Educause Security Discussion mailing list archives
Re: [Ext] Re: [SECURITY] Utilizing zoom
From: "Leber, Dennis E" <dleber () UTHSC EDU>
Date: Thu, 2 Apr 2020 20:01:30 +0000
I appreciate all the feedback, and want to expand on my posting. At no time was this meant to appear as placing fault to anyone. I was simply sharing in the event others may have similar architecture. We all have our organizations best interest in mind and never do things careless or without large amounts of consideration. Nor is what we do a competition or an attempt to demonstrate who is better or wrong; we all have the same goal in mind; helping our orgs stay safe, and each other make sound security choices. My intention is to share a risk assessment approach to deciding how to best protect your organization. I am glad it enabled discussion, I welcome all information that aids in making decisions, I am not too proud to take information and observations and include that in my decisions and change my recommendation if that data warrants it. I am glad that I have this source available, and this collected brain trust to rely on. Thanks to all of you, and I apologize that I did not fully author my posting in a better, more thought out manner. Respectfully, [https://uthsc.edu/brand/images/email-signature/shortsig-green-horizontal.png] Dennis E. Leber Chief Information Security Officer (CISO) The University of Tennessee Health Science Center Office of Cybersecurity 877 Madison Ave 6th Floor Memphis, TN 38163 dleber () uthsc edu t: 901.448.5848 c: 270.307.1609 https://www.uthsc.edu/its/cybersecurity/ ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Hagan, Sean <sean.hagan () YC EDU> Sent: Thursday, April 2, 2020 2:35 PM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom Not trying to pick out either your or Dennis' responses, but just generally I have to say I'm a little surprised at the sudden and seemingly significant blowback that Zoom is getting. If we stopped using every SaaS application or piece of technology that had a security vulnerability or that didn't behave in the manner we expected, or that was at risk of attack due to its popularity, we'd be left with etch-a-sketches (actually, I could never get those to work right, so I'd be left with nothing). I certainly appreciate all the information and opinions being shared and am constantly evaluating them against my own experiences, but so far I feel like Zoom has been a pretty good partner - providing useful technology at a critical time and actively responding to issues and concerns raised. So many of the recently reported issues seem to be more user training/knowledge or enterprise management/configuration issues than they are Zoom product failures. Certainly we can argue that some default settings should be modified by the vendor (and in fact it appears they are now for K-12 environments, as an example), but this is not unique to Zoom. Admittedly, the encryption issue may indeed be a major deal for some organizations. Anyway, I don't own any stock in Zoom (or the competition), don't know anyone who works there, and will continue to look forward to opinions and knowledge on either side of the issue. For my own organization, I don't see us swearing it off - just continuing to impress upon our user base the importance of proper configuration, hygiene, and general computing best practices. Good luck to everyone in your decisions and in your online and remote teaching/learning/working efforts! Sean ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Kimmitt, Jonathan <jonathan-kimmitt () UTULSA EDU> Sent: Thursday, April 2, 2020 12:19 PM To: SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom And just to be clear… I’m not opposed to using a product that has had problems in the past… as long as they have responded correctly and fixed the problems… I would rather work with a software partner that has been tested and responded well, then a new/unknown product that hasn’t been tested… So while I am looking at all options to protect my campus, I don’t want to kneejerk away from zoom, if they are working to fix the problems…. I only want to move if it’s the correct decision. -Jonathan From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kimmitt, Jonathan Sent: Thursday, April 2, 2020 2:08 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom We were in the process of purchasing Zoom for our telehealth…. With the recent information I am more inclined to reverse that decision….. However, while we can get a BAA with Microsoft Teams (and we already do), what steps do we need to do to make sure that Teams meets the requirements for telehealth? Is there any published checklists that will help in the process? -Jonathan ~ Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E, GSNA Chief Information Security Officer Information Technology The University of Tulsa 918.631.2743 From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Leber, Dennis E Sent: Thursday, April 2, 2020 1:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] [Ext] Re: [SECURITY] Utilizing zoom Our team conducted a risk analysis of Zoom; attached is our summary. NASA, Tesla, and others have immediately stopped the use of Zoom. [https://linkprotect.cudasvc.com/url?a=https%3a%2f%2futhsc.edu%2fbrand%2fimages%2femail-signature%2fshortsig-green-horizontal.png&c=E,1,qNpHiBCwSBUxXZUVP8LSKErh4eFk-ha8vQu2I-JTJasWHza0ijlWlfKLh0eMWW_IXa8okK8UVtOSYRmH2BHOUJ2jOCyBjtyRQEAmyfOAVC1ZuDFYBpovDjJ-Ds0,&typo=1] Dennis E. Leber Chief Information Security Officer (CISO) The University of Tennessee Health Science Center Office of Cybersecurity 877 Madison Ave 6th Floor Memphis, TN 38163 dleber () uthsc edu<mailto:dleber () uthsc edu> t: 901.448.5848 c: 270.307.1609 https://www.uthsc.edu/its/cybersecurity/<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.uthsc.edu%2Fits%2Fcybersecurity%2F&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666509206&sdata=O2Wu0ewUN4%2FmMGvaIaAkdI%2BUZ3zr2zajgMIlG67lveA%3D&reserved=0> ________________________________ From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of Menne, Michael S <michael.menne () MNSU EDU<mailto:michael.menne () MNSU EDU>> Sent: Thursday, April 2, 2020 1:22 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: [Ext] Re: [SECURITY] Utilizing zoom We are using Zoom for telehealth. Zoom has a Healthcare option that disables recording capability and encrypts chat messages. There may be other things as well that I'm not aware of. I've seen several local providers (including Mayo Clinic) use Zoom for Telehealth. On 4/2/20, 1:21 PM, "The EDUCAUSE Security Community Group Listserv on behalf of Rick DeCaro" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of Rick.Decaro () LOGAN EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU%20on%20behalf%20of%20Rick.Decaro () LOGAN EDU>> wrote: +1 for piloting Doxy.me. We also considered Zoom, Spruce and Teams. Rick DeCaro Director of Information Technology | Logan University 1851 Schoettler Road | Chesterfield, MO 63017 Phone: (636) 230-1760 | Logan.edu<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fLogan.edu&c=E,1,SN1yuJKwj4Lh9FZqEC2PnbAASly9DE59IKqcaUjNxYUdU0i_jKpBQ5rAGJ1uGrS1uwKjBbFPXa3mKxWNtWcUazHqxpChtvbQ724yvHKZEAlxMMMd9Q,,&typo=1> -----Original Message----- From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Bill Thompson Sent: Thursday, April 02, 2020 1:18 PM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: Re: [SECURITY] Utilizing zoom This e-mail was received from an external source. Please be cautious when replying, clicking links or opening attachments. Our counseling center looked at Zoom for Healthcare and decided to pilot doxy.me<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fdoxy.me&c=E,1,qNrUwGtP2y7VkMMLwGAboArOH1RS-O8SVFvL07A1BZmLftUIRwDmXb9GmsGuyDRUnf_yZsE1GlnGtQVJAY9SXAwd08GMjZbe0fPKOlduNDHhR3g,&typo=1> instead primarily for the integrated teleconsent feature. Best, Bill On Thu, Apr 2, 2020 at 2:14 PM Mark Reboli <mreboli () misericordia edu<mailto:mreboli () misericordia edu>> wrote: > > Question: Like most of you we have multiple options for telehealth and addressing clinical hour needs for our students. I am looking at the different options and any concerns with utilizing Zoom over some other solutions. Any guidance would be appreciated. > > > > Thank you > > > > M > > > > Mark Reboli > > Network/Telecom Manager > > Misericordia University > > (570) 674-6753 > > > > This e-mail and accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation. > > > > ********** > Replies to EDUCAUSE Community Group emails are sent to the entire > community list. If you want to reply only to the person who sent the > message, copy and paste their email address and forward the email > reply. Additional participation and subscription information can be > found at > https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww. > educause.edu%2Fcommunity&data=02%7C01%7Crick.decaro%40LOGAN.EDU%7C > ab6aa00ac3f346dd35f208d7d7323272%7C12b0502287ae4711b25c041c20615f0a%7C > 0%7C0%7C637214482910331728&sdata=nOY6jM%2BU6xGn%2B3e42wLgOo866US6B > Omk3K%2B32mCvfCM%3D&reserved=0 ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C8e3e5a15bc7e4f1dc95808d7d7329f0f%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C1%7C637214484734119332&sdata=8ptcXQxkkSwMEFiafRymKmeisbezmBP9O4zx2IYng7k%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666519205&sdata=XBvhkBBLhvAuyZceFRc%2BT5OeyCcvO8rwYAvkUwaUPKg%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C8e3e5a15bc7e4f1dc95808d7d7329f0f%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C1%7C637214484734129328&sdata=rfaRxNdsecHlDGiAUr9DSWNMPXquGGgu4lSmlFSawzE%3D&reserved=0<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666529199&sdata=ODgBAP031qpn2HbOW%2Bf4jaZJ1DrwHKo5woEmUy%2F3txU%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666529199&sdata=ODgBAP031qpn2HbOW%2Bf4jaZJ1DrwHKo5woEmUy%2F3txU%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666539194&sdata=DlO94T4QCxkWuyukLwIsM0vBfwVXhuKZI8X6aEfVJzI%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Ca47e94d8d617449e390b08d7d739202f%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637214512666549191&sdata=TMzO0xnWpyjOd3rjuv02%2BlL4pHAbunW1wysjxp%2Ffy80%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fwww.educause.edu%2fcommunity&c=E,1,g9F71mwU3CBxTo3LTjoksxvO2O2CFVHbxNU0YQPlPzMGdlQ4NtuU7DOiT226i-0iK3Ux35fp-g7bnPgWjzaqeyuC--SOPVLziDGM2vJmMxU4eFwMDFGpFQ,,&typo=1> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Utilizing zoom Mark Reboli (Apr 02)
- Re: Utilizing zoom Bill Thompson (Apr 02)
- Re: Utilizing zoom Rick DeCaro (Apr 02)
- Re: Utilizing zoom Menne, Michael S (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Leber, Dennis E (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Alexandre Adao (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Kimmitt, Jonathan (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Kimmitt, Jonathan (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Hagan, Sean (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Leber, Dennis E (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Jim A. Bole (Apr 02)
- Re: Utilizing zoom Rick DeCaro (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Kevin Wilcox (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Kimmitt, Jonathan (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Thomas Carter (Apr 02)
- Re: Utilizing zoom Bill Thompson (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Jeremy Livingston (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Ron Lee (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Hart, Michael (Apr 02)
- Re: [Ext] Re: [SECURITY] Utilizing zoom Alex Keller (Apr 02)