Zoom Video Communications is a remote conferencing services company. Many organizations use its product for video conferencing, online meetings, chat, and mobile collaboration to stay in contact with remote colleagues, customers, partners, etc. Zoom’s value and use have skyrocketed over the last several weeks, mostly due to the COVID-19 pandemic. Between December 2019 and March 2020, it went from 10 million users per day to 200 million. By clicking “Join,” we are trusting that Zoom will provide the necessary security to protect our personal information and the content of our Zoom sessions.
Unfortunately, last week, The Washington Post found that videos recorded through Zoom’s software were saved onto a separate online storage space without a password. And because Zoom uses a standard naming convention for every video recording, a simple online search revealed a stream of videos available for anyone to watch, download, or use for exploitation. Zoom failed to secure many video recordings covering sensitive business matters as well as the health, welfare, and education of our families and loved ones.
Zoom, like many other companies before it, made a mistake. However, that mistake likely happened, in part, because of the current crisis and the subsequent increase in demand for its product, which helps people stay connected in times of quarantine. Zoom may have felt it had no choice but to forgo security in order to speed up its efforts, and in doing so it made a terrible choice between innovation and security, which led to the resulting data breach.
Zoom has acknowledged its recent security issues and is working actively to correct them. But this news is a sobering reminder of the blind trust placed in the hands of companies that have access to sensitive data and information. These companies need to have in place an automated platform to analyze, identify, and remediate cloud infrastructure. This will enable organizations to securely embrace public cloud, while giving developers the freedom to innovate without exposing the business to risk. In other words, a security automation platform will eliminate the choice companies like Zoom feel they are forced to make between innovation and security. This is a false choice. Companies no longer have to fear innovation, and the public should no longer have to fear their personal information being exposed to the world.
How would you know if your company had an open cloud resource? If you’re not yet a DivvyCloud customer, then you might find this demonstration interesting. Watch as Alex Corstorphine shows how to automate the remediation of an exposed S3 bucket.
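One way to answer that question for an S3 bucket, as an added example (it is not DivvyCloud's code and not the demonstration mentioned above): the check below reads dictionaries shaped like the S3 GetBucketAcl, GetBucketPolicy, and GetPublicAccessBlock responses and reports whether the bucket is reachable without credentials. The bucket name and sample data are constructed, and the policy test is a simplification that treats any `Allow` to a wildcard principal with no `Condition` as public.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Public Access Block configuration that shuts off every public path.
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def public_acl_grants(acl):
    """Permissions an ACL grants to one of the public groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy_json):
    """Actions allowed to any principal with no Condition (simplified test)."""
    stmts = json.loads(policy_json or "{}").get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    hits = []
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            hits.append(s.get("Action"))
    return hits

def assess(name, acl, policy_json=None, pab=None):
    """Report exposure, honouring Public Access Block settings already in place."""
    pab = pab or {}
    findings = []
    if public_acl_grants(acl) and not pab.get("IgnorePublicAcls"):
        findings.append("ACL grants access to a public group")
    if public_policy_statements(policy_json) and not pab.get("RestrictPublicBuckets"):
        findings.append("bucket policy allows any principal")
    # The remediation is the configuration to apply, e.g. via PutPublicAccessBlock.
    return {"bucket": name, "exposed": bool(findings), "findings": findings,
            "remediation": BLOCK_ALL if findings else None}

# Constructed sample data for a hypothetical bucket.
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-recordings/*"}]})

if __name__ == "__main__":
    print(assess("example-recordings", OPEN_ACL, OPEN_POLICY))
```
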