COVID-19 has forced the world to work from home and interact at a distance, something that not all countries had adopted in the same way before. For instance, online conferencing is not a preferred option in Korea. In my case, some of my customers who are 4 hours away still want my team and me to visit them for a 30-minute introductory meeting. Despite this preference, people have had to adopt digital engagement technology in order to do business during COVID-19. Online conferencing is now essential and has become the new normal for meetings, and I'd like to review the Zoom cybersecurity incidents as a case study of what happens when a platform neglects to evolve its cybersecurity posture.
As the world transitioned to working digitally, Zoom had a huge opportunity to meet the needs of consumers during the initial onslaught of COVID-19. Zoom is a video-conferencing platform that gained popularity for use in business meetings and online classes at schools due to its low cost and usability. Zoom's share value nearly doubled despite the US Nasdaq index dropping more than 10% since the beginning of 2020.
However, Zoom's dominance did not last long, owing to a rapid series of security incidents. For example, one attacker joined a school's virtual Zoom classroom without permission and uploaded pornographic images. Hijacking incidents like this, called "Zoom bombing", have been emerging nationwide since March. It was also confirmed that more than 500,000 Zoom accounts are for sale on the Dark Web. In addition, Zoom routed data through China for non-China users. CEO Eric Yuan admitted that call data was routed "by mistake" while coping with a huge increase in demand, saying: "In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect."
Zoom's processing of personal information is also a serious privacy problem. On March 30th, Robert Cullen of Sacramento filed a suit against Zoom for alleged contravention of California's new data privacy laws by not adequately obtaining informed consent from users regarding the data transfer, Vice.com has reported. On April 8th, Zoom also faced an investor lawsuit over privacy and security flaws concerning shortcomings in the app's software encryption, including its alleged vulnerability to hackers, as well as the unauthorized disclosure of personal information to third parties including Facebook. In a message posted on the company blog on April 1st, Zoom CEO Eric Yuan stated that Zoom will not sell user data. On April 22nd, Zoom also announced that it would add major security controls with the new release v5.0 as part of a 90-day plan. Enhancements included authentication through password use to join meetings, meeting IDs, and new encryption.
With the unexpected arrival of COVID-19, digital transformation and cloud adoption are inevitably accelerating, and companies like Zoom are forced to adapt quickly. It's crucial to learn from past security incidents to assess potential gaps and prevent future threats. Let's lock the stable door before the horse has bolted. I've drawn four conclusions from the Zoom case study:
- Always verify with the Principle of Least Privilege (PoLP): You have lots of options for identity and access management. The challenge is that stronger authentication is less user-friendly. For competitive identity and access management solutions in the digital world, the key to success is balancing security and user experience. You can consider AI-powered adaptive access technology to find the sweet spot between the two.
- Data must be protected everywhere: Personal data consumed for personalization requires more protection, and many enterprises have data-protection controls that address compliance regimes such as GDPR and PIPA. But keep in mind that your data is going to a cloud outside your data center, where it is managed by the cloud provider. You should consider how to protect not only personal data but also confidential corporate data. It should be encrypted with secure keys owned by you. Access to data should be monitored without gaps, including access by privileged users such as system administrators and developers.
- Identify threats and act immediately with insight: During cloud transformation, you might experience more skill gaps and a lack of resources to leverage cloud-native security, augment security controls over the cloud, and establish new security processes. Threat actors can attack you while you are struggling with these. For more details on how much cost incident response and security automation can save, see the 2020 Cost of a Data Breach Report.
- Build sustainable security governance: Security policy and governance should be established and consistently managed. Protecting the enterprise cloud is not accomplished by adding a few more controls or point solutions alone. Success requires a holistic approach to ensure the continued security of the workload.
If you need some help on your journey to cloud, IBM helps enterprise customers move more securely and confidently to hybrid multicloud solutions and integrates security into every phase of your journey so that you can lead in cloud transformation, securely.