Zoom

When asked what would be most important in justifying IT investments to their organization’s business management team in 2021, improved cybersecurity (47%), increased employee productivity (35%), and improved digital collaboration capabilities (30%) were the most-cited responses.

In addition, 25% stated that the broader use of online collaboration tools as part of daily work patterns would be the most significant lasting impact of the current COVID-19 business disruption on their organization’s longer-term IT strategy. The lasting tech legacy of COVID-19 will be the widespread adoption of digital collaboration tools.

Zoom has been offering an online collaboration solution since 2012 that provides speed, scale, and ease of use, but in early 2020, security became more of a concern than it already was as more organizations—many with little or no IT expertise—flocked to the platform, drawn by its well-known ease of use. Zoom quickly moved to address security concerns with architectural, administrative, and user interface adjustments. Zoom is designed to deliver a safe and secure virtual meeting environment when used with the appropriate settings and safeguards to protect meetings. IT administrators can configure the Zoom solution with specific default security settings, which can be locked so meeting hosts and users cannot modify them. Zoom secures meetings via multiple methods and technologies: two-factor authentication; end-to-end AES-256 GCM and TLS 1.2; passcode authentication; the ability to deny, block, or remove attendees; and the ability to lock meeting/webinar access.

Zoom is also designed to be easy and flexible to use via its intuitive user interface and one-click HD screen sharing. In addition, users can join from any device and save webinar settings as a template.

Despite this ongoing work, Zoom has been experiencing a “trust gap” with potential users across industries. This is not because of a lack of security or privacy features; Zoom’s security feature set is extensive and robust. This is more due to a lack of understanding of/hesitancy to accept Zoom’s assertions of their commitment to and expertise with security and privacy.

In April 2020, Zoom began with a 90-day plan, freezing features, conducting reviews with third-party experts, launching their CISO council to dialogue on security and privacy best practices, publishing a transparency report related to government and law enforcement requests for information, enhancing their bug bounty program, ramping up penetration testing to identify and address issues, and kicking off a weekly webinar to provide privacy and security updates to their community.

That work has driven feature enhancements like end-to-end encryption—after the feature freeze was lifted—via their acquisition of Keybase, numerous UI and feature enhancements, and a number of key hires of heavy hitters in the security and privacy space. Zoom’s audited security program is testament to Zoom’s alignment with customers’ needs across industries and verticals. Zoom’s security program includes numerous third-party certifications and attestations.

Zoom has closely aligned themselves to needs in vertical markets. One way they accomplish this is to ensure they comply with global privacy frameworks. They have implemented data protection and privacy practices deep into their products and processes.

In short, Zoom has experienced a level of growth that few other companies have experienced. It’s clear that Zoom has adapted quickly and decisively to the needs of their user community, from adding and enhancing security and privacy features, through educating their user community on best practices, to ensuring that they are compliant with global and regional standards and regulations. Atop all of this is third-party validation that they have performed on a regular cadence, which proves Zoom’s commitment to security and privacy for all their users, including those with the most stringent security and privacy requirements, like government, education, financial services, and healthcare.

Operational Efficiency

In this section, we cover a number of Zoom security capabilities needed to satisfy security and privacy requirements: end-to-end encryption, audio signatures, passcode protection, identity-based security, and in-meeting controls. While our evaluation focused on these key areas, it’s important to note that Zoom offers a wide variety of additional security capabilities.

Zoom offers client software packages for MacOS, Windows, iOS, Android, and Linux that leverage a range of encryption technologies to assist with user privacy and security. End-to-end encryption is optional for all Zoom users—free and paid—and is not enabled by default. When enabled, all data transmitted from a Zoom client to the Zoom cloud is encrypted in transit. Zoom’s end-to-end encryption, when enabled, ensures that communication between all meeting participants in a meeting is encrypted using cryptographic keys known only to the devices of those participants. This ensures that third parties, including Zoom, do not have access to the meeting’s private keys (see Figure 3).

Zoom offers a web interface that provides a number of features, including a complete management console, access to cloud recordings, an extensive set of API endpoints, and a web-based client for meetings. All customer data transmitted from a web browser to the Zoom Cloud, including on their website and via their web meeting client, is encrypted in transit using TLS 1.2 and DTLS with AES-256.

Zoom lets users know when someone connected is not fully encrypted and identifies them so they can remedy it. The in-meeting shield icon, which appears in the top-left corner of meetings, is intended to give users a clearer sense of their meeting’s security similar to how web browsers provide an indication in the navigation bar like a lock icon. When users’ data is running exclusively on Zoom clients like the Zoom mobile app or desktop version, it is securely tunneled end to end and the shield appears green.

Zoom offers methods for a range of third-party services and devices to connect with their system, leveraging communication protocols native to the specific third-party device or server. Encryption methods are limited to what’s possible on each device. In this case, customer data transmitted via these devices and services may not be encrypted in transit to and from Zoom’s cloud connectors. For example, if a user calls into a meeting over a telephone (Figure 3), then their audio would not be encrypted until that data reaches Zoom’s telephony gateway. Audio is encrypted at that point and is only decrypted once it reaches the destination clients. All other meeting data would be passed by the Zoom client and would still be encrypted end to end. Link level encryption for third-party H.323/SIP devices is supported and can be enforced as a mandatory control if the device has appropriate TLS 1.2 and AES encryption support.

Customers on paid accounts can customize their data center settings with respect to data in transit for Zoom meetings and Zoom video webinars at the account, group, or user level. Organizations can opt in to, or out of, specific data center regions with respect to meeting and/or webinar data in transit (Figure 4). If someone needs to join a meeting from an opted-out region they can, but the meeting data will still not pass through the opted-out data center.

This data center option feature gives organizations more control over their data and its interaction with Zoom’s global network and doesn’t affect data-at-rest locations. Long-term file storage is always in an organization’s home data center region.

Zoom offers pre-meeting, role-based security capabilities that are available to the meeting host, including secure log-in using standard username and password or single sign-on using Security Assertion Markup Language (SAML) and the enforcement of passcodes for both ad hoc meetings using Personal ID and scheduled meetings (see Figure 5).

The meeting host can selectively invite participants via email, instant message (IM), or text message (SMS), which provides greater control over the distribution of meeting access information. The host can also allow members from a certain domain to join a meeting and/or wait in a meeting’s waiting room. Meeting hosts can also customize the registration page with a banner and logo. By default, Zoom restricts participants to just those who are logged into Zoom (see Figure 6). Any of these features can be selectively locked by the administrator.

Zoom provides multiple methods for a host to secure and protect a meeting in progress, including the At-Risk Meeting Notifier, muting participants, stopping video, disabling chat, removing a user, reporting meeting offenders, locking meetings, and an option for reporting inappropriate conduct.

The At-Risk Meeting Notifier scans public social media and other websites for publicly shared Zoom meeting links. When the tool detects a meeting that looks to be at high risk of being disrupted, it automatically alerts the account owner by email and provides remediation advice like deleting the vulnerable meeting and creating a new one with a new meeting ID, enabling security settings, or using another Zoom solution, like Zoom Video Webinars or OnZoom.

If a meeting participant forgets to mute or they are otherwise disruptive or behaving inappropriately during the meeting, Zoom allows the meeting host to solve this problem by muting any or all participants.

For an added layer of security, Zoom allows the meeting host to disable a participant’s ability to unmute themselves. When the meeting host is ready to make the meeting interactive, they can simply hit the “Unmute All” button or allow participants to unmute themselves, which asks participants for unmute consent. The ease of screen sharing is one of Zoom’s advantages, but that can also leave the meeting open to unwanted disruptions. Zoom gives the meeting host the ability to restrict screen sharing to only the meeting host or limit users’ ability to start sharing if someone else is presenting. The meeting host can easily toggle these features on and off from the screen sharing menu, as well as the security menu (see Figure 7).

The in-meeting chat adds another dimension of collaboration to meetings, creating a place for questions to be asked and fielded later or for supplemental resources to be posted. But unrestricted chat can become distracting or unproductive at times. Zoom provides the ability to disable and enable chat when scheduling the meeting or at any time during the meeting.

The meeting host also has the ability to remove an attendee from the meeting at any point. For additional security, Zoom allows the host the ability to not allow participants to rejoin the meeting once they have been removed.

Once all attendees have arrived, the meeting host can easily lock the meeting from the security menu, preventing any additional attendees from joining. Zoom is designed to enable meeting hosts to know exactly who will be attending the meeting. When scheduling, meeting hosts can require attendees to register with their e-mail, name, and custom questions and then restrict users from changing their display name (see Figure 8).

Operational Efficiency

With Zoom, administrators can make it easy for meeting hosts and attendees to start, join, and collaborate securely across any device. Zoom syncs with multiple calendar systems and delivers streamlined video conferencing from desktop and mobile devices. Zoom offers centralized IT management and remote assistance to simplify deployment and support, including the ability to track utilization and usage trends; view version distribution; and assign granular permission settings, including account, group, and user levels (see Figure 9).

Flexibility

Users can join Zoom meetings using a desktop client, mobile app, or web client via the Zoom web portal. The Zoom web portal is primarily used for editing profiles, adjusting meeting and Zoom Phone settings, and accessing meeting recordings in the cloud. While Zoom supports connecting via web clients—Firefox, Chrome, Edge, and Safari—the desktop client or mobile app are recommended, as they offer a more feature-rich experience. Figure 10 shows a meeting with a participant using a smartphone while sharing a PowerPoint presentation.

Connecting to the meeting, sharing, and features and functionality are consistent across clients, which makes joining and actively participating in meetings from anywhere easy.

Why This Matters

When asked what would be most important in justifying IT investments to their organization’s business management team over the next 12 months, improved cybersecurity was the most-cited response (47% of respondents), followed by increased employee productivity (35%), and improved digital collaboration capabilities (30%).

ESG validated that Zoom effectively addresses these demands. Collaboration is essential, and the global pandemic has made it more essential. WFH mandates created new challenges for organizations, with security and ease of use at the top of the list. Zoom helps organizations securely connect teams, people, and organizations with strong features and best practices confirmed through hands-on testing to make it easy for administrators to manage and even easier for participants to use.

This ESG Technical Validation was commissioned by Zoom and is distributed under license from ESG.

¹ Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2020. All ESG research references and charts in this technical review have been taken from this report, unless otherwise noted.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.