Educause Security Discussion mailing list archives
Re: Zoom - Penetration Test
From: Nicholas Garigliano <ngarigl8 () NAZ EDU>
Date: Mon, 26 Sep 2016 10:47:52 -0400
Hi Sean,

A "Pen Test" can mean different things to different people. There are no hard and fast rules as to what constitutes a penetration test. It depends on what your expectations are, the expertise and reputation of the 3rd party vendor performing the test, and the thoroughness of the test.

As far as having someone do a test of Zoom, I would be extremely cautious. It would depend on Zoom's SLA (you should not do any testing without prior written documentation from Zoom highlighting what is allowed and not allowed, and have this vetted by your legal department) and how much you are willing to spend. And remember, a pen test is just a point-in-time measurement. I am sure that Zoom's architecture is evolving and very dynamic, like most. What is "secure" today may not be "secure" tomorrow.

I would be more concerned about their written policies and procedures and whether or not they have any of the appropriate ISO certifications (use AWS as a benchmark?). Do they have dedicated Security and/or Risk management staff? At what level does security get involved in upper management, i.e. do they have a CISO? Do they have dedicated security staff? What monitoring do they have in place? How much info are they actually willing to share?

And of course, if you are putting data in the cloud, the onus is on you to store and transmit that data securely, with the realization that if you do not control the hardware, you do not really control the data.

Hope this helps!

Nick Garigliano, CISSP, GCIH, GPEN
Network Security Engineer
Enterprise & Network Solutions
Nazareth College
585 389-2109

On Fri, Sep 23, 2016 at 2:01 PM, Clark, Sean (OIT) <Sean.Clark () ucdenver edu> wrote:
We are looking to use Zoom for highly confidential data and are asking them, per our usual process for evaluating cloud services for security and compliance, to provide us with evidence of a third party penetration test, and appropriate remediation. Zoom has refused to perform a pen test or provide evidence that a pen test (and remediation) has been performed, but they have said that some of the organizations that use their product have performed pen tests of their app.

Have any of you performed a pen test of the Zoom app, or seen evidence of such?

Sean Clark
Information Security Officer
Director of IT Security and Compliance
Office of Information Technology
CU Denver | CU Anschutz
Sean.Clark () UCDenver edu
303-724-0486