Wednesday, August 5, 2020

CEO Report: 90 Days Done, What’s Next for Zoom

During the first few months of 2020, the Zoom team worked around the clock to support the tremendous influx of new and different types of users on our platform. The sudden and increased demand on our systems was unlike anything most companies have ever experienced. As March came to a close, we realized that our singular mission to deliver frictionless video communications to hundreds of millions of daily meeting participants needed to include an equivalent focus on security and privacy – areas where we needed to do more.

 

On April 1, 2020, we pledged to make a number of enhancements to address security and privacy. The 90-day program we rolled out that day refocused our company on 7 commitments that embedded security and privacy permanently in Zoom’s DNA. Today I will provide a status update on each of those commitments, as well as share our path forward.

 

Commitment #1: Enact a feature freeze, effective April 1, and shift all our engineering resources to focus on our biggest trust, safety, and privacy issues.

 

Status: We enacted a 90-day freeze on all features not related to privacy, safety, or security. With all of our engineering and product resources aimed in this direction, we released over 100 features including the following:

 

 Zoom 5.0

 

o AES 256 GCM encryption (available to all users, free and paid)
o UI updates – Security icon, green encryption shield with data center location click through
o Report a User
o Meeting defaults – password, waiting room, and limited screen sharing
o Other features – host disable multiple device login, unmute consent, cloud recording expiration, tighter Zoom Chat controls, and more

 Acquired Keybase and started building end-to-end encryption (for all users, free and paid)

 

 Offered customized data routing by geography

 

Going forward, we have put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development:

 

 Design phase: Security requirements, risk assessment, threat modeling
 Build: Secure code guidelines, self-service scanning, CI/CD tools
 Test: Security testing, automated test execution, web testing tools
 Stage: Secure configuration, integrity monitoring, validate requirements
 Production: Monitoring the security of our system, system health, threat landscape

 

Commitment #2: Conduct a comprehensive review with third-party experts and representative users to understand and ensure the security and privacy of all of our new use cases.

 

Status: We have worked with a group of third-party experts to review and make enhancements to our products, practices, and policies, including our CISO advisory council, Lea Kissner, Alex Stamos, Luta Security, Bishop Fox, Trail of Bits, NCC Group, Praetorian, Crowdstrike, Center for Democracy and Technology, and other organizations in the privacy, safety, and inclusion spaces. The contributions of everyone on this list have been tremendous and we are so grateful for their help.

 

Commitment #3: Prepare a transparency report that details information related to requests for data, records, or content.

 

Status: We have made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records, or content. We look forward to providing the fiscal Q2 data in our first report later this year. In the meantime, we have recently created a guide for how we respond to government requests. We also updated our privacy policies, mostly to make them easier to understand, and added a separate California Privacy Rights Statement. You can find these documents on zoom.com/privacy-and-legal.

 

Commitment #4: Enhance our current bug bounty program.

 

Status: We have developed a Central Bug Repository and related workflow processes. This repository takes vulnerability reports from HackerOne, Bugcrowd, and security@zoom.us (the latter of which does not require an NDA) triaged through Praetorian. We established an ongoing review process with daily meetings, and improved our coordination with security researchers and third-party assessors. We also hired a Head of Vulnerability and Bug Bounty, several additional appsec engineers, and are in the process of hiring more security engineers, all dedicated to addressing vulnerabilities. In the meantime, we’re focused on improving our response times. Overall, our bug bounty process is solid, and will only be stronger as we accomplish our hiring objectives. We are grateful to Luta Security for their help in this process.

 

Commitment #5: Launch a CISO council in partnership with leading CISOs from across the industry to facilitate an ongoing dialogue regarding security and privacy best practices.

 

Status: We launched our CISO council, composed of 36 CISOs from a variety of industries, including SentinelOne, Arizona State University, HSBC, and Sanofi. This council, led by our Deputy CIO Gary Sorrentino, has met four times over the past three months and advised on important matters such as regional data center selection, encryption, meeting authentication, and features such as Report a User, Passwords, and Waiting Rooms. The council has proven to be such a success, we will extend this program with CISO Roundtables — interactive discussions between CISO customers and our security team leaders to understand the measures that Zoom has taken and will take in the future to ensure the security and privacy of our platform. Interested CISOs and CIOs can ask their Zoom Account Executive for more information.

 

Commitment #6: Engage a series of simultaneous white box penetration tests to further identify and address issues.

 

Status: Zoom engaged multiple firms – Trail of Bits, NCC Group, and Bishop Fox – to review our entire platform. Their scope of work covered:

 

 Zoom production environment, both public and co-located data centers:

 

o Cloud configuration
o External IP space
o Internal production network

 

 Zoom core web application and Zoom corporate network:

 

o Internal network
o External perimeter

 

 Public API for common clients

 

o Mobile clients
o Desktop clients

 

Zoom is committed to continuous third-party penetration tests as a foundation of its security program.

 

Commitment #7: Host a weekly webinar on Wednesdays to provide privacy and security updates to our community.

 

Status: Including the webinar this week, we have hosted 13 of these webinars total, every Wednesday since April 1. These virtual events featured a number of our executives and consultants who took live questions from the attendees. We also shared a recap and recording of the webinars on our blog every Wednesday. We will continue these webinars, the next on July 15, and then move to a monthly cadence.

 

Other key updates

 

We’ve taken some additional noteworthy steps:

 

 We made several key leadership additions or changes since April 1, including:

 

o Velchamy Sankarlingham, President of Product and Engineering
o Jason Lee, Chief Information Security Officer
o Damien Hooper-Campbell, Chief Diversity Officer
o Aparna Bawa was named Chief Operating Officer, and now oversees Zoom’s security efforts
o Lynn Haaland, Deputy General Counsel and Chief Compliance and Ethics Officer, also was named Chief Privacy Officer
o H.R. McMaster added to the Zoom Board of Directors
o Josh Kallmer, Global Head of Public Policy and Government Relations
o Ginny Lee, Associate General Counsel, Privacy
o Mara Davis, Associate General Counsel, Compliance & Ethics
o Head of Vulnerability and Bug Bounty, starts 7/13
o Andy Grant, Head of Offensive Security, starts 7/13

 

 Zoom Phone added to Zoom for Government, which is already authorized under the U.S. Federal Risk and Authorization Management Program (FedRAMP)

 

 We remain committed to significantly growing our US-based engineering team to support increased usage with new offices based in Phoenix, Arizona and Pittsburgh, Pennsylvania

 

Where do we go from here

 

This period has brought about meaningful change at our company and made the safety, privacy, and security of our platform central to all we do, as we strive to be worthy of the trust customers place in us. I am proud of, and humbled by, the role Zoom has played in connecting the world in crisis, and in all that our team has accomplished in the past 90 days to better secure our platform.

 

But we cannot and will not stop here. Privacy and security are ongoing priorities for Zoom, and this 90-day period – while fruitful – was just a first step. Throughout this report I have provided information on new processes and people that will help Zoom on our journey to becoming the most frictionless and secure video communications platform in the world.

 

Thank you to our users for your support, patience, and trust. Our core value as a company is to care, and we hope we have shown that through our actions over these past 90 days — and will continue to show it through future actions.

Email This Post Email This Post