Ensuring Video API Security: Best Practices and Tips

Written by Robert Strobl | April 6, 2022

From saving costs to significantly reducing development efforts, APIs are currently one of the best ways to incentivize digital innovation and transformation.

In fact, 56% of developers report that APIs helped them develop better products by creating business value (36%), integrating systems (40%), and accelerating innovation (52%).

With video conferencing tools becoming widely popular during the pandemic, video APIs (Application Programming Interfaces) have been critical in developing communication platforms during one of the biggest remote work shifts.

Video APIs, in fact:

  • are easy to scale thanks to pre-built features
  • remove the need to purchase and maintain complex server architectures
  • allow rapid service launches by cutting months off initial development

However, it’s also important to keep in mind that an API’s ability to access data and critical components can be a double-edged sword.

According to Big Compass, around 50% of organizations experience between 10 and 50 API attacks a month, while at least 91% of businesses experienced at least one security incident last year.

Protection concerns have arisen especially for video APIs, as they are widely used in the telemedicine, finance, and education sectors, where sensitive information and classified data need to meet the highest security standards.

According to George Waller, co-founder of the security company StrikeForce: “You cannot just throw a cyber security band-aid at a poorly designed video conferencing platform and expect it to work.”

That’s why, when integrating real-time communication into an app or service, you need to make sure you are taking the right security precautions.

The most common areas of risk for video APIs are:

  • weak or missing encryption protocols
  • flawed authorization and authentication workflows
  • vulnerable client devices, including laptops, phones and tablets
  • incorrect API usage
  • no analysis of API behaviour data (e.g. detecting anomalies that could indicate a breach in progress)

Encryption

Security starts with the HTTP connection itself. RESTful, or simply REST, is the most common type of API. This kind of application programming interface allows clients and servers to interact with a variety of web resources.

Secure REST APIs should only expose HTTPS endpoints, which ensures that all API communication is encrypted using TLS (still commonly referred to as SSL/TLS). This allows clients to authenticate the service and protects their credentials in transit.

WebRTC

When it comes to video APIs, using WebRTC provides an extra layer of security and protection for sensitive data transmission. The IETF WebRTC standards mandate encryption on all WebRTC communications; an unencrypted WebRTC connection is not permitted by the specification.

WebRTC uses two standardized encryption protocols: data channels are encrypted using Datagram Transport Layer Security (DTLS), while media streams use the Secure Real-time Transport Protocol (SRTP). WebRTC is a peer-to-peer protocol; where a connection has to be relayed through a TURN server, the WebRTC standard provides that the relay only forwards the already-encrypted packets and performs no processing or storage of media (video, voice or file sharing).

Authentication

Security at the API level means that only permitted clients can obtain privileges and execute the operations they have been granted. When it comes to cyberattacks, authentication and authorization are among the first lines of defence. Even though the terms are frequently used interchangeably, they refer to two separate protection processes:

  • Authentication is the act of validating that users are who they claim to be.
  • Authorization is the process of giving an authenticated user permission to access a specific function or resource (application, file, or data). This set of privileges should be kept to the minimum required.

While most API developers will add a global authentication scheme, authorization is an area developers sometimes overlook. In order to prevent abuse and protect sensitive data, both authentication and authorization mechanisms need to be implemented. It’s important to keep in mind that API keys and other credentials need to be stored securely and kept private.

Implementing additional security best practices

Even if less convenient, using unique session IDs increases the security level of video communication. The same goes for unique passwords. Prior to the start of a meeting, hosts should admit only individuals they can identify.

It’s essential for moderators to have the power to limit the number of participants and to force-disconnect attendees. Limiting the ability to screen share is another step moderators can take to protect confidential documents.
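As an added example (not Digital Samba's code or API), the following Python sketch shows the two separate steps described in the Authentication section applied to the moderator controls above: a signed session token proves who the caller is (authentication), and a per-session role table then decides which operations (join, screen share, force disconnect, set participant limit) that caller may invoke (authorization). The secret, role names, operation names and the shape of the token are assumptions made for illustration only.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real service loads this from a secret store, never from source code.
API_SECRET = b"demo-secret-do-not-use"

# Least privilege: each role gets only the operations it needs; attendees cannot moderate.
ROLE_PERMISSIONS = {
    "host": {"join", "screen_share", "force_disconnect", "set_participant_limit"},
    "attendee": {"join"},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, session_id, role, ttl=3600, now=None):
    """Server side: mint a short-lived token bound to one user, one session and one role."""
    claims = {"sub": user_id, "sid": session_id, "role": role,
              "exp": int((now or time.time()) + ttl)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(API_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def authenticate(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(API_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time comparison
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < (now or time.time()):
        return None
    return claims

def authorize(claims, session_id, operation):
    """Separate step: a valid identity still needs the right role in the right session."""
    if claims is None or claims["sid"] != session_id:
        return False
    return operation in ROLE_PERMISSIONS.get(claims["role"], set())

def handle_request(token, session_id, operation, now=None):
    """Mimics an API endpoint: authenticate first, then authorize, then act."""
    claims = authenticate(token, now)
    if claims is None:
        return "401 unauthenticated"
    if not authorize(claims, session_id, operation):
        return "403 forbidden"
    return "200 ok"
```

Note that a tampered token fails authentication before any role is consulted, and that an attendee token for one session grants nothing in another session.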

Conclusion

In an increasingly virtual world, enterprises need to know their services are built with security in mind. Strong encryption and authentication and authorization, combined with privacy controls, should be core functionality in every video engine, including Digital Samba. Talk to our product specialists to find out how Digital Samba can support you in reaching your business goals while ensuring top-grade security.