Breathe easy. At the application level, our platform meets the most stringent standards with TLS, SRTP, H.235, and up to AES 256-bit encryption. At the network level, our hosting facilities are SOC 2 and HIPAA compliant, and include the 24/7 protection needed to meet any regulatory requirement.
Security by Design
Security starts with sound processes. Vidyo maintains an information security governance policy that controls the way the confidentiality, integrity, and availability of information are handled, thereby preventing misuse and malicious damage that could impact Vidyo operations and ultimately our customers and partners.
The information security governance policy follows the domains of the ISO 27001 information security framework. These domains provide the guidelines necessary to enable compliance with various regulations regarding the oversight and management of information security and investigation services.
Signaling is the way different components within the Vidyo architecture communicate with one another. Protecting the information passed in this machine-to-machine communication from would-be hackers is important for securing the network. The VidyoConnect service leverages AES encryption over TLS for Vidyo endpoint and server communications with certificate support. Vidyo supports elliptic curve Diffie-Hellman (ECDH), Diffie-Hellman (DH), or RSA for key exchanges. The media encryption keys are also negotiated over this secure connection and are then used to encrypt the SRTP media traffic.
User Login and Database Security
Protecting the login process from eavesdroppers and hackers is fundamental to securing the VidyoConnect service. Vidyo protects this process by establishing a critical front line of defense in a manner similar to the way online banking access is secured using TLS. The VidyoConnect service supports using industry-standard public key infrastructure, whereby each component is issued a digital certificate by a trusted third-party certifying authority. This allows endpoints to verify the identity of VidyoConnect and also helps prevent malicious users from eavesdropping on communication. With TLS security enabled, the VidyoConnect service always establishes an encrypted HTTPS channel with each Vidyo endpoint that attempts to access the system. Before transmitting any login information, the Vidyo endpoint or web browser validates the VidyoConnect certificate and verifies it was issued by a trusted third-party certifying authority. Once the certificate is verified, login and password information is transmitted securely to VidyoConnect over the same encrypted HTTPS channel.
For HTTPS connections, the ciphers and key exchange method used are dependent on what the end user’s browser can support. However, Vidyo infrastructure components prefer to use the strongest available ciphers and will reject the use of known weak ciphers.
To safeguard user login credentials, no login information is retained by the Vidyo soft clients. For organizations that use an external database for user account management, LDAP, SAML, and Active Directory (AD) are supported. When LDAP/SAML/AD are used, no passwords are stored within VidyoConnect. Additionally, password policies are supported via LDAP integration with the corporate directory system (such as AD, Oracle, Novell, etc.).
For users authenticated using SAML, VidyoConnect acts as a service provider and can authenticate users via external SAML 2.0 identity providers. Leveraging SAML provides a secure way to authenticate users without storing or exposing credential data on VidyoConnect.
For users who are not using LDAP/SAML/AD, password information is always hashed and salted using PBKDF2 in the VidyoConnect database. This ensures passwords cannot be revealed even if a security breach occurs.
VidyoCloud employs AES encryption over industry-standard SRTP for audio, video, and shared content. This helps protect the content of your Vidyo conferences from being intercepted and decoded without your knowledge.
Component Authentication (Spoof Prevention) and Session Security
“Spoofing” refers to a tactic used by hackers to “steal” the identity of a trusted component of a network in order to gain access. Vidyo helps prevent spoofing through a rigorous component authentication scheme. Each server in the VidyoConnect network has a unique identifier that is communicated to the portal application over a secure link and is otherwise not accessible. New components added to the VidyoConnect network go to the portal application for configuration. If the portal application does not have a configuration defined for that machine’s specific ID, the machine is blocked from joining the network until the VidyoConnect administrator accepts the new ID and manually configures the component.
On the client side, a unique token is used to authenticate the endpoint to the portal application in lieu of the password, and the administrator of the portal application can define expiration rules requiring users to reauthenticate.