Checklist

An Enterprise Video Platform Must Fulfill the Following Security Requirements

Better safe than sorry. Requirements for security and data protection (GDPR)

movingimage releases a checklist to help companies understand the latest criteria for security and data protection when selecting an enterprise video platform (EVP).

More and more companies are using video and live streaming in increasingly varied ways: from how-to customer service instructions through company profiles for marketing, branding, and recruiting to live streaming for internal communication and investor relations. The widespread use of streaming has given rise to increasing challenges for data protection and security, including protection from unauthorized access, secure authentication, the prevention of illegal processing, compliance with internal regulations, and compliance with the EU General Data Protection Regulation (GDPR).

These challenges can be overcome with the help of a professional enterprise video platform (EVP), but not all EVPs provide extensive security measures. “When selecting a suitable EVP, companies need to ensure that the platform addresses legal requirements as well as specific security needs,” said Natalia Kermode, Managing Director of Sales Americas at movingimage. “The EVP must be capable of keeping internal and external videos available in a secure way, complying with regulations such as the EU General Data Protection Regulation (GDPR) and guaranteeing reliable distribution globally.”

movingimage specializes in cloud-based solutions for enterprise video management and has drawn up the following set of security questions that companies should ask when selecting an EVP:

1. Infrastructure: Is thorough data protection compliance guaranteed?

Video content containing personal information has to meet the applicable data protection regulations, and companies must be able to produce evidence of that compliance at any time. The same applies to the content delivery network (CDN): where CDN edge nodes or other infrastructure sit outside Europe, the operator must be able to show that the transfer and processing of the data still satisfy EU data protection rules. movingimage recommends hosting the platform in European data centers, which avoids cross-border transfers for the core platform and makes compliance easier to demonstrate.

2. Authentication: How secure is the access?

If viewing, editing, sharing, and other actions are restricted, the company must be able to identify approved users reliably. Identification starts with authentication: large companies typically combine a classic password-based login with single sign-on (SSO), or use multi-factor authentication (MFA), which requires several independent factors to verify a login.
“This level of authentication can only be supported by an EVP that is capable of authentication methods such as SAML, one-time passwords (OTP), smart cards, or biometric recognition,” said Kermode.

3. Authorization: Who has which rights?

Even once a user has been identified, they should not automatically be granted access to all functions. For example, a user may be allowed to view videos or participate in webinars, but not to edit or share the content. It must therefore be possible to assign user rights in a granular way.
Because configuring rights per user demands a great deal of administrative effort, especially in large companies, a rights model based on user groups and roles is a good alternative. It allows complex permission sets to be expressed with a few components in a simple, transparent way.
For large organizations, e.g., those that live-stream town hall meetings to thousands of employees, automatic user management driven by the company directory (e.g., Active Directory or LDAP) is recommended. User accounts, including their role and group assignments, are then created, changed, or deleted in a rule-based manner, so that a change of department or a departure from the company is reflected in the platform without manual work.
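The following Python sketch is an added illustration of the group- and role-based model described above, together with a rule-based reconciliation against a directory export; it is not movingimage's code. The group names, role names, permission sets and the directory records are constructed assumptions, and the directory export is represented as a plain dictionary rather than a real LDAP query.

```python
"""Role-based access control for a video platform, driven by directory groups.

Added illustration, not movingimage's code. Group names, roles, permissions
and the sample directory export below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Permissions granted by each role. "view" is enough to watch a video or
# attend a webinar; "edit", "share" and "publish" are kept separate so that a
# viewer cannot redistribute content.
ROLE_PERMISSIONS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "publisher": {"view", "edit", "share", "publish"},
    "admin": {"view", "edit", "share", "publish", "manage_users"},
}

# Rule set mapping directory groups (assumed AD/LDAP group names) to platform
# roles. Membership in a group that is not listed here grants nothing.
GROUP_TO_ROLE = {
    "CN=All-Employees": "viewer",
    "CN=Video-Editors": "editor",
    "CN=Corp-Comms": "publisher",
    "CN=EVP-Admins": "admin",
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)

    def permissions(self):
        perms = set()
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def can(self, action):
        """Authorization check: is the action covered by any of the roles?"""
        return action in self.permissions()


def roles_for_groups(groups):
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def sync_accounts(existing, directory):
    """Reconcile platform accounts against a directory export.

    directory: {username: [group, ...]} for users that are enabled in the
    directory. Role sets follow group membership, so a user moved out of a
    group loses the role; users who vanish from the directory are deleted.
    Returns (accounts, changes) where changes is a list of log lines.
    """
    accounts, changes = {}, []
    for username, groups in directory.items():
        roles = roles_for_groups(groups)
        if not roles:
            # In the directory but in no entitled group: no account at all.
            if username in existing:
                changes.append(f"deleted {username} (no entitled groups)")
            continue
        old = existing.get(username)
        if old is None:
            changes.append(f"created {username} roles={sorted(roles)}")
        elif old.roles != roles:
            changes.append(f"changed {username} {sorted(old.roles)} -> {sorted(roles)}")
        accounts[username] = Account(username, roles)
    for username in existing:
        if username not in directory:
            changes.append(f"deleted {username} (left directory)")
    return accounts, changes


# Constructed sample data: current platform state and a fresh directory export.
EXISTING = {
    "alice": Account("alice", {"viewer"}),
    "bob": Account("bob", {"editor", "viewer"}),
    "carol": Account("carol", {"admin"}),  # no longer in the directory
}
DIRECTORY = {
    "alice": ["CN=All-Employees", "CN=Corp-Comms"],   # moved to corporate comms
    "bob": ["CN=All-Employees", "CN=Video-Editors"],  # unchanged
    "dave": ["CN=All-Employees"],                     # new hire
    "erin": ["CN=Contractors"],                       # no entitled group
}


def demo():
    accounts, changes = sync_accounts(EXISTING, DIRECTORY)
    for line in changes:
        print(line)
    return accounts, changes


if __name__ == "__main__":
    demo()
```

Note that the reconciliation never touches the permission definitions: an administrator maintains the small GROUP_TO_ROLE rule set, and the directory decides who is in which group. The account of a departed administrator (carol) disappears on the next sync without anyone having to remember to remove it.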

4. Audit compliance: Who did what, and when?

In certain data-sensitive industries (e.g., finance), legal requirements call for transparency: companies are obliged to document, in an audit-compliant manner, when a given video was published, where, and by whom. Logging must therefore be tamper-proof, and the logs themselves must comply with data protection rules, i.e., record no more personal data than the audit purpose requires. Furthermore, deleted videos should be retained in an archive as a lower-quality, space-saving copy, so that what was published can still be reviewed later.
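One established way to make an audit log tamper-evident is to chain the entries: each record carries a keyed hash over its predecessor's hash and its own content, so that altering or reordering any past entry breaks every hash after it. The Python below is an added example of that technique and not movingimage's implementation; the event fields, the sample events and the demo key are constructed assumptions.

```python
"""Tamper-evident audit log for a video platform, built as an HMAC hash chain.

Added illustration, not movingimage's code. Event fields, sample events and
the signing key are constructed assumptions.
"""
import hashlib
import hmac
import json


def _canonical(event):
    # Deterministic serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only log where each entry includes the hash of its predecessor.

    The HMAC key belongs to the log service, not to application users or
    database administrators, so a party with write access to the stored rows
    cannot recompute a consistent chain after editing an entry.
    """
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _digest(self, prev_hash, event):
        msg = prev_hash.encode() + b"|" + _canonical(event)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, who, action, video_id, ts, **details):
        # Record who did what, and when. Data-protection note: log the account
        # identifier, not viewer IPs or other personal data the audit does not need.
        event = {"ts": ts, "actor": who, "action": action,
                 "video": video_id, **details}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev,
                             "hash": self._digest(prev, event)})

    def verify(self):
        """Walk the chain; return (ok, index of first inconsistent entry or None)."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, entry["event"]):
                return False, i
            prev = entry["hash"]
        return True, None


def build_sample_log():
    log = AuditLog(key=b"demo-key-do-not-use")  # constructed demo key
    log.append("m.mueller", "upload", "vid-1042", "2021-03-01T09:12:00Z")
    log.append("m.mueller", "publish", "vid-1042", "2021-03-01T09:40:00Z",
               channel="investor-relations", visibility="public")
    log.append("j.smith", "delete", "vid-1042", "2021-06-30T16:05:00Z",
               archived_as="vid-1042-lowres")
    return log


def tamper_demo():
    """Rewrite history and show that verification catches it."""
    log = build_sample_log()
    ok_before, _ = log.verify()
    # Someone claims the video was only ever published internally.
    log.entries[1]["event"]["visibility"] = "internal"
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(tamper_demo())
```

A hash chain detects modification and reordering of stored entries, but not silent truncation of the newest ones; in practice the latest hash is therefore periodically anchored somewhere the log writer cannot change (a separate system, a timestamping service, or a printed report), so that the expected chain head is known independently.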

5. Security guidelines for video playback: Where can the video be distributed?

movingimage recommends considering one more security aspect: playback. Some videos should only be available within certain divisions, to certain customers or partners, or in selected locations. Distribution must therefore be controllable via IP address filters, geo-blocking, or token authentication (signed, time-limited playback URLs), and the data must be encrypted in transit with TLS (still commonly referred to as SSL).
To keep confidential content from landing in the wrong hands, uploaders must select the correct security guideline when uploading, so that the protective mechanisms it defines are applied. It helps to define security guidelines and content classification levels across the company (e.g., "public," "internal," "confidential," "secret"); an administrator can then configure and manage the matching security precautions immediately and correctly.
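The following Python is an added example of the token authentication and classification mapping described in this section; it is not movingimage's code. It issues a signed, expiring playback token whose IP binding and allowed countries live inside the signed payload, so a viewer cannot loosen them, and it derives the token parameters from an assumed mapping of classification level to controls. The token format, field names, classification-to-control mapping, demo key and sample addresses are all constructed assumptions.

```python
"""Signed, expiring playback tokens with optional IP and country binding,
derived from a content classification level.

Added illustration, not movingimage's code. Token layout, claim names, the
POLICY mapping, the demo key and the sample values are constructed.
"""
import base64
import hashlib
import hmac
import ipaddress
import json

SIGNING_KEY = b"rotate-me-demo-key"  # constructed demo key; server-side only


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(video_id, ttl_seconds, now, client_ip=None, countries=None, key=SIGNING_KEY):
    """Build '<payload>.<signature>' where the payload carries the restrictions."""
    claims = {"vid": video_id, "exp": int(now) + ttl_seconds}
    if client_ip:
        claims["ip"] = client_ip            # bind the token to the requester
    if countries:
        claims["geo"] = sorted(countries)   # allowed ISO country codes
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, video_id, now, client_ip, client_country, key=SIGNING_KEY):
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad-signature"
    claims = json.loads(payload)
    if claims.get("vid") != video_id:
        return False, "wrong-video"
    if now >= claims["exp"]:
        return False, "expired"
    if "ip" in claims and ipaddress.ip_address(client_ip) != ipaddress.ip_address(claims["ip"]):
        return False, "ip-mismatch"
    if "geo" in claims and client_country not in claims["geo"]:
        return False, "geo-blocked"
    return True, "ok"


# Assumed mapping from classification level to playback controls. "public"
# content needs no token at all; the stricter the level, the shorter the token
# lifetime and the more binding is applied.
POLICY = {
    "public":       {"token": False},
    "internal":     {"token": True, "ttl": 3600, "bind_ip": False},
    "confidential": {"token": True, "ttl": 600,  "bind_ip": True},
    "secret":       {"token": True, "ttl": 120,  "bind_ip": True, "countries": ["AT", "CH", "DE"]},
}


def issue_for_level(level, video_id, now, client_ip):
    """Apply the controls the uploader's chosen classification prescribes."""
    policy = POLICY[level]
    if not policy["token"]:
        return None
    return issue_token(video_id, policy["ttl"], now,
                       client_ip if policy["bind_ip"] else None,
                       policy.get("countries"))


if __name__ == "__main__":
    now = 1_700_000_000
    tok = issue_for_level("confidential", "vid-1042", now, "203.0.113.7")
    print(tok)
    print(verify_token(tok, "vid-1042", now + 60, "203.0.113.7", "DE"))
    print(verify_token(tok, "vid-1042", now + 60, "198.51.100.9", "DE"))
```

The CDN or streaming edge verifies the token with the shared key and the connection's source address and resolved country; because those restrictions are part of the signed payload rather than separate query parameters, an attempt to change them invalidates the signature. The token must travel over TLS, since an intercepted token is valid until it expires for anyone who can present the bound IP.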

To learn more: A fact sheet on this topic, “Secure Video Platform: Better Safe than Sorry,” is available here as a PDF.