Zoom Video Communications, Inc. (Zoom) recently received a variety of third-party certifications and attestations, unveiled product innovations, and established programs, which collectively demonstrate the many initiatives undertaken at Zoom that help protect the security and privacy of its users.
“Safety, security, and privacy are at the core of how we make decisions at Zoom and enhance our platform,” said Zoom Chief Information Security Officer Jason Lee.
“We remain committed to being a platform that users can trust for all of their online interactions, information, and business.”
Third-party certifications and attestations demonstrate effectiveness
At Zoom, third-party certifications and standards are integral to its security program’s foundation. Zoom recently expanded its list of growing attestations with the following:
· Publication of a Data Protection Impact Assessment (DPIA) on Zoom’s Meetings, Webinar, and Chat services from SURF. SURF, the collaborative organization for IT in Dutch education and research, and Zoom agreed to several actions in the course of collaborating on the DPIA. These include new features, improved transparency and documentation, enhanced practices, and a measurement plan. Learn more about the outcomes here.
· Achievement of the Cyber Essentials Plus certification. This demonstrates Zoom’s commitment to the UK by achieving a security scheme, which makes it easier for local customers to assess the company’s IT systems. Learn more about this certification here.
· Provisional Authorization (PA) for Zoom for Government from Defense Information Systems Agency (DISA) for the Department of Defense (DoD) at Impact Level 4 (IL4). With this PA, the entire Zoom for Government platform will be available for use for those organizations in need of IL4-authorized solutions. Learn more about this authorization here.
· Common Criteria Certification. The Zoom Meeting Client is the first video communications client to attain certification for Common Criteria Evaluation Assurance Level 2 (v3.1 rev. 5), issued by the German Federal Office for Information Security (BSI). Learn more about the certification here.
· ISO/IEC 27001:2013 certification and SOC 2 + HITRUST requirements. Zoom Meetings, Zoom Phone, Zoom Chat, Zoom Rooms, and Zoom Webinar are now certified as International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) 27001:2013 compliant. Zoom also expanded the scope of its SOC 2 Type II report to include additional criteria to meet Health Information Trust Alliance Common Security Framework (HITRUST CSF) control requirements. Learn more here.
Features designed for security and privacy
In addition, Zoom continues to enhance its security features for all users with the introduction of recent innovations such as automatic updates in the Zoom client. With automatic updates, Zoom is helping users to receive important security fixes and other features, improving their overall experience with the Zoom platform.
Innovations that will soon be available include a Bring Your Own Key (BYOK) offering, which will be released this year, and Zoom’s end-to-end encryption (E2EE) offering will be rolled out to Zoom Phone, for one-on-one, intra-account phone calls that occur via the Zoom client later this year.
Industry collaboration for a more secure future
To meet the growing needs of its global customer base, Zoom has established programs that bring in expertise and skills from around the world to inform security innovation and identify potential threats. These include a CISO Council to foster a strategic feedback loop for upcoming security and privacy innovation, and the development of a Data Security and Protection (DSP) Toolkit in support of the National Health Service (NHS). Additionally, Zoom offers bespoke solutions for specific audiences across industries and locations, such as:
· Zoom X powered by Telekom. Zoom and Deutsche Telekom committed to developing a joint solution specifically for the German market called Zoom X powered by Telekom, which combines the experience customers love from Zoom with the trusted network and service delivered by Deutsche Telekom. Leveraging Zoom’s seamless video communications platform, customers are enabled to set up and manage meetings intuitively across all end devices.
· Zoom for Government. Zoom for Government, which is designed for U.S. federal agencies, is also available to U.S. state and local government customers, as well as other approved businesses and organizations that support the U.S. government. Zoom for Government includes 256-bit AES-GCM encryption as well as optional end-to-end encryption (E2EE) for Zoom Meetings. The Zoom for Government platform (which includes Zoom Meetings, Zoom Webinar, Zoom Chat, and Zoom Phone) has achieved the following:
- FedRAMP Moderate authorization in February 2019
- An Authorization to Operate with Conditions (ATO-C) at Department of Defense Impact Level 4 (DoD IL4) for ZoomMeetings with the Department of the U.S. Air Force in June 2021
- A Provisional Authorization from the Defense Information Systems Agency for DoD IL4 in March 2022
- A Criminal Justice Information Services (CJIS) attestation in January 2022 A HIPAA attestation in March 2021
Tapping into the power of the security community
In addition to the daily testing that Zoom conducts on its solutions and infrastructure, Zoom invested in a skilled global team of security researchers via a private bug bounty program. Hosted on HackerOne’s platform, the world’s most trusted provider of ethical hacking solutions, the program led to the recruitment of over 800 security researchers whose collective work resulted in the submission of numerous bug reports, and awards of over $2.4 million in bug bounty payments since the program was introduced. In 2021 alone, Zoom awarded over $1.8 million across 401 reports.
Furthering education on Zoom security and privacy features
Zoom keeps privacy and security top of mind for all end users. Zoom launched its Trust Center, a one-stop shop for assets and information on Zoom compliance, privacy, safety, and security. It includes compliance and corporate governance resources, a detailed privacy overview, security resources and certifications, a detailed trust and safety overview, and more. Zoom also recently introduced its Learning Center, which provides a series of free courses to get the most out of Zoom. Users can complete a “Zoom Security Basics” training and earn the “Security Champion” badge. The Zoom Trust Center and Learning Center also contain information on Zoom’s security features and how to keep meetings secure. This includes pre-meeting and in-meeting settings such as passwords set at the individual meeting, user, group, or account level; meeting Waiting Rooms; the ability to lock a meeting, remove, mute or place participants on hold; and much more.