Security of your digital content and media applications on AWS
Usman Shakeel | Principal Solutions Architect | Amazon Web Services
Ryan Holland | Director of Cloud Platforms | Alert Logic
Who is attacking and why?
• Cyber criminal
• Hacktivist
• Advanced Persistent Threat (APT)
Associated Press – Hacked Twitter Account
• 1% drop in S&P 500
• $136 Bn market drop
• US Treasury bond yield drop
• $ weakens against ¥
TV5Monde Outage
• 11 TV channels off air for 3 hours
• Website & Facebook page defaced
• Email server taken offline
Attack types against media vs other industries
• Higher than average
– DDoS
– Brute force
– Application attacks
• Lower than average
– Part of a botnet
– Scanning
– Recon
Shared Security Model
Customer
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
• Network threat detection
• Security monitoring
• Logical network segmentation
• Perimeter security services
AWS
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration best practices
Getting to a Secure Baseline
• Visibility of the AWS environment
• AWS security best practices
• Vulnerabilities on the instances
Your content, your crown jewels…
Storage | Access control, encryption at rest, access monitoring, …
Network or physical transfer | Encryption in transit, network vulnerabilities, …
Value-added services | Encryption and key management, access controls, …
Shared Responsibility
• AWS is responsible for all backend infrastructure security
• The customer is responsible for the AWS architecture in their account and for application security
Security of the Cloud
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Certifications
MPAA best practices alignment
https://aws.amazon.com/compliance/mpaa/
Cloud Security
Organization & Management
Operations Data Security
ISO
MPAA
Security on the Cloud (application and content security)
Application Security
Development Lifecycle
Authentication & Access
Secure Coding & Vulnerability Management
Digital Security
Content Management
Content Transfer
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch
Content Security
Security of Studio/Post House Workflows
• FAQs
– Highly valued pre-released assets
– Secure transfer (physical in many cases)
– Encryption & key management
– Access control
– Deletion protection
– Isolated from public access (internet)
– Logging and monitoring
– Content location
Server-side encryption using KMS
[Diagram: Amazon S3 requests keys from AWS KMS; each request is governed by the key policy]
Keys are managed centrally in AWS KMS, with permissions on the key and auditing of every use
Security of the Studio/Post House Workflows (Content encryption and access)
[Diagram: a corporate data center (users, content servers, disk, tape storage) connected over a Virtual Private Gateway to an AWS region with two Availability Zones; private subnets in each AZ host a processing layer and content value-add services; content is stored encrypted in Amazon S3, Amazon EBS and Amazon Glacier with keys in KMS/HSM, client-side encryption on the way in, IAM roles for service access, and AWS Import/Export Snowball for bulk transfer]
Locking down S3 access with a VPC endpoint (VPCE)
[Diagram: the customer network reaches the VPC over a VPN connection; apps and the value-add service in private subnets reach Amazon S3 only through a VPC endpoint]
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
VPC Endpoints in action
[Diagram: one VPC with two endpoints, VPCE1 for high-valued assets and VPCE2 for everything else, used by apps in a private subnet]
1. Subnet Route Table gives connectivity to the VPCE
2. VPCE IAM policy restricts what buckets the VPCE allows access to
3. Bucket Policy restricts access to specific VPCEs (or VPCs) ONLY
4. Security Groups on instances further restrict which resources can access S3
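Steps 2 and 3 above, together with the SSE-KMS requirement from the server-side encryption slide, come down to two policy documents: the endpoint policy and the bucket policy. The Go program below is an added example written for this page, not code from the talk or from AWS: it builds both documents and includes a small evaluator for the bucket policy's Deny statements so you can see which requests are refused and by which statement. The bucket name, endpoint id and KMS key ARN are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy mirror the JSON shape that S3 bucket policies and VPC
// endpoint policies share. Condition maps operator -> condition key -> value.
type Statement struct {
	Sid       string                       `json:"Sid"`
	Effect    string                       `json:"Effect"`
	Principal string                       `json:"Principal"`
	Action    []string                     `json:"Action"`
	Resource  []string                     `json:"Resource"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Placeholder identifiers for this example; substitute your own bucket, endpoint and CMK.
const (
	HighValueBucket = "studio-high-value-assets"
	ApprovedVPCE    = "vpce-0a1b2c3d4e5f67890"
	ContentKeyARN   = "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555"
)
var bucketARNs = []string{"arn:aws:s3:::" + HighValueBucket, "arn:aws:s3:::" + HighValueBucket + "/*"}

// BucketPolicy is step 3 plus the SSE-KMS requirement. Every statement is an
// explicit Deny, which overrides any Allow an instance role may carry. The two
// encryption checks are separate statements on purpose: condition keys under one
// StringNotEquals are ANDed, so one statement would admit the right algorithm with the wrong CMK.
func BucketPolicy() Policy {
	notEq := func(k, v string) map[string]map[string]string {
		return map[string]map[string]string{"StringNotEquals": {k: v}}
	}
	return Policy{Version: "2012-10-17", Statement: []Statement{
		{Sid: "DenyAccessOutsideApprovedVPCE", Effect: "Deny", Principal: "*", Action: []string{"s3:*"},
			Resource: bucketARNs, Condition: notEq("aws:sourceVpce", ApprovedVPCE)},
		{Sid: "DenyUnencryptedUploads", Effect: "Deny", Principal: "*", Action: []string{"s3:PutObject"},
			Resource: bucketARNs[1:], Condition: notEq("s3:x-amz-server-side-encryption", "aws:kms")},
		{Sid: "DenyWrongKmsKey", Effect: "Deny", Principal: "*", Action: []string{"s3:PutObject"},
			Resource: bucketARNs[1:], Condition: notEq("s3:x-amz-server-side-encryption-aws-kms-key-id", ContentKeyARN)},
	}}
}

// EndpointPolicy is step 2: the endpoint only forwards requests for the
// high-value bucket, whatever the caller's IAM role would otherwise allow.
func EndpointPolicy() Policy {
	return Policy{Version: "2012-10-17", Statement: []Statement{
		{Sid: "OnlyHighValueBucket", Effect: "Allow", Principal: "*",
			Action: []string{"s3:GetObject", "s3:PutObject", "s3:ListBucket"}, Resource: bucketARNs},
	}}
}

// Request is the context S3 evaluates conditions against; keys the request does
// not carry (no SSE header, no endpoint) are simply absent from Context.
type Request struct {
	Action, Resource string
	Context          map[string]string
}

// matchAny handles literals and trailing-wildcard patterns such as "s3:*" and "arn:aws:s3:::bucket/*".
func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == value || (strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// conditionsHold implements StringNotEquals with IAM semantics: a key missing from
// the request makes the negated test true, which catches an upload with no SSE header at all.
func conditionsHold(cond map[string]map[string]string, r Request) bool {
	for key, want := range cond["StringNotEquals"] {
		if got, present := r.Context[key]; present && got == want {
			return false
		}
	}
	return true
}

// Denied reports whether an explicit Deny matches the request, and which one.
func Denied(p Policy, r Request) (bool, string) {
	for _, s := range p.Statement {
		if s.Effect == "Deny" && matchAny(s.Action, r.Action) && matchAny(s.Resource, r.Resource) && conditionsHold(s.Condition, r) {
			return true, s.Sid
		}
	}
	return false, ""
}

func main() {
	out, _ := json.MarshalIndent(BucketPolicy(), "", "  ")
	fmt.Println(string(out))
}
```

`go run` prints the bucket policy ready to paste; `json.MarshalIndent(EndpointPolicy(), "", "  ")` gives the endpoint policy the same way, and `Denied(BucketPolicy(), Request{...})` lets you check a request shape before you deploy. Two cautions a practitioner will want: a Deny keyed on aws:sourceVpce with Principal "*" also blocks the account's own administrators working from the console or from outside the VPC, so confirm the endpoint path works before applying it and keep a break-glass path; and step 4 is expressed as an outbound security group rule that references the region's S3 prefix list rather than IP ranges.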
Security of the Studio/Post House Workflows (No public network traversal)
[Diagram: the same corporate data center and AWS region, now connected over Direct Connect; the processing layer reaches Amazon S3 through an S3 VPC endpoint, with KMS/HSM, client-side encryption, IAM roles and encrypted content in Amazon S3, Amazon EBS and Amazon Glacier as before]
12 Regions
32 Availability Zones
54 Edge locations
Where is my content?
Additional Storage Security Controls
Amazon S3 | Permissions, access logs, versioning, durability
Amazon Glacier | Vault Lock
AWS CloudTrail
VPC Flow Logs: Automation
[Diagram: the Elastic Network Interface of the value-add service for high-valued assets, in a private subnet, sends VPC Flow Logs to a CloudWatch Logs flow log group; a metric filter on all SSH REJECT records feeds a CloudWatch alarm ("If SSH REJECT > 10, then…") that publishes to Amazon SNS, which invokes an AWS Lambda function with the offending source IP]
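The detection half of that pipeline, as an added Go example written for this page (not code from the talk): it parses default-format VPC Flow Log records, applies the same match the metric filter expresses, counts rejected SSH attempts per source and returns the sources over the alarm threshold, which are the addresses the SNS-triggered Lambda function would act on. The log lines are constructed for the example; the account id and ENI id are placeholders.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// MetricFilterPattern is the CloudWatch Logs filter pattern for the default flow log
// format that matches rejected TCP connections to port 22 (the SSH-reject example
// from the VPC Flow Logs documentation). Field positions: version account-id
// interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status.
const MetricFilterPattern = `[version, account, eni, source, destination, srcport, ` +
	`destport="22", protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]`

// FlowRecord keeps the fields the detection needs from one default-format line.
type FlowRecord struct {
	SrcAddr, DstAddr string
	SrcPort, DstPort int
	Protocol         int
	Action, Status   string
}

// ParseFlowRecord parses one default-format flow log line. NODATA and SKIPDATA
// lines carry "-" in the address and port fields and are reported as an error so
// callers skip them instead of miscounting.
func ParseFlowRecord(line string) (FlowRecord, error) {
	f := strings.Fields(line)
	if len(f) != 14 {
		return FlowRecord{}, fmt.Errorf("expected 14 fields, got %d", len(f))
	}
	ints := make([]int, 3)
	for i, idx := range []int{5, 6, 7} {
		n, err := strconv.Atoi(f[idx])
		if err != nil {
			return FlowRecord{}, fmt.Errorf("field %d (%q): %w", idx, f[idx], err)
		}
		ints[i] = n
	}
	return FlowRecord{SrcAddr: f[3], DstAddr: f[4], SrcPort: ints[0], DstPort: ints[1],
		Protocol: ints[2], Action: f[12], Status: f[13]}, nil
}

// IsSSHReject is the programmatic equivalent of MetricFilterPattern.
func IsSSHReject(r FlowRecord) bool {
	return r.DstPort == 22 && r.Protocol == 6 && r.Action == "REJECT"
}

// SSHRejectsBySource tallies rejected SSH attempts per source address.
func SSHRejectsBySource(lines []string) map[string]int {
	counts := map[string]int{}
	for _, line := range lines {
		r, err := ParseFlowRecord(line)
		if err != nil || !IsSSHReject(r) {
			continue
		}
		counts[r.SrcAddr]++
	}
	return counts
}

// Offenders mirrors the alarm "If SSH REJECT > 10, then…": it returns, sorted,
// the sources whose count is strictly above threshold.
func Offenders(counts map[string]int, threshold int) []string {
	var out []string
	for ip, n := range counts {
		if n > threshold {
			out = append(out, ip)
		}
	}
	sort.Strings(out)
	return out
}

// SampleLines is constructed test data, not a capture: twelve rejected SSH attempts
// from 198.51.100.7, three from 203.0.113.9, an accepted SSH session, a rejected
// HTTPS probe (not SSH), and a NODATA line.
func SampleLines() []string {
	eni := "2 123456789012 eni-0123456789abcdef0"
	var lines []string
	for i := 0; i < 12; i++ {
		lines = append(lines, fmt.Sprintf("%s 198.51.100.7 10.0.1.5 %d 22 6 1 44 1459230000 1459230060 REJECT OK", eni, 40000+i))
	}
	for i := 0; i < 3; i++ {
		lines = append(lines, fmt.Sprintf("%s 203.0.113.9 10.0.1.5 %d 22 6 1 44 1459230000 1459230060 REJECT OK", eni, 50000+i))
	}
	return append(lines,
		eni+" 10.0.0.21 10.0.1.5 51515 22 6 20 2000 1459230000 1459230060 ACCEPT OK",
		eni+" 203.0.113.9 10.0.1.5 50100 443 6 1 44 1459230000 1459230060 REJECT OK",
		eni+" - - - - - - - 1459230000 1459230060 - NODATA")
}

func main() {
	counts := SSHRejectsBySource(SampleLines())
	fmt.Println("rejected SSH attempts per source:", counts)
	fmt.Println("sources over the threshold of 10:", Offenders(counts, 10))
}
```

In the slide's pipeline the counting is done by CloudWatch from the metric filter and the threshold by the alarm; the code is the same logic laid out so you can test it against your own exported log lines. One caveat carried over from flow logs themselves: a REJECT record only tells you a security group or network ACL refused the packet, so a run of them is a scan or a brute-force attempt that was already blocked, and the automation is there to shorten the window for the next port or the next host.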
Additional Security Controls (Elastic Transcoder Security)
• Encryption at rest: server managed keys or client provided keys
• Integration with AWS Key Management Service: Amazon Elastic Transcoder only accepts AWS KMS protected keys, and the key is never written or stored in cleartext
• Encryption for HLS streams: built on top of the “client provided keys” API; Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key
• Digital Rights Management: PlayReady DRM packaging
• CloudTrail integration
[Diagram: Elastic Transcoder uses an IAM role to read and write Amazon S3 and to use KMS-protected keys; its API calls are recorded by AWS CloudTrail]
Watermarking
Content Transfer
Security of the Distribution (content transfer) Workflow (B2B)
[Diagram: content in Amazon S3, with keys in KMS/HSM, reached by IAM roles through an S3 VPC endpoint and optionally fronted by a proxy layer, is shared with internal users, vendors/partners and affiliates/distributors using fine-grained temporary access; access logs record each retrieval; remote application streaming is shown as a further option]
AWS Import/Export Snowball: a secure way to physically transfer content, at scale
Scale and speed
• Up to 50TB capacity per device
• 10Gbps and 1Gbps connectivity
• Parallel data transfer enables PBs transferred in a week
Secure
• Tamper-resistant enclosure
• 256-bit encryption with KMS
• Secure data erasure
Simple
• Manage the entire process through the AWS Console
• Lightweight data transfer client
• Notifications
Security of Content Distribution Applications
• FAQs
– Access control, rights management & content monetization
– DRM packaging
– Encryption
– Logging and monitoring
AWS mechanisms for securing media delivery
Token / signed URLs | Amazon CloudFront – private content (signed URLs, signed cookies, OAIs)
AES encryption | Amazon Elastic Transcoder – HLS with AES-128 encryption; AWS Key Management Service – key management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3
DRM | Amazon Elastic Transcoder – PlayReady DRM packaging
Geoblocking | Amazon CloudFront – geo-restriction
Watermarking | Amazon Elastic Transcoder – visual watermarks
[Diagram: Amazon S3 (media storage) as the origin behind Amazon CloudFront]
CDN Security (Amazon CloudFront Security)
• CloudFront’s private content feature: only deliver content to securely signed requests
• HTTPS-only requests/delivery
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS-only origin fetches
• AWS WAF
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed cookies for private content: the signature is included in the cookie itself
[Diagram: end users send signed requests to Amazon CloudFront, which verifies the signed URL or signed cookie with AWS WAF in front, fetches from delivery EC2 instances behind a security group, and writes access logs to Amazon S3 (logs storage)]
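Signed URLs are the mechanism most of the bullets above rest on, so here is the full round trip as an added Go example written for this page (not CloudFront's or the talk's code): build a custom policy with an expiry and a viewer CIDR, sign it the way CloudFront requires, assemble the URL, and then perform the checks the edge performs against the trusted signer's public key. The key pair is generated on the fly in the test, the Key-Pair-Id is a placeholder, and the resource URL is assumed to carry no query string of its own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Custom policy document, in the field order CloudFront documents.
type cfPolicy struct{ Statement []cfStatement `json:"Statement"` }
type cfStatement struct {
	Resource  string      `json:"Resource"`
	Condition cfCondition `json:"Condition"`
}
type cfCondition struct {
	DateLessThan cfEpoch `json:"DateLessThan"`
	IpAddress    *cfIP   `json:"IpAddress,omitempty"`
}
type cfEpoch struct{ EpochTime int64 `json:"AWS:EpochTime"` }
type cfIP struct{ SourceIp string `json:"AWS:SourceIp"` }

// BuildPolicy produces the compact JSON CloudFront expects: the resource URL, a
// hard expiry, and optionally the viewer CIDR that may use the link.
func BuildPolicy(resource string, expires int64, cidr string) ([]byte, error) {
	st := cfStatement{Resource: resource, Condition: cfCondition{DateLessThan: cfEpoch{expires}}}
	if cidr != "" {
		st.Condition.IpAddress = &cfIP{cidr}
	}
	return json.Marshal(cfPolicy{Statement: []cfStatement{st}})
}

// cfEncode and cfDecode are CloudFront's URL-safe base64: + becomes -, = becomes _, / becomes ~.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// SignedURL signs the policy with the trusted signer's private key (RSA, SHA-1,
// PKCS#1 v1.5, as CloudFront requires) and appends the three query parameters
// CloudFront checks. resource is the object URL without a query string of its own.
func SignedURL(priv *rsa.PrivateKey, keyPairID, resource string, expires int64, cidr string) (string, error) {
	policy, err := BuildPolicy(resource, expires, cidr)
	if err != nil {
		return "", err
	}
	digest := sha1.Sum(policy)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return resource + "?Policy=" + cfEncode(policy) + "&Signature=" + cfEncode(sig) + "&Key-Pair-Id=" + keyPairID, nil
}

// VerifySignedURL performs the checks the edge performs with the trusted signer's
// public key: signature over the policy, resource match, expiry, and viewer CIDR.
func VerifySignedURL(pub *rsa.PublicKey, signedURL string, now int64, viewerIP string) error {
	u, err := url.Parse(signedURL)
	if err != nil {
		return err
	}
	policy, perr := cfDecode(u.Query().Get("Policy"))
	sig, serr := cfDecode(u.Query().Get("Signature"))
	if perr != nil || serr != nil {
		return errors.New("malformed Policy or Signature parameter")
	}
	digest := sha1.Sum(policy)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return fmt.Errorf("signature check failed: %w", err)
	}
	var p cfPolicy
	if err := json.Unmarshal(policy, &p); err != nil || len(p.Statement) != 1 {
		return errors.New("malformed policy")
	}
	st := p.Statement[0]
	if strings.SplitN(signedURL, "?", 2)[0] != st.Resource {
		return errors.New("URL does not match the signed resource")
	}
	if now >= st.Condition.DateLessThan.EpochTime {
		return errors.New("link expired")
	}
	if st.Condition.IpAddress != nil {
		_, allowed, err := net.ParseCIDR(st.Condition.IpAddress.SourceIp)
		if err != nil || !allowed.Contains(net.ParseIP(viewerIP)) {
			return errors.New("viewer address outside the signed CIDR")
		}
	}
	return nil
}
```

A typical call is `SignedURL(priv, "APKAEXAMPLEKEYPAIRID", "https://d111111abcdef8.cloudfront.net/private/reel1.mp4", expiry, "192.0.2.0/24")` with the private key loaded from wherever the signer keeps it; the public half is what you upload as the trusted signer's key. CloudFront fixes the signature algorithm at RSA with SHA-1 and PKCS#1 v1.5, which is why the example uses SHA-1 although you would not pick it for anything new; the scheme's security rests on the private key never reaching the web tier, on a short DateLessThan window, and on the IpAddress condition when the viewer's address is predictable. `VerifySignedURL` exists so you can test link generation offline; the edge does the real check.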
Application Development Security
Development Lifecycle
Authentication & Access
Secure Coding & Vulnerability Management
• AWS Config, Config Rules
• AWS IAM: IAM users, IAM groups, IAM roles
• AWS CloudTrail
• Amazon Inspector (preview)
Log, Monitor, Act Proactively
You are making API calls and accessing your content on a growing set of services around the world…
Amazon CloudTrail is continuously recording those API calls and delivering log files to you…
[Diagram: CloudTrail covering Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront and Elastic Transcoder, with Amazon S3, Amazon CloudFront and application access logs delivered alongside]
Feed the logs into Amazon CloudWatch Logs, or monitor for patterns in the logs
Act fast, or automate, based on real-time notifications and alerts
Recycle infrastructure often
• Launch a CloudFormation stack with all the infrastructure resources for a specific project
• Autoscale the stack as appropriate
• Terminate
[Diagram: AMI → CloudFormation template → CloudFormation stack → terminate]
A few other topics
• FAQs
– Third party media security products
• Watermarking
• DRM
– Software patching and updates
– Real-time notifications on any security/access breaches/anomalies
Media Security Software on AWS
Monitoring Activity in your environment
• Visibility of the AWS environment
• AWS security best practices
• Vulnerabilities on the instances
• Monitor web application traffic
• Implement network intrusion detection
• Capture log data
• Security analysts
Bringing it together
[Diagram: the same controls (visibility of the AWS environment, AWS security best practices, vulnerabilities on the instances, web application traffic monitoring, network intrusion detection, log data capture) feed analytics; security events and log data go in, escalated security incidents and recommendations come out; the model spans on-premises, hosted, hybrid and cloud environments]
Shared Compliance Model
AWS CloudTrail | Auditing events from your AWS infrastructure
Cloud Defender | Collection and analysis of CloudTrail logs; notification on business rule exceptions; reporting
Customer | Defines policies to meet compliance; the IT operations and security team consume the output
Questions?