The American digital conferencing solution company Zoom has recently experienced a major upsurge in the popularity of its offerings due to the Covid-19 pandemic. As part of many companies' Business Continuity Planning efforts, there has been a major need for meetings and other business-focused gatherings to take place online rather than in person. Zoom supports this by being practical, affordable and easy to pick up. These attributes have led to the cloud-based conferencing solution being adopted by government, enterprise, educational and many other organisations.
Despite the positive attributes of Zoom's services, the company has recently been in the spotlight in relation to security concerns. Aside from a number of security vulnerabilities, Zoom has been questioned about its claims relating to the end-to-end encryption used to secure calls on its services. Another area that has been questioned is its encryption standards: allegedly Zoom claimed that the AES256 encryption standard was used to secure calls, but researchers at Citizen Lab found that AES128 in ECB mode, a significantly weaker mode of operation and not the recommended standard, was used. Data sovereignty issues have also been identified in Zoom's services, as a number of their encryption servers are in different jurisdictions.
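To make the ECB weakness concrete, the following Go example (added here; not InPhySec's, Citizen Lab's or Zoom's code) encrypts a deliberately repetitive message with AES-128 under ECB and under AES-GCM, then counts identical ciphertext blocks: under ECB, equal plaintext blocks produce equal ciphertext blocks, so repeated content such as silence or a static video region remains visible in the ciphertext. The key, nonce and message are constructed for the demonstration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// ecbEncrypt encrypts each 16-byte block independently. Go's standard library
// deliberately offers no ECB mode; this helper exists only for the comparison.
func ecbEncrypt(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	out := make([]byte, len(plaintext)) // plaintext length is a block multiple
	for i := 0; i+bs <= len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// countRepeatedBlocks counts ciphertext blocks identical to an earlier one. Under
// ECB, equal plaintext blocks give equal ciphertext blocks, so structure leaks.
func countRepeatedBlocks(ct []byte, bs int) int {
	seen := map[string]bool{}
	repeats := 0
	for i := 0; i+bs <= len(ct); i += bs {
		k := string(ct[i : i+bs])
		if seen[k] {
			repeats++
		}
		seen[k] = true
	}
	return repeats
}

// Demo encrypts a constructed, highly repetitive 128-byte message with AES-128
// under ECB and under GCM and returns the repeated-block count for each.
func Demo() (ecbRepeats, gcmRepeats int) {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed key
	if err != nil {
		panic(err)
	}
	plaintext := bytes.Repeat([]byte("SAME 16-BYTE BLK"), 8) // 8 identical blocks
	ecbRepeats = countRepeatedBlocks(ecbEncrypt(block, plaintext), block.BlockSize())
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := []byte("constructed!") // 12-byte nonce; never reuse one under a key
	ct := gcm.Seal(nil, nonce, plaintext, nil) // CTR keystream plus auth tag
	gcmRepeats = countRepeatedBlocks(ct[:len(plaintext)], block.BlockSize())
	return
}
```

Running Demo gives 7 repeated blocks under ECB (every block after the first) and 0 under GCM, which is the pattern leakage the Citizen Lab finding refers to.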
Although InPhySec acknowledges these security issues with the Zoom conferencing application, we feel that the takeaway message from this isn't necessarily to do with Zoom's solutions themselves. The messages we have identified are more on a general level that can be applied to any cloud solutions.
Message 1:
Perform extensive research when selecting Cloud applications that fit your business needs.
Rather than taking marketed statistics and the perceived popularity of Cloud applications as major consideration points, we would advise that legitimate technical detail sources, such as whitepapers, be analysed against your business's specific use case and requirements to determine the suitability of potential Cloud applications. For example, designing a Weighted Decision Matrix is a quick and objective method for comparing various applications against your needs. As part of this, we highly recommend performing a risk analysis of what data is to be secured with said applications. In the case of Zoom, its revealed encryption standards may be suitable for lectures or classes in an educational environment. However, these encryption standards and the identified data sovereignty issues may make Zoom insufficient in environments where highly confidential or sensitive information needs to be discussed.
NetSkope's Cloud Confidence Index (CCI) is a scoring system for Cloud applications which may prove to be invaluable while selecting Cloud applications for your business; it objectively states the enterprise readiness of over 30,000 applications, with the weighting of these ratings being adjustable depending on your business requirements.
Message 2:
Consider multiple levels of security to protect Cloud applications in the event of unforeseen compromises.
Relying solely on the security mechanisms of a given Cloud application may be high risk, even if it is deemed "secure", as there is then a single point of failure which, if compromised, could cause a security breach. Additionally, if unforeseen exploits or security weaknesses are identified, the strength of the app originally deemed "secure" is lowered. For these reasons, it is recommended to investigate controls which can be used to secure these Cloud applications; this adds a further layer of security which adversaries would need to break through, irrespective of how secure the Cloud applications themselves are. Given the unique operation of Cloud applications as opposed to previous on-premise applications, a next generation Cloud Access Security Broker (CASB) solution such as NetSkope is recommended. This security mechanism would also be especially useful in environments where it is not practical or feasible to replace existing applications and solutions with newer "secure" ones, as it would significantly reduce the risk of these applications being exploited.