Ease of Use vs. Security: The Zoom Conundrum

Zoom has made a series of changes recently, but did security trump ease of use?

Phil Edholm

June 7, 2020


The trade-offs between security and ease of use have long plagued technology. Dispense with passwords, and users are happy until they are hacked. Users prefer things to be easy and straightforward, but they are often the weakest link in any system. Many companies have been done in by an employee clicking on an email link that claimed to lead to a voicemail message. The same challenge has affected communications and collaboration solutions, where complexity has been the bane of adoption in many organizations.

The challenge of building a simple, easy-to-use collaboration solution was the core driver for a company named Zoom a few years ago. Fresh from the Cisco Webex experience, the Zoom team focused on simplicity and ease of use above all else; the solution made it easy for the technically average to use Zoom effectively. The onboarding process was simple, both for a subscriber and their guests, and the guests could even join from a browser. The Zoom team took advantage of new web technologies like WebRTC and the emerging web real-time architectures to deliver a dramatically simpler experience. While Cisco was focused on a super-secure document storage system, Zoom made it easy to invite a customer to a video call.

As part of making that experience easier, Zoom calibrated the settings knobs toward simplicity, often eschewing potential security considerations in the process. Consider screen sharing, a collaboration staple. The question of who is allowed to share a screen is where a product's default settings reveal how much weight it gives to security. To reduce the threat, many meeting apps limit screen sharing to the host, or give the host controls over who may share, but this limits a guest's ability to share easily. Because Zoom's initial market wasn't Fortune 100 IT departments but SMBs and individual users, the product shipped with screen sharing enabled for all participants by default. The security control to limit sharing was there, but the restriction was optional. Users didn't need to learn complex controls to have a customer share something; it just worked. In fact, that has been the biggest compliment to Zoom: it just works.

If Zoom's use had been limited to the business market, this approach would have worked well. In the early SMB and small-meeting use cases, invitations went to a limited set of attendees and were not openly advertised on the internet. Larger organizations that used Zoom tended to be more sophisticated (think Deloitte), and their users were more technologically savvy and could be trained on the security considerations.

Then came coronavirus, and with it, social distancing. This led Zoom to become the popular choice for social video meetings. Whether church groups, book clubs, or hobbyists, everyone is doing Zoom. Of course, this led to an issue: the Zoom Bomb. As Zoom meetings were advertised on social media (Facebook), they were now visible to the public, including a whole bunch of people home alone with time on their hands. As many hosts were also new to collaboration and to Zoom, the open screen-sharing default was not well understood, leading to the potential for outsiders to share screen images that were often offensive to the hosting group. Along with several other areas, such as metadata about the meetings, this became a major security knock on Zoom. Just a tip for the uninitiated: any IP-based conferencing system knows every time any user talks and can track that data, even if the conference isn't being recorded. It's how the speaker-selector function of a conference bridge works.

Zoom had to react at some point, and they changed the base configuration of screen sharing to "host only." Prior to that, anyone could share. With this change, only the host is enabled to share in the initial meeting configuration, and the host must explicitly allow anyone else to share during the meeting. Simple, easy, secure.

Not so fast. Following the change, I had a Zoom call with a company, which was set up by their PR firm. After a few pleasantries, it came time to share the presentation, where it became clear quickly that the host wasn't in the meeting. In reality, they used the meeting product the way many smaller companies use it: a single admin sets up meetings as requested by the staff and controls the use of the meeting service. Since the admin sets up the meetings using the account they control, unless they identify an additional host for that meeting, they are the host for the meeting and control screen sharing. Unfortunately, this meant that sharing became a major issue, and an alternative was used. As the admin doesn't generally go to the meetings, the change in Zoom for security became a business process issue for a company using the product. Again, Zoom enables the identification of an alternate host for the meeting, so that could have been done, but it makes the set-up user experience more complex.

The challenge of balancing ease of use and security will increasingly become an issue in organizations. As vendors and companies roll out products to a larger and less sophisticated user base, driving adoption through simplicity is critical, but security may be paramount. As organizations and vendors develop security solutions and respond to attacks on meeting and collaboration products, the resulting security controls and user education must be implemented in a way that doesn't undermine core business values or valuable capabilities. This will require a clear understanding of the trade-offs between security and ease of use and of how to manage them.

For example, should the base configuration of a meeting's sharing capabilities be an enterprise-defined characteristic? Or should it be set per department or by employee role? Or should it depend on the meeting attendees, with sharing limited whenever non-employees are in the meeting? If the single feature of screen sharing opens this range of security questions, the overall management of security options and restrictions will be a major future consideration in deployments. Understanding the vision and flexibility a vendor will provide in this optimization could be a major factor in vendor selection.
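To make the policy questions above concrete, and to capture the admin-as-host trap from the PR-firm meeting, here is an added example (not Zoom's code or any real admin API) that resolves a screen-sharing setting through hypothetical enterprise, department, and per-meeting layers, tightens it to host-only when a non-employee is present, and then checks whether anyone who actually joined is allowed to share. All names, defaults, and the department table are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Share(Enum):
    HOST_ONLY = "host_only"          # the post-change default the article describes
    ALL_PARTICIPANTS = "all"         # the original "it just works" default


@dataclass
class Participant:
    name: str
    employee: bool


@dataclass
class Meeting:
    host: str                                  # the account that scheduled the meeting
    attendees: list
    alternate_hosts: set = field(default_factory=set)
    department: str = ""
    share_override: Share = None               # None means "inherit from the layers above"


# Hypothetical policy layers, constructed for this example.
ENTERPRISE_DEFAULT = Share.HOST_ONLY
DEPARTMENT_DEFAULTS = {"sales": Share.ALL_PARTICIPANTS}


def effective_policy(m: Meeting) -> Share:
    """Resolve enterprise -> department -> meeting, then tighten to host-only
    whenever a non-employee is on the attendee list (attendee-based policy)."""
    policy = m.share_override or DEPARTMENT_DEFAULTS.get(m.department, ENTERPRISE_DEFAULT)
    if any(not p.employee for p in m.attendees):
        return Share.HOST_ONLY
    return policy


def can_share(m: Meeting, who: str, present: set) -> bool:
    """Can `who` share right now, given the set of people who have joined?"""
    if who not in present:
        return False                          # an absent host cannot grant or use sharing
    if effective_policy(m) is Share.ALL_PARTICIPANTS:
        return True
    return who == m.host or who in m.alternate_hosts


def sharing_blocked(m: Meeting, present: set) -> bool:
    """True when nobody in the room may share: the scheduling admin is the only
    host and never joins, and no alternate host was named."""
    return not any(can_share(m, p.name, present) for p in m.attendees)
```

Running `sharing_blocked` at scheduling time (with the expected attendee set as `present`) flags the business-process failure before the meeting starts, and naming an alternate host clears it.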

About the Author

Phil Edholm

Phil Edholm is the President and Founder of PKE Consulting, which consults to end users and vendors in the communications and networking markets to deliver the value of the integration of information and interaction.

Phil has over 30 years' experience in creating innovation and transformation in networking and communications. Prior to founding PKE, he was Vice President of Technology Strategy and Innovation for Avaya. In this role, he was responsible for defining vision and strategic technology and the integration of the Nortel product portfolio into Avaya. He was responsible for portfolio architecture, standards activities, and user experience. Prior to Avaya, he was CTO/CSO for the Nortel Enterprise business for 9 years. At Nortel, he led the development of VoIP solutions and multimedia communications as well as IP transport technology. His background includes extensive LAN and data communications experience, including 13 years with Silicon Valley start-ups.

Phil is recognized as an industry leader and visionary. In 2007, he was recognized by Frost and Sullivan with a Lifetime Achievement Award for Growth, Innovation and Leadership in Telecommunications. Phil is a widely sought speaker and has been in the VoiceCon/Enterprise Connect Great Debate three times. He has been recognized by the IEEE as the originator of "Edholm's Law of Bandwidth" as published in July 2004 IEEE Spectrum magazine and as one of the "Top 100 Voices of IP Communications" by Internet Telephony magazine. Phil was a member of the IEEE 802.3 standards committee, developed the first multi-protocol network interfaces, and was a founder of the Frame Relay Forum. Phil has 13 patents and holds a BSME/EE from Kettering University.