By Larry Jordan
A press release from Frame.io caught my eye this morning. Emery Wells, CEO of Frame.io, announced that Frame.io is “now SOC 2 Type 2 compliant.” This means that Frame.io successfully completed a rigorous, ongoing security audit that demonstrates Frame.io not only met, but exceeded industry security standards.
This security audit, according to Frame.io, “is the gold standard for security compliance for [Software as a Service] companies.”
Type 1 compliance covers security at a specific point in time, meaning that Frame.io demonstrated to external third-party auditors its ability to successfully design and implement security controls, policies, and procedures to secure and encrypt your media on Frame.io.
Type 2 compliance is much more rigorous. It requires that Frame.io demonstrate the ability to maintain those same security controls, policies, procedures, and standards successfully throughout the examination period — from July until today — without any exception. These standards cover everything from the training of employees to the distribution of company software and hardware, and even the protocols for guests who visit their NY headquarters.
This audit included examination of their policies and procedures regarding network connectivity, firewall configurations, systems development life cycle, computer operations, logical access, data transmission, backup and disaster recovery, and other critical operational areas of business.
The reason I mention this is that, many times when I talk to tech companies, they make a big deal of how important the security of your data is to them. But almost none have gone to the lengths that Frame.io has to PROVE that your data is secure.
Talk is cheap and, as we’ve seen over and over in social media, it is easy to promise security, while not actually delivering anything of substance.
Frame.io has put their money – LOTS of their money – into living up to their promises to keep our data secure. This is a major accomplishment and they deserve congratulations.
Frame.io has set a high bar for other service companies to meet. Here’s a link to their press release to learn more.
As you think about moving business-critical assets to The Cloud, here are some questions you should ask:
- Is our data encrypted while it’s being transferred (“in transit”), while it is stored on your servers (“at rest”) or both?
- Do system administrators have access to either our data or the encryption keys and, if so, how do you secure our data?
- What happens to my data if your company goes out of business?
- What organizational processes have you put in place to make sure unauthorized users don’t have access to my data?
- How are you auditing and verifying that your security procedures are sufficient, and sufficiently followed by members of your staff?