Security


As the leading provider of enterprise video platforms to some of the world's largest organizations, Vbrick has heavily invested in ensuring that the security needs of its customers – from Fortune 10 corporations to the Federal Government – are met and exceeded. Vbrick solutions are built and maintained with security in mind, from the infrastructure level through to our enterprise video platform application layer and the operational processes required by the most exacting government and commercial cloud-platform specifications.

Infrastructure Layer

Vbrick leverages Amazon Web Services (AWS), the world's leading cloud infrastructure provider, to deliver solutions that are highly available, scalable and secure. AWS maintains state-of-the-art security at its data centers and maintains practices intended to ensure maximum physical security of those premises. AWS has physical and environmental security capabilities which meet or exceed the capabilities of other major providers. AWS has implemented a world-class network infrastructure that is carefully monitored and managed. This capability includes Distributed Denial of Service (DDoS) monitoring and protection, encrypted communications, and support for network Security Groups and Access Control Lists. The infrastructure that AWS provides to Vbrick is designed and managed in alignment with best security practices and compliance programs for security standards such as ISO 27001, FedRAMP, PCI DSS Level 1 and SSAE 16. The Vbrick Rev platform inherits applicable AWS compliance and certifications as part of a shared responsibility model.

Certifications / Attestations

  • C5 [Germany]
  • Cyber Essentials Plus [UK]
  • DoD SRG
  • FedRAMP
  • FIPS
  • IRAP [Australia]
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • MLPS Level 3 [China]
  • MTCS [Singapore]
  • PCI DSS Level 1
  • SEC Rule 17-a-4(f)
  • SOC 1
  • SOC 2
  • SOC 3

Laws / Regulations / Privacy

  • DNB [Netherlands]
  • EAR
  • EU Model Clauses
  • FERPA
  • GLBA
  • HIPAA
  • HITECH
  • IRS 1075
  • ITAR
  • My Number Act [Japan]
  • U.K. DPA – 1988
  • VPAT / Section 508
  • EU Data Protection Directive
  • Privacy Act [Australia]
  • Privacy Act [New Zealand]
  • PDPA – 2010 [Malaysia]
  • PDPA – 2012 [Singapore]
  • PIPEDA [Canada]
  • Spanish DPA Authorization

Alignments / Frameworks

  • CIS
  • CJIS
  • CLIA
  • CMS EDGE
  • CMSR
  • CSA
  • EU-US Privacy Shield
  • FISC
  • FISMA
  • G-Cloud [UK]
  • GxP (FDA CFR 21 Part 11)
  • ICREA
  • IT Grundschutz [Germany]
  • MITA 3.0
  • MPAA
  • NIST
  • PHR
  • Uptime Institute Tiers
  • UK Cloud Security Principles

The Rev platform is deployed as a high availability cluster across multiple AWS availability zones and supports full DR capabilities in an alternate AWS region. This provides for massive scalability and near real-time replication of video content and metadata to disaster recovery sites.

Application Layer

Rev offers many layers of security, including user authentication and encryption, to ensure that only authorized users are able to view specific videos and to keep data safe at rest and in transit. For user authentication, Rev integrates with an organization's LDAP or Active Directory service, importing user groups as defined by the company and keeping user information current via synchronization with the LDAP / AD system, or via Single Sign-On with SAML 2.0. Rev uses a role-based permissions model to determine what content users can view and the functionality available to them. Role-based permissions can be configured via groups or per user, enabling each to view specific live or on-demand video, to upload video and to schedule live events. If a user does not have permission to view a video or to perform an action on it, that video or action will not be exposed in their user interface. Additional security settings can be configured to support complex passwords, single sign-on, HTTPS and user timeout settings.

Rev employs the following levels of encryption:

  • Video at rest / in storage: Rev stores video and other media assets using strong server-side, multi-factor encryption. Video metadata (e.g. title, description) is stored in Rev's MongoDB database, whose data store files are fully encrypted at rest with AES-256. The Rev Cloud also has a robust auditing feature that captures every addition and change made in the system (e.g. videos added, users added, videos modified, users modified), recording which user performed each change and when, together with a 'before and after' snapshot of the change.
  • During playback: Video is served to the end user's browser for playback over TLS / SSL / HTTPS. Rev's default playback format is encrypted HTTP Live Streaming (HLS). HLS is an adaptive live and on-demand streaming protocol that allows a video client to switch seamlessly between lower- and higher-quality renditions as network conditions deteriorate and improve. As an HTTP-based protocol, it is run over HTTPS for a secure streaming experience. For multicast playback, Rev uses Flash multicast, which in turn uses the RTMFP protocol; data passed over RTMFP is encrypted.
  • Video in transit to a computing endpoint for playback: All data in Rev, including video transmitted between networks, hosts and user browsers, is required to use TLS / SSL / HTTPS encryption.
  • Video stored on the endpoint before or after playback: For internet-based video delivery, Rev uses Akamai's secure media delivery CDN service, which enables Rev to provide complete end-to-end encrypted and authorized video delivery to end users. The process extends the Rev user permissioning model to external CDNs, so that an authorized user cannot, for example, share an underlying CDN URL with an unauthorized viewer.
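The CDN authorization model described above is, in general form, a signed-URL scheme: the platform issues a URL whose validity is bound to a viewer and an expiry, and the edge verifies it before serving. The following is an added illustration, not Vbrick's or Akamai's own code or token format; the shared key, hostname, path and viewer identities are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; in a real deployment the platform and the CDN edge
# share a per-property key that never reaches the viewer.
CDN_SECRET = b"constructed-demo-secret-not-for-production"


def _signature(path: str, viewer: str, expires: int, secret: bytes = CDN_SECRET) -> str:
    # Bind path, viewer identity and expiry into one MAC so that none of them
    # can be altered independently without invalidating the token.
    msg = f"{path}|{viewer}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(base: str, path: str, viewer: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue a short-lived playback URL tied to one authorized viewer."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"viewer": viewer, "expires": expires,
                       "sig": _signature(path, viewer, expires)})
    return f"{base}{path}?{query}"


def verify_url(url: str, presenting_viewer: str, now: Optional[int] = None) -> bool:
    """Edge-side check: valid MAC, not expired, and presented by the viewer it was
    issued to (the edge learns presenting_viewer from its own session binding)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        viewer, expires, sig = q["viewer"][0], int(q["expires"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires or viewer != presenting_viewer:
        return False
    expected = _signature(parsed.path, viewer, expires)
    # Constant-time comparison avoids leaking the MAC byte by byte.
    return hmac.compare_digest(expected, sig)
```

A URL forwarded to a different viewer, an expired URL, or a URL whose path or expiry was edited all fail verification, which is the property the CDN extension of the permissioning model is meant to provide.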

Operational Layer

Vbrick has adopted NIST SP 800-53 Revision 4 as the basis for operating a secure information security program. Additionally, Vbrick is committed to meeting the requirements of FedRAMP. Not only do these standards have industry-wide recognition and acceptance, but they also provide an externally verifiable framework for operating our Cloud service and its supporting services securely.

Vbrick's implementation of these frameworks has resulted in the following:

  • Corporate management commitment to an Information Security* program with a dedicated executive champion
  • Fully documented operational and architectural processes which are derived from policy documents approved by executive management, covering subjects such as Access Control, Risk Assessment, Incident Response, Physical Security, Acquisitions, Planning and others
  • Certified CISM and CISSP security professionals on staff
Threat Protection Protocol:
  • Physical Security: Best-in-class AWS data center security with strict segregation of duties
  • Daily Proactive Analysis: Review of application logs, web application firewall logs and external security reports daily for vulnerabilities, attacks and process violations
  • Monthly Vulnerability Scanning: Monthly scanning, password updates and patching of OS vulnerabilities
  • Annual Penetration Testing: Performed by independent third party security organization
*Vbrick Information Security and Compliance Documentation and Vbrick System Boundary, Penetration and Scanning Data documents are available under NDA. For more information, contact us.

GDPR Compliance

What is GDPR?

On May 25, 2018, the EU General Data Protection Regulation (GDPR) will become law in EU Member States and will govern the processing of EU personal data.

The GDPR replaces the existing patchwork of national data protection laws in EU Member States and brings a degree of consistency to the data protection landscape in Europe. GDPR includes the well-recognized privacy principles of transparency, fairness, and accountability. The GDPR also adopted a risk-based approach that balances individual rights with participation in the global digital economy.

Vbrick Commitment to GDPR as a Data Processor

Security: Vbrick data protection and security processes have been developed based on NIST 800-53 revision 4 and are regularly subjected to third-party audits and testing for security, confidentiality, availability, processing integrity, and privacy controls. Vbrick allows customers to manage and control their users’ access to the application via role-based access.

Cross-border data flows: The GDPR continues to allow the flow of personal data across country borders, and includes provisions ensuring existing data transfer mechanisms remain valid going forward. Vbrick customers may leverage Vbrick’s EU data centre or, if hosted in the US, Vbrick’s EU Privacy Shield Certification, or sign model contractual clauses with Vbrick to legitimize their cross-border data flows.

Privacy impact assessments (PIAs): The GDPR requires PIAs for many types of data processing. Vbrick’s privacy team regularly and methodically conducts PIAs on features, technology, third party on-boarding, and operations related to our service. While we do not anticipate any significant changes to our already-thorough existing methods, our privacy team continues to monitor the GDPR to help ensure our PIAs fulfill any new requirements.

Security breaches: The GDPR introduces new notification rules for security breaches that result in a variety of harms to individuals. Vbrick has a formal internal incident response plan in place that aligns with these notification requirements.

Helping our Customers as Data Controllers

In addition to Vbrick’s own compliance obligations under the GDPR as a processor of customers’ personal data, Vbrick also assists our customers in meeting their obligations as data controllers under the GDPR in a variety of ways. Here are some highlights.

Data purging: To support customers’ compliance with the Right to be Forgotten, Vbrick offers a wide range of functionality and services to delete and purge data.

Access rights: Vbrick offers role-based features to help customers comply with access rights under the GDPR.

Activity logging: To help customers protect personal data against security threats, Vbrick can log activity for each account. That includes successful logins and failed attempts as well as changes or additions to data by our customers and their end users. This will also help customers demonstrate access monitoring and oversight, displaying a high level of compliance assurance.

**Subject to Vbrick Non-Disclosure Agreement