Yaniv Elmadawi is the Agora VP of Solutions and Technology Services, focused on helping customers bring their ideas to life. His team of Solution Architects are audio and video technology experts who are constantly pushing the boundaries of chat and streaming experiences.
If you’re integrating real-time engagement (RTE) into your app, security should be a top priority. Why? Building your user base requires trust from your users, and any security issues related to your tech stack can compromise that trust.
When I speak to developers and customers, questions about security and privacy practices are common. To address these questions, I thought it would be helpful to walk through Agora’s security standards and take a deeper dive on what Agora has done to provide a secure real-time engagement platform.
As with any cybersecurity, it’s essential to implement multiple layers of security to prevent a breach.
Here are the layers of security and privacy that Agora has implemented to keep the platform secure:
- Channel separation
- Token authentication
- Network geofencing
- 3rd party testing and validation
- Compliance with privacy and security standards
We’ll dive into the specifics of each below.
Channel separation and token authentication
In order to prevent users from accessing other customer’s channels, Agora creates an independent and isolated channel using application IDs (AppID) to separate between customers. This means that by default, only authenticated users with the correct AppID can join your channel.
Token authentication ensures that only authorized users can join a specific channel. The token is a short-lived access key, which is generated by the app backend and allows users to access the audio or video stream after the user is properly validated by the app. Agora requires users to authenticate using tokens. The tokens are issued by the application backend, after the application confirms the user can join the specific channel. The tokens are also protected by multiple expiration options like join privilege time and how long a use can stay in a channel.
Agora uses role-based token authentication as an additional layer of security to determine whether a user can send audio, video to the channel, or join as an audience member. This is very common in streaming use cases to ensure that the audience is not permitted to send any video/audio to the channel unless specifically enabled to do so.
Media encryption encrypts your app’s audio and video streams with a unique key controlled by the app developer. While not every use case requires media encryption, Agora provides the option to guarantee data confidentiality during transmission. Agora’s built-in encryption engine makes this much easier. Not all levels of encryption are the same. Agora’s platform supports up to AES-256-GCM, the best option for real-time media encryption, as well as DTLS-SRTP, with webRTC.
Protocol encryption ensures that other types of data, beyond media streams, remain confidential by preventing any data from being sent in clear text. Agora accomplishes this using a UDP/TCP Transport Layer Security based on TLS v1.3, securing all protocols for both client-to-server and server-to-server data transfer.
Another important consideration is where your RTE data gets routed. Agora provides geofencing, allowing customers to choose what specific regions you will or will not allow your traffic to pass through.
Network and SDK Testing and Validation
Backend and network testing
No matter how many layers of security a platform claims, testing for vulnerabilities is still essential to staying secure against the rising onslaught of threats. Agora’s network gets regular penetration tests from top security industry leaders and incentivizes independent security researchers to test with a bounty program.
Agora’s SDKs code is routinely reviewed and validated by external security experts. Additionally, Agora ensures that all security and privacy best practices are implemented in the creation of SDK code from the onset.
Security and privacy standards and regulations
Depending on your location and use case, it may be essential to comply with specific security standards and privacy regulations. Agora is certified to the ISO/IEC 27001, 27017, 27018 and SOC 2 security standards and meets privacy regulations like GDPR, CCAP, and HIPAA.
A Real-Time Engagement Platform with advanced security
Looking for secure real-time voice, video, and messaging technology? Agora’s advanced layered security meets top security and privacy standards and regulations. For more information on Agora’s security, check out our information security policy and our security best practices.