Zoom: Our Top 12 Recommendations
Zoom: Our Top 12 Recommendations
Experienced CSO’s know that how any company responds to a security incident says a tremendous amount about an organisation. Companies quick to acknowledge errors are often quick to fix them as well.
It must be said that Zoom have responded to recent criticism in fairly impressive fashion. They have ‘held up their hands’, admitted their mistakes and with the release of v5 of their massively popular client attempted to quickly address many concerns.
Here at Options, we have read the Zoom articles with great interest, analysed the content, reviewed their security guidance and distilled these into a dozen findings;
1) Encryption: Zoom v5 brings support for GCM ‘high performance’ encryption, desirable due to the real-time demands of video and voice communications. Zoom are rolling out GCM at the end of May to both v5 clients and Zoom Rooms. You simply have to click on the ‘Encryption Shield’ icon so see if the meeting is secure or to view additional encryption details. A simple to use, effective and welcome addition.
2) Datacentre selection: In response to some meetings being connected to mainland China datacentres Zoom are allowing hosts to decide which datacentre region to use for scheduling their meetings and webinars. This is great for anyone concerned about data confidentiality, sovereignty or residency.
3) Report Users: Following numerous reports of inappropriate behaviour on calls, Zoom have introduced a new ‘ Report a User’ feature. Hosts can now easily report misbehaving users to Zoom’s Trust & Safety team.
4) Picture Profile: Again to prevent inappropriate behaviour account admins and hosts can prevent participants from showing or changing their profile pictures within a meeting. Again a relatively simple but highly effective control.
5) Passwords: Its well known that hosts should assign a password to all meetings, Zoom now require passwords to have a minimum of 6 characters, making it much harder for unauthorised users to gain access to meetings.
6) Cloud Recording: Hosts can now set expirations on their cloud recordings and can disable the sharing of their recordings. Great for helping with data retention policies.
7) Enable a ‘Waiting Room’: This will allow you to review who is attempting to join your meeting before admission. This vetting capability should help ensure that only invited guests get access to Zoom meetings..
8) Don’t use your ‘Personal Meeting ID’ for public meetings. Use a randomly generated meeting ID instead. This is a really great recommendation – random ID make it much harder for anyone to target your meetings.
9) Registered or ‘Domain Verified’ attendees: Host can require attendees to register their details before attending meetings. Zoom also offer the options to only permit users with email address using a certain domain. ‘approved’ domain. Catering to those wanting even greater vetting of attendees this can be a welcome addition for those requiring even greater security.
10) Lock meetings: Once your meeting starts you can choose to prevent any additional users from joining. Not just good from a security perspective – this allows hosts to focus on the ongoing meeting without interruption.
11) Control Screen Sharing, Private Chat and Host Mute: Sensible measures to help prevent unwanted chatter or interruptions. Hosts can toggle the ability of attendees to share their screens, chat or even mute attendees.
12) Remove Users: Last but by no means least – Zoom make it easy for a host to evict any unwanted attendee from a meeting and can prevent re-joining.
Options knows that software updates play a vital role in ensuring software is properly secured and fully supportable. This is why we partner with Ivanti, a leading provider of enterprise Patch Management Solutions.
Using Ivanti, Options is able to centrally manage updates for dozens of third applications that our clients depend upon, including Zoom and their plugins for Outlook, ensuring our customers can be at the front of benefiting from the latest Zoom security improvements.
– John Gracey, Chief Security Officer