CIO Zoom 5.0 Video Conferencing Risks: Still not failsafe?
Zoom 5.0 video conference service (VS) is not safe for most businesses due to ongoing data security risks!
During the COVID-19 tidal wave, many millions in the workforce had to work at home where possible. Many organizations needed to stand up missing video conferencing services fast. Growing numbers of remote workers adopted Zoom’s no/low cost, easy set-up, cloud-based service for high quality videoconferencing. As Zoom usage skyrocketed, organizations and researchers uncovered many severe security risks. Significant security findings showed up in data privacy, design/features, and encryption.
After many Zoom CEO apologies and promises, these security findings were addressed for each design/feature issue. Zoom’s acquisition of Keybase for improved encryption supports its data security. Finally, Zoom released V5.0 as an app security overhaul. It improves and hardens most security designs and features.
Can Zoom’s adoption rate keep burning bright?
Now, Zoom’s marketplace is shifting away from large enterprise businesses to smaller types of organizations and consumers. Going forward, many enterprises are leveraging other comprehensive telework suites with video conferencing services.
Today, a teleworking tool suite includes more services than video conferencing. CIOs must build out more secure and robust enterprise telework service suites with VS platforms. Many enterprises already deploy more than one business video conference service. CIOs continue to leverage/upgrade global and regional non-Zoom VS offerings.
Read on for Zoom V5.02’s two remaining security risks and Zoom’s best-fit industry sectors, with five VS recommendations.
Zoom’s Large Chinese Software Dev/Ops Sites – A Major Risk!
Most organizations use Chinese assemblies, parts, and products for global, cost-effective supply chains. In this case, the usual risk is critical supply issues for organizations. Businesses manage it all the time. These supply chains are typical for the US as well as other countries. With China, India, and other countries, there is a risk of stolen IP, fake products, and copied business apps/models. Software outsourcing usually covers smaller, modular components so that these risks can be controlled and managed. But Zoom outsources almost all software to China.
Zoom’s three key software DevOps and R&D sites are in China. It owns two of the firms; the third, called American Cloud Software Technology, has unclear ownership and control, and it is unclear what services it provides to Zoom. For Zoom, seventy percent of the workforce are non-US-based employees.
Zoom’s China-based IT operations support its global data centers in regional sites. These include two regions in China and the US.
The Opaqueness of China Offshore Software
Organizations have little to no insight into Zoom’s opaque Chinese operations. Zoom’s critical risk is its use of China’s resources, such as hardware, networks, and workforce, including development/operations (DevOps). These large offshore worksites make Zoom a high-risk choice for organizations in the US, EU, and other countries. Zoom has been banned by the US (federal government/military), Germany, India, Taiwan, and the UK. A growing list of high-profile global companies has banned it as well, and more country ban announcements are likely to follow.
China Government Involvement Risk
Despite all the security changes in V5.02, Zoom still uses its DevOps sites within China. China-based tech firms are subject to Chinese government surveillance and data requests. Thus, Chinese-based turnkey technology apps are usually banned by countries, governments, or organizations. Why? These entities have significant business/operational risk exposure. The key risks are Intellectual Property (IP) and sensitive customer/business data privacy, both of which demand a high level of security. This size and type of software outsourcing is a very high-risk barrier for most organizations.
Use of Third-Party Software Development Kit (SDK) – Key Data Privacy Risk!
Most free app services make their money by up-selling more products/services and selling access to their customer data. Data is extracted through custom SDKs that third-party developers supply to other companies. For example, Zoom embeds third-party SDKs, including Facebook’s. Zoom’s use of the Facebook SDK has resulted in new user privacy lawsuits. Zoom’s key US cases fall under the California Unfair Competition Law, Consumers Legal Remedies Act, and the Consumer Privacy Act. Privacy investigation cases are also open in Massachusetts and New York. Under the EU’s General Data Protection Regulation (GDPR), Zoom’s EU data privacy violations could carry huge fine exposure too.
Data Privacy Risks are Critical
CIOs need to communicate frequently with their corporate leadership on data privacy risks. Data collection by third-party SDKs for unauthorized purposes raises critical data privacy risks. Organizations must vet all third-party developer SDKs in their apps. Software certification is easiest done as a case-by-case risk assessment. The IT Governance, Risk, and Compliance (GRC) process must perform an SDK assessment. All new software needs continuous change management and code scanning. This reveals any hidden features and their risks, so that data privacy compliance, required risk controls, and oversight management can be applied. Organizations can otherwise miss data risks hidden in SDK software. SDK data risk can result in lost business, IP, R&D, and hefty governmental fines.
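One way to put the SDK assessment into a change-management gate, as an added example that is not from the article or from Zoom: diff the third-party SDK inventory of two app builds and block release when a newly added SDK is on a data-sharing watchlist. The lockfile excerpts, the hypothetical app, and the watchlist entries are constructed for illustration.

```python
"""Third-party SDK change-management check (added example, not from the article)."""
import re

# Constructed CocoaPods-style "PODS:" excerpts for a hypothetical app build pair.
PREVIOUS_BUILD = """PODS:
  - AFNetworking (4.0.1)
  - SSZipArchive (2.2.3)
"""
CANDIDATE_BUILD = """PODS:
  - AFNetworking (4.0.1)
  - FBSDKCoreKit/Basics (6.2.0)
  - FBSDKLoginKit (6.2.0)
  - SSZipArchive (2.2.3)
"""

# Assumed watchlist: SDKs whose vendors monetise user data and therefore need
# a documented privacy/GRC assessment before a build that adds them is approved.
DATA_SHARING_SDKS = {"FBSDKCoreKit": "Facebook", "FBSDKLoginKit": "Facebook"}

POD_LINE = re.compile(r"^\s+-\s+([A-Za-z0-9_./+-]+)\s+\(([^)]+)\)")


def parse_pods(manifest):
    """Return {sdk_name: version} from a PODS: section; subspecs collapse to the parent."""
    pods = {}
    for line in manifest.splitlines():
        m = POD_LINE.match(line)
        if m:
            pods[m.group(1).split("/")[0]] = m.group(2)
    return pods


def assess_change(previous, candidate):
    """Return one finding per SDK that is present in the candidate but not the previous build."""
    old, new = parse_pods(previous), parse_pods(candidate)
    findings = []
    for name in sorted(set(new) - set(old)):
        vendor = DATA_SHARING_SDKS.get(name)
        findings.append({
            "sdk": name,
            "version": new[name],
            "severity": "privacy-review" if vendor else "inventory",
            "vendor": vendor,
        })
    return findings


def build_blocked(findings):
    """Block release until every data-sharing SDK finding has a recorded GRC review."""
    return any(f["severity"] == "privacy-review" for f in findings)
```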
Who Should Use It?
Although Zoom V 5.0.2 is a high-quality VS product, it is recommended for small businesses/organizations and consumers. Both data privacy and business security risks still exist. Zoom’s app is not for every organization. See the table below for consumer and industry sector recommendations.
Consumer and Industry Sector Recommendations

| CONSUMER / INDUSTRY SECTOR | USABILITY FOR KEY RISKS |
|---|---|
| Consumer/Religious/Social/Small Firms | YES, use without any confidential data |
| Agriculture | YES, limited and backup use |
| Biotech/Pharma – Products/Research/Vaccines | NO |
| Education | NO, use school apps, limited backup use |
| Entertainment/Media | NO, limited and backup use |
| Health Care Delivery/Products/Services | NO, limit backup – pandemic telemedicine only |
| Real Estate Services – Consumer/Commercial | YES, limited transactions B-B, B-C |
| Travel and Leisure | YES, B-B, B-C, C-C |
| Technology – R&D, Products, Services | NO |

Notes: B-B refers to business to business, B-C to business to consumer, and C-C to consumer to consumer.
Video Conferencing Services (VS) Recommendations
For VS apps, as well as any other new telework app, apply these key recommendations:
- Never trust any software development code,
- Always apply timely security updates, whether for Cisco WebEx or any other service; use Zoom 5.02/03,
- Always run continuous change management (CCM) and code scanning processes to find any hidden features, including data leakages,
- Always verify all invitees before they enter a call/video session, and
- Use meeting invites instead of your VS personal room.
The organizational workforce size and mix will change post-pandemic. The Chief Talent Officer (CTO) focus is changing too. CTOs must support an increasing shift in the mix of employees teleworking. New workforce structures and VS tools need to be in place for the growing number of remote users. Projections for the pandemic aftermath put the workforce shift to telework with VS at around a 20 percent-plus increase under the rightsized model. The entire reshaped workforce mix may downsize to 20 percent fewer workers post-pandemic.
The next note will provide insight reviews on top-tier enterprise telework suites with VS.
Go here for more advice and insights:
“Recommendations for Key Management: General Part 1, SP 800-57 Part 1 Rev.5”, ITL Bulletin, Computer Security Resource Center, NIST, May 4, 2020.
“Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions,” ITL Bulletin, Computer Security Resource Center, NIST, March 20, 2020.
United States Securities and Exchange Commission, Form S-1 and Form 10-K, Zoom Video Communications, Inc., March 22, 2019, and January 31, 2020.
Copyright © 2020 HAWALD ADVISORY, LLC. DISCLAIMER: This article is entirely my opinion without financial payments. The peer review was by Richard Stiennon and Jeff Vining. The image is by pixabay.com. Member of The Analyst Syndicate.