An increasing number of companies are using cloud-based video and live streaming in varied ways: from how-to instructions for customer service, to company profiles for marketing, branding and recruiting, to live streaming for internal communication and investor relations.
This has given rise to increasing challenges for data protection and security, including protection from unauthorized access, secure authentication, the prevention of illegal processing, compliance with internal regulations and compliance with the EU General Data Protection Regulation (GDPR).
Natalia Kermode, Managing Director of Sales at movingimage, a cloud-based Enterprise Video Platform (EVP), provides a checklist for enterprise video security management.
Infrastructure – Is Thorough Data Protection Compliance Guaranteed?
“Video content containing personal information needs to be kept in compliance with the highest data protection regulations, and companies must be able to provide proof of this at any time. For this reason, I recommend using European data centers for hosting the platform. Companies should also ensure that the entire infrastructure fulfills the strict European standards. The operator of the connected content delivery network (CDN) must also be able to prove that their infrastructure fulfills the EU data protection regulations outside of Europe as well.”
Authentication – How Secure Is The Access?
“If not all employees are permitted to view, edit, share, or perform any kind of action on each saved video, companies must be able to clearly identify approved users of the platform or video. This starts with user authentication. For user login, large companies often use a classic password-based login supplemented by single-sign-on systems or multifactor authentication that combines several processes with one another.
This level of authentication can only be supported by an EVP that is capable of authentication methods such as SAML, smart cards, one-time passwords (OTP), or biometric recognition.”
Authorization – Who Has Which Rights?
“Once a user has been identified, this does not automatically mean that said person can use all functions. For example, they might be able to view videos or participate in webinars, but not to edit or share the content. For this reason, it is important to be able to issue user rights in a granular way.”
“Since there is a great deal of administrative effort required to configure rights on an individual user basis within large companies, a rights model based on user groups and roles presents a good alternative. This allows complex rights configuration that involves just a few components to be carried out in a simple, transparent way for a large number of users.”
“Automatic user management using information saved in a company directory such as LDAP or Active Directory is recommended for large organizations that – for example – live-stream town hall meetings for thousands of users. This allows user accounts with the right role and group allocations to be automatically created, changed, or deleted in a role-based manner.”
Audit Compliance – Who Did What, and When?
“In industries such as finance, legal requirements call for transparency. Companies in this sector are obligated to document information such as when a given video was published, where and by whom, all in an audit-compliant manner. Data-protection-compliant, tamper-proof logging must be used to make this possible. Videos should also be archived even after they are deleted. To this end, a lower quality, storage-space-saving version of the video should be maintained to fulfill the burden of proof.”
Security Guidelines For Video Playback – Where Can the Video Be Distributed?
“I also recommend taking another security aspect into account: playback. Some videos – for example – are only suitable for certain divisions, customers, or partners, or selected locations in certain countries. It is important to maintain control of video distribution via IP address filters, token authentication, or geo-blocking, and to encrypt this via SSL.”
“In order to prevent confidential content from landing in the wrong hands, end users will have to select the correct security guideline when uploading – to extensively configure the protective mechanisms.”