April 24, 2020
remote work

Friction-Free Experience vs. Secure Access: Lessons From the "Zoombombing" Fallout

Corey Williams, Vice President, Marketing, Idaptive

The controversy and fallout from the widespread reporting of bad actors gaining access to Zoom meetings is just another example of the constant struggle developers and designers face in balancing a friction-free experience against secure access and privacy.


In the last few weeks, everyone has become familiar with "Zoombombing" — uninvited guests showing up in your Zoom video meetings with the sole intention of disrupting them, whether the purpose of the meeting is business, education or a virtual gathering of friends. There have been reports of hackers shouting angry and violent comments, and some sharing lewd videos and images. With the world struggling to adapt to a new reality, which for many involves working from home for an extended period for the first time in their professional lives, the last thing anyone needs is additional headaches piled on by malicious individuals simply because they can.

The challenge stems from the fact that Zoom meetings have default settings geared toward user convenience and a frictionless experience rather than security and privacy. Hackers are able to guess at Zoom URLs and gain access with minimal barriers in their way. There are security measures in place within Zoom, but they aren't enabled by default, and most users aren't even aware they can set a meeting password, disable joining before the host arrives, or place all new guests in a virtual waiting room until the host approves them. Additionally, with Zoom going from a primarily office-based system to a global social outlet practically overnight, these problems were amplified.
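As an added illustration of the three controls named above (not code from Zoom or Idaptive), the following Python audit flags a meeting left at its convenience-first defaults and returns a hardened copy. The field names `password`, `settings.join_before_host` and `settings.waiting_room` are assumed to mirror Zoom's meeting-settings object, and the sample configuration is constructed.

```python
"""Audit a meeting configuration against the three controls the post names:
a meeting password, no joining before the host, and a waiting room.
Added example, not Zoom's or Idaptive's code. Field names (password,
settings.join_before_host, settings.waiting_room) are assumed to mirror
Zoom's meeting-settings object; the sample configuration is constructed."""
import secrets
import string
from copy import deepcopy

# Each control: the value that closes the gap, and what is exposed when the
# convenience-first default is left in place.
CONTROLS = {
    "join_before_host": (False, "guests can open the meeting with no host present"),
    "waiting_room": (True, "guests join directly instead of being screened by the host"),
}

def audit_meeting(meeting: dict) -> list:
    """Return one finding per control still at its convenience-first default.
    A missing key is treated as the weak default, which is how the post
    describes Zoom behaving out of the box."""
    findings = []
    if not meeting.get("password"):
        findings.append("password: a guessed meeting URL alone is enough to join")
    settings = meeting.get("settings", {})
    for key, (expected, exposure) in CONTROLS.items():
        if settings.get(key, not expected) != expected:
            findings.append(f"{key}: {exposure}")
    return findings

def random_passcode(length: int = 10) -> str:
    """Generate an alphanumeric passcode with a CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def harden_meeting(meeting: dict, passcode: str = "") -> dict:
    """Return a copy with all three controls enabled; the original is untouched."""
    hardened = deepcopy(meeting)
    hardened["password"] = passcode or random_passcode()
    hardened.setdefault("settings", {})
    for key, (expected, _) in CONTROLS.items():
        hardened["settings"][key] = expected
    return hardened

# Constructed sample: a meeting created with convenience-first defaults.
DEFAULT_MEETING = {"topic": "Weekly sync", "settings": {"join_before_host": True}}

if __name__ == "__main__":
    for finding in audit_meeting(DEFAULT_MEETING):
        print("finding:", finding)
    print("after hardening:", audit_meeting(harden_meeting(DEFAULT_MEETING)))
```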

Zoom CEO Eric Yuan immediately issued an apology and said the company was working fast to address the concerns. His choice of words in his response was particularly significant. While acknowledging that default security measures were overlooked, he also said Zoom's "intentions are good." It is worth noting that this isn't the company's first run-in with security problems — Zoom stirred up controversy with a macOS auto-installer that bypassed typical user interactions to make the install experience more seamless than most other software. These choices, and this "Zoombombing" situation, highlight an issue that is a much bigger industry challenge, and has been for a long time.

UX vs. Security

Steve Jobs made Apple into the most valuable company in the world with the ability to surprise and delight customers. The goal of productivity applications like Zoom is to surprise and delight users with an unexpectedly seamless and easy end-user experience. Users flock to a convenient and frictionless user experience, which in turn often leads to mass adoption. In the race to make things seamless for people, there is a constant tension between limiting "friction" — how many steps it takes to gain access to an application — and enforcing security. It is interesting to note that Zoom was founded by Yuan and other former WebEx engineers with the express intention of creating a more user-friendly video conferencing experience. It wasn't that they weren't aware of the potential security issues; it was that they made a conscious choice to weigh things more heavily on the side of a great UX.

So when Yuan says their "intentions are good," he's right. Zoom had good intentions to improve the user experience, but the results were inevitably going to be unbalanced. It wasn't that they were caught unaware by the "Zoombombing" phenomenon; it was that the practice exploited the seams where Zoom opted for convenience and accessibility over stringent security, and at a time when the platform was experiencing a surge in use among individuals rather than businesses. They are far from alone in this; in fact, it's a constant struggle for most interface design. Driving innovation sometimes means sacrificing either the user experience or security. Neither is a preferred choice, but it's a choice that must be made.

Striking the Right Balance

Fortunately, trying to find some balance between frictionless access and security is exactly what we at Idaptive do in our quest to provide organizations with Identity and Access Management solutions. As our CEO Danny Kibel writes, there are "two extremes" when it comes to security. "On one end, you can unplug everything from the internet, while constantly requiring physical and digital verification. That's maximum security, but it's also maximum inconvenience. On the other side, you can create a totally frictionless user experience, but leave your employees and systems completely exposed to malicious actors." Zoom, and others, felt strongly that they should bet on the intended users first, and hope that the malicious actors would be minimal.

We see concepts like biometrics, behavioral signals, and other contextual data as being key to finding some sort of balance. We envision a "Zero Trust," passwordless future where applications are able to consider a multitude of factors to recognize authorized users and identify risk — not with simple passwords, but with device usage tendencies, location, past behavior, and even typing particularities. The applications "know" you and can understand what is abnormal or suspicious without having to add newer and more stringent gates between the user and the application.

While the headlines were quick to paint Zoom as being caught with their proverbial pants down over "Zoombombing," the truth is that the company set out with a clear and positive objective — and succeeded enormously — but had to make tough choices along the way. Not even five years ago, users (especially in the US) greatly valued convenience over privacy and security. But since the last US presidential election, the winds have dramatically shifted (likely sparked by the Cambridge Analytica/Facebook scandal and Russian election interference). Zoom didn't shift with the times, and what was their greatest strength — ease of use — has become their unexpected Achilles heel.

No one anticipated a global pandemic forcing hundreds of millions to suddenly have to figure out how to work or run classrooms from home. Unfortunately, times of chaos sometimes open doors for the opportunistic. What we have here is a lesson for all developers moving forward. We need to bridge the gap between user experience and security. Perhaps being forced into it by unforeseen and extenuating circumstances will give us the impetus for giant leaps forward. Now if you will excuse me, I am late for my Zoom meeting...


Corey Williams, Vice President, Marketing, Idaptive

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify, where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO), Adaptive Multi-factor Authentication (MFA), endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

While at Centrify, Corey defined and brought to market seven net-new product offerings, directly contributing to the growth of the existing customer base from fewer than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports, including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods).

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University.

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”