A Word On Security From Frame.io
A Word On Security
In just under 3 years, Frame.io has grown from a company of 2 people with 0 customers to a company of 55 with half a million users. Along that journey, we’ve had the opportunity to speak to and work with some amazing filmmakers, movie studios, brands, and all types of businesses who are producing world-class video. Among those conversations, one theme has become abundantly clear. Security matters. But it doesn’t just matter. It’s everything.
As part of our recent fundraising announcement, I shared that Frame.io would allocate a good portion of those funds to securing your content. As we look around at our peers, we see an opportunity to not just meet the security best practices, but far exceed them.
Our efforts have started by hiring the right security leadership. This past September, we welcomed Abhinav Srivastava who joined us from the AT&T Research Lab where he was leading a number of security research efforts. Abhinav holds a Ph.D in Computer Science from Georgia Institute of Technology and has published over 29 security research papers, widely recognized by the cyber security community. Since Abhinav joined, he has led the formation of a new security team which reports directly to me. But what have we actually achieved and what will we be executing through the remainder of the year?
First and foremost, we are going to meet all the security compliance requirements including MPAA and SOC2 Type 1 and Type 2. We have enlisted the help of Independent Security Evaluators who work with all the major movie studios to assess Frame.io‘s MPAA readiness. But compliance is just a start. You can be fully compliant and still not be secure. Security is not a checkbox, it is a mindset, an operating model, and a never-ending part of the product development process. We have recognized that security must become a core pillar of the Frame.io product offering.
One of the first major projects we’ve taken on is building an in-house intrusion detection system. This intrusion detection system monitors all activity in Frame.io, uses machine learning to detect malicious behavior and automatically takes preventive measures such as blocking the IP or range of IP’s, where the threat originates. In practice, this means the moment we detect a bad actor trying to perform an unauthorized web request to Frame.io, that bad actor is immediately blocked. In combination with our new enterprise audit logs, we now have a very granular view of all activity happening in Frame.io. Importantly, none of our monitoring systems allow anyone (including Frame.io employees) access to your content, myself included. There’s no backdoor or special “god mode” available to employees. We can’t log into your account or see your content. Your content belongs to you and will always remain that way.
When you think security, you probably think content security. We’ve been working hard to deliver the most advanced content security system on the market. Better than anything that currently exists. The gold standard is session-based watermarking and DRM (Digital Rights Management). This new content protection system will have a visible watermark with personally identifiable information to deter would-be leakers from ever thinking about distributing unlicensed content. In the unforeseen circumstance that the wrong party gets hold of your content, the DRM will render the file useless and unwatchable. Advanced content protection will be available later this year, but we will rolling out a basic watermarking feature in a near-term product update.
The Frame.io application is hosted by Amazon Web Services (AWS), so we’re building on a foundation of security from the start. We have a fundamental belief that more of post production will move to the cloud. Rather than spending engineering cycles building on-premise solutions, we’re putting all that effort into securing the cloud. The benefits are just too hard to ignore.
While AWS does a great job meeting the most stringent compliance requirements we are still responsible for the configuration of our infrastructure and associated security risks. Over the past 3 months, we’ve bolstered our cloud and infrastructure security by following all AWS best practices and implementing services such as Identify and Access Management, Stateful & Stateless Firewalls, Application-level Firewall, and Intrusion Detection Systems. We also treat the security of your media assets and personal data with utmost importance and protect them both in transit as well as at rest by using industry-standard AES-256 bit encryption.
As always, please feel free to share your love, hate, or anything in between. These efforts have been specifically driven by listening to your needs. We won’t stop until Frame.io is widely known to be the most secure platform for video collaboration on the market.