Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0

Robust Security Enhancements Include Support for AES 256-Bit GCM Encryption

Today we announced robust security enhancements with the upcoming general availability of Zoom 5.0, a key milestone in our 90-day plan to proactively identify, address, and enhance the security and privacy capabilities of the Zoom platform. By adding support for AES 256-bit GCM encryption, Zoom will provide increased protection for meeting data and resistance against tampering. “I am proud to reach this step in our 90-day plan, but this is just the beginning. We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform,” said Eric S. Yuan, CEO of Zoom. "When faced with questions over security and privacy, Zoom reacted quickly and very publicly to the challenges, including their CEO holding weekly public security briefings," notes Wayne Kurtzman, IDC Research Director for Social, Communities, and Collaboration. "Zoom was also quick to take actions on changing the defaults that helped address meeting privacy concerns, as well as setting a 90-day plan for deeper actions, and communicating it publicly." “We take a holistic view of our users’ privacy and our platform’s security,” said Oded Gal, CPO of Zoom. “From our network to our feature set to our user experience, everything is being put through rigorous scrutiny. On the back end, AES 256-bit GCM encryption will raise the bar for securing our users’ real-time content in transit."

• 256-bit AES-GCM encryption: Zoom is upgrading to the 256-bit AES-GCM encryption standard, which offers increased protection of your meeting data in transit and resistance against tampering. This provides confidentiality and integrity assurances on your Zoom Meeting, Zoom Webinars, and Zoom Phone data. Zoom 5.0, which is slated for release within the week, supports 256-bit AES-GCM encryption, and this standard will take effect once all accounts are enabled with 256-bit AES-GCM. System-wide account enablement will take place on May 30.
• Data routing control: Zoom lets customers make choices about the Zoom data center that will be used for processing certain customer data when a customer with a paid account hosts a meeting or webinar. Account owners and admins on paid accounts can, at the account, group, or user level, opt in or out of specific Zoom data centers that will be used for the processing of participants’ real-time meeting and webinar video, audio, and shared content during the hosting of meetings and webinars.

• Security icon: Zoom’s security features, which had previously been accessed throughout the meeting menus, are now grouped together and found by clicking the Security icon in the meeting menu bar on the host's interface.
• Robust host controls: Hosts will be able to “Report a User” to Zoom via the Security icon. They may also disable the ability for participants to rename themselves. For education customers, screen sharing now defaults to the host only.
• Waiting Room default-on: Waiting Room, an existing feature that allows a host to keep participants in individual virtual waiting rooms before they are admitted to a meeting, is now on by default for education, Basic, and single-license Pro accounts. All hosts may now also turn on the Waiting Room while their meeting is already in progress.
• Meeting password complexity and default-on: Meeting passwords, an existing Zoom feature, is now on by default for most customers, including all Basic, single-license Pro, and K-12 customers. For administered accounts, account admins now have the ability to define password complexity (such as length, alphanumeric, and special character requirements). Additionally, Zoom Phone admins may now adjust the length of the pin required for accessing voicemail.
• Cloud recording passwords: Passwords are now set by default to all those accessing cloud recordings aside from the meeting host and require a complex password. For administered accounts, account admins now have the ability to define password complexity.
• Secure account contact sharing: Zoom 5.0 will support a new data structure for larger organizations, allowing them to link contacts across multiple accounts so people can easily and securely search and find meetings, chat, and phone contacts.
• Dashboard enhancement: Admins on business, enterprise, and education plans can view how their meetings are connecting to Zoom data centers in their Zoom Dashboard. This includes any data centers connected to HTTP Tunnel servers, as well as Zoom Conference Room Connectors and gateways.
• Additional: Users may now opt to have their Zoom Team Chat notifications not show a snippet of their chat; new non-PMI meetings now have 11-digit IDs for added complexity; and during a meeting, the meeting ID and Invite option have been moved from the main Zoom interface to the Participants menu, making it harder for a user to accidentally share their meeting ID.

Many of the above features are available today. Report a User and our new encryption standard will be supported in Zoom 5.0, releasing within the week. To update your Zoom app, please visit zoom.com/download or update within the client. For more updates on the Zoom’s progress on its 90-day plan, please subscribe to the Zoom blog at the top of this page or bookmark blog.zoom.us.

Editor’s note: This blog post was edited on Aug. 2, 2021 to include the most up to date information on Zoom encryption.

Editor’s note: This blog post was revised on 4/20/2023 to include the most up to date information on our data routing control feature.