nexmo opentok security - tokbox · nexmo opentok security nexmo recognizes that security is an...
TRANSCRIPT
Datasheet: OpenTok Security & ComplianceOverview | Use Cases | Benefits | Technical Specifications
Nexmo OpenTok SecurityNexmo recognizes that security is an essential consideration for
any business interested in integrating real time communications
into its website, app or service. OpenTok is a reliable and secure live
video platform on which you can build applications that meet your
company, industry and client security needs. We support the latest
security capabilities with advanced features to comply with industry
requirements and ensure that sensitive user information remains secure.
The OpenTok platform allows our customers to build HIPAA-compliant applications for the healthcare market. Nexmo will sign BAAs with companies to support their compliance due diligence.
Benefits
Pricing
• The OpenTok platform enables secure video interactions between patients, doctors, therapists, care providers and others.
• Our platform is designed so that you can build HIPAA compliant applications providing that developers architect their applications in a secure way.
The core security features of OpenTok, plus the additional security features outlined here, enable compliant applications. For BAAs contact sales.
HIPAA Compliance + BAA
Datasheet: Security & Compliance
Regional Zones gives customers the ability to host media traffic in specific regions, including the US, European Union, Germany and Canada, to meet specific compliance requirements of those regions.
With Encrypted Recording (also called Archiving), video recordings are always encrypted, both at-rest and in transit, providing the highest level of security for recordings. This enables customers to meet the most stringent of compliance and regulatory requirements.
Technical Specifications
Benefits
• Media and signalling traffic are hosted in the desired region
• Complies with stricter data privacy requirements
• Nexmo privacy and security policies apply
Benefits
• Data is encrypted both in transit and at rest hence ensuring the highest level of security.
• Useful for Healthcare & Finance customers to meet their strict data privacy compliance requirements.
• Entire workflow can be programmatically managed with easy to use APIs
Technical Specifications
• The service deploys the OpenTok media and signaling servers to data centers located in the required region.
• Redundancy is built in so that the loss of a data center in the region will not bring down the whole service
• Clients located outside the region are not blocked from connecting to sessions hosted in the region
• Operational logging data from clients and servers are sent encrypted to a logging server in the US with IP addresses stripped out. The OpenTok API server may be located outside the region.
• A unique 256-bit password is used to encrypt each recording in memory, which is encrypted and shared using a public key certificate you provide to OpenTok.
• Amazon S3 server-side encryption using S3-managed keys is also available.
• Decrypted archive file format - MPEG-TS
• Algorithm used for encryption - AES-256
• Generated password is encrypted using RSA encryption with OAEP padding
• Encrypted Recording can only be used with composed archives, not individual stream archives.
Regional Media Zones
Encrypted Recording
Pricing
This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.
Pricing
This service can be purchased a-la-carte, with pricing according to region, or is included in our feature bundles. See tokbox.com/pricing/plans.
Customers can restrict media to the US, EU, Germany or Canada.
Datasheet: Security & Compliance
By default, the media streams passing through the OpenTok platform are encrypted using AES 128-bit encryption. For enhanced security, the OpenTok platform also supports the AES-256 level of encryption on media streams.
When a client is connecting to an OpenTok media server or another client, the cipher to use will be negotiated. If the client supports AES-256 then this will be the cipher negotiated for the media traffic. If the client does not support it, then AES-128 will be used. In the case of Relayed sessions, both clients must support AES-256, otherwise they will fall back to AES-128.
Benefits
• Have confidence data is secure with the highest-level of bit encryption
• Useful for customers who work with highly-confidential data and restrictive networks
Technical Specifications
AES-256 is supported (in addition to AES-128) in apps that use the following OpenTok client SDKs:
• iOS 2.13+, Android 2.13+, JS 2.13+ on Chrome 62+ and Firefox 56+.
• Firefox has this built-in, but Chrome requires “Negotiation with GCM cipher suites for SRTP in WebRTC” be enabled in chrome://flags.
• We expect to add Edge/Chromium support in the future.
Only AES-128 is supported in apps that use the following OpenTok client SDKs:
• Windows, JS on Safari, OpenTok plugin for Internet Explorer, and any older SDK that is earlier than 2.13.
AES-256 Encryption
Pricing
This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.
Datasheet: Security & Compliance
Nexmo maintains a list of IP address blocks for media and API traffic. These details can be shared with Enterprise customers so that they can limit exposure of their network to trusted endpoints only.
Benefits
• Gives IT departments peace of mind as they can now open up their networks to a select set of IP addresses and not wildcard domain names.
• Useful for Telehealth and Finance customers who work with restricted networks, and open up their firewalls to trusted endpoints only.
IP Whitelisting
Pricing
Available to Enterprise customers, either a-la-carte or included in the Enterprise Feature Bundle. See tokbox.com/pricing/plans.
Technical Specifications
• Nexmo will provide a 90-day advance notice to customers using the published IP address blocks
• Customers using this service are expected to stay up to date with the published IP address blocks, otherwise there may be disruption of service if new addresses cannot be reached.
• The list of IP address blocks is made available on the OpenTok Account Portal for enrolled customers. This includes:
• Media servers• TURN servers
• API servers• Logging servers
www.nexmo.com©2019 Nexmo, The Vonage API Platform | DS-N-VIDEO_SEC_COMP_0819
Configurable TURN (flexible media relay)
Benefits
• Provides client flexibility and control in how connectivity is provided to the OpenTok platform from restrictive networks.
• Allows customer control on both sizes of firewalls by employing trusted TURN servers in network DMZs.
• Increases connectivity redundancy from restrictive networks.
Pricing
This service can be purchased a-la-carte, or is included in our feature bundles. See tokbox.com/pricing/plans.
Technical Specifications
A client-side API is available in OpenTok SDK 2.13+ for JavaScript, iOS & Android.
The API allows configuration of alternative TURN servers for video/voice media traffic, either:
• Custom TURN servers to override OpenTok TURN servers
• Custom TURN servers as fallback to OpenTok TURN servers or direct Media server access
The Configurable TURN API changes connectivity for media traffic only. We are planning future services to proxy API and other non-media traffic.