Zoom details security gains and privacy roadmap updates (Full Transcript)

Zoom reviews 90-day plan progress, E2EE, MFA, compliance work, transparency reporting, and upcoming features like BYOK and chat etiquette controls.

[00:00:19] Speaker 1: Okay, great. I think we'll go ahead and get started now. Thanks everyone for joining us today. I'm Hilary Ross, Zoom Security Product Marketing Manager, and I'll be moderating today's event. Before we get started, a few quick housekeeping items. Please go ahead and add all your security and privacy questions to the Q&A panel, and we'll try to get to as many as possible. For questions on how to use certain features, we highly recommend you visit our knowledge base at support.zoom.us, watch our how-to videos on YouTube, read our blog posts, or attend a daily training. We'll add the links to these resources in the webinar chat. We are recording today's webinar, and we'll send the link to all the registrants. We're once again excited to provide you an update on all the progress we continue to make with respect to privacy and security, as well as the opportunity to ask Eric and a few of our top team members questions. Today, we're going to have Eric, our founder and CEO, kick off the webinar with some opening remarks. Gary Sorrentino, our Global Deputy Chief Information Officer (CIO), will moderate a fireside chat on Zoom security and privacy with key members of our team. He'll be followed by Rod Schultz, who will take us through some product and security updates that we have planned. And lastly, we'll open it up for Q&A. And before we conclude today's webinar, we're going to be raffling off a few Zoom t-shirts. We'll drop the raffle link in the webinar chat to enter. Just enter your information through the link and stay tuned to the end. And with that, I'll turn it over to Eric. Thanks.

[00:01:40] Speaker 2: Thank you, Hilary, and thank you all for joining me today. Thank you. So once again, we are very excited to welcome you back to our webinar, which we are continuing to host as part of our ongoing commitment to being transparent with our users about our privacy and security efforts, as well as to share some product updates. So I'd be remiss if I didn't acknowledge the milestone that today's webinar represents. It is nearly one year since we first initiated the Ask Eric Anything webinar last spring as part of our 90-day plan, during which time we focused wholly on enhancing the privacy and security of our platform. Last March, the World Health Organization declared the COVID-19 outbreak a global pandemic, and shortly thereafter, the entire world as we knew it was completely upended. Whether you were an executive for a global corporation needing to maintain business continuity, a schoolteacher educating students remotely, or a friend wanting to host a happy hour to spark some joy while social distancing, you had to manage unique challenges to keep your lives and livelihoods going. Video communications helped you do that. They were a lifeline for society, enabling all of us to continue work and school in a digital environment. We all lived this, but the data backs it up. According to a study conducted by Boston Consulting Group and commissioned by Zoom, from 2019 to 2020 there was a 2.5x to 3x increase in employees working remotely at the businesses surveyed. This was supported by a 2.4x to 2.7x increase in employees using video conferencing solutions. Of these surveyed businesses, the total time spent on video conferencing solutions increased by 3x to 5x in 2020. At Zoom, we certainly saw this in action, as it brought an influx of new users and brand new use cases to our platform. Usage of Zoom skyrocketed, as you all know, from 10 million daily meeting participants in December 2019 to 300 million in April 2020.
And we found ourselves working around the clock to help businesses, schools, and others across the world stay connected. In part because we had so many new users using our platform in new and different ways, we enacted a 90-day plan in April 2020 to ensure privacy and security were our top priority and the cornerstone of everything we do. While we accomplished a great deal in those 90 days, it was just one step, and it set us on a path to make continued progress, as you can see on this slide. Highlights during the months of April, May, and June included the release of Zoom 5.0, which included a number of security enhancements and features to help users protect their meetings. Additionally, we acquired Keybase, a great company, and based on Keybase technology, we launched our end-to-end encryption. We also launched our CISO Council and enabled control over data routing. During July and August, we improved waiting room notifications and the implementation of passcode and waiting room options at the top of meeting schedules. Also in September and October, we expanded support for two-factor authentication and released phase one of our end-to-end encryption offering based on the Keybase technology. In November and December, to help users combat meeting disruptions, we implemented the At-Risk Meeting Notifier, which scans public social media posts and other websites for publicly shared Zoom meeting links. We also made enhancements to authentication profiles. And in January and February, we implemented more end-to-end encryption feature parity and launched our Trust Center. And later this month, we are launching a new feature called the Chat Etiquette tool, which Rod will elaborate on later. And as part of our ongoing commitment to privacy and security, we continued to build out our strong security team. Here's a snapshot of some of the members of our security team who have joined Zoom recently to help us further strengthen our platform.
I will now hand it over to our Deputy Chief Information Officer, Gary Sorrentino, who will moderate a fireside chat on Zoom's security and privacy with key members of our team.

[00:07:29] Speaker 3: Thank you so much, Eric. So to give us a little look under the hood, we've brought together today a few key members of Zoom's privacy and security team to share more insights from Zoom's security journey over the last 12 months, as well as to discuss some of our ongoing commitments to privacy and security across our platform. With that, I'd like to welcome Richard Farley, Zoom's Deputy CISO; Randy Barr, our Head of Product Security; Lynn Holland, our Chief Privacy Officer and Chief Compliance and Ethics Officer; as well as Rod Schultz, our Head of Product Security and Privacy. So before we begin, it would be great if you could all just give a brief self-introduction. So Lynn, let's start with you.

[00:08:14] Speaker 4: Great. Thank you so much, Gary, and thank you for the invitation today. My name, as Gary has said, is Lynn Holland. I joined Zoom in January 2020, and I'm just really thrilled to be a part of this team and to be continuing to work with Eric, our COO Aparna Bawa, and others here on Zoom's tremendous journey. Prior to joining Zoom, I was the Chief Compliance and Ethics Officer and Chief Counsel for Cyber and Deputy GC at PepsiCo. And before that, I was at the U.S. government as a prosecutor for many years. So thank you again. I'm delighted to be here.

[00:08:53] Speaker 3: Let's move over to Richard.

[00:08:55] Speaker 5: Thanks, Gary. I'm Richard Farley. I'm the Deputy CISO, and I'm within the organization of Jason Lee, our CISO, helping him to implement and manage our security program. I've been at Zoom for coming up on two and a half years now, so I'm one of the folks that's been around for a little bit of time here at Zoom. My focus areas within the security team are our cyber risk management function; our security awareness, training, and documentation program; as well as what we call security standards compliance, so working towards various different certifications and managing the definition of the security controls that we are implementing to keep our infrastructure secure. And then finally, what we call our customer security assurance function, which is meeting with our customers to talk about our security program, assisting our sales team during pre-sales efforts, and meeting with customers to answer their security questions related to our program.

[00:10:03] Speaker 3: Great. Thanks, Richard. Over to you, Randy.

Speaker 6: Thanks, Gary. My name is Randy Barr. I head up the product security team at Zoom. I joined in January last year, like Lynn, and as you can imagine, was part of the many changes that Zoom experienced back then as the user base, demand, and everything else grew dramatically across the world in a matter of days. I'm currently managing three security programs, which include security operations engineering, threat and vulnerability management, and the trust and safety security engineering team. Prior to joining Zoom, for the past 20 years I held CISO positions across multiple verticals with a focus on cloud services. I'm excited to be here today to talk about the unique challenges presented by virtual work, especially as we begin to emerge, slowly but surely, into the new norm of work. But even as we begin to emerge, Zoom will not let our guard down when it comes to information security, and I'm looking forward to hearing more during the fireside chat.

[00:11:00] Speaker 3: Great. Thank you so very much. Rod, over to you.

Speaker 7: Thanks, Gary. I'm Rod Schultz. I'm head of product security and privacy. I joined the team in September. My background is in engineering: I started my career at Cisco, went to Apple, then to Adobe, and then spent the last five and a half years in the startup space, five of those in cybersecurity, doing cryptographic key management. I was the chief product officer for Rubicon Labs. At Zoom, I'm focused on creating trust in the product, so anything that interfaces with the customer starts to come to me, and that trust really begins with data protection, data control, and trust and safety with the platform in general. I'm excited to be here and really excited to start building out a very interesting and expanding platform as Zoom really moves into the next phase of its growth.

[00:11:58] Speaker 3: Great. Well, thank you all. Let's get started. So, Richard, I've got to throw the first one to you. We heard Eric mention the 90-day plan. So during Zoom's 90-day plan last year, the company undertook a development freeze. What did we actually accomplish?

[00:12:15] Speaker 5: Yeah, it was a pretty intensive effort on the part of the entire company, but particularly within the engineering and security and privacy teams. We shifted all of our engineering resources to focus on enhancing the security and privacy features of the Zoom platform, and during that time, we released well over 100 security and privacy-related features as part of that initiative. That includes the Zoom 5.0 release, which enhanced our foundational encryption to AES 256-bit GCM for all of our meetings, and that's for all of our users, whether those users are paying for their subscriptions to Zoom or whether they're on a free plan. We made significant UI updates to put the security controls for meetings front and center for the meeting hosts, so that the hosts could have full control over their meetings in real time, accessing our security features with just a couple of clicks. So things like controlling admission to the meeting via the waiting room, turning on and off the ability for participants to share their screen, kicking out a user or rejecting a user from a meeting, or fully locking the meeting once all of the participants are on board. We also set stricter security settings as the default for all of our users, such as meeting passcodes and the waiting room feature, and we gave the account administrators the ability to customize data routing across the entire global Zoom network by giving them the option to include or exclude individual Zoom data centers from transiting meeting traffic. But we didn't stop just with the 90-day plan. I think as Eric alluded to, toward the end of last year, we expanded support for multi-factor authentication for all of our users.
So even for users who are not on an enterprise single sign-on platform, they have the ability to add multi-factor authentication to their account to ensure that they're the only ones that can log into their account. We also released our full end-to-end encryption capability that's available to all of our users, and that was done shortly after the 90-day plan was complete. So with that end-to-end encryption, the encryption keys that protect your meeting are generated by the meeting participants rather than Zoom servers, and nothing on the network in between the participants of the meeting can see that encrypted traffic.

[00:14:52] Speaker 3: Wow, that seems like a lot. So Randy, let's move over to you. Do you have any best practices from expanding the security program in general?

[00:15:01] Speaker 6: Gary, as you know, to an extent, security professionals worry for a living. And that's why we're here. It's our job to assess the risks and identify the possible blind spots before they even swell into problems. We thrive in environments that we can control, with some degree of predictability and oversight. But certainly, we had a very big task facing us last year. Organizations were looking to us to make sure that we kept the show on the road, so to speak, ensuring that operations could continue in the most secure way possible. But a couple of takeaways that I had in the past year: one of them is having a strong team focused on delivering on objectives and continuously reviewing how that aligns with the current state, either security initiatives or potential actors out in the wild. Tracking specific projects and tasks, and stressing the importance of having dates assigned to each of these security tasks, allows us to better track what our progress is and where the potential opportunities to improve are. That's one takeaway. The other takeaway, and this is something that was alluded to earlier, is that we leverage our culture of transparency. And that's reflected in the letter that Eric sent out about a year ago, as Eric mentioned. And there are three things in that letter that I took away, that we continue to have in our security program here. One is that transparency has always been part of the core of our culture. We're committed to being open and honest with each other in meetings internally to find ways to improve on any processes that we need to look at, identify the right owners that can take on those responsibilities, and then make sure that we get updated regularly on that.
And then finally, we want to enable all of our users, whether it's our employees at Zoom or individuals that use our service, to be able to take steps on their own to best utilize any of the applications that we use for employees, or even our platform that our participants use today. So those are the two main takeaways. I mean, there's obviously a lot more when it comes to security, a number of different practices, but I'm happy to dive a little deeper with any specific questions that people have.

[00:17:15] Speaker 3: Great. So Lynn, we've heard from Richard, we've heard from Randy, we've heard a lot of things on security. We've done a lot since last spring, including on the privacy front. Anything particular you want to highlight for us?

[00:17:27] Speaker 4: Thank you so much, Gary. I appreciate it. Well, you've heard me say it before, but I think one thing, at least speaking for myself, and I've heard many others say it, is that at Zoom we're really proud of the work that we've done with schools, in particular helping keep K-12 schools, excuse me, open last spring during that really difficult time. We've also received some great recognition, for example, from Common Sense Media, which honored Zoom for Education with a strong privacy rating previously. Thank you. Excuse me for my voice.

[00:18:04] Speaker 3: Okay. So Richard, let's go back to you. So we did a lot, but how did Zoom approach staffing up and organizing the security team during this last year?

[00:18:17] Speaker 5: Yeah, good question. I think I've probably done more interviewing of candidates in the past year than in my entire career combined. It's probably true of Randy and Lynn as well. I've been a CISSP since 2002, so quite some time. Back then, we had what we called the 10 domains or specialties of security. I think it's now eight. But there is a very, very broad and diverse set of skills required to have a robust and strong security program. Over the past year, we've added more than 200 staff just to the security organization. And that doesn't even include the hiring that Lynn has done in the privacy area, and in our product management organization, Trust and Safety, and our actual software development teams. But some of the areas that we've done this hiring in are security product and program management, so establishing our security strategy and our security portfolio of the various different programs within security. Our security engineering function in support of the software developers, so ensuring the security of our software development lifecycle, establishing secure coding standards and conducting secure coding training for our software developers, doing design reviews, managing open source security, managing cryptography and key management, all of those sorts of things. And then security operations engineering, which Randy talked about, and he can talk more about his team: threat and vulnerability management, DevOps for our security tools, and supporting our identity and access management security. Physical security, because even though we're all still working at home for the most part, we still do have offices and we still have data centers. And so physical security, as well as business resilience, is a big part of our program. Security assurance, so our bug bounty program, our red team, our enterprise IT security, right? We're not just a SaaS company, we're also a business.
So we have our own internal business IT applications that we need to ensure are protected. Third-party security, so doing vendor risk assessments. And then we get into things like the security operations center. So we have a 24 by 7 SOC, always with eyes on glass, monitoring and conducting investigations on alerts that we might get from security signals throughout the infrastructure. Detection and response, so we have a threat hunting team and a threat intelligence team looking for signs out there in the deep and dark web that there might be attacks mounting against Zoom. And then of course, incident response. And I talked about the areas that I'm directly responsible for, which are our common controls framework, our certifications, our customer security assurance function, and our cyber risk management function. And then also very important is security awareness training for our employees and documentation governance over our policies, standards, and procedures. So there's a huge range of individual skills and expertise that are required to have a robust security organization. And we've done hiring in all of those areas, significant hiring in the past year.

[00:21:34] Speaker 3: Great, great. So Randy, Richard told us about our hiring. Why don't you tell us about how we utilized third-party experts last year?

[00:21:43] Speaker 6: Yeah, so we brought on board a few folks to help us in this area. So we partnered with respected security leaders such as Lea Kissner and Alex Stamos, and partnered with other firms like Luta Security, Bishop Fox, Trail of Bits, NCC Group, and the list goes on. And the majority of these firms that we worked with were acting as an extension of our security program, as our security team. And they came on board to help us in identifying some opportunities where we could improve on security. Part of that helped drive some of the initiatives and helped us identify the additional resources that we needed. Going back to covering some of the questions that you asked about growing the team and how we organize the projects: as we continued to identify these opportunities with the help of our own security teams and our extended security team members, like those partners that we work with, we identified groups of projects that we needed to work on. And then as we grew the team, we assigned those team members to those projects. One of the great things that the security leaders, including Jason, have done is making sure that we track and understand on a weekly basis, then on a monthly basis as security leaders, and then present where we're at in the overall state of the security program. And do we need to shift our direction in any way based on what we know from what Richard has shared, such as threat intel and other assessments that we did? But bringing in those third-party experts helped us in many regards. And as I said, most of them were extensions of our security team, but mostly focused on the offensive security and the bug bounty program.

[00:23:30] Speaker 3: Maybe just give us a suggestion. What were some of the suggestions they made that we actually put in place?

[00:23:37] Speaker 6: One of the things that we worked closely on is developing processes that align with what some of the other industries are using when it comes to managing vulnerabilities, and how you prioritize that, as well as process improvements internally. And how do we manage some of the implementation of those remediations during that process as well?

[00:24:01] Speaker 3: Great. So Lynn, in our 90-day challenge and everything that we did, we heard about a transparency report. So why did Zoom decide to create a transparency report?

[00:24:12] Speaker 4: Well, I think my voice is back. So bear with me. I think it'll last. Like many companies, as part of continuing to grow and improve our trust and safety function and our program, we published a transparency report to provide details related to government and law enforcement requests for data, for records, and for content. So together with our government requests guide that we had published previously, the transparency report can help users, and also those government agencies, understand our principles and our processes for responding to those types of requests.

[00:24:50] Speaker 3: Great. Great answer. Okay, Richard, let's go back to you. How did some of the security enhancements complement Zoom's pursuit of certifications and accreditations?

[00:25:02] Speaker 5: Yeah, I think it made it much easier for us to manage our certification efforts, and we expect that that's going to continue going forward. So just some examples of that. In the past couple of months, we completed the update of our SIG, which is the Standardized Information Gathering framework, a set of questions that are commonly asked of SaaS vendors when companies are trying to acquire SaaS services. Based on all of the enhancements that we've made and the maturation of our security processes, it made it much easier for us to have a fuller, more complete, and more robust set of answers in that SIG and an associated report called the CAIQ document. Additionally, we completed our 2020 SOC 2 Type 2 report late last year. I would say that that report is more robust and comprehensive than what we had in prior years, building on the enhancements that we made during 2020. We also completed a third-party audit and attestation on our compliance with HIPAA, and the enhancements that we made were very helpful there. We achieved a Cyber Essentials certification under the UK government's National Cyber Security Centre framework. We also completed a third-party assessment to validate that our platform meets the requirements of Japan's FISC security guidelines on computer systems for financial institutions operating in Japan. And then going forward, we're looking this year at adding the HITRUST set of controls to the scope of our SOC 2 audit. Again, that'll be conducted later this year. And then I think probably one of the larger initiatives that we're working on is ISO 27001. And we expect to have that certification before the end of this year. In parallel with the certification and attestation efforts, we're enhancing what we call our common controls framework and mapping it to various other frameworks to streamline any future certification goals that we might have.
And our sales team comes to us all the time with various different requests from customers, particularly outside of the US, to show that we're compliant with various different frameworks that are tied to those geographic regions or specific countries. And so our common controls framework will make it much easier for us to quickly work towards those certifications or attestations under those frameworks. And then I guess the last thing I should note is that we're working on making our certification reports and other evidence available to our users via self-service on our Trust Center portal later this year, which I think somebody may be talking about later on in the presentation.

[00:28:06] Speaker 3: Great, a lot there. So Randy, I heard Eric talk about the CISO Council and we've actually had some interviews with the CISO Council here before. But how did Zoom utilize its CISO Council to help adopt security and privacy best practices?

[00:28:20] Speaker 6: Yeah, it's a great program. Obviously we have over 35 CISOs, as you know, and it covers around seven verticals. And they advise on matters such as our regional data center selection and the features that we enabled: encryption, authentication, and a few other features. I participated in some of these meetings along with you and talked a little bit about our program, what it looks like, and leveraged that opportunity to see how we can benchmark how other CISOs are implementing their security programs, similar to the focus that we wanted to present. So we got some good feedback in that regard, not just on the program, but also on the feature functionality that we wanted to get some guidance on. The other teams also participated in some of these CISO Council meetings, and that included Andy Grant from our Offensive Security Program, to talk more about the red teaming approach, the other pen testers that we're looking to bring on board, and the other firms that we've partnered with as an extension of our security program. And we also had other security team members participate as well, such as Red on the Bug Bounty Program, just giving an update on where we're at and the approach that we're taking, and receiving feedback on that. The thing that I enjoy the most about the Security Council, and I think you've experienced this too, Gary, is that the common feedback that we get from the Security Council is very similar to that from all the other security leaders and IT leaders outside of the Security Council. And they say that they have a vested interest in Zoom's success for their security program.
And the reason why they have that vested interest is that they want to contribute more so that they can be part of protecting their employees, and not just their employees, but also their loved ones that use Zoom for school or for staying in touch with other family members and continuing to participate in other activities in light of being sheltered at home. So it's a number of benefits. One is how we improve our process, our program, our approach, but also getting that sense of contributing back to more than just what we're offering today and giving back to their families.

[00:30:34] Speaker 3: That's great. That's great. So Lynn, what are you planning to tackle in the future with regard to privacy?

[00:30:41] Speaker 4: That's a big question, Gary, but I'll try to do my best to summarize that here. Well, as you've heard Richard and Randy both touch upon already here today, in addition to focusing on security, Zoom has been working hard for months to continue to build a company-wide privacy program that strengthens how we protect people's information and privacy. In addition to bringing on those expert privacy lawyers that you saw earlier in the deck with those terrific security team members, we're also learning and continuing to do more to focus on our new consumer use cases, including building more transparency and choice into our core products and focusing on helping all of the people who use our products, all the way from large companies to individuals, understand how the data that they share in meetings and other Zoom products can be used.

[00:31:31] Speaker 3: Great. So Rod, I didn't forget about you. We know you're out there, but I think this is a good segue into the next section. So let's give you a question that'll really lead into the next section. So many things have changed in the technology landscape during the pandemic, and we've all seen that. Of these industry improvements, what industry trends are you incorporating into our future privacy and security products and platforms?

[00:31:55] Speaker 7: Yeah, it's a really interesting question, Gary. When we look at product security and privacy, I break it down into a few categories: authentication, authorization, and data protection. When you start to look at authentication, we want to do a better job on the platform of creating trust. And what that means is we want to extend that trust out from the Zoom binary to the user. So one of the things we're really looking at is providing better user identity, and how you would attest to your user identity on a platform so that we know that I'm really speaking to Gary and not to someone else, even if we've never met. And as the world changes, and as we move to these very, very distant connections that Zoom is attempting to solidify, we want to make sure that people can trust one another. And that's one of the areas that we're really focused on in privacy and security.

[00:32:40] Speaker 3: Great. Well, I want to thank everybody for your thoughtful answers today during our fireside chat. And building on this discussion we just had, let's take this opportunity to preview the product and security updates that we're planning for the future. So Rod, what a great segue. I'm turning it over to you.

[00:32:56] Speaker 7: Awesome. Thanks, Gary. So as Eric mentioned earlier, we're planning to launch this chat etiquette tool on March 21st. And I want to talk a little bit about what that is. So the tool automatically identifies keywords and text patterns in Zoom chat and in meeting chats. And it prevents users from sharing unwanted messages, such as those that include inappropriate language. The best way to really think about this, Gary, is that it really keeps honest people honest. The job of this tool is to encourage people and create some very light guardrails. We think this is going to be critical, especially in the education space, as people really want to say, hey, listen, these are the appropriate things you should be doing. We're not looking to report people. We're just looking to encourage you to do the right thing. So we developed this tool based on customer feedback. And it's important to note that chat etiquette policies are defined by the account admins, not by Zoom. So these are not things that we have an impact on. These are all done by the admins. And it's solely client-side. Meaning this tool does not send message information, like data, metadata, and events, to the account admin or to Zoom, whether the message triggers chat etiquette policies or not. Okay? That's really important. And the chat etiquette tool works on both default encryption meetings and end-to-end encryption meetings, which is another area that we're really focusing on a lot, is getting feature parity between those two types of meetings. And chat etiquette events are not logged locally on the device. So customers who are interested in the tool can reach out to their customer success managers to set this up. We also want to take this opportunity to highlight Zoom's future security roadmap. So in the coming months, we're planning to roll out the following features. First, we'll be opening bring your own key for users or for enterprise. 
What that is, is we're getting a lot of demand in the space so that there's cryptographic separation of data. So today, data at rest is encrypted in the Zoom cloud, but customers want to have their own keys and they want to be able to control those keys. And they want to give Zoom access to those keys and revoke access to those keys at their discretion. So this is something that we're really working on. It's called customer managed keys by a lot of people. We call it BYOK. And we're really focused on that. Second, phase two of our end-to-end encryption offering, with better identity management through single sign-on. Next week, Max Krohn, who's head of security engineering, and I are presenting at Oktane, and we'll talk through a lot of the things and the features that we're working on and the cryptographic details. So if you're interested in how it works and how we start to hook the Zoom identity experience into an IDP like Okta, definitely check out Oktane next week. And third, we're going to really start to double down on this and start to find other ways to create user identity where the person can really attest, as I spoke about earlier. And we're going to start to look at other IDP providers and see where we can expand from there. And with that, I'm going to turn it back to Hilary.

[00:35:40] Speaker 1: Great. Thanks so much, Rod. We'll now open the webinar up for Q&A. And we have about seven minutes, so we'll try to get to as many as possible. We had several people write in with healthcare-related questions. The first is, my family has been using Zoom for medical appointments. During these telehealth visits, how does Zoom work to protect people's privacy and security with this sensitive information?

[00:36:07] Speaker 4: So I'm happy to jump in on that one, Hilary, if you'd like me to. We recognize and are proud of the crucial role that Zoom is increasingly playing in healthcare and the delivery of healthcare to patients. As providers look to deploy and expand their capabilities, certainly remote and even when we go back to work, Zoom for Healthcare is well positioned to meet those needs. One of the reasons so many care providers do choose Zoom is the HIPAA compliance framework that we have. For those, again, who might not be familiar, HIPAA is the Health Insurance Portability... I'm sorry, the Portability and Accountability Act. It is a federal law that lays out privacy and security standards that protect the confidentiality of protected health information. Many of you who are interested in HIPAA, of course, probably already know PHI. That stands for Protected Health Information. And under the act, there are national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. So Zoom's HIPAA offering allows these healthcare customers to leverage the Zoom platform while still maintaining privacy, security, and compliance under HIPAA.

[00:37:22] Speaker 1: Great. Thanks, Lynn. And a quick follow-up question to that. Does Zoom have a white paper or best practices recommended settings for HIPAA customers? This might include things like not recording in the cloud or taking other precautions.

[00:37:36] Speaker 4: We do. I would point everybody to a HIPAA compliance data sheet that we have at https zoom.us docs. And then if you input zoom-hipaa, you can find it there. In addition, we actually also have a November blog with Ron Emerson and a couple of other assets. But I would point you first to that HIPAA data sheet at Zoom.

[00:38:01] Speaker 1: Wonderful. Thanks. And a question for the security team members. Why is my security shield sometimes green and sometimes orange?

[00:38:12] Speaker 7: I can add a little bit of color to that, Hilary. What we did is as we were working with the UI elements for end-to-end encryption and enhanced encryption, we wanted to be very transparent with who was joining and how they were joining. So end-to-end encrypted meetings or enhanced encrypted meetings, we can guarantee and certify based upon keys and where those keys are derived. But certain types of meetings where people join by phone or people are joining by like a voice over IP bridge, we don't have visibility into what is happening to the other side. What we do is we identify a meeting. So in this case, this meeting is orange and we show there are exceptions. And those exceptions are based upon the fact that we just can't certify the cryptographic operations of what's going on once it passes the boundary. And that's why you start to see those color differentiations. The majority of meetings that I've attended and that most people attended, you'll basically see them being green. But occasionally, such as this one, you'll see some exceptions and you can click on that list and start to see who's joining by phone. Lynn and I had a conversation. We find this to be quite entertaining sometimes in long meetings to see who's joining and how they're joining.

[00:39:14] Speaker 1: Great. And a related question to that, Rod, does Zoom have any recommendations on the type of encryption people are using? For example, should they use the default or end-to-end encryption?

[00:39:26] Speaker 7: It's really gonna be up to your discretion. We encourage people to use the end-to-end encrypted meetings. One of the reasons why you may not choose to do that is you want to use Cloud Media Recordings. Today, Cloud Media Recordings are not supported for end-to-end encrypted meetings. The reason for that is that the way we've designed the key exchange is that the Zoom infrastructure is not part of that key exchange process. So we don't have the ability to effectively bridge a server into that meeting to record it. These are some features that we're looking at as customers really want that end-to-end encryption, but they also want these services that were built out with Zoom. And again, this is where we're moving with our feature parity. But I would say the number one question is, if you're looking for Cloud Media Recordings, you're gonna wanna use enhanced encryption. If you just wanna have end-to-end meetings with people and not archive that data, then we think that end-to-end encryption is a good choice.

[00:40:18] Speaker 1: Great. Thanks, Rod. And Brenda, the question for you, we get this a lot. What is the best way to invite participants to a meeting and ensure the highest level of security?

[00:40:30] Speaker 8: That's an absolutely wonderful question. And I think the main item there is make sure that when you're sharing the meeting invite with them, do it through a protected channel. So emailing the individual, a text message to the individual, any basically communication channel that you have with those folks that is secure in nature. So we would recommend, for example, against posting it on a social media site to invite people because that's then public and other people might be able to see it. Beyond the method that you have of sharing the invite information to the individual, you also have a number of meeting controls that you can do to limit who has access to the meeting if they do get the invite. So these are things where if you use features such as the waiting room, you can approve each individual before they actually join into your session. And we also have some of the features such as webinar, for example, which is like the session today where you have certain people that are on stage like we are today. And then you have viewers, for example, that can just view the session. So we've got a range of tools to help folks in protecting their meetings.

[00:41:49] Speaker 1: Great. Thanks, Brendan. And Gary, I think we just have time for one more question, so we have time to wrap up on time. A lot of companies are planning to partially return to their office buildings this year once the vaccine is rolled out. Do we have any tips for helping businesses stay secure in this new environment?

[00:42:07] Speaker 3: Sure. So the first thing I think people need to do is they need to look at their data protection processes and they need to evolve. Things have changed and they need to evolve. They need to strategically leverage BYOD devices. Continuous training. Continuous training has always been a good thing. And they need to maximize their technology for not just security, but for flexibility. And we have a great blog called Securing Your Hybrid Workforce on our site.

[00:42:37] Speaker 1: Great. Thank you. That was our last question. I want to quickly announce the raffle winners as promised. The four lucky winners are Paul Benitez, Molly Christensen, Barbara Semeraro, and Freddie Mertz. We'll be following up with you via email to give you your t-shirts and swag. We have less than a minute left. Eric, any closing remarks you'd like to share today?

[00:43:01] Speaker 2: Oh, thank you for all the participants. Look forward to meeting you next month. Thank you all.

[00:43:09] Speaker 1: Great. Thanks, everyone.

AI Insights

Summary
Zoom hosted an "Ask Eric Anything" webinar updating users on security and privacy progress since the 2020 90-day plan. Leadership reviewed major security upgrades (Zoom 5.0, stronger default settings, MFA, end-to-end encryption), expanded security staffing, and use of third-party experts and a CISO Council to benchmark and improve practices. Privacy efforts included education-focused privacy recognition, building a broader privacy program, and publishing a transparency report on government/law-enforcement data requests. Product roadmap items highlighted a client-side chat etiquette tool for education, feature parity improvements for E2EE, BYOK/customer-managed keys for cloud data, and stronger identity/SSO integration for trust. Q&A covered HIPAA/telehealth guidance, encryption indicator colors, when to use default vs E2EE, secure meeting invitations, and hybrid-work security tips.

Title
Zoom Security & Privacy Update: 90-Day Plan Milestones and Roadmap

Keywords
Zoom, security, privacy, 90-day plan, Zoom 5.0, AES 256-bit GCM, end-to-end encryption, MFA, waiting room, passcodes, data routing, CISO Council, third-party audits, SOC 2 Type II, ISO 27001, HITRUST, HIPAA, transparency report, bug bounty, red team, BYOK, customer-managed keys, identity management, SSO, chat etiquette tool, hybrid workforce

Key Takeaways
  • Zoom's 2020 90-day plan delivered 100+ security/privacy features, including Zoom 5.0 and stronger default meeting protections.
  • Security controls were made more visible and easier for hosts (lock meeting, waiting room, screen share controls, remove participants).
  • Platform security posture was strengthened with MFA expansion and broadly available end-to-end encryption (E2EE).
  • Zoom significantly scaled its security organization (200+ hires) across engineering, operations, compliance, assurance, and incident response.
  • Third-party security experts and testing firms augmented Zoom's offensive security, vulnerability management, and process improvements.
  • Zoom pursued and expanded compliance attestations/certifications (SOC 2 Type II, HIPAA attestation, Cyber Essentials, FISC; plans for ISO 27001 and HITRUST controls).
  • A transparency report and government request guidance were published to clarify handling of law-enforcement/government data requests.
  • New roadmap items include a client-side chat etiquette tool (admin-defined, no reporting/logging to Zoom/admin), BYOK/customer-managed keys, and improved E2EE identity/SSO integration.
  • Encryption shield colors indicate whether Zoom can certify end-to-end/enhanced encryption for all participants (e.g., phone dial-in creates exceptions).
  • Best practices: share invites via protected channels, avoid public posting, use waiting room/passcodes, and adapt security processes for hybrid work.

Sentiment
Positive: The tone is confident and progress-focused, emphasizing transparency, extensive feature delivery, expanded staffing, external validation, and future roadmap commitments while addressing user concerns about healthcare privacy and secure usage.