ClassView Security Overview

ClassView Security Overview

This document relates only to architectural and application security. For information on our data protection security & privacy policy – please refer to these policies within 'Legal Documents'.

Cloud Architecture Security

The ClassView service is housed within a Tier 3, government approved data centre in Scotland – Pulsant South Gyle & Newbridge –  www.pulsant.com/compliance/

These data centres are ISO27001 certified with dedicated cages and racks for the ClassView service. The DC is protected by 24x7x365 security with multiple levels of biometric access controls. Access to the cages is restricted to I-Immersive management personnel. Our application servers require SSH keys for access at all levels. Our database and management servers are on a separate private subnet accessed over SFTP.

All devices and infrastructure are protected behind dual redundant Juniper SRX 345 firewalls with dual fiber links directly into the JANET network. This allows us to protect from unauthorised access to the administrative interfaces. Access is protected by Secure VPN via the I-Immersive office network.

Media Handling & Encryption

ClassView supports standards-based encryption (AES-256) that is available on most video endpoints today. ClassView connections using ClassView desktop or mobile client applications or web browsers for video are encrypted by default in ClassView scheduled meetings or VMR meetings. A padlock icon is displayed on-screen for both web clients and hardware systems when their leg of the call is encrypted.

ClassView does not record or capture any video or desktop-sharing streams without interaction and consent from customers. It is recommended that an organisation employ the proper steps to ensure that software-based video clients are secured on the desktop, and that no malware may intercept media at the hardware level.

If using room-based video conferencing endpoints, such as Cisco, Polycom, Lifesize, etc. to connect to the ClassView service, they will encrypt upon connection to ClassView provided they have this feature enabled and the proper security licenses from those vendors. Most video room systems encrypt by default so long as both sides of the call support it. However, it is recommended that you check your system to force encryption for all calls.

The ClassView platform supports complete end to end encryption using the following methods:

  • HTTPS, TLS, SRTP, H.235 AES 128 Encryption and LDAPS (LDAP over SSL
  • AES-128-bit media encryption
  • FIPS 140-2 cryptographic libraries
  • SAML 2.0 SSO (Shibboleth)
  • Secure HTTPS login utilising industry standard PKI
  • TLS 1.0 & 1.2 using strong encryption ciphers for signalling
  • Password hashing in database
  • Component blocking for spoof prevention
  • Hardened Linux-based appliances for component access control
  • Encrypted token technology for session security
  • No login information kept at the desktop
  • Graphic indication for encrypted calls on the call screen
  • 460.18/.19 secure call signalling and media transmission across secure traversal tunnels.
  • Assent secure call signalling and media transmission across NAT and firewall.
  • National GDS Call Policy for authentication of H.323/SIP call sources and destinations.

 

Recording and Video Content Storage

ClassView supports uploading and sharing content within video conferences, as well as the ability to record and stream your meetings. The recording and streaming feature is turned on or off by the organisation administrator. These videos are stored in secure containers on secure ClassView servers and are encrypted at rest (AES-256bit).

These stored videos are only accessible by the meeting organiser from within that organisation. All recordings within ClassView will be stored in the media library for 90 days post-recording.  At 90 days, recordings will be deleted. Deleted recordings are stored by I-Immersive for an additional 30 days and can be retrieved during this time. On expiry of the 30-day period, all recordings are deleted and cannot be retrieved.  It is the responsibility of the organisation to ensure recordings with retention requirements are saved to another location.

Organisational Security Management

I-Immersive adhere to working practices of IS0 27001, 9001, 14001, 18001 & 23001. We are active members of many online security forums and are party to many discussions on general information security risks. We meet internally once every month to discuss any potential security threats to our own infrastructure and that of our clients. We work rapidly to notify all parties of possible risk and any associated work required. Where we need to take action on client’s systems we work out of hours 24/7/365. This work is undertaken outside of any standard SLAs.

Our Product Management team considers security related implications for every proposed product modification. I-Immersive uses resources such as NIST National Security Database, MITRE, OWASP, etc. to monitor third party software provider vulnerabilities and updates prior to their inclusion in ClassView products. The Software Development team also performs regular code reviews to identify potential security vulnerabilities.

Our Quality Assurance team utilises industry-leading security scanning tools such as Tenable’s Nessus, Rapid 7’s Nexpose, and a host of open-source OWASP tools. I-Immersive also uses the third party Qualys’ SSL Labs utility to help qualify that its server-based solutions meet the highest level of security.

The highest levels of security and compliance already have been confirmed through extensive penetration testing and reviews by independent 3rd parties and repeated by end-customers notably from the financial and healthcare sectors. The ClassView platform is a highly secured platform designed for implementations of video services that require high level of security such as Government, Education, Research and Healthcare.

Key Contacts

t: 0330 053 1700

e: compliance@i-immersive.co.uk