Zoom for Government enhances security with a Red Hat platform

Zoom Video Communications, Inc. (Zoom) is a globally recognized communications technology company, innovating since 2011. Beginning as a video communication solution, it has grown to offer much more, such as Zoom for Government. To help meet the Federal Risk and Authorization Management Program (FedRAMP) and the Department of Defense’s (DoD) stringent security requirements, Zoom runs this platform on Red Hat Enterprise Linux (RHEL). The company also relies on Red Hat Ansible Automation Platform and Red Hat Satellite for much of its infrastructure automation, compliance functions, and deployments.

Benefits:

• Met FedRAMP and DoD requirements
• Enabled efficient use of internal resources
• Implemented reliable and intelligent whitelisting for improved security

Communications technology and, more specifically, video meetings have become irreplaceable for business purposes and personal use. Even before the COVID-19 pandemic—when Zoom was one of the most downloaded mobile apps in the world—video conferencing was responsible for the impressive growth of the industry. 

Zoom has been innovating and growing to match the market’s demand for many years, which resulted in new offerings such as Zoom for Government. But the company needed an underlying operating system that would help it secure the necessary accreditations and fulfill the compliance requirements involved in the FedRAMP DoD adjudication processes. 

“In the short term, our goals are pretty simple,” said John Keese, Head of Technology Compliance at Zoom. “We want to tick all the boxes in our continuous compliance cycles required by FedRAMP and DoD Security Requirement Guidelines. It means that nothing we introduce to the environment is going to corrupt the control basis that we operate under. We are also continuously monitoring vulnerabilities in our Zoom for Government operating system (OS), images, containers, and tech stacks. Managing vulnerabilities to very short service-level agreements (SLAs) is a challenge and something that is reportable to FedRAMP and the DoD every month.” 

Going forward, Zoom will continue to scale up and reduce complexity in its software development lifecycle (SDLC). Automation and a stable Linux operating system are crucial to meeting FedRAMP and DoD requirements—both now and in the future. 

Zak Peirce, Head of Data Center Operations at Zoom, had no doubt about using Red Hat solutions. “I’ve always been a Red Hat guy,” said Peirce. “I’d choose Red Hat as my enterprise platform of choice to run a solid enterprise system.” 

According to Keese, Zoom and the U.S. Government recognize Red Hat Enterprise Linux (RHEL) as the Linux version of choice. To put itself in the best position to enter the DoD Contrail Service Orchestration space, Zoom for Government deployed Red Hat Enterprise Linux as the foundation of a consistent, stable, and high-performance platform across hybrid cloud deployments. Importantly, the Red Hat-based platform also supports applicable Security Technical Implementation Guides (STIG).

In addition to Red Hat Enterprise Linux, the company relies on Red Hat Ansible Automation Platform for much of its infrastructure automation, compliance functions, and deployments. It also employs Ansible STIGs to secure its systems even further and support simplification.

“We rely quite a bit on Red Hat servers, which means we don’t need a separate active directory server. So, we can have fewer servers connected to the Internet because we can have them within our security boundaries,” said Peirce. This is also true for Red Hat Satellite and Red Hat Enterprise Linux identity management (IdM) services that help Zoom keep its servers inside its boundary. 

How Zoom meets FedRAMP and DoD requirements

Red Hat puts a great deal of thought into FedRAMP and DoD compliance as part of its development process to help Zoom for Government achieve compliance. “Red Hat touches almost every base that we are required to implement for a U.S. Government environment and makes doing that easy. I use it because it’s the de facto standard. There’s quite a great deal of caring on FedRAMP and DoD requirements, and that's just part of the process of developing well,” said Ryan Kimbrell, Senior Cloud Operations Engineer at Zoom.

At Zoom, security is paramount, and the company uses sophisticated tools to secure its infrastructure, including DISA STIG. According to Kimbrell, the Red Hat publication of its DISA STIG Ansible playbook allows Zoom to run it across everything. “The playbook gets us probably 80% of the way to DISA STIG compliance,” said Kimbrell.

Small things also make a big difference. The resources on the Red Hat website, including the Common Vulnerabilities and Exposures (CVE) database and the Red Hat security advisory (RHSA), are invaluable when working with the U.S. Government. “Every week we have to do security scans against every system in the environment,” said Kimbrell. “And those scanners list vulnerabilities in packages that are on the operating systems. Any time that occurs, we can immediately go to the Red Hat site, and get full explanations of the vulnerabilities, which help determine if we’re affected. Nobody else does that for other Linux distributions. It would quickly become a nightmare trying to run a production government environment without it because we would have to do all that research every month ourselves.”

Additional FedRAMP and DoD compliance and security requirements are fulfilled thanks to Red Hat IdM capabilities, which are used for group management, user management, and multifactor authentication. This ultimately helps Zoom meet its controls, while Red Hat Satellite adds another layer of security. “It provides us with the ability to see what our environment is doing before our security scanner,” said Peirce.

When providing the U.S. Government with communication tools, it is vital to provide security and align with all the necessary requirements and regulations. Zoom for Government can do that. “Compliance is nothing but discipline. And Red Hat has the discipline that we need,” said Keese.

Enabled efficient use of internal resources 

The DoD has stringent controls for application whitelisting. When Zoom began working with FedRAMP and the DoD, it discovered that the tool the DoD used for whitelisting was very expensive and ran on an operating system that Zoom didn’t want to introduce to its space. The solution was a RHEL 8 feature—file access policy daemon (fapolicyd), a user space daemon that determines access rights to files.

“It allowed us to avoid the acquisition of the tool the DoD was using, the introduction of another operating system, and hiring new staff to run it,” said Keese. “And more recently, we were able to remove a file integrity management tool (FIM) that we had in place and realize some cost-savings.” Peirce added that the fapolicyd feature in Red Hat Enterprise Linux helped Zoom meet compliance requirements while reducing constraints on infrastructure and staff, making the operation more efficient and cost-effective. 

What’s more, Red Hat IdM helped Zoom save on licensing from third-party providers. By sticking to one toolset, Zoom has realized cost savings and simpler operations. 

Kimbrell calls whitelisting an “automatic scheduled outage in every system.” This is because when updating systems, users tend to accept everything without much review. This is another situation where fapolicyd shines and helps the company provide a more secure environment. 

“With fapolicyd, we can run the daemon in a very good debug mode, and it tells us exactly what’s getting denied and why, which allows us to make good decisions on what to allow,” said Kimbrell. “And it’s easier to manage than other application whitelisting solutions.”

Zoom for Government relies on Red Hat Enterprise Linux and other Red Hat tools to ensure the regular adjudication process runs smoothly, with Red Hat involved in almost every step of the process.

Peirce commented that he finds the entire ecosystem useful. “I know that when I update IdM, it’s going to work with my Red Hat systems. I know that when I update the System Security Services Daemon (SSSD) agent, it’s going to work. And then the ability to use Red Hat Satellite to host those packages, keep my systems up to date, and manage the exact packages that go onto my systems helps me test my systems and make sure that the development stage and production are the same. All the pieces help us to run our operation.”

And to continue with the smooth operation, Zoom has started using Red Hat Ansible Automation Platform, helping the company be more efficient and deploy applications faster in a more uniform way.

With Zoom’s plans for continuous improvement, Red Hat is a trusted companion that will accompany the video communications provider on its journey, and there seems to be no sign of stopping.