Security: A top priority for Yodeck

Security is of paramount importance for digital signage. And we have plans to make Yodeck one of the most secure digital signage solutions out there.

When we initially designed Yodeck, we targeted customers with small installations. In our business plan, we have an estimated average of 5 screens and customers were SMEs. As business grew, it turned out that more and more big corporations are using Yodeck and they were deploying more screens than we originally envisioned. This started making security a much more important factor. And that is because, it is quite different to plan for security for an SME than for a Fortune 500 company.

Let’s examine some aspects of high-end security when it comes to digital signage, and what we are doing for each.

Access Control for Better Security

Bigger companies need fine-grained security policies for managing their digital signage network, something that smaller companies rarely need. You need to be able to provide users with access to specific screens or specific content. The most typical example I use is a multinational corporation. They have HQ, regional and local Content Managers, and each need specific access to content and screens. Same goes for IT personnel: local IT guys need configuration access to their local screens. Given that, many companies have policies, like how strong your password should be, while others have central user management which they connect to the different IT systems they buy.

We identified the need to also accommodate this type of customer back in 2017, so in early 2018 we released our “Enterprise” plan. The main feature was the “Workspaces” and shortly after we added support for SAML (for SSO), password policies, IP restrictions, and several other security features.

Security Means You Must Protect Customer Data

Some customers display confidential data on their screens. For large companies, putting any kind of device in your network always requires a security assessment. And when connected to a cloud service, you need also to take into consideration local and remote attacks. The same goes for physical security. What if someone steals your digital signage player? What information will he have access to? Can he affect the rest of the network?

Earlier this year, we saw the need to protect our customers as much as possible from issues like that, but without sacrificing flexibility. We are now in the process of developing a “Lock-Down” feature, which will irrevocably disable a) all remote access services including SSH from the LAN, and b) disable insertion of any customization code into a device. This essentially means that, even in the remote case that someone breaches into our cloud platform (a feat already too difficult), they will not have any kind of elevated access to your players. Within a few months, the “Lock-Down” feature will also include complete encryption of the Player storage. This will essentially protect any data leakage even from physical theft. And will make Yodeck one of the most secure digital signage platforms available in the world.

Confidentiality & Providing Support

Not all content on Digital Signage is public. Companies use Digital Signage software to display highly confidential data, like sales reports, internal news, critical KPIs and more. The previous paragraph talked about the physical security of data stored on Players. But what about accessing data on the cloud? Customers should stay in control of their accounts. And vendor personnel should not have uncontrolled access to sensitive data.

At Yodeck, we are building a new option available to all users which will allow customers to be notified of Yodeck Personnel accessing their account. We decided not to completely prevent access by default, as it would prevent our support team from providing hands-on assistance. Instead, users will be notified by email, to make sure that their access was invited and not unauthorized.

At the end, you just need to trust your vendor, as you trust any piece of software you have already installed in your computer.

Internal Vendor Security & Processes

The thing most difficult to research and evaluate is the internal security structure and processes used by the vendor. We need to prevent issues at the source rather than just strengthening the platform itself. The GDPR was a great leap at enforcing some security level across all software companies of any size or industry.

At Yodeck, we have been constantly strengthening our GDPR compliance with more and more security measures. Encrypted workstations, encryption at rest for all data, encryption in transport; everything that can be encrypted safely and without crippling the service, we have done it. But this is not a “set and forget” thing. That is why we have set up a semi-annual security review. In this 2 week long review, we crosscheck everything from the ground up. Access credentials, accounts, firewalls, processes, encryption, everything is reviewed, confirmed and recommendations for improvement are documented. The whole company participates in this security review process, since feedback across departments is always useful.

To ensure we provide the latest and greatest in security, we are also working closely with a firm that provides DevOps consulting. Their input is included in the review, and they also assist with implementation. Towards the end of the year, we will be engaging in a partnership with a security consultancy firm to do external penetration tests and consulting, while we also plan to embark on completing credible certifications around security.

What the future holds for Yodeck and Security

Everything we have planned in terms of strategy aims to offer you an unbeatable level of security. So that you know you can depend on Yodeck, no matter how big or small your business is. And make no mistake. Yodeck commits to continuously striving towards building the most secure digital signage solution in the industry.

What does this mean? For starters, we plan to intensify our compliance with the most stringent standards out there. Secondly, Yodeck will offer you, our customers, the product assurance you need by earning security certifications. And constantly renewing them when standards change. We’ll also go above and beyond by working closely with third parties to ensure the level of security we offer comes as close to ironclad as possible.

Security has become a key part of our company culture. Because it’s as important to us as it is to you. And we made it part of our way of thinking. Our planning. And our product development. Because it’s a top priority. And all our actions now reflect that.