Security First — Compliance as a Feature

How & Why Powtoon Built a Secure Enterprise Cloud

Sven Hoffmann
Powtoon
7 min read · Aug 13, 2018


Another day, another headline about data hacks, misuse of confidential information, or strident new regulations meant to keep private information safe. And every day, another large organization takes steps to ensure the protection of their data — up to, and including, requiring compliance from software vendors like Powtoon.

There are as many responses to this growing trend as there are companies. Here is the story of how and why Powtoon put security at the center of our new Enterprise Cloud.


Powtoon’s Customers Are Part of Our Product Team

Powtoon is a platform that lets anybody create their own professional-looking videos. From the beginning, we built Powtoon in a very, very agile way — primarily driven by customer requests. We said, “Ok, what’s important to our customers now, let’s give them that, yeah?”

That meant the first version of Powtoon was very limited. You could animate some characters on screen. We had only one style. We had only one character in all kinds of poses. And that was pretty much it: no video, no image backgrounds, no nothing. You could make stickman animations with some text.

But it also meant that, as we gained users, their requests guided how we developed Powtoon. People asked for more of this, and more of that, until the platform evolved into what it is now, with live-action video capabilities, thousands of animated assets, a raft of integrations, and more.

Customer Requests Evolve

The thing is, Powtoon began as a tool that was used mostly by individuals for their small businesses or for their freelance activity. Compliance is not exactly something you think about in that situation. You care that your Powtoons are your Powtoons, and nobody’s accessing them without your permission, or without you sharing the Powtoon on a page.

Individual users don’t think much about questions like “How does Powtoon manage its infrastructure?” “How does the organization handle backend access?” “How does the customer support team access, or not access, data?” These aren’t the kind of things SMBs, or a typical user making an invitation for their kid’s graduation, tend to be concerned with.

But when it came to corporations, to bigger companies, to people who seek out Powtoon because they’re looking for something to spice up their internal communications, their presentations, their HR announcements, or whatever it may be — suddenly we began to get many questions about security and compliance.

A Hurtful Surprise

We started to receive questionnaires from IT departments, from security officers, and from all kinds of functions within corporations. They were asking, “How do you back up your data? Where is your data stored? Who has access to it? Where is it hosted: in the U.S.? U.K.? Europe?” And we found ourselves investing more and more time into reviewing these questions, answering them first to ourselves, and then to our clients.

It was actually heartbreaking to discover that I would have to answer many of these questions in the negative. Finding out that many standard practices (that were just fine six years ago) didn’t answer our customers’ growing needs — that was a hurtful surprise. I knew that we could do better, and deliver a higher standard.

“Compliance, in its widest sense, is a feature.”

Compliance as a Feature

There’s a demand for a new set of features today. These features are not meant to please the actual end-user so much as to satisfy the requirements of the organization employing that user. Compliance, in its widest sense, is a feature that we have to deliver to these customers and their employers in order to do business with them.

No compliance? No business!

That’s really the situation out of which the idea for the Enterprise Cloud was born. Enterprise customers care even more about the security of their data. They may in fact care more about confidentiality than they do about features in the library. They needed a solution that was built from the ground up with security first in mind. Which is exactly what we did.

So the software is deployed differently, and managed differently. A much smaller team has access to the Enterprise Cloud — something of a team within a team. We have very strict rules with regard to who can access the back office of the Enterprise Cloud. Customer support is not allowed to view any customer data without the prior consent of the customer. This wouldn’t be workable for our Public Cloud, but with Enterprise clients who demand and can sustain this level of support and security, we defined policy and implemented systems that actually enforce these practices.

The 4 Data Security Concerns that Matter Most to Companies

There are four main areas of concern for large organizations when it comes to their data:

Integrity

Companies want to ensure that their data’s integrity is not compromised. They want assurance that their data is what it is actually supposed to be, and that only the people they choose may access it. They want to know that something that “belongs to us,” as an organization, stays “with us, and us only.”

Confidentiality

Imagine you create a Powtoon with sensitive information that your competition might like to know. You would want to be sure that your competition cannot get access to that information from the outside. Large companies want to rest assured that all measures have been taken so their sensitive data is accessible only to those they have defined as authorized.

Accessibility

Companies need to know they can access their data whenever they need to. They have employees working, putting in their time and expertise to create compelling video content, and saving it on Powtoon’s cloud. Companies need to know that their data will not be lost due to some technical hiccup. This touches on questions around how we replicate data, how we back up the data, what measures we take to ensure our service is constantly available, and what service level we agree to.

Organizational Controls

Finally, not only do companies want to ensure their data’s integrity, confidentiality, and accessibility, but they also need to know that their partners and software vendors (like Powtoon) can make the same commitment from inside their own organization. Ultimately, strong organizational controls bolster the other three pillars of information security.


Compliance in Action — What Makes Powtoon’s Enterprise Cloud Different

As I mentioned earlier, we have a very small “team within a team” that has direct access to the Enterprise Cloud. This helps us manage our organizational controls and limit access to any data related to Enterprise users. In fact, we built the Enterprise Cloud to be hermetically sealed, and access to it is granted only on a need-to-have basis. But that isn’t the only measure we take. We still need to ensure the integrity, security, and accessibility of the data. That means that even viewing a Powtoon goes through a different process.

For example, in the Enterprise Cloud, we have an additional layer of security that checks every request going into the application against a continuously updated database of attack patterns. So on a request-by-request basis — every time somebody sends a request for a webpage or a command for an API call to the Enterprise Cloud — we screen that request for known malicious activity before it reaches the account.

Additionally, we ensure that only the people you want to see your content can see it. Normally, when you share a Powtoon with somebody, it is private as long as you keep the link private. Much like sharing a link to a Google Doc, you can send a link to someone who is not signed into Google to review a document, and they’ll be able to see it. As long as they don’t post the link on Twitter, it’s private: nobody can find it, and it won’t show up on Google. But anyone who has the link can access it. That’s how Powtoon has worked for the last six years. Your link is private as long as you don’t announce it. But if somebody hacks into your email and sees the link, they can see your content.

In the Enterprise Cloud, that’s not possible. Nobody can view a Powtoon if they’re not part of your organization. We put a virtual perimeter around your organization, and we say, “Hey. If you don’t prove to me that you belong to Accenture, let’s say, you won’t be able to see anything that belongs to Accenture — even if you’ve got the URL of the player page.”
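The two sharing models described above, written out as an added example (this is not Powtoon’s code): a link-secret model where knowing the share token is enough to view, beside an organization-scoped model where the requester must be an authenticated member of the owning organization no matter who holds the URL. The record types, names and the “leaked link” scenario are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Powtoon:
    """A stored video; org is the owning tenant (constructed sample data)."""
    video_id: str
    org: str
    share_token: str  # unguessable secret embedded in the player URL


@dataclass(frozen=True)
class Principal:
    """Authenticated identity as asserted by the login/SSO layer (assumed)."""
    user: str
    org: str


def can_view_public(video: Powtoon, presented_token: str) -> bool:
    """Public Cloud rule: anyone holding the private link may view.
    Constant-time compare so the token cannot be guessed byte by byte."""
    return hmac.compare_digest(video.share_token, presented_token)


def can_view_enterprise(video: Powtoon, presented_token: str,
                        principal: Optional[Principal]) -> bool:
    """Enterprise Cloud rule: the link alone proves nothing. The requester
    must be authenticated and belong to the organization that owns the video;
    only then does the share token in the URL select which video is shown."""
    if principal is None or principal.org != video.org:
        return False
    return hmac.compare_digest(video.share_token, presented_token)


# Constructed scenario: the private link leaks to someone outside the org.
VIDEO = Powtoon("v1", "acme", secrets.token_urlsafe(32))
INSIDER = Principal("alice", "acme")
OUTSIDER = Principal("mallory", "other-co")


def leaked_link_outcomes() -> dict:
    """Who can view VIDEO once the link has leaked, under each model."""
    t = VIDEO.share_token
    return {
        "public_anyone_with_link": can_view_public(VIDEO, t),
        "enterprise_unauthenticated": can_view_enterprise(VIDEO, t, None),
        "enterprise_outsider": can_view_enterprise(VIDEO, t, OUTSIDER),
        "enterprise_insider": can_view_enterprise(VIDEO, t, INSIDER),
    }
```

The dictionary makes the difference concrete: with the same leaked link, the public model grants the view while the organization-scoped model denies it to the unauthenticated and outside requesters and admits only the insider.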

Why Compliance Matters

Video is growing faster than ever, and the power to communicate with deep impact is available for almost anyone today. Powtoon is a big part of that revolution, and I couldn’t be prouder to have had a hand in building it. But let’s face it, it doesn’t matter how fancy or effective a software product is, if a company can’t work with it for lack of security compliance — that company might as well not exist in the first place.

Powtoon is committed to seeing everyone, including people working for large organizations, add a touch of awesomeness to their work and their life with video. Companies that care about pushing the boundaries of workplace communication, but can’t afford to sacrifice compliance, finally have a solution that puts security at the center and treats compliance like a feature.
