New Security Whitepaper From Twilio

March 09, 2016
Written by
Peter Tan
Twilion


Communications technology is deeply embedded in our daily lives. Sending a text, making a call, or reaching out to a customer is so instantaneous it feels like second nature. Proper security measures preserve that sense of second nature, and that sense of trust, so there’s no pause before you fire off that text.

At Twilio, security is always on our mind. To keep you in the loop on what we do to keep your workflows secure, here’s a rundown of the security measures we’ve shipped in the past year, and what’s coming next.

We understand that many of you have internal security frameworks, and we have structured the whitepaper to match up with some of the ones that are common amongst our users. This will make it easier for you to find what you are looking for. We recommend that you check the Security Whitepaper out.

Additionally, let us walk you through some improvements and updates we made before the year closed out that you might have missed, and give you a glimpse of what is coming in the year ahead here at Twilio.

Before the year closed out, we updated our SSL Certificate to a SHA-2 signed certificate as detailed here. While 2015 did not have the same level of security scares as 2014, it never hurts to err on the side of caution.

Speaking of caution, we introduced the Secondary Auth Token, which helps you switch to new credentials with zero downtime in the event that your primary Twilio credentials have been compromised. This also allows you to seamlessly cycle your credentials, keeping up with any security policies that you might have.

We more recently released API keys as covered in this blog post. API keys will be the way forward for managing credentials inside your Twilio implementations. With API keys, each developer can be given their own set of credentials, allowing better user management and access control. They also make life easier by being disposable credentials, preventing the primary AccountSID and Auth Token from floating around too much.

Many companies want a way to trace and audit lifecycle events in their accounts. To address this, we introduced a new platform feature – Monitor, which has many uses, like keeping track of your phone numbers and who updated their configuration when. You can learn more about how it works in this blog post.

Your use cases grow over time, generally due to the success of your business. What was once a small experiment could now be core to your business communications. It is never a bad time to re-evaluate your security implementations and check what kind of measures you have in place. This could mean checking that Request Validation is enabled in your workflow to verify that HTTP Requests to your servers are truly coming from Twilio.
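As an added illustration (not code from this post or from Twilio's helper libraries), here is the check Request Validation performs for a form-encoded POST webhook: an HMAC-SHA1, keyed with the Auth Token, over the full request URL followed by each POST field name and value in field-name order, base64-encoded and compared with the `X-Twilio-Signature` header. The function names, the sample values, and the choice to accept a list of tokens so validation keeps working while credentials are cycled are assumptions made for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample request; none of these values come from a real account.
SAMPLE_URL = "https://example.com/twilio/sms?tenant=42"
SAMPLE_PARAMS = {"To": "+15550100", "From": "+15550199", "Body": "hello"}
OLD_TOKEN = "constructed-old-auth-token"
NEW_TOKEN = "constructed-new-auth-token"


def compute_signature(auth_token: str, url: str, params: dict) -> str:
    """Signature over the exact public URL (scheme, host, path, query)
    plus every POST field name and value, sorted by field name."""
    data = url + "".join(name + params[name] for name in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def is_valid_request(auth_tokens, url, params, header_signature) -> bool:
    """True if the header matches the signature under any accepted token.

    A missing header is rejected outright. Comparison is constant-time and
    every token is checked so timing does not reveal which one matched.
    """
    if not header_signature:
        return False
    supplied = header_signature.encode()
    matched = False
    for token in auth_tokens:
        expected = compute_signature(token, url, params).encode()
        matched |= hmac.compare_digest(expected, supplied)
    return matched


if __name__ == "__main__":
    sig = compute_signature(NEW_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
    print("genuine :", is_valid_request([OLD_TOKEN, NEW_TOKEN], SAMPLE_URL, SAMPLE_PARAMS, sig))
    forged = dict(SAMPLE_PARAMS, Body="transfer funds")
    print("tampered:", is_valid_request([OLD_TOKEN, NEW_TOKEN], SAMPLE_URL, forged, sig))
```

The URL passed in must be the one Twilio was configured to call; behind a TLS-terminating proxy, rebuilding it from the internal request is a common cause of valid requests failing this check.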

If you are using Twilio SIP, you could check our list of IPs to ensure the right ones are in your system. Twilio has data centers in seven distinct regions to best serve you, and each has its own set of IP addresses that need whitelisting. To find out more about Twilio SIP in general, you can see the webinar we had on this topic, which covers how you can secure your SIP trunks with Twilio and begin the migration off expensive PRIs to more cost-effective SIP trunks. On the horizon, we have MPLS in early access for SIP trunking, and we will have more news on this feature in the months to come.

Lastly, as our platform and our product lines grow, Twilio is committed to the security of your communications and ensuring the ease of verifying that. We will keep you updated as we make further developments in this space to maintain the highest level of security possible. We encourage you to look at our revised whitepaper and to conduct a security audit of your use cases with us. We can’t wait to see what you secure.