Status Update

Apr 14, 2020

Hi, folks. Thank you very much for joining our webcast. We are living through some very extraordinary times, and all of us are having to learn to adapt of working from home, playing from home, and essentially just continuing life with some modicum of normalcy. Video collaboration has played an incredible role, and I'm very proud of the 8x8 team as well as the Jitsi open source community. We have seen incredible adoption of our video product from a few 100,000 monthly active users to well north of 11 and a half million as of last night. That is absolutely incredible, and we're very pleased that we're making a difference in the way how you live, work, and play. What we wanna talk about today is the next step in that evolution. What we wanna discuss is Intuit privacy and security. And as part of that, what we will be talking about today is we will have Ray, who will represent the industry and will be bringing up all the practical challenges and needs of that industry. Emil Iwab, who is the inventor of Jitsi, as well as the head of video collaboration at 8x8, will talk to you about two offerings. One is a paid offering, which is designed much more for what small businesses and enterprises need, as well as end to end encryption, which we release the origin the design spec to the Jitsi community, and we are vetting it with them to get their feedback and comments. And we encourage your feedback and comments so we can evolve that into a product. In addition to that, Dan Deklek, who is our chief product officer, will talk to you about how we design our products from a from privacy and security perspective and also talk to you a little bit about our road map. Then finally, Michael Armour, who is our CISO, will spend some time on practical tips so that we can ensure that video collaboration for you is private and secure. Video has made an amazing difference in all our various lives. We have stayed connected at a time when we are all socially distant. We've been able to preserve the social in social distancing. But it's absolutely imperative to ensure that we're meeting people's expectation of privacy and security, and we wanna work with you and partner with you to continue on this journey. The Jitsi open source community has been an incredible source for us, and their brainpower as well as their feedback has been absolutely critical in evolving our products to get them to the next level. We encourage you all getting involved to help us help you get the products you deserve so that you're able to continue to be effective working from home, playing from home, and frankly living through these very turbulent times. And with that, let me turn it over to Ray. Ray, it's all yours. Hey, Vic. Thanks a lot. This is really exciting. Thank you so much, everyone, for joining today's webcast. I'm Ray Wong, the CEO of Constellation Research, and I'm going be talking about one of the hottest topics topics that's going on in this market. It is working from home. It is the point of video security. And it's my honor to be joined by Emil Evof, the founder of the Jitsi Org project, and more importantly, the head of product for eight by eight video meeting. I'm be joined by him. I'm also gonna be joined by Dan Deklitsch, the chief product officer at eight by eight, and Michael Armour, who's the CISO, chief information security officer, who's gonna be talking about a lot of interesting things about how they keep things safe and the perspective of what a CISO does. Now we're gonna be going deep on the practical point of video security, learning how eight by eight and Jitsi are basically addressing the need for secure video meetings. And it's much more important. It's talking about getting a clear perspective and understanding what are the key attributes of a secure video platform. But more importantly, we're gonna talk about what is the right solution for the right scenario. So, Emile, let's start out with you. As many of us know, Jitsi has started to gain a spotlight around the world. Lots of downloads. We'll talk about that. But how did this thing start out? You did this at the beginning as a college kind of project. Oh yeah. Those were the days indeed that started in 2003 at the University of Strasbourg. And a lot has changed since because it went from being a PhD validation tool to a community, to a startup, to end up here now at 8x8. So there is one thing, however, that hasn't changed all these years, and that's an unwavering commitment toward the open, the open source, open standards. We've always been community oriented and we're fortunate 8x8 fully supports these efforts and sponsors the project and its reference platform. So there are hundreds of contributors today that are helping us with it. There's a tens of thousands of adopters that are running their own, platforms that are running millions of users. And all these people are interested in private and secure video meetings, whether it's online platforms like Wisku or companies like Comcast or bank messaging platforms, or of course 8x8's video meetings that are also powered by GTN have more than 10,000,000 monthly active users these days. So almost every industry has been touched by this. You're saying telco, banking, financial services, and you just set records for downloads. Tell us about that in terms of monthly active users as well. Yeah, indeed. That's 10,000,000. We're happy to be able to help all these people in these tough times. Now with that many users, there's a massive concern about video security, video meeting security. What is the root of all this? Is this just media hype, sensationalism, people are just worried about to make a big deal out of it? Or is there some serious issues behind this? Well, you know, Ray, you can I think you can think about this as, lightning strikes? So that's that's a good example. I think you can absolutely go on with your life and, thinking that one will never strike you. And most people won't ever be struck by a lightning, but overall, many people do, get struck. And when they do, the consequences to their lives are dramatic. And, so countries around the world just came and looked with these regulations to make sure that homes and citizens are protected. So it's sort of the same thing here. Most people will never be targeted by attacks on their meeting content, but overall many will be. So so this is especially important in periods like now where, well, frankly, everyone is having meetings online. So you wanna make sure you reduce the impact, as much as possible. Enterprises would want to make sure that their employees and that their data is safe. So, this is where we come in. So what does that really mean though? Right? How do you go about securing video meetings correctly? Like do people even notice or do they only notice when it doesn't go well? So in many ways really, security is just a cornerstone of everything that you have to do. And so we make sure that we use the right standards. Everything that leaves the user's machine is always encrypted. In our case, using VTLS SRDP as mandated by the WebRTC stacks. And, and that's great. I mean, industry proven standards that protect all data on the network. That's great. But very excitingly, we're also making great progress on end to end encryption so that we can deny ourselves access to actual meeting content. And I'll talk a little bit more about that in a second, but something that is very core to us though, is that being an open source tech, anyone can see with their own eyes what we do and how we do it so they can verify that the levels of protection that they get are to their satisfaction, just so that there are no surprises later. You know, you say you're doing this, but it turns out you weren't. So I think you only get that when you're fully open. So, so that is subpar encryption. Okay. You know, it feels really tempting to ask that question. Doesn't it? People are like, come on, do I really need to be safe all the time? And when you think about it, you'll say, you probably wanna say something like, well, this is just a conversation between a friend of mine and me. Does it really need to be protected? And then have you ever really not told a friend anything confidential? Of course, you'd want it protected. But then you go, well, how about a pub meeting? Is that can I maybe keep that open? And, yeah, there are a bunch of conversations that happen in virtual happy hours that you absolutely don't want out there. So then you're like, okay. Fine. But public speaking, that should be fine. Right? Because there's nothing that you you would wanna protect there. And you're right. Maybe you have nothing to protect when you're when you're when you're emitting a a public broadcast, but the people who are receiving it, they might want to protect the fact that they're participating in that meeting. You know, it might be compromising for them. They might be living under an oppressive regime or, or they might be having problems with their employer or something. So, so really when you come to think of it, there's absolutely no case where you could just draw a line and say, yeah, I don't need encryption for that case. I don't, I don't think that that that such a case exists at all. So you're basically thinking about the spectrum that's required for security requirements to secure these meetings correctly. So how do you go about doing that? How do you secure video meetings the right way? Yeah, thank you. As I said earlier, we're really passionate about this thing. We think it's really time for the industry and the community to come together and to solve the need for true end to end encrypted video meetings. Meetings where the service provider simply doesn't have access to the content. The WebRTC team at Google have just greatly helped us by releasing new APIs. So that allowed us to take a first stab at the problem. And there are still things that need to be solved, we're still working on, things like key management, exchange and and all these. But we really, really like how this is shaping up. So why don't we have a look at this video? So you've been doing this for twenty years through Jitsi as and now as the head of products for eight by eight video meetings. I'm kinda curious of what your product road map is. What are you working on? What's happening there? I mean, we're nine years post WebRTC. It's solid, and there's still a lot of innovation. So tell us about that. Yeah. So, so let's talk about eight by eight video meetings indeed. It's, first of all, it's important to say that eight by eight video meetings consumes the open source Jitsi technology, just like anyone out there. So we just download the same Debian packages and and then we bundle them with the necessary layer of additions that end up building eight by eight video meetings. We launched eight by eight VC last fall. It's based on all of these on all this technology. And today we're announcing eight by eight video meetings pro. So this is where we will be focusing on solving some of these things that we cannot address in our free and anonymous platform. So this is a platform where we'd be able to leverage notions of identity and moderation control. And we think people will really like where we're going with this. So so, Neil, that's amazing. Right? We basically now have the ability to take, you know, a pro platform that's enterprise grade, the open source community that's involved in here as well, and bring all these things together. So let's take a moment and talk about what's happening with security. Dan, your pedigree is like security at scale. It screams Splunk. It screams big companies that have to think about security in ways that not everybody has to worry about, and you're taking care of that. And as part of this, you're figuring out how to evolve the infrastructure to handle not just security, but scalability. Tell us what you've learned and what's critical to success. Absolutely. Look. I always tell people, think about the security and the system as a large cake. It's the bottom of the cake that holds everything up, and that is the key for us going forward. There are three parts to our cake. The bottom of the cake is the infrastructure. Your infrastructure has to be secure, it has to be scalable, and so on and so on. In the middle sits the platform, which in our case is the X Series platform, And on top of the platform, you build the applications. All of these three parts of the cake have to come together in a logical, tasty way in order to allow you to build the solution that the customers will love as well as the solution that will scale to worldwide scale. So in the last couple of months, we have done an enormous amount of work looking at all the different layers of our technical stack. So at the bottom, we decided that we need infrastructure which is highly elastic, scalable, and we wanted something that is secure and ready for both government and enterprise workloads from the scratch. So as such, we selected Oracle Cloud as the core infrastructure on which we run. We are now in the process of moving Jitsi as well as eight by eight video meetings to run on top of the Oracle Cloud. Worldwide availability of Oracle Cloud was a key for us as well as their ability to secure the workloads from scratch. Our platform, the X Series platform, was built from day one over the last, oh, god knows, three, four years with encryption, compliance, and security in mind. The key with the platform such as X is that you abstract all the complicated and difficult things for your generic engineer. Right? You want the scale, data access, data modification, deployment, management, configuration. You want all of that to be pushed into the platform so that the engineers don't have to worry about it. Through that, you are actually able to build the system that scales to worldwide scale, is secure, and can work worldwide. So to give you an example, on top of the platform, we added functionality such as our video, which then resulted in the eight by eight video meetings product or CPaaS. CPaaS stands for communications platform as a service, which we use in Asia to power various Uber like services in Asia. The application stack then allows you to build the applications, but the applications themselves are easier to build because the engineers don't have to worry about all the functionality provided by the platform and infrastructure. So the time is spent on building the business logic and not your global configuration service or something like that. So I understand how you're thinking about security. Now the question is, what are you doing to support and scale it? More importantly, what about user experience? What are examples that you're developing with that you have in mind too? Right. That's the part that engineers never really want to talk about and they imagine it happens on its own. So look. At at eight by we we have some very interesting use cases for the UX team to deal with. I think at eight by eight, it's implied, but not necessarily obvious, that the speed and velocity with which a task can be executed is at the core of what the UX team is thinking about. Right? There are multiple angles to the UX and user's experience here. One is the ease of use for a user. Right? You as a user don't wanna randomly move your mouse all over the screen and keep you know, spend minutes clicking around on things that don't make any sense. The administrator in the enterprise has a completely different set of use cases. The administrator's job is at some point in time, eight by eight system will be deployed across your enterprise. It is your job as the administrator to make sure that it's done intelligently, cleanly, and to delight your end users. So it's our job at 8x8 and part of the UX team to think about how do we empower you, mister or miss admin, with the tooling, documentation, and services that you need in order to propagate 8x8 products through your enterprise. So ease of use is the key at eight by eight. Right? I I always get frustrated when I see enterprise applications which are clunky and old and nasty old interfaces. I want enterprise apps That's horrible. Exactly. Right? I mean, we we are in the twenty first century. The enterprise apps should be as easy to use, as clean, as simple as any of the consumer apps. So the UX teams always have multiple ways to skin the cat. Right? And they have to choose what matters for which user. The ability to perform a task quickly, simply, and easily is the key. And to me, our eight by eight meetings product that we are just launching is an excellent example of this. Think of it this way. It starts from the moment you get the link inviting you to a meeting. There is no download. You don't need to get anything. You don't need to configure anything. You click on the link and voila, you are in a meeting. There are several buttons, one to share the screen, one to talk to people, and so on and so on. Super simple, super clean, and I I love to talk about eight by eight video product as the example how UX should be done simply because it's clean, simple, and very modern. Okay. So like the adage we talk about faster, better, cheaper, you only get to choose two. You're actually doing something very interesting. You've got security, scalability, and UX. So really appreciate it. Thanks for sharing your point of view here, and Dan, and explaining how your teams are thinking about scalability and security without scalability without compromising security. Let's dive deeper on the point of security. One of the hardest jobs is getting testing right. And Michael, as a CISO, what are some of the key cybersecurity issues you see across the industry? And more importantly, what is keeping you up at night? Yeah. You know what, Ray? There is a lot going on in our industry right now. I feel like I haven't slept in a year. You know, one of the things that that, you know, is front and center is the fact that virtual meeting usage has exploded over the past eight weeks. Just a few weeks ago, you know, we had a few 100,000 active users use on eight by eight meetings. Now we have over 10,000,000. Absolute explosive usage. So that's been great from a business point of view. Now the downside to that is that the hacker community has taken notice, and this is the community that's been looking for a new attack surface to exploit for some time, and they've actually found it. They found it in the virtual meeting space. Now the FBI and other credible sources, have identified four key kind of product exploits that are of concern. The first involves meeting hijacking. Right? This is where somebody slides into your meeting unknown. They may drop expletives. They may drop content in. Certainly, that's an issue. Second involves the camera and microphone takeover. Right? This is where somebody, you know, shows up surreptitiously, and they record you without your knowledge. Definitely a privacy concern there. Third, you know, we've got a situation where some products have been disclosing personal information to unauthorized third parties. And then fourth, and lastly, you know, there's been communications intercept. You know, I'm thrilled to hear that, you know, Neil and others are talking about true end to end encryption. Right? And that will address that last particular risk factor. You know, protecting ourselves against known exploits and and future exploits that are probably still yet to come And, you know, staying focused on protecting our customers is really what's keeping me up at night. K. So not to put you on the spot, but have you guys been affected by any of these four areas in terms of the attacks? Yeah. You know what? I'm pleased to report that eight by eight meetings has proven resilient, to these known exploits. And that's not by chance. That's not by luck. I mean, there are two key factors that contribute to why our product has remained resilient. Number one, you know, the eight by eight meetings is powered by Jitsi, and the technology stack has been hardened by the Jitsi open source community. I mean, that's first and foremost. Secondly, the product's been built from the ground up with security and privacy in mind. This isn't a product that's been retrofit, you know, post build for security and compliance. It's been built from the ground up with security in mind. And, you know, for that reason, the product has demonstrated resilience in these really uncertain times. No. That's amazing. And you've got some great standards there that are required by standard bodies for the federal government, of course, and some ISO capabilities. Now question here really is encryption comes in different strengths, and can be applied in different ways. So you guys have a interesting graphic that talks about how to apply encryption at the right level. Wanna give us your take on what's going on? Absolutely. You know, encryption strengths vary from product to product. I mean, weak encryption can expose critical data elements, including the actual session data and the session IDs. You know, and that risk is is identified below the red line in the public category of the graphic. Now, unfortunately, there are still many products on the market still using weak or no encryption at all, and and that's really a problem. Now as a company, we have a strong point of view on public versus private. I mean, we believe strong encryption should be used in all cases, and that includes even, those that use meetings from home. Our core belief is security and privacy are nonnegotiable and should always be above the red line. Now eight by eight product design is working on advancing our encryption strength beyond the strong hip hop level, as you know, over on the right hand side. That level, does have a a decrypt and recrypt stage, at the video bridge, and our transition to to full end to end encryption is an important step in offering our customers the most secure virtual meeting experience possible. Now this is amazing. Thinking about the real life use case, the minimum level of security that's required, security is only as good as the weakest link as you know. Any advice for other CSOs that are out there? What should they be worried and thinking about right now? Right now, from a peer perspective, you know, you should you may be allowing product information, or products to use, you know, less secure algorithms for encryption, and that's a really bad idea. You know, my rec my recommendation is, you know, don't leave your organization exposed, and don't put yourself in that risky position. Use products that offer the strongest encryption level possible. Michael, thank you. That abundance of caution message is so important. You know, we've come to the end of our conversation today. And more importantly, Emil, thank you for sharing your story and thinking about Jitsi and eight by eight video meetings. Dan, thank you for bringing us up to speed on eight by eight and the security and scalability that's required. And more more importantly, Michael, thank you for sharing your thoughts on security and how eight by eight puts this at the center, the center of their approach to developing products. It's from the ground up. It's not retrofit in. And as we all know, secure video communications is very important. It's the foundational pillar in the shift to work from home for collaboration, for innovation, for building new brand new business models. And while this brings us to the end of the conversation today, I think it's important go to 8by8.com, learn more about what the right solution is for the right scenario and how eight by eight can help you with a solution that addresses security, scale, and great UX. So thank you very much. Once again, I'm Ray Wong with Constellation Research. Stay safe, and here's to good health and secure video communications.