well for Chrome, which supports simultaneous encoding to a few bitrates in-browser). The routing of calls through servers located in the People's Republic of China has drawn a lot of attention, but I buy Zoom's explanation and find it unlikely that Unit 61398 would need to do something as obvious as routing calls through local servers to intercept signals if they wanted them. See their response to the CitizenLab.ca report that addresses that discovery, but not the potentially more concerning and as-of-now still embargoed security failure in their waiting room implementation from the Citizen Lab report.
What steps can users take to use Zoom safely?
Howard: There are many layers of security that can be implemented, but the following are the ones that are most impactful:
- Enable the Waiting Room feature. This basically allows you as the host to allow or disallow people into the meeting. This is now on by default.
- Enable passwords for your meetings. This is one that Zoom recently changed and made it so meeting passwords are on by default. I struggle with this one a bit. I have already had some situations where users had difficulty getting into the meeting because they did not have the password.
- Turn off screen sharing – especially if you are hosting a large public meeting. This is the primary way that people have taken over the Zoom meetings because they share inappropriate content on the screen share. Zoom also recently changed the default for this feature to Host only, but of course the Host can allow other participants to share also.
- Allow only Authenticated Users to Join – The authentication feature is particularly important for educational environments, but can be valuable in other verticals as well. For the educational example, you can lock down a meeting to only people from a certain domain. Therefore only a user that is logged into Zoom with their school email is able to authenticate and join the meeting. I believe every educational environment should implement this.
Another way to control users in a large meeting setting is to set it up as a Webinar instead of a meeting. In this case, there is typically one or a few people that are doing most of the talking, and the others are consuming the information. You can promote people to be a panelist so they can participate also. Users can even “raise their hand” to request the ability to speak. The added bonus is that everyone will be muted by default which eliminates a lot of background noise that you have probably noticed in large meetings.
Most importantly, if you do not want potential bad actors to attend, make sure that you do not post your meeting information on Facebook, Twitter, LinkedIn, or any public forum where people can easily join.
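The four settings in the list above can be checked mechanically before a large or public session. The script below is an added example, not code from the article or from Zoom: it audits a constructed meeting-settings record against those steps and shows the hardened form beside the weak one. The key names are modelled on Zoom's meeting-settings JSON as I understand it and should be treated as an assumption about the exact schema.

```python
import copy
import json

# Constructed sample: a meeting scheduled with the old permissive defaults.
# Key names are an assumption about the meeting-settings schema, not verbatim API output.
WEAK_MEETING = json.loads("""{
  "topic": "Intro to Biology - Section 2",
  "password": "",
  "settings": {
    "waiting_room": false,
    "join_before_host": true,
    "who_can_share_screen": "all",
    "meeting_authentication": false,
    "authentication_domains": ""
  }
}""")


def audit_meeting(meeting: dict, require_domain: bool = False) -> list:
    """Return human-readable findings; an empty list means every control is on."""
    s = meeting.get("settings", {})
    findings = []
    if not meeting.get("password"):
        findings.append("passcode: none set, the link alone admits anyone")
    if not s.get("waiting_room", False):
        findings.append("waiting room: off, host cannot vet arrivals")
    if s.get("join_before_host", False):
        findings.append("join before host: on, the room is open unattended")
    if s.get("who_can_share_screen", "all") != "host":
        findings.append("screen share: any participant can share")
    if not s.get("meeting_authentication", False):
        findings.append("authentication: unauthenticated users may join")
    elif require_domain and not s.get("authentication_domains"):
        findings.append("authentication: on, but not restricted to a domain")
    return findings


def harden_meeting(meeting: dict, passcode: str, domain: str = "") -> dict:
    """Return a copy of the meeting with the hardening steps applied (input untouched)."""
    fixed = copy.deepcopy(meeting)
    fixed["password"] = passcode
    s = fixed.setdefault("settings", {})
    s.update(waiting_room=True, join_before_host=False,
             who_can_share_screen="host", meeting_authentication=True)
    if domain:
        s["authentication_domains"] = domain  # e.g. the school's email domain
    return fixed


if __name__ == "__main__":
    for line in audit_meeting(WEAK_MEETING, require_domain=True):
        print("FINDING:", line)
    locked = harden_meeting(WEAK_MEETING, "constructed-passcode", "example.edu")
    print("after hardening:", audit_meeting(locked, require_domain=True))
```

Posting the meeting link publicly is the one step in the list no settings check can catch; the audit only covers what is in the record.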
Moran: Use a password for your room and distribute it securely to your session participants: for a school, that means through a secured LMS. As for end-to-end encryption: meh, any call involving more than a handful of people is inherently insecure unless you have absolute trust in each of them, so don't discuss trade secrets within a Zoom session if you don't want them getting out. Disallow all non-host session participants from sharing their screens and creating annotations.
Are you advising people to use or not use Zoom?
Vonder Haar: It all boils down to market education. If you can inform users of the need to manage the platform’s settings in a way that minimizes security risk, then there’s no reason to block usage of Zoom. The answer to the question really comes if you look in the mirror and engage in some realistic evaluation of your team. Will your users follow instructions and require minimal safeguards—like requiring passwords for meeting entry? If the answer is "yes," then there’s no problem. If "no," then you have to do a basic risk/benefit analysis. In most instances, I believe the benefits of using enriched video collaboration are far greater than the associated risks. But every business communicator has to make that judgment for themselves.
Howard: I absolutely am still advising people to use Zoom. In fact, I am working with one of the world’s largest professional services organizations to help them roll out Zoom company-wide both for remote workers as well as in conference rooms when they are back in the office. As they shut down their offices worldwide, they enabled over 80,000 Zoom licenses overnight. The positives that the Zoom service brings, especially in these times, far outweigh the negatives. And Zoom gives you a plethora of ways to lock down access to your meetings. Now that they have made those the defaults of the service, I believe there will be few issues moving forward.
Moran: Zoom is still an excellent product for teaching and learning, and they've handled the unprecedented swell in usage admirably well. I haven't been advising anyone not to use it for instructional purposes. If someone has concerns of any kind, I would show them how to use Teams, which is better in some ways (live automatic captions are baked in) but lacks breakout rooms. I would discourage its use for sensitive communications like private counseling or medical consults, where you don't need mass-multiparty in any case.
Does it appear to you that Zoom is adequately addressing these concerns?
Vonder Haar: Zoom is responding as well as—if not better than—any other enterprise solutions vendor pushed into a similar position would. It is unfair to expect any enterprise solution to graft in consumer-level sensibilities overnight, but Zoom management is doing what it can to acknowledge the shortcomings exposed by the crisis situation and focus development on updates that help address a broad swath of its issues in a relatively short timeframe.
Howard: I believe that they are. In this period of hyper growth, they have diverted their entire engineering force to focus on security in lieu of adding new features. They have implemented a new Chief Information Security Officer (CISO) council and Advisory Board and added one of the world’s most widely respected experts on cybersecurity as an Advisor.
As mentioned above, they also have changed many of the default settings that were causing issues (passwords, screen sharing, etc.) so that it is harder to join a meeting to which you were not invited. And they have already addressed all of the recent vulnerabilities that have been brought up by independent security researchers.
Moran: No. I don't think that Zoom is culturally or technologically capable of addressing these concerns. This is the bed they made when they prioritized user experience over security from the start, and they'll sleep just fine in it. They have their Government tier that supposedly is secure but is not being as seriously investigated as the consumer version; and for enough of their consumer customers, the prioritization of user experience over security is tolerable if not shared outright. Zoom's competition will fill in feature gaps and snatch up the market share that has concerns about security; Zoom will do just fine with the substantial remainder who, for the most part, have had good experiences of their own. Being first to the table is a big advantage, even more so when procurement processes are byzantine and hard to steer.
Even before the COVID-19 crisis hit, enterprise video was moving into a new phase, and organizations face more options than ever to address security and pricing concerns and solve the age-old CapEx vs. OpEx challenge.
Tulix is giving K-12 schools 30Gbps of bandwidth for free, while Zoom is making its videoconferencing service available to K-12 teachers as well. Other companies are working to make the transition to work-from-home easier.