Educause Security Discussion mailing list archives

Re: Zoom - Penetration Test


From: "Shankar, Anurag" <ashankar () IU EDU>
Date: Fri, 23 Sep 2016 20:14:28 +0000

Sean,

 

Sorry I don’t have an answer for you but we too investigated the possibility of using Zoom (for Telemedicine/PHI) in 
2014.  We had to move because they said end to end encryption allows them to essentially claim the conduit exception 
(which we didn’t think they could) and were not willing to sign a BAA.  I believe they do now.

 

Regards,

 

Anurag

 

---

Anurag Shankar,  Ph.D.  Email: ashankar [at] iu.edu  Phone: +1 (812) 856-6978

Center for Applied Cybersecurity Research, Pervasive Technology Institute, Indiana University

2719 E. 10th Street, Suite 231, Bloomington, IN 47408

 

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of "Clark, Sean 
(OIT)" <Sean.Clark () UCDENVER EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, September 23, 2016 at 2:01 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Zoom - Penetration Test

 

We are looking to use Zoom for highly confidential data and are asking them, per our usual process for evaluating cloud 
services for security and compliance, to provide us with evidence of a third party penetration test, and appropriate 
remediation.  Zoom has refused to perform a pen test or provide evidence that a pen test (and remediation) has been 
performed, but they have said that some of the organizations that use their product have performed pen tests of their 
app.

 

Have any of you performed a pen test of the Zoom app, or seen evidence of such? 

 

Sean Clark

Information Security Officer

Director of IT Security and Compliance

Office of Information Technology

CU Denver | CU Anschutz

Sean.Clark () UCDenver edu

303-724-0486
