8x8, Inc. (EGHT) Earnings Call Transcript & Summary

Hi, folks. Thank you very much for joining our webcast. We are living through some very extraordinary times. And all of us are having to learn to adapt of working from home, playing from home and essentially just continuing life with some modicum of normalcy. Video collaboration has played an incredible role and I'm very proud of the 8x8 team as well as the Jitsi open-source community. We have seen incredible adoption of our video product. From a few hundred thousand monthly active users to well north of 11.5 million as of last night, that is absolutely incredible, and we're very pleased that we're making a difference in the way how we live, work and play. What we want to talk about today is the next step in that evolution. What we want to discuss is end-to-end privacy and security. And as part of that, what we will be talking about today is we will have Ray, who will represent the industry and will be bringing up all the practical challenges and needs of that industry. Emil Ivov, who is the inventor of Jitsi as well as the Head of Video Collaboration at 8x8, will talk to you about 2 offerings. One is a paid offering which is designed much more for what small businesses and enterprises need; as well as end-to-end encryption, which we released the original -- the design spec to the Jitsi community, and we are vetting it with them to get their feedback and comments, and we encourage your feedback and comments so we can involve that into the product. In addition to that, Dan Deklich, who is our Chief Product Officer, will talk to you about how we design our products from a privacy and security perspective and also talk to you a little bit about our road map. Then finally, Michael Armer, who is our CISO, will spend some time on practical tips so that we can ensure that video collaboration for you is private and secure. Video has made an amazing difference in all our various lives. We have stayed connected at a time when we are all socially distant. We've been able to preserve the social in social distancing. But it's absolutely imperative to ensure that we're meeting people's expectation of privacy and security, and we want to work with you and partner with you to continue on this journey. The Jitsi open-source community has been an incredible source for us, and their brain power as well as their feedback has been absolutely critical in evolving our products to get them to the next level. We encourage you all getting involved to help us help you get the products you deserve so that you're able to continue to be effective working from home, playing from home and frankly, living through these very turbulent times. And with that, let me turn it over to Ray. Ray, it's all yours.

Hey, Vik, thanks a lot. This is really exciting. Thank you so much, everyone, for joining today's webcast. I'm Ray Wang, the CEO of Constellation Research, and I'm going to be talking about one of the hottest topics that's going on in this market. It is working from home. It is the point of video security. And it's my honor to be joined by Emil Ivov, the founder of the Jitsi.org project, and more importantly, the Head of Product for 8x8 Video Meeting. I'm going to be joined by him. I'm also going to be joined by Dan Deklich, the Chief Product Officer at 8x8; and Michael Armer, who's the CISO, Chief Information Security Officer, who's going to be talking about a lot of interesting things about how they keep things safe and the perspective of what a CISO does. Now we're going to be going deep on the practical points of video security, learning how 8x8 and Jitsi are basically addressing the need for secure video meetings. And it's much more important. It's talking about getting a clear perspective and understanding what are the key attributes of a secure video platform. But more importantly, we're going to talk about what is the right solution for the right scenario.

So Emil, let's start out with you. As many of us know, Jitsi has started to gain a spotlight around the world. Lots of downloads, we'll talk about that. But how did these things start out? You did this at the beginning as a college kind of project.

Oh, yes, those were really the days. Indeed, that started in 2003 at the University of Strasbourg. And a lot has changed since because it went from being a PhD validation tool to a community, to a start-up, to end up here now at 8x8. So there is one thing, however, that hasn't changed all these years, and that's an unwavering commitment toward the open: the open source, open standards. We've always been community-oriented. And we're fortunate that 8x8 fully supports these efforts and sponsors the project and its reference platform. So there are hundreds of contributors today that are helping us with it. There's tens of thousands of adopters that are running their own platforms, they're running millions of users. And all these people are interested in private and secure video meetings, whether it's online platforms like WeSchool or companies like Comcast or bank messaging platforms or, of course, 8x8's video meetings that are also powered by Jitsi and that have more than 10 million monthly active users these days.

So almost every industry has been touched by this. You're saying telco, banking, financial services. And you just set a record for downloads. Tell us about that in terms of monthly active users as well.

Yes. Indeed, that's 10 million. We're happy to be able to help all these people in these tough times.

Now with that many users, there's a massive concern about video security, video meeting security. What is the root of all this? Is this just media hype, sensationalism, people are just worried about it, to make a big deal out of it? Or is there some serious issues behind this?

Well, Ray, I think you can think about this as a lightning strike. So that's a good example, I think. You can absolutely go on with your life and thinking that one will never strike you. And most people won't ever be struck by a lightning. But overall, many people do get struck. And when they do, the consequences to their lives are dramatic. And so countries around the world just came up with these regulations to make sure that homes and citizens are protected. So it's really the same thing here. Most people will never be targeted by attacks on their meeting content. But overall, many will be. So this is especially important in periods like now where, well, frankly, everyone is having meetings online. So you want to make sure you reduce the impact as much as possible. Enterprises would want to make sure that their employees and that their data is safe. So this is where we come in.

So what does that really mean, though, right? How do you go about securing video meetings correctly? Like do people even notice? Or do they only notice when it doesn't go well?

So in many ways, really, security is just a cornerstone of everything that you have to do. And so we make sure that we use the right standards. Everything that leaves the user's machine is always encrypted. In our case, using DTLS-SRTP as mandated by the WebRTC specs. And that's great. I mean industry-proven standards that protect all data on the network, that's great. But very excitingly, we're also making great progress on end-to-end encryption so that we can deny ourselves access to actual meeting content. And I'll talk a little bit more about that in a second. But something that is very core to us, though, is that being an open-source stack, anyone can see with their own eyes what we do and how we do it. So they can verify that the levels of protection that they get are to their satisfaction just so that there are no surprises later. You say you're doing this, but it turns out you weren't. So I think you only get that when you're fully open.

So then is subpar encryption okay?

It feels really tempting to ask that question, doesn't it? If people are like, come on, do I really need to be safe all the time? And when you think about it, you'll say, you probably want to say something like, well, this is just the conversation between a friend of mine and me. Does it really need to be protected? And then, have you ever really not told a friend anything confidential? Of course, you'd want it protected. But then you go, well, how about a pub meeting? Is that -- can I maybe keep that open? And yes, there are a bunch of conversations that happen in virtual happy hours that you absolutely don't want out there. So then you're like, okay, fine. But public speaking, that should be fine, right? Because there's nothing that you would want to protect there. And you're right, maybe you have nothing to protect when you're leading a public broadcast. But the people who are receiving it, they might want to protect the fact that they're participating in that meeting. It might be compromising for them. They might be living under an oppressive regime or they might be having problems with their employer or something. So really, when you come to think of it, there's absolutely no case where you could just draw a line and say, yes, I don't need encryption for that case. I don't think that such a case exists at all.

So you're basically thinking about the spectrum that's required for security requirements to secure these meetings correctly. So how do you go about doing that? How do you secure video meetings the right way?

Yes. Thank you. As I said earlier, we're really passionate about this thing. We think it's really time for the industry and the community to come together and to solve the need for true end-to-end encrypted video meetings, meetings where the service provider simply doesn't have access to the content. The WebRTC team at Google have just greatly helped us by releasing new APIs. So that allowed us to take a first stab at the problem. And there are still things that need to be solved, and we're still working on things like team management, exchange and all these. But we really, really like how this is shaping up. So why don't we have a look at this video? [Presentation]

So you've been doing this for 20 years through Jitsi. And now as the Head of Products for 8x8 Video Meetings, I'm kind of curious of what your product road map is. What are you working on? What's happening there? I mean we're 9 years post-WebRTC. It's solid and there's still a lot of innovation. So tell us about that.

Yes. So let's talk about 8x8 Video Meetings, indeed. It's -- so first of all, it's important to say that 8x8 Video Meetings consumes the open-source Jitsi technology, just like anyone out there. So we just download the same Debian packages, and then we bundle them with the necessary layer of additions that end up building 8x8 Video Meetings. We launched 8x8.vc last fall. It's based on all this technology. And today, we are announcing 8x8 Video Meetings pro. So this is where we will be focusing and solving some of these things that we cannot address in our free and anonymous platform. So this is a platform where we'd be able to leverage notions of identity and moderation control. And we think people will really like where we're going with this.

So Emil, that's amazing, right? We basically now have the ability to take a pro platform that's enterprise grade, the open-source community that's involved in here as well and bring all these things together. So let's take a moment and talk about what's happening with security. Dan, your pedigree is like security at scale. It screams Splunk. It screams big companies that have to think about security in ways that not everybody has to worry about, and you're taking care of that. And as part of this, you're figuring out how to evolve the infrastructure to handle not just security but scalability. Tell us what you've learned and what's critical to success.

Absolutely. Look, I always tell people, think about the security and the system as a large cake. It's the bottom of the cake that holds everything up, and that is the key for us going forward. There are 3 parts to our cake. The bottom of the cake is the infrastructure. Your infrastructure has to be secure, it has to be scalable and so on and so on. In the middle sits the platform, which in our case is the X Series platform. And on top of the platform, you build the applications. All of these 3 parts of the cake have to come together in a logical, tasty way in order to allow you to build the solution that the customers will love as well as the solution that will scale to worldwide scale. So in the last couple of months, we have done an enormous amount of work looking at all the different layers of our technical stack. So at the bottom, we decided that we need infrastructure, which is highly elastic, scalable. And we wanted something that is secure and ready for both government and enterprise workloads from the scratch. So as such, we selected Oracle Cloud as the core infrastructure on which we run. We are now in the process of moving Jitsi as well as 8x8 Video Meetings to run on top of the Oracle Cloud. Worldwide availability of Oracle Cloud was a key for us as well as their ability to secure the workloads from scratch. Our platform, the X Series platform, was built from day 1 over the last -- oh, God knows, 3, 4 years with encryption, compliance and security in mind. The key with a platform such as X is that you abstract all the complicated and difficult things for your generic engineer, right? You want the scale, data access, data modification, deployment, management, configuration, you want all of that to be pushed into the platform so that engineers don't have to worry about it. Through that, you are actually able to build the system that scales to worldwide scale, is secure and can work worldwide. So to give you an example, on top of the platform, we added functionality such as our video, which then resulted in the 8x8 Video Meetings product, or CPaaS. CPaaS stands for communications platform as a service, which we use in Asia to power various Uber-like services in Asia. The application stack then allows you to build the applications, but the applications themselves are easier to build because the engineers don't have to worry about all the functionality provided by the platform and infrastructure. So the time is spent on building the business logic and not your global configuration service or something like that.

So I understand how you're thinking about security. Now the question is, what are you doing to support and scale it, right? And more importantly, what about user experience? What examples that you're developing with that you have in mind, too.

Right. That's the part that engineers never really want to talk about and they imagine it happens on its own. So look, at 8x8, we have some very interesting use cases for the UX team to deal with. I think at 8x8, it's implied but not necessarily obvious that the speed and velocity with which a task can be executed is at the core of what the UX team is thinking about, right? There are multiple angles to the UX end users' experience here. One is the ease of use for a user, right? You as a user don't want to randomly move your mouse all over the screen and keep -- spend minutes clicking around on things that don't make any sense. The administrator in the enterprise has a completely different set of use cases. The administrator's job is, at some point in time, 8x8's system will be deployed across your enterprise. It is your job as the administrator to make sure that it's done intelligently, cleanly and to delight your end users. So it's our job at 8x8 and part of the UX team to think about how do we empower you, Mr. or Ms. Admin, with the tooling, documentation and services that you need in order to propagate 8x8 products through your enterprise. So ease of use is the key at 8x8, right? I always get frustrated when I see enterprise applications which are clunky and old and nasty, old interfaces. I want an enterprise that's...

That's horrible.

Exactly, right? I mean we are in the 21st century. The enterprise apps should be as easy to use, as clean, as simple as any of the consumer apps. So the UX teams always have multiple ways to skin the cat, right? And they have to choose what matters for which user. The ability to perform a task quickly, simply and easily is the key. And to me, our 8x8 Meetings product that we are just launching is an excellent example of this. Think of it this way: it starts from the moment you get the link inviting you to a meeting. There is no download. You don't need to get anything. You don't need to configure anything. You click on the link and voila, you are in a meeting. There are several buttons, one to share the screen, one to talk to people and so on and so on. Super simple, super clean. And I love to talk about 8x8 video product as the example how UX should be done simply because it's clean, simple and very modern.

Okay. So like the adage, we talk about faster, better, cheaper, you only get to choose 2, you're actually doing something very interesting. You've got security, scalability and UX. So really appreciate it. Thanks for sharing your point of view here and -- Dan, and explaining how your teams are thinking about scalability and security without -- scalability without compromising security. Let's dive deeper, on the point of security, one of the hardest jobs is getting testing right. And Michael, as a CISO, what are some of the key cybersecurity issues you see across the industry? And more importantly, what is keeping you up at night?

Yes. You know what, Ray, there is a lot going on in our industry right now. I feel like I haven't slept in a year. One of the things that is front and center is the fact that virtual meeting usage has exploded over the past 8 weeks. Just a few weeks ago, we had a few hundred thousand active users use -- on 8x8 Meetings. Now we have over 10 million. Explosive usage. So that's been great from a business point of view. Now the downside to that is that the hacker community has taken notice, and this is a community that's been looking for a new attack surface to exploit for some time, and they've actually found it. They found it in the virtual meeting space. Now the FBI and other credible sources have identified 4 key kind of product exploits that are of concern. The first involves meeting hijacking, right? This is where somebody slides into your meeting, unknown. They may drop explicitives, they may drop content in. Certainly, that's an issue. Second involves the camera and microphone takeover, right? This is where somebody shows up surreptitiously and they record you without your knowledge, definitely a privacy concern there. Third, we've got a situation where some products have been disclosing personal information to unauthorized third parties. And then fourth and lastly, there's been communications intercept. I'm thrilled to hear that Emil and others are talking about true end-to-end encryption, right? And that will address that last particular risk vector. Protecting ourselves against known exploits and future exploits that are probably still yet to come and staying focused on protecting our customers is really what's keeping me up at night.

Okay. So not to put you on the spot, but have you guys been affected by any of these 4 areas in terms of the attacks?

Yes. You know what, I'm pleased to report that 8x8 Meetings has proven resilient to these known exploits. And that's not by chance, that's not by luck. I mean there are 2 key factors that contribute to why our product has remained resilient. Number one, 8x8 Meetings is powered by Jitsi, and the technology stack has been hardened by the Jitsi open-source community. I mean that's first and foremost. Secondly, the product has been built from the ground up with security and privacy in mind. This isn't a product that's been retrofit post-build for security and compliance. It's been built from the ground up with security in mind. And for that reason, the product has demonstrated resilience in these really uncertain times.

No, that's amazing. And you've got some great standards there that are required by standard bodies for the federal government, of course, and some ISO capabilities. Now question here really is, encryption comes in different strengths and can be applied in different ways. So you guys have an interesting graphic that talks about how to apply encryption at the right level. Want to give us your take on what's going on?

Absolutely. Encryption strengths vary from product to product. I mean weak encryption can expose critical data elements including the actual session data and the session IDs. And that risk is identified below the red line in the public category of the graphic. Now unfortunately, there are still many products on the market still using weak or no encryption at all, and that's really a problem. Now as a company, we have a strong point of view on public versus private. I mean we believe strong encryption should be used in all cases. And that includes even those that use meetings from home. Our core belief is security and privacy are nonnegotiable and should always be above the red line. Now 8x8 product design is working on advancing our encryption strength beyond the strong hip-hop level, as you note over on the right-hand side. That level does have a decrypt and recrypt stage at the video bridge. And our transition to full end-to-end encryption is an important step in offering our customers the most secure virtual meeting experience possible.

Now this is amazing, thinking about the real-life use case, the minimum level of security that's required. Security is only as good as the weakest link, as you know. Any advice for other CISOs that are out there? What should they be worried and thinking about right now?

Right now, from a peer perspective, you should -- you may be allowing product information or products to use less secure algorithms for encryption. And that's a really bad idea. My recommendation is don't leave your organization exposed and don't put yourself in that risky position. Use products that offer the strongest encryption level possible.

Michael, thank you. That abundance of caution message is so important. We've come to the end of our conversation today. And more importantly, Emil, thank you for sharing your story and thinking about Jitsi and 8x8 Video Meetings. Dan, thank you for bringing us up to speed on 8x8 and the security and scalability that's required. And more importantly, Michael, thank you for sharing your thoughts on security and how 8x8 puts this at the center, the center of their approach to developing products. It's from the ground up. It's not retrofit in. And as we all know, secure video communications is very important. It's the foundational pillar in the shift to work from home, for collaboration, for innovation, for building new, brand-new business models. And while this brings us to the end of the conversation today, I think it's important, go to 8x8.com, learn more about what the right solution is for the right scenario and how 8x8 can help you with a solution that addresses security, scale and great UX. So thank you very much. Once again, I'm Ray Wang with Constellation Research. Stay safe, and here's to good health and secure video communications.