The use of Zoom within DevOpsGroup

Between December 2019 and April 2020, largely driven by the Coronavirus pandemic, Zoom’s daily meeting participants increased by 2900%, from 10 million per day to 300 million per day. This surge in popularity, together with Zoom’s uptake by public bodies and governments around the globe, has quite rightly prompted increased scrutiny of its security practices.

Security:

DevOpsGroup has taken the following actions to ensure we communicate as securely as possible. All of these steps are in addition to the published improvements/fixes made by Zoom:

  • Enforced Encryption on all 3rd Party Endpoints
    • Zoom has clarified its position on end-to-end encryption here. Whilst we leverage the Cloud Recordings connector, data is encrypted both in transit and at rest.
  • Enabled password protection for all Cloud Recordings.
  • Enabled password protection for all Personal Meetings, Scheduled Meetings and Instant Meetings. The password is shared with invited individuals in the invitation email or is delivered within a direct URL as provided by the meeting host.
  • Removed China and Hong Kong data centres / Regions from hosting our meeting data. We remain connected to all other world regions to best support dial-in functionality from across the globe.

As of June 2020, Zoom has completed its implementation of AES 256 GCM encryption, which is mandatory for all Zoom users via a forced software upgrade. All DevOpsGroup staff are now using this latest version.

Privacy and data collection:

DevOpsGroup Zoom Organisation administrators have the ability to see data for every meeting conducted within our organisation. The number of administrators with access to this data is kept at an absolute minimum as we strictly adhere to the principles of least privilege.

The data available to us focusses on the participants of a given meeting, and is designed to provide an insight into each user’s experience for troubleshooting purposes.

This data includes the following for each participant:

  • Participant device CPU performance metrics at a system level and Zoom level.
  • Network performance metrics for audio, video and screen sharing.
  • Zoom client version
  • The microphone, speaker and camera device name as it would be shown in your client settings.
  • The participant name as configured in the Zoom client and as shown in meetings.
  • Location (derived via geo-IP)
  • Remote address and local address. (This shows the user’s external IP address as well as their IP address within their local network)
  • Type of device (Windows/Mac/iPad etc.)