The rush to work from home as a result of the coronavirus pandemic has led to a rapid adoption of video-based meeting services, often without organizations having the time to perform necessary due diligence to evaluate security and compliance capabilities. Of late, a few security-related issues have arisen around Zoom Meetings, leading Zoom founder Eric Yuan to pen a blog post stating that he has implemented a 90-day feature development freeze to focus resources on addressing security issues.
As you can imagine, Zoom’s competitors have used these issues to reinforce their own commitments to security as they attempt to differentiate themselves in the marketplace.
Most recently, Zoom’s encryption model has come under attack, underscoring an issue that isn’t unique to Zoom. Like Cisco and Symphony, Zoom offers end-to-end encryption for its messaging app. However, Zoom doesn’t provide end-to-end encryption for meetings. Rather, as described here, it encrypts voice and video data in transit between the Zoom client or Zoom Room endpoint and Zoom’s servers, but once the data reaches the servers, Zoom must decrypt it to support recording, transcription, and a variety of other features. Zoom isn’t alone in this respect. For meeting vendors to offer advanced features such as transcription and recording, take advantage of emerging AI capabilities like facial recognition, or support third-party integrations, they must be able to decrypt video and audio data in order to analyze it.
The common encryption model among meeting applications covers data at rest (on the provider’s servers) and data in motion (e.g., endpoint to server). Cisco is worth noting as an exception, as it does offer an end-to-end encryption option for Webex Meetings.
However, as Cisco notes, using this option disables its web app, recording, the ability for participants to join a meeting before the host arrives, and the use of video endpoints. Another vendor, Wire, offers end-to-end encryption for videoconferencing and messaging, but has a limit of 10 participants per call. The fact that almost all video meeting vendors offer neither end-to-end encryption nor the ability for customers to manage their own encryption keys as standard in their services means that government entities can obtain a warrant and tap meetings.
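The two topologies described above, transport (hop-by-hop) encryption that is decrypted at the provider's server versus end-to-end encryption that the server cannot read, are easy to see in a small simulation. The following is an added example written for this article, not code from Zoom, Cisco or any vendor named here; the cipher is an HMAC-SHA256 keystream used only as a stand-in for a real AEAD, the endpoint names and the sample media frame are constructed, and the end-to-end meeting key is assumed to reach the endpoints out of band. The point it shows is where plaintext exists: in hop-by-hop mode the server holds the per-leg keys and can record or transcribe; in end-to-end mode it only relays opaque bytes, which is exactly why server-side recording is unavailable in that mode.

```python
"""Where the plaintext lives: hop-by-hop vs end-to-end meeting encryption.

Illustrative model only. The cipher below is an HMAC-SHA256 counter keystream
standing in for a production AEAD; keys and the sample frame are constructed.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (toy stand-in for AES-GCM)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class MeetingServer:
    """Media relay. With per-endpoint transport keys it is a decryption point;
    without them (end-to-end mode) it is a blind relay."""

    def __init__(self, transport_keys=None):
        self.transport_keys = transport_keys  # {endpoint: key} or None for E2E
        self.recordings = []  # plaintext the server could record/transcribe
        self.relayed = []     # ciphertext seen on the wire

    def relay(self, src: str, dst: str, blob: bytes) -> bytes:
        self.relayed.append(blob)
        if self.transport_keys is None:
            return blob  # E2E: forward unchanged, nothing to decrypt with
        # Hop-by-hop: decrypt the inbound leg, then re-encrypt for the outbound leg.
        media = decrypt(self.transport_keys[src], blob)
        self.recordings.append(media)  # recording, transcription, AI features happen here
        return encrypt(self.transport_keys[dst], media)


# Constructed sample media frame (stands in for an audio/video packet).
FRAME = b"constructed sample audio frame: quarterly numbers"


def run_hop_by_hop():
    """Alice -> server -> Bob with separate transport keys per leg."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    server = MeetingServer(transport_keys=keys)
    wire = server.relay("alice", "bob", encrypt(keys["alice"], FRAME))
    received = decrypt(keys["bob"], wire)
    return received, server.recordings


def run_end_to_end():
    """Alice -> server -> Bob with one meeting key the server never holds."""
    meeting_key = secrets.token_bytes(32)  # assumed distributed to endpoints out of band
    server = MeetingServer(transport_keys=None)
    wire = server.relay("alice", "bob", encrypt(meeting_key, FRAME))
    received = decrypt(meeting_key, wire)
    return received, server.recordings, server.relayed


if __name__ == "__main__":
    got, recs = run_hop_by_hop()
    print("hop-by-hop: bob got frame:", got == FRAME, "| server recorded:", recs)
    got, recs, wire = run_end_to_end()
    print("end-to-end: bob got frame:", got == FRAME, "| server recorded:", recs,
          "| server saw only ciphertext:", FRAME not in wire[0])
```

Run it directly to see both cases side by side. The assessment question this turns into for a vendor evaluation is simply: which box in the vendor's architecture holds the keys, and who controls that box.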
Most cloud providers, including Cisco, Google, and Microsoft, publish transparency reports that list government requests for data. Yuan’s blog post notes that Zoom will soon do the same to address concerns about meeting data the government might be requesting to access. More to the point, the debate over end-to-end encryption raises the question of whether enterprises truly need it to meet their security and compliance needs. Obviously, the unique needs of the organization will drive requirements.
Those operating in regulated industries, conducting meetings in which personally identifiable information is shared (e.g., telemedicine), or involved in national security will likely have more stringent security requirements than, say, an analyst firm holding an internal meeting to discuss an upcoming research project. For those organizations that truly can’t take the risk of a meeting vendor, or any third-party entity, gaining access to meeting data, on-premises meeting platform options from vendors such as Cisco, Compunetix, and Pexip may suffice. Using these kinds of platforms means that a company is buying, deploying, and managing its own conferencing infrastructure within its data center, or within a public cloud service that it controls.
For those responsible for information security and/or collaboration, it’s worth taking some time to understand the security capabilities of the vendors in use, and of those you may be evaluating for future use. Start by documenting your own requirements for information protection and privacy, then conduct a thorough assessment of whether cloud providers can meet those needs, or whether you will need to consider an on-premises option.