100 Day Plan Update
Verkada Customers and Partners,
In the past few months following the March security incident, you — our customers and the Verkada community — have asked tough questions, provided helpful suggestions, and shown us patience and support. For that, we are extremely grateful. Today, we are sharing additional details regarding the projects we pursued over the 100 days after the incident as we redoubled our efforts to strengthen our systems and your trust in us.
Enhancing Risk Management with the Chertoff Group
On top of the enhancements already detailed on our security blog and listed below, we are also pleased to announce that we have partnered with the Chertoff Group, one of the premier, internationally recognized consultancies in security and risk management advisory services. The Chertoff Group will work with us to further strengthen our security after the incident and to help us continue to build products that help our customers protect their people, assets, and privacy.
SOC 2 - Coalfire Assessment
We have engaged Coalfire to conduct a SOC 2 Type 1 assessment (which is already underway), to be followed by a SOC 2 Type 2 examination.
Bug Bounty Program with Bugcrowd
We have launched our bug bounty program as a private bounty program, and have already paid out multiple rewards. We look forward to expanding this program in the coming months.
Additional Penetration Testing with NCC Group
We have engaged NCC Group to add to the breadth and frequency of our penetration testing.
CISO Council
We have assembled a council of Chief Information Security Officers from leading enterprises to engage in information-sharing on best practices and emerging threats. As the CISO of Verkada, I will be leading these CISO Council meetings.
Support Permission System (SPS)
On March 31st, we introduced SPS, a feature that requires customers to grant prior approval, via a toggle that provides explicit, just-in-time authorization, before the Verkada support team can access the customer’s on-prem Verkada equipment. When SPS is enabled, its default setting limits customer-approved access to six hours, and even during that window Verkada has no access to customer video, audio or images unless that access is explicitly granted. In addition, we launched SPS notifications, which alert all customer admins when an SPS token is used by Verkada support staff to access a customer system.
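As an added illustration of the SPS access model described above (this is not Verkada's code; the class names, the in-memory grant store and the alert list are assumptions), a minimal just-in-time grant with the default six-hour window, media excluded unless explicitly scoped, and an alert to every admin on each use of a live token:

```python
"""Just-in-time support-access grant modelled on the SPS description above.
Added illustration, not Verkada code; names and the in-memory store are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

DEFAULT_WINDOW = timedelta(hours=6)                       # default window stated on the page
MEDIA = frozenset({"video", "audio", "images"})           # never covered by a plain grant


@dataclass
class SupportGrant:
    expires_at: datetime
    scopes: frozenset        # media scopes the admin explicitly approved, if any
    admins: tuple            # every org admin is alerted when the token is used

@dataclass
class SupportPermissionSystem:
    enabled: bool = False                                 # the customer-side toggle
    grants: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)            # stand-in for admin notifications

    def approve(self, admins, now, window=DEFAULT_WINDOW, extra_scopes=()):
        """Customer admin approves access; media must be named to be included."""
        if not self.enabled:
            raise PermissionError("SPS is not enabled for this organization")
        token = secrets.token_urlsafe(16)
        self.grants[token] = SupportGrant(now + window, frozenset(extra_scopes), tuple(admins))
        return token

    def support_access(self, token, resource, now):
        """True if support may touch `resource` now; any use of a live token alerts all admins."""
        grant = self.grants.get(token)
        if grant is None or now >= grant.expires_at:      # unknown, revoked or expired token
            return False
        allowed = resource not in MEDIA or resource in grant.scopes
        for admin in grant.admins:
            self.alerts.append((admin, token, resource, now.isoformat(), allowed))
        return allowed


def demo():
    """Walk through the default window, media exclusion and expiry; returns the outcomes."""
    sps = SupportPermissionSystem(enabled=True)
    t0 = datetime(2021, 4, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    tok = sps.approve(["alice@example.test", "bob@example.test"], t0)
    return {
        "config_in_window": sps.support_access(tok, "device_config", t0 + timedelta(hours=1)),
        "video_without_scope": sps.support_access(tok, "video", t0 + timedelta(hours=1)),
        "config_after_window": sps.support_access(tok, "device_config", t0 + DEFAULT_WINDOW),
        "alerts_sent": len(sps.alerts),
    }
```

The expired-token path returns False before any alert is recorded, so the alert count in `demo()` reflects only the two uses made inside the window.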
Enhanced Audit Logs
We launched enhanced audit logging to provide our customers with greater transparency into the use and status of devices and accounts in their organizations. A new consolidated interface lets administrators view all events across an organization in one place, giving more visibility into what is happening within it.
Enhanced Multifactor Authentication
Access to Verkada’s production cloud service provider, AWS, already requires multi-factor authentication, and now it requires a hardware key as one of the factors.
Configuration and Change Management
Verkada has adopted Terraform for its configuration and change management, and we will be using Terraform Cloud Sentinel to reduce the risk of security vulnerabilities in AWS security configurations.
Customer Managed Encryption Keys (CMEK)
For customers with large security engineering teams that are accustomed to managing keys across the enterprise, we are developing customer managed encryption keys (CMEK). CMEK is designed to give customers more visibility and control over how their data is being accessed and to allow them to manage their encryption consistently across all their cloud-based applications. Verkada is developing this with key customer input and is reviewing the security design with third-party experts.
Kyle Randolph
CISO, Verkada Inc.