Zoom's CEO appeared on CNN 4/5/20, admitting they've “moved too fast” and “had some missteps.” The recent issues were summarized by the BBC (see “Dismal Security” section). Zoom stated that they’d freeze other feature development for 90 days while remediating.
Microsoft Teams is a more secure platform, but some of its security features aren't on by default. For the best detail, watch Enabling’s webinar on Teams Security. It outlines how to navigate the tradeoffs between productivity and security. Several lessons from Zoom’s news are summarized here.
How to avoid Zoombombing with Teams:
There are several settings necessary to keep intruders from sharing or interrupting Teams meetings. The main steps are to:
- Ensure those that join your meetings are attendees (and not presenters)
- Use the lobby to prevent attendees from joining automatically
- Mute all attendees to keep attendees from interrupting
Marquette University has compiled a summary of these settings with screenshots.
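An administrator can set the first two steps as tenant defaults instead of relying on each organizer. The script below is an added example, not from this post or from Microsoft. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; the policy name and user address are hypothetical placeholders. Muting attendees remains an in-meeting action and is not covered here.

```powershell
# Added example: requires the MicrosoftTeams module and a Teams admin sign-in.
Connect-MicrosoftTeams

# 1. Audit: find meeting policies whose defaults let anyone bypass the lobby
#    or join with presenter rights.
$weak = Get-CsTeamsMeetingPolicy | Where-Object {
    $_.AutoAdmittedUsers -eq 'Everyone' -or
    $_.DesignatedPresenterRoleMode -eq 'EveryoneUserOverride' -or
    $_.AllowPSTNUsersToBypassLobby
}
$weak | Format-Table Identity, AutoAdmittedUsers,
    DesignatedPresenterRoleMode, AllowPSTNUsersToBypassLobby

# 2. Create a hardened policy if it does not exist yet.
$policyName = 'LockedDownMeetings'   # hypothetical name
$existing = Get-CsTeamsMeetingPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-CsTeamsMeetingPolicy -Identity $policyName | Out-Null
}

# 3. Apply the settings described in the list above:
#    - only people in the organization skip the lobby; everyone else waits
#    - dial-in callers also wait in the lobby
#    - only the organizer presents by default (the "UserOverride" suffix means
#      an organizer can still change this per meeting in Meeting options)
Set-CsTeamsMeetingPolicy -Identity $policyName `
    -AutoAdmittedUsers 'EveryoneInCompany' `
    -AllowPSTNUsersToBypassLobby $false `
    -DesignatedPresenterRoleMode 'OrganizerOnlyUserOverride'

# 4. Assign the policy to a meeting organizer (placeholder address).
Grant-CsTeamsMeetingPolicy -Identity 'organizer@example.com' -PolicyName $policyName

# 5. Verify the values that are now in effect for the policy.
Get-CsTeamsMeetingPolicy -Identity $policyName |
    Format-List Identity, AutoAdmittedUsers,
        DesignatedPresenterRoleMode, AllowPSTNUsersToBypassLobby
```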
How Microsoft Protects Passwords
One of the reasons Zoom was so easy to set up was that it hadn’t been enforcing passwords. Microsoft considers identity to be the security perimeter (and the one most vigorously attacked by bad actors).
The login process for MSFT Teams is governed by Azure AD. Examples of how Azure AD can protect identities include:
- Admins can specify lengths/complexity of passwords.
- Security pros can scan their AAD tenants and determine which users have weak dictionary passwords.
- Hosts can be prompted for a second factor of authentication as they log in to O365, and conditions can be set to control access (e.g. if a login comes from a non-domain-joined PC from Nigeria, block access).
Support for End-to-end encryption
Without end-to-end encryption, it’s possible to intercept videoconferences. It’s no wonder controversy erupted when the UK government used Zoom for work-from-home conferences.
Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAuth, TLS, Secure Real-Time Transport Protocol (SRTP), and other industry-standard encryption techniques, including 256-bit Advanced Encryption Standard (AES) encryption, all Teams data is protected on the network. This comes from Microsoft’s Security and Teams page.
The UK government decided to share their Personal Zoom Meeting IDs in a screenshot, which violates Zoom’s advice to “Avoid using your Personal Meeting ID (PMI) to host public events.” Teams creates unique meeting IDs and won’t allow external conferees to eavesdrop on standing, virtual meetings.
Microsoft’s Trust Center defines the details of how MSFT will not share data with third parties. Only contracted “subprocessors” have access to customer data, limited to that for which MSFT contracts them. Each organization has controls to protect data from leaking through Teams.
A CompSci Professor at Princeton grabbed headlines by saying “Zoom is malware.” Enabling’s take is less brash. For organizations that are more concerned about security and productivity, Teams is the industry’s best solution. Teams and Zoom aren’t squarely in the same product category, since video conferencing is just one spoke attaching to Teams’ hub of communications.
As with any software decision, some tradeoffs must be made, but Teams users can rest assured that security is not an afterthought.
Postscript - Teams is also available in a new consumer version, https://www.microsoft.com/en-us/microsoft-365/microsoft-teams/teams-for-home for families/friends to use during shelter-in-place. All of the features mentioned above have not been vetted for the consumer version (nor consumer Skype).