Panopto maintains stringent safeguards that protect the security, confidentiality, integrity, and privacy of your data.
Secure Videos in Panopto
Panopto's Shared Security Model
Panopto utilizes a Software-as-a-Service (SaaS) model in which security is a shared responsibility among Amazon Web Services (AWS), Panopto, and the customers. Panopto leverages AWS as their cloud infrastructure provider to deliver solutions that are highly available, scalable, and secure. At a high level, AWS is responsible for physical, network, and virtualization platform security. Panopto is responsible for host, middleware, and application-level security, event monitoring, and disaster recovery. Customers are responsible for user identity management, access control, and data security.
Security and Privacy-Driven Culture
Panopto’s focus on security and privacy is rooted in Panopto’s organizational culture, beginning with the hiring process and continuing through employee onboarding, ongoing training, and company-wide initiatives to raise awareness. Before someone joins the Panopto team, Panopto conducts criminal and credit background checks where local laws and regulations permit. All new team members are required to take information security and privacy awareness training. Developers are required to take secure coding training at the time of hire and periodically thereafter. Panopto’s security team conducts regular awareness and training activities, including security newsletters, email alerts, and phishing tests.
Panopto understands that strong governance is critical to an effective information security program. Panopto has implemented a cross-functional Information Security Council representing all departments and teams to provide oversight and strategic direction to Panopto’s security program. In addition, the Council promotes and provides the business support necessary to integrate information security policies, standards, and best practices into the Company’s operations.
Application Security
From the point of capture to the point of playback, Panopto makes it easy to record, manage, and stream your video content securely. As the leading video platform provider to the world’s largest organizations and most respected universities, Panopto has invested heavily in product security, from the way users sign in to how Panopto stores and delivers video across the network.
Panopto’s video platform provides multi-layer security at the perimeter, within the repository, and during streaming. This ensures only authorized users can watch videos and data is safe at rest and in transit.
Panopto secures the video repository perimeter with support for multiple credential types, including OAuth, SAML 2.0, Active Directory, and a number of LMS ID providers. Panopto’s single sign-on (SSO) implementation supports rolling two-way synchronization of credentials, ensuring that user information is always up to date.
Within Panopto, users navigate and access videos, folders, and playlists through role-based permissions. These permissions can be configured for groups or individual users, providing granular control over video recording, live streaming, uploading, publishing, playback, and scheduling. Additional settings provide administrators with the ability to enforce strong passwords, password expiration, two-factor authentication via SSO, and session timeout.
Infrastructure Security
Panopto is hosted as a high-availability, redundant cluster across multiple AWS availability zones, eliminating single points of failure and providing additional platform reliability. Web, encoding, and database servers are mirrored across availability zones. In the event of an entire availability zone outage, the system seamlessly transitions to another zone, providing business continuity and protecting the integrity of your data.
AWS also provides significant protection against traditional network security vulnerabilities. For example, the threat of distributed denial of service (DDoS) attacks is mitigated through proprietary DDoS protection services and multi-homed AWS networks, which provide internet access diversity. Man-in-the-middle (MITM) attacks are prevented through SSL-protected API endpoints. IP spoofing is prevented through the AWS firewall infrastructure, which doesn’t permit instances to send traffic with a source IP or MAC address other than their own.
In addition, AWS maintains state-of-the-art, multi-perimeter physical security at their data centers. This includes prohibiting external access and not sharing the precise location of their data centers. Environmental safeguards include fire detection and suppression, fully redundant power systems, climate control, and real-time management of electrical and mechanical systems.
Operational Security
Panopto has adopted the NIST SP 800-53 control framework as the basis for operating a risk-based information security program. Panopto’s internal systems and processes are managed through security policies that cover the NIST control families, including access control, risk assessment, awareness and training, supply chain risk management, incident response, configuration management, and physical and environmental protection.
Panopto’s engineering team uses a secure software development lifecycle to ensure that security assurance activities such as code review and architecture analysis are inherent to the development effort.
Panopto also performs quarterly vulnerability scans and regular internal audits of their cloud security practices and access rights. Each year, Panopto partners with an internationally known independent security firm to perform a comprehensive penetration test in order to identify exploitable vulnerabilities and minimize cyber-attack surface area.
In addition, Panopto values the assistance of outside researchers in helping to identify vulnerabilities in their products and services. Panopto’s Responsible Disclosure Program encourages researchers to report design and implementation issues that affect the confidentiality or integrity of user data or put customer data at risk.
In the event of a security or business continuity incident, Panopto maintains a response plan that covers all aspects of incident response, from preparation to identification, containment, eradication, recovery, and root cause analysis. The plan is exercised on an annual basis to ensure that Panopto has a team of personnel trained to respond in order to minimize the impact of an incident and resume normal operations as quickly as possible.
Privacy
Panopto takes seriously their responsibility to protect your personal information with care and respect. Panopto’s approach to privacy begins with their commitment to give you transparency over the collection, use, and distribution of your data.
The EU General Data Protection Regulation (GDPR) brings consistency to data protection across Europe, built on the privacy principles of transparency, fairness, and accountability.
As a data processor, Panopto is committed to complying with the GDPR.
This includes the use of encryption and anonymization to protect personal information, contracts with partners who play a role in Panopto’s data processing, third-party audits of their data sources for PII, and adherence to the rights to access, information, rectification, erasure, data portability, objection, and restriction of processing.