Zoom Taps Okta to Bring Zero-Trust Cybersecurity to Videoconferences

Okta and Zoom today announced an integration through which cybersecurity administrators will be able to centrally manage end-to-end encryption across the Zoom videoconferencing platform.

Okta Authentication for End-to-End Encryption (E2EE) uses the Okta identity and access management platform to authenticate an attendee’s identity via email, so that organizations can ensure zero-trust policies are enforced.

Zoom account administrators can enable Okta Authentication for E2EE in the security tab of the Zoom web portal. Once the Zoom account admin has enabled this feature, a meeting attendee can share their identity by turning on the feature in their individual settings. Depending on the setting, those users may get verified automatically or be redirected to the Okta web page to finish authentication with their login credentials for two-factor authentication.

Once a meeting attendee is authenticated, a blue shield with a lock will appear next to their name in the meeting participant list. Anyone participating in the meeting can hover over the icon to see a card that displays authenticated information about that person, including their company domain and corresponding verified email address.

Chris Niggel, chief security officer (CSO) for Okta, said that while Okta Authentication for E2EE will prevent unwanted individuals from guessing Zoom invites to hack into video conferences, also known as Zoom bombing, this capability should prove more crucial in the months ahead as cybercriminals become more adept at employing generative artificial intelligence (AI) platforms like ChatGPT to launch phishing attacks that compromise user credentials.

The overall goal is to provide organizations with frictionless methods for enforcing zero-trust policies in a way that doesn’t disrupt meeting workflows, noted Niggel.

A recent Okta survey found 97% of respondents are working for organizations that have a zero-trust initiative in place or would have one in place in the coming 12 to 18 months. The challenge, of course, is that zero-trust can’t be achieved by merely acquiring a new cybersecurity platform. Organizations need to craft cybersecurity policies based on identity that can then be consistently enforced across an enterprise. Zero-trust is more a way of thinking about cybersecurity than a platform that can be installed.

Regardless of approach to zero-trust, each organization will need to make a transition to identity-based cybersecurity at its own pace. Not every organization has the resources required to implement zero-trust policies overnight, but as external services such as Zoom enable these types of capabilities, the task should become easier. In fact, organizations may soon want to evaluate the level of cybersecurity being enabled by providers of these services more critically. Many of these services were initially selected by business units that generally lacked an appreciation for cybersecurity concerns.

In the meantime, use of Zoom and other services both inside and outside of the office is only going to continue to increase. More employees may be returning to the office, but many are also continuing to work remotely on more days than they did prior to the COVID-19 pandemic. The issue now is finding a way to ensure zero-trust policies are enforced no matter where a given end user is physically located.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.