Educause Security Discussion mailing list archives
Re: Zoom - Penetration Test
From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Mon, 26 Sep 2016 16:30:46 +0000
I completely agree with Nick. One of the reasons for engaging a vendor is so you can transfer risk. I used the HIPAA Security Rule Toolkit when we did an assessment of Box prior to allowing PHI on our Enterprise instance. It asks a thousand questions, which I think was overkill. I found that the purely technical was less important than the attitude, how serious and willing the vendor is to work with you to alleviate your security concerns. You must ask to see their books because often, the compliance documentation is good enough, particularly documented policies, to show if they are managing risk well. Due diligence is good but you can also go too far. Pen testing a vendor definitely falls in that category in my book, especially if you are not doing it for your own systems.

Regards,
Anurag

---
Anurag Shankar, Ph.D.
Email: ashankar [at] iu.edu
Phone: +1 (812) 856-6978
Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University
2719 E. 10th Street, Suite 231, Bloomington, IN 47408

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Nicholas Garigliano <ngarigl8 () NAZ EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, September 26, 2016 at 10:47 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] Zoom - Penetration Test

Hi Sean,

A "Pen Test" can mean different things to different people. There are no hard and fast rules as to what constitutes a penetration test. It depends on what your expectations are, the expertise and reputation of the 3rd party vendor performing the test, and the thoroughness of the test. As far as having someone do a test of Zoom, I would be extremely cautious.

It would depend on Zoom's SLA (you should not do any testing without prior written documentation from Zoom highlighting what is allowed and not allowed, and have this vetted by your legal department) and how much you are willing to spend. And remember, a pen test is just a point-in-time measurement. I am sure that Zoom's architecture is evolving and very dynamic, like most. What is "secure" today may not be "secure" tomorrow.

I would be more concerned about their written policies and procedures and whether or not they have any of the appropriate ISO certifications (use AWS as a benchmark?). Do they have dedicated Security and/or Risk management staff? At what level does security get involved in upper management, i.e. do they have a CISO? Do they have dedicated security staff? What monitoring do they have in place? How much info are they actually willing to share?

And of course, if you are putting data in the cloud, the onus is on you to store and transmit that data securely, with the realization that if you do not control the hardware, you do not really control the data.

Hope this helps!

Nick Garigliano, CISSP, GCIH, GPEN
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Sep 23, 2016 at 2:01 PM, Clark, Sean (OIT) <Sean.Clark () ucdenver edu> wrote:

> We are looking to use Zoom for highly confidential data and are asking them, per our usual process for evaluating cloud services for security and compliance, to provide us with evidence of a third party penetration test, and appropriate remediation. Zoom has refused to perform a pen test or provide evidence that a pen test (and remediation) has been performed, but they have said that some of the organizations that use their product have performed pen tests of their app. Have any of you performed a pen test of the Zoom app, or seen evidence of such?
>
> Sean Clark
> Information Security Officer
> Director of IT Security and Compliance
> Office of Information Technology
> CU Denver | CU Anschutz
> Sean.Clark () UCDenver edu
> 303-724-0486