90-Day Security Plan Progress Report: May 6
We’re continuously making progress on our 90-day plan to improve the security and privacy of the Zoom platform. This week’s “Ask Eric Anything” webinar focused on highlights from the first 30 days, upcoming security changes to all Zoom accounts, and when to use a meeting or webinar for your Zoom event.
Zoom CEO Eric S. Yuan was joined this week by Zoom CPO Oded Gal and Lynn Haaland, Zoom’s Deputy General Counsel, Chief Compliance and Ethics Officer. Zoom CTO Brendan Ittelson and Alex Stamos, a security adviser to Zoom, also joined for the Q&A.
Here are some updates from the past week and what’s coming:
Key takeaways from this week’s session
Progress made in April
Here are some of the key milestones in the first 30 days of our 90-day security plan:
New security defaults on for Basic accounts
This weekend, we will require passwords on all Basic accounts, turn waiting rooms on by default, and set screen sharing to hosts only by default. At a future date, we will institute new defaults and settings for all Zoom accounts. Most notably, passwords will be required for all meetings (new and recurring) and webinars, including for phone attendees. We’ll also provide more management over virtual backgrounds and will disable the ability to join meetings from multiple devices. Look for additional communications on these changes in the coming weeks.
Zoom 5.0 reminder
Zoom 5.0 became generally available on April 27. System-wide account enablement of AES 256-bit GCM encryption will occur on May 30, 2020, and starting that day only Zoom clients on version 5.0 or later, including Zoom Rooms, will be able to join Zoom Meetings. We encourage users to update to 5.0 today; Zoom admins should visit our IT administrators page to manage this update in their environment. Users can preview the GCM experience at zoom.us/testgcm.
Meetings vs. webinars
Oded gave context on the different ways of leveraging Zoom to securely host an online event. Meetings are much more commonly used, but you’ll have more control and better attendee management with webinars. Some of the key differences:
View our support article for a feature comparison, or watch this recording for examples and use cases.
Report a User
Lynn reiterated that offensive or abusive conduct violates Zoom’s terms of service and that reports filed using the Report a User feature go to our Trust & Safety team, which will review each report on a case-by-case basis and take appropriate action. That could include suspending or terminating the account or even involving law enforcement when warranted.
Here are some of the topics raised by webinar attendees that were addressed live this week:
Does 5.0 encryption affect the performance of the Zoom client?
Alex said that AES 256-bit GCM encryption is extremely efficient, and most modern devices have embedded hardware support to accelerate this type of encryption, which means very little to no impact on the performance of the Zoom platform.
Can I change my Personal Meeting ID (PMI)?
Free Zoom users cannot change their PMI; however, paid users have the option to change their PMI in their account settings.
Do webinars offer better protection against disruptions?
Webinars are great for hosts looking to prevent disruptions because webinar attendees have fewer interactive privileges without permission from the host.
Can admins control what virtual backgrounds are used in their organizations?
We are currently working on a feature where users are only allowed to use pre-approved virtual backgrounds uploaded by Zoom admins.
What are the options for authenticating users prior to meeting on Zoom?
There are three options you can choose from to authenticate users who are joining a Zoom Meeting. You can require the user to:
- Be signed into a Zoom account
- Sign in using a certain email domain
- Join using a single sign-on (SSO) provider
Thank you for your support
Thanks for attending this week’s session, and thank you to everyone who submitted questions! We are grateful for your support on our journey to make Zoom the world’s most secure enterprise communications platform.
If you missed this week’s session, you can watch the recording here: