Partnerships

BSI recognizes the first DIN SPEC for video communication as a new product category of the IT Security Label

The security standard developed by Zoom together with Microsoft, alfaview and TeamViewer creates transparency and security for consumers


Updated on April 29, 2024

Published on March 26, 2024


The German Federal Office for Information Security (BSI) has published a new product category "video conferencing services" for the IT Security Label. The BSI officially announced this new category in the Federal Gazette on Friday, March 15.

Zoom is particularly pleased that the basis for the new IT Security Label product category is DIN SPEC 27008. Zoom developed this DIN SPEC together with Microsoft, alfaview, and TeamViewer and published it in January 2024.

Robert Graham, Customer Security Assurance Lead in the EMEA region, says: "The recognition of the DIN SPEC as a technical security requirement for the IT Security Label is a milestone for consumers. Essential security features of labeled video conferencing services can now be recognized at first glance. The promise of IT security becomes even more transparent and enables discerning users to make an informed purchasing decision. At Zoom, we are particularly proud that our industry initiative has succeeded in laying the foundation for this new IT security label product category for which we are currently in the application process."

With the new product category of video conferencing services, consumers can now better assess providers’ security in this area. The security features of the products are presented in an understandable way. For example, the label of the IT security certification contains a link and a QR code that users can use to access the product-specific information page at the BSI. Here, they receive information about the duration of the label, the security features of the service, and current status information, e.g. whether a vulnerability is known or an update is available.

Providers of video conferencing services can apply for the voluntary security label from the BSI. To do so, their services must meet the requirements of DIN SPEC 27008. Should vulnerabilities arise, updates must be provided quickly. The label is issued for a period of four years. Compliance is checked by the BSI throughout the term.

Background:

In 2022, Zoom launched a DIN SPEC initiative for video conferencing services and, together with Microsoft, alfaview, and TeamViewer, defined security criteria from the consumer’s perspective. These guidelines serve to minimize risks to users' information security and privacy. The criteria include appropriate update management, up-to-date encryption technologies, transparency during the video conference (e.g. about who is connected), appropriate password requirements, secure authentication mechanisms for account protection, and secure data center operations.

Q&A

1) Why is the Certification of IT Security for Videoconferencing Providers a milestone for consumers?

While enterprises often devote significant resources to validating the security of their various providers, for numerous reasons, this isn't always an option for consumers. Nonetheless, consumers are more security savvy today and expect their providers to have the relevant security measures in place. This certification, designed specifically for consumers, gives them reassurance that the provider has met exacting security standards for videoconferencing.  

2) To what extent is the Certification of IT Security for Videoconferencing Providers reliable and impartial assurance? 

This certification was developed by an industry working group, represented by numerous videoconferencing providers. Each contributed significant security and compliance expertise in the process. As such, consumers can be confident that the certification is representative of the current market offerings and state-of-the-art security available today.

3) Why is consumer security so important to Zoom and why did it spearhead the DIN SPEC 27008 initiative?

Zoom takes information security very seriously. Our customers can and should expect that we protect both their data and the Zoom platform. Certifications like the DIN SPEC 27008 are the best way for customers to gain peace of mind when it comes to security in videoconferencing.

4) How did the collaboration with the BSI come about?

Videoconferencing and virtual collaboration are indispensable for businesses and consumers alike. That's why Zoom and other name-brand providers saw a need to help consumers validate and compare security protections offered in the marketplace through the DIN SPEC 27008. But in order to properly validate adherence to this important standard, it's essential that firms have a way to perform that validation through consistent and high-quality testing. BSI brought this piece of expertise to the process, having already published security labels for other product categories like email services and broadband routers.
