Enabling and Securing Zoom meetings

Introduction to Zoombombing

It’s difficult to underestimate the effect that the current COVID-19 pandemic has on our way of life.   The need to work in isolation to prevent the spread of the virus while remaining connected to the people in our lives is a challenge.  Creating the right environment to support remote workers has caught many businesses unprepared. While we’re all doing our best to support the remote workforce, during times like these there are those out there that will use the situation to their own advantage.

Recently a new phenomenon has entered our collective lexicon:  Zoombombing.  Zoombombing is when an uninvited or unauthorized party is able to gain access to a Zoom meeting typically to disrupt the meeting, though some may simply lie quietly and “ghost” the meeting.  In either case, it garnered national attention including notices from the FBI and states’ attorneys general that such activities are illegal (news report). 

Immediate steps to protect your meeting from Zoombombers

Zoom has released a set of best practices aimed at mitigating these intrusions.   You can almost think of them in the same terms of protecting a private party. These include:

  1. Keep the meeting to yourself – Do not announce your meeting publicly if you can avoid it.  Doing so will only let bad actors know where and when to attack. 
  2. Password protect your meeting –  This will help ensure that only invited participants will be able to access the meeting and not just anyone who found the link from a web search.  Only people who hold an approved invitation (in this case the password) even have a chance to join.
  3. Turn off the “Join Before Host” feature –  This will prevent folks from rushing the room before the host in charge of the meeting has a chance to see who’s attending.   
  4. Turn on the “Waiting Room” feature – A good host would provide his guests someplace to wait until time to enter.   A Zoom waiting room, though, serves a much more important security purpose. It allows the host to confirm that someone should be in the meeting before explicitly admitting them to the meeting.
  5. Lock the meeting – Once all the authorized attendees have been admitted, you can lock the meeting to prevent anyone else from joining. 
  6. Scan the room – Keep an eye on the participant list to ensure that everyone is accounted for throughout the meeting.
  7. Don’t show or tell too much –  When sharing information on your screen, be mindful of the content that you are displaying.  If you can’t be absolutely confident that everyone in the meeting is authorized, you need to assume that anything displayed can be screen-captured by a nefarious actor.


Strategic steps to protect your organization

Taking these steps will provide an immediate layer of security that can be leveraged by anyone who uses Zoom.  Organizational security, though, needs a multi-layered, longer-term approach to solve organizational-level problems. 

A key aspect of any organizational security program is the process of Identity and Access Management (IAM).  This involves maintaining the data and rules related to determining what resources a person should have access to.  IAM then uses those rules to provide real-time enforcement. All these rules and enforcement mechanisms can be very complex, but not always.  IAM is not a one size fits all proposition. Many small to medium size businesses may not have an IAM solution perhaps because they don’t feel they have the need, can’t justify the cost, or have the time to implement one.

COVID-19 has changed at least part of the equation. The NEED to securely provide employees access to services and applications to do their job has come to the forefront of just about every organization out there, irrespective of their size.

Both Okta and Ping, leading providers of identity for the enterprise, are addressing the COST issue by offering “Emergency Remote Work” programs for free for a limited time.  

These offers include:

  • Single Sign On – to make accessing applications faster and more secure
  • Multi-factor Authentication – for an additional layer of security
  • Integration – with up to 5 applications in some cases, unlimited in others
  • Directory Services – to safely store your critical identity data

IDMWORKS, a leader in Identity and Access Management Professional Services, has made available a two-week accelerated implementation package to dramatically decrease the TIME to value and ensure your employees have easy access to the applications they need WITHOUT sacrificing security.

There is little doubt that the current pandemic has altered our way of life for the time-being.  The way we work, the way we move about, even the way our children “attend” school have all changed dramatically.  What hasn’t changed, and perhaps has significantly increased, is our need to engage virtually with others and the need to do it safely and securely.