[aws la media & entertainment event 2015]: security of digital media content & applications...
TRANSCRIPT
Security of your digital content and media applications on AWS
Usman Shakeel | Principal Solutions Architect, Amazon Web Services
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Digital Media Workloads
Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
Content Storage: High speed ingest; Library storage and archiving; Tier management
Processing & Management: Content/asset management; En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
Content Distribution: B2C streaming of live and VOD content; B2B distribution; Video advertising insertion
Content Consumption: Analytics, reporting, log analysis; Real-time monitoring; Content discovery; Content recommendation engine
Studio | Post House + Other Service Providers | Affiliates + Broadcasters + Distributors
Shared Responsibility
• AWS is responsible for all backend infrastructure security
• The customer is responsible for the AWS architecture in their account and for application security
Security of your content on AWS
Security of the Cloud | Security on the Cloud
Cloud Security: Organization & Management; Operations; Data Security
Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
Digital Security: Content Management; Content Transfer
Security of the Cloud
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
Certifications
MPAA best practices alignment
https://aws.amazon.com/compliance/mpaa/
Security on the Cloud (application and content security)
Cloud Security: Organization & Management; Operations; Data Security
Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
Digital Security: Content Management; Content Transfer
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch
Making life easier
Choosing security does not mean giving up on convenience or introducing complexity
Application Development Security
Development Lifecycle
Authentication & Access
Secure Coding & Vulnerability Management
AWS Config | AWS IAM | AWS CloudTrail | AWS Inspector (preview)
Application Security
AWS Config: continuous change recording
Changing resources are recorded by AWS Config, which provides a history, a stream, and snapshots (ex. 2014-11-05)
Log, Monitor, Act Proactively
You are making API calls and accessing your content on a growing set of services around the world (Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Elastic Transcoder, ...).
Amazon CloudTrail is continuously recording those API calls and delivering log files to you.
Amazon S3, Amazon CloudFront, and application access logs are available as well.
Feed the logs into Amazon CloudWatch, or monitor patterns on the logs.
Act fast, or automate, based on real-time notifications and alerts.
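A worked example of the "monitor patterns on logs, act on alerts" step. The script below is an added illustration written for this transcript, not AWS code and not part of the talk. It scans CloudTrail-style records for four patterns a content owner cares about: permission changes on a content bucket, tampering with the trail itself, denied use of KMS keys, and object reads that did not arrive through the expected S3 VPC endpoint. The bucket name, VPC endpoint id, account id and the log records themselves are constructed; the last rule assumes object-level S3 events are being recorded.

```python
"""Alerting over CloudTrail records for a media-content account.

Added example for this talk, not AWS code.  SAMPLE_LOG is a constructed
CloudTrail-style file (one policy change, one trail-stop, one KMS
AccessDenied, one read through the endpoint, one read around it).
Bucket and endpoint names are hypothetical.
"""
import json
from typing import Callable, Dict, Iterable, List, Tuple

CONTENT_BUCKETS = {"studio-prerelease-masters"}      # hypothetical bucket
EXPECTED_VPCE = "vpce-0123456789abcdef0"              # constructed endpoint id


def _bucket(r: dict) -> str:
    return (r.get("requestParameters") or {}).get("bucketName", "")


def is_bucket_policy_change(r: dict) -> bool:
    """Permission changes on a content bucket (policy or ACL)."""
    return (r["eventSource"] == "s3.amazonaws.com"
            and r["eventName"] in {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl"}
            and _bucket(r) in CONTENT_BUCKETS)


def is_trail_tamper(r: dict) -> bool:
    """Someone turning off or altering the audit trail itself."""
    return (r["eventSource"] == "cloudtrail.amazonaws.com"
            and r["eventName"] in {"StopLogging", "DeleteTrail", "UpdateTrail"})


def is_kms_denied(r: dict) -> bool:
    """Failed attempts to use content keys: misconfiguration or probing."""
    return r["eventSource"] == "kms.amazonaws.com" and r.get("errorCode") == "AccessDenied"


def is_read_off_vpce(r: dict) -> bool:
    """Content object fetched through a path other than the locked-down
    S3 VPC endpoint.  CloudTrail stamps endpoint requests with vpcEndpointId."""
    return (r["eventSource"] == "s3.amazonaws.com" and r["eventName"] == "GetObject"
            and _bucket(r) in CONTENT_BUCKETS
            and r.get("vpcEndpointId") != EXPECTED_VPCE)


RULES: List[Tuple[str, Callable[[dict], bool]]] = [
    ("content-bucket-policy-change", is_bucket_policy_change),
    ("cloudtrail-tampering", is_trail_tamper),
    ("kms-access-denied", is_kms_denied),
    ("content-read-outside-vpce", is_read_off_vpce),
]


def load_records(log_text: str) -> List[dict]:
    """CloudTrail delivers JSON files shaped {"Records": [...]}."""
    return json.loads(log_text)["Records"]


def scan(records: Iterable[dict]) -> List[Dict[str, str]]:
    """Return one alert per (record, matching rule), in log order."""
    alerts = []
    for r in records:
        for name, matches in RULES:
            if matches(r):
                alerts.append({
                    "rule": name,
                    "eventTime": r["eventTime"],
                    "eventName": r["eventName"],
                    "principal": r.get("userIdentity", {}).get("arn", "unknown"),
                    "sourceIPAddress": r.get("sourceIPAddress", ""),
                })
    return alerts


# Constructed sample log; account id 123456789012 is the usual documentation value.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2015-10-05T18:01:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "studio-prerelease-masters"}},
    {"eventTime": "2015-10-05T18:02:10Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"name": "studio-trail"}},
    {"eventTime": "2015-10-05T18:03:44Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/render-node/i-0abc"}},
    {"eventTime": "2015-10-05T18:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/render-node/i-0abc"},
     "requestParameters": {"bucketName": "studio-prerelease-masters", "key": "reel1.mxf"}},
    {"eventTime": "2015-10-05T18:05:31Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "studio-prerelease-masters", "key": "reel1.mxf"}},
]})


if __name__ == "__main__":
    for a in scan(load_records(SAMPLE_LOG)):
        print(a["rule"], a["eventTime"], a["principal"], a["sourceIPAddress"])
```

In a real deployment the same predicates would run inside a CloudWatch Logs metric filter or a Lambda subscribed to the CloudTrail delivery bucket, with the alert list feeding an SNS topic; the point of the rule set is that every rule is tied to a control the slides describe (bucket permissions, the trail, KMS, the VPC endpoint) rather than to generic noise.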
Recycle infrastructure often
• Launch a CloudFormation stack with all the infrastructure resources for a specific project (AMI + CloudFormation template)
• Autoscale the stack as appropriate
• Terminate the stack
Security of Studio/Post House Applications
Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
Content Storage: High speed ingest; Library storage and archiving; Tier management
Processing & Management: Content/asset management; En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
Security of Studio/Post House Workflows
• FAQs
– Highly valued pre-released assets
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Deletion Protection
– Isolated from public access (internet)
– Logging and Monitoring
– Content location
Security of the Studio/Post House Workflows
Corporate data center: users, content servers, disk, tape storage
AWS cloud: Amazon S3, Amazon Glacier, processing layer on Amazon EBS
Content protection: encrypted at rest; encrypted in transit; using my keys; over a private connection; access policies
Server-side encryption using KMS: Amazon S3 requests keys from AWS KMS under a key policy; keys are managed centrally in Amazon KMS with permissions and auditing of usage
Security of the Studio/Post House Workflows (Content encryption and access)
Corporate data center: users, content servers, disk, tape storage; encrypted content shipped with AWS Import/Export Snowball
AWS cloud: processing layer on Amazon EBS; Amazon S3; Amazon Glacier; KMS/HSM with client-side encryption; IAM roles
Locking down S3 access with a VPC endpoint (VPCE)
Prior to S3 VPCE: public IP on EC2 instances and an IGW, or private IP on EC2 instances and NAT
Using S3 VPCE: access Amazon S3 through the S3 private endpoint (VPCE) without using NAT instances or gateways; increased security
Security of the Studio/Post House Workflows (No public network traversal)
Corporate data center: users, content servers, disk, tape storage; connected to the AWS cloud over Direct Connect
AWS cloud: processing layer on Amazon EBS; Amazon S3 reached through an S3 VPC Endpoint; Amazon Glacier; KMS/HSM with client-side encryption; encrypted content; IAM roles
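To make the "server-side encryption using KMS" and "no public network traversal" slides concrete, here is an added example, written for this transcript and not AWS or the speaker's code, of a bucket policy that enforces both, together with a small evaluator that applies IAM's explicit-deny-wins rule to sample requests. The bucket name and VPC endpoint id are hypothetical, and the evaluator implements only the policy features used here (S3 actions, StringEquals and StringNotEquals, no Principal matching).

```python
"""Bucket policy that keeps a content bucket reachable only through an S3 VPC
endpoint and forces SSE-KMS on every upload, plus an evaluator that walks the
policy the way IAM does (explicit Deny beats Allow beats implicit deny).

Added example for this talk.  BUCKET and VPCE_ID are hypothetical; the
evaluator models only the subset of the policy language used below.
"""
import json
from fnmatch import fnmatch
from typing import Dict, List, Optional

BUCKET = "studio-prerelease-masters"        # hypothetical bucket
VPCE_ID = "vpce-0123456789abcdef0"          # constructed endpoint id


def content_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Two explicit Deny statements: off-endpoint access, and unencrypted PUTs."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyAccessOutsideVpce",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                # Negated operator: also denies when aws:sourceVpce is absent,
                # i.e. any request that did not come through a VPC endpoint.
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            },
            {
                "Sid": "DenyUnencryptedPuts",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                # Header missing or set to anything but aws:kms is refused.
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
        ],
    }


# Identity-based policy of the processing role (hypothetical): broad S3 rights
# on the bucket.  The bucket policy above narrows them.
PROCESSING_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*",
                   "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """IAM semantics for the two operators used: a missing context key makes
    StringEquals false and StringNotEquals true."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual != wanted:
                return False
            if operator == "StringNotEquals" and actual == wanted:
                return False
    return True


def _statement_matches(stmt: dict, ctx: dict) -> bool:
    action_ok = any(fnmatch(ctx["action"], a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch(ctx["resource"], r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies: List[dict], ctx: dict) -> str:
    """Decision order: explicit Deny > Allow > implicit deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"] if _statement_matches(s, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def decide(action: str, key: str, context: Optional[Dict[str, str]] = None) -> str:
    """Evaluate one S3 request against the role policy plus the bucket policy."""
    ctx = {"action": action, "resource": f"arn:aws:s3:::{BUCKET}/{key}", **(context or {})}
    return evaluate([PROCESSING_ROLE_POLICY, content_bucket_policy(BUCKET, VPCE_ID)], ctx)


if __name__ == "__main__":
    print(json.dumps(content_bucket_policy(BUCKET, VPCE_ID), indent=2))
    print(decide("s3:GetObject", "reel1.mxf", {"aws:sourceVpce": VPCE_ID}))   # Allow
    print(decide("s3:GetObject", "reel1.mxf"))                                  # Deny
```

Two things to check before applying a policy like this to a real bucket: the first Deny also blocks the console and every caller outside the VPC, administrators included, so carve out break-glass access before you apply it; and the second Deny rejects uploads that omit the encryption header entirely, not only those that name a different algorithm, so ingest tooling must always send it.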
Secure Media Supply Chains – A Reference Architecture
• Key Management Service: provides the CPK for S3 encryption at rest; the content owner provides the master key; EC2 and ETS can request the data key on behalf of the customer
• S3 ingest for source, renditions, and metadata sidecar files; ingest application on AWS Elastic Beanstalk
• Processing: Elastic Transcoder and other media processing on EC2
• Amazon DynamoDB: individual key storage; store and deliver object-specific keys in Dynamo
• Authentication/Authorization
• Content consumption through a CloudFront distribution
S3 cross-region replication: automated, fast, and reliable asynchronous replication of data across AWS regions (e.g. source in Virginia, destination in Oregon)
• Only replicates new PUTs. Once S3 is configured, all new uploads into a source bucket will be replicated
• Entire bucket or prefix based
• 1:1 replication between any 2 regions
Use cases
Compliance - store data hundreds of miles apart
Lower latency - distribute data to regional customers
Security - create remote replicas managed by separate AWS accounts
Additional Storage Security Controls
Amazon S3 | Amazon Glacier | AWS CloudTrail: Permissions; Access Logs; Vault lock; Versioning; Durability
Additional Security Controls (Elastic Transcoder Security)
• Encryption at rest
– Server managed keys
– Client provided keys
• Integration with AWS Key Management Service
– Amazon Elastic Transcoder only accepts AWS KMS protected keys
– Key is never written or stored in cleartext
• Encryption for HLS streams
– Built on top of the “client provided keys” API
– Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key
• Digital Rights Management
– PlayReady DRM packaging
• CloudTrail Integration
Diagram: AWS CloudTrail, Elastic Transcoder, KMS, Amazon S3, IAM role, Watermarking
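The HLS bullets above describe playlists that embed the URI of the AES-128 decryption key. The following added example (not Elastic Transcoder code, and not a claim about its exact playlist output) audits a generated playlist for the properties a content owner would want to confirm before publishing: an AES-128 key tag before the first segment, a key URI served over HTTPS, and a well-formed IV where one is given. Both playlists are constructed for the example.

```python
"""Audit an HLS playlist's #EXT-X-KEY tags before it is published.

Added example for this talk.  The two playlists are constructed; the key
hostname is a placeholder.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Attribute list grammar from the HLS spec: NAME=value, values may be quoted
# (and quoted values may contain commas, hence the two alternatives).
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')
KEY_TAG = "#EXT-X-KEY:"


def parse_attrs(attr_list: str) -> Dict[str, str]:
    return {name: value.strip('"') for name, value in ATTR_RE.findall(attr_list)}


def audit_playlist(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the playlist passed."""
    findings: List[str] = []
    saw_key = False
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(KEY_TAG):
            saw_key = True
            attrs = parse_attrs(line[len(KEY_TAG):])
            method = attrs.get("METHOD")
            if method == "NONE":
                findings.append(f"line {n}: METHOD=NONE, segments after this tag are unencrypted")
                continue
            if method != "AES-128":
                findings.append(f"line {n}: unexpected METHOD {method!r}")
            uri = attrs.get("URI", "")
            if urlparse(uri).scheme != "https":
                findings.append(f"line {n}: key URI is not https: {uri}")
            iv = attrs.get("IV")
            if iv is not None and not re.fullmatch(r"0[xX][0-9a-fA-F]{32}", iv):
                findings.append(f"line {n}: malformed IV {iv!r}")
        elif line and not line.startswith("#") and not saw_key:
            # A media segment URI before any key tag is served in the clear.
            findings.append(f"line {n}: segment {line} precedes any #EXT-X-KEY tag")
    return findings


GOOD_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXT-X-KEY:METHOD=AES-128,URI="https://keys.example.com/bbb/key",IV=0x0123456789abcdef0123456789abcdef
#EXTINF:10.0,
bbb00000.ts
#EXTINF:10.0,
bbb00001.ts
#EXT-X-ENDLIST
"""

BAD_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
promo00000.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://keys.example.com/promo/key"
#EXTINF:10.0,
promo00001.ts
#EXT-X-KEY:METHOD=NONE
#EXTINF:10.0,
promo00002.ts
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for name, playlist in (("good", GOOD_PLAYLIST), ("bad", BAD_PLAYLIST)):
        print(name, audit_playlist(playlist) or "ok")
```

The HTTPS check matters because the key URI is the one place where the AES-128 design depends on transport security: the segments can travel over plain HTTP, but a key fetched over HTTP defeats the encryption entirely.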
Security of Content Distribution Applications
• FAQs
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Logging and Monitoring
Security of the Distribution Workflow (B2B) (content transfer)
AWS cloud: Amazon S3 behind an optional proxy layer; KMS/HSM; IAM role; S3 VPC Endpoint; access logs; remote application streaming
Internal users, vendors/partners, and affiliates/distributors receive fine-grained temporary access
Security of Distribution (B2C) applications
Content Distribution: B2C streaming of live and VOD content; Video advertising insertion
Content Consumption: Analytics, reporting, log analysis; Real-time monitoring; Content discovery; Content recommendation engine
Security of Content Distribution Applications
• FAQs
– Access Control, Rights Management & Content Monetization
– DRM Packaging
– Encryption
– Logging and Monitoring
Different use cases call for different security measures
Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution
Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming
Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming
Ad Supported | Sony Crackle, TMZ | AES encryption, signed URLs | Mostly HTTP or RTMP streaming
Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES Encryption, signed URLs, DRM | HTTP or RTMP streaming
Prereleased Content | Studios | Encryption, watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming
AWS mechanisms for securing media delivery
Token / signed URLs | Amazon CloudFront – Private Content (Signed URLs, signed Cookies, OAIs)
AES encryption | Amazon Elastic Transcoder – HLS with AES-128 encryption; AWS Key Management Service – Key Management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3
DRM | Amazon Elastic Transcoder – PlayReady DRM packaging
Geoblocking | Amazon CloudFront – Geo-restriction
Watermarking | Amazon Elastic Transcoder – Visual watermarks
Amazon S3 (Media Storage) | Amazon CloudFront
CDN Security (Amazon CloudFront Security)
• CloudFront’s private content feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed Cookies for Private Content: include the signature in the cookie itself
Diagram: end user sends a signed request (HTTP) to Amazon CloudFront; delivery EC2 instances in a security group perform signed cookie verification; Amazon S3 for media storage and for logs storage
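The signed URL bullets above amount to a policy document (resource, expiry window, optional requester CIDR) that CloudFront checks at the edge before serving. The added example below, written for this transcript and not AWS code, builds that custom policy, applies CloudFront's URL-safe base64 variant, assembles the Policy/Signature/Key-Pair-Id query string, and then replays the edge-side checks against a request. The distribution hostname, key pair id and timestamps are constructed. The real Signature is an RSA-SHA1 signature over the policy made with the trusted signer's private key, which needs a library outside the standard library; the stand-in used here only exercises the encoding path and would be rejected by CloudFront.

```python
"""Custom-policy signed URLs for CloudFront private content: build the policy,
encode it the way CloudFront expects, and check a request against it.

Added example for this talk, not AWS code.  DISTRIBUTION, KEY_PAIR_ID and the
epoch times are constructed; stand_in_signature() is NOT a valid CloudFront
signature (that requires RSA-SHA1 with the trusted signer's private key).
"""
import base64
import hashlib
import ipaddress
import json
from fnmatch import fnmatch
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

DISTRIBUTION = "https://d111111abcdef8.cloudfront.net"   # constructed hostname
KEY_PAIR_ID = "APKAEXAMPLEKEYPAIR00"                      # placeholder id


def build_custom_policy(resource: str, expires: int, source_cidr: Optional[str] = None,
                        not_before: Optional[int] = None) -> str:
    """Policy JSON with no whitespace, the form CloudFront requires."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_cidr is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """Standard base64 with the three query-string-unsafe characters swapped."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def cloudfront_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def stand_in_signature(policy: str) -> bytes:
    """STAND-IN ONLY so the example runs offline; CloudFront needs RSA-SHA1."""
    return hashlib.sha1(policy.encode()).digest()


def signed_url(url: str, policy: str, signature: bytes, key_pair_id: str) -> str:
    """Append the three query parameters used with a custom policy."""
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Policy={cloudfront_b64(policy.encode())}"
            f"&Signature={cloudfront_b64(signature)}&Key-Pair-Id={key_pair_id}")


def policy_from_signed_url(url: str) -> str:
    query = parse_qs(urlparse(url).query)
    return cloudfront_b64_decode(query["Policy"][0]).decode()


def check_policy(policy: str, requested_url: str, client_ip: str, now: int) -> Tuple[bool, str]:
    """The checks the edge applies (signature validation aside):
    resource pattern, expiry window, and requester CIDR."""
    stmt = json.loads(policy)["Statement"][0]
    if not fnmatch(requested_url, stmt["Resource"]):
        return False, "resource mismatch"
    cond = stmt["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False, "expired"
    if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False, "not yet valid"
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return False, "source ip outside allowed range"
    return True, "ok"


if __name__ == "__main__":
    # 1444089600 is 2015-10-06T00:00:00Z; the CIDR is a documentation range.
    policy = build_custom_policy(f"{DISTRIBUTION}/videos/*", 1444089600, "203.0.113.0/24")
    url = signed_url(f"{DISTRIBUTION}/videos/bbb/index.m3u8", policy,
                     stand_in_signature(policy), KEY_PAIR_ID)
    print(url)
    print(check_policy(policy_from_signed_url(url), f"{DISTRIBUTION}/videos/bbb/index.m3u8",
                       "203.0.113.42", 1444000000))
```

Two design points worth noticing: the expiry is absolute epoch time, so the signing host's clock must be right or every URL is either already expired or valid far too long; and a wildcard resource lets one signature cover every segment of a stream, which is why the CIDR condition and a short window matter more for HLS than for a single-file download.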
Security of the Distribution Workflow (B2C) – A reference streaming workflow
Diagram components: media owner; Amazon S3 buckets; Amazon Elastic Transcoder; AWS Key Management Service; Amazon EC2 instances (web app servers) behind Elastic Load Balancing in Availability Zones a and b; Amazon CloudFront distribution; Amazon WAF; Amazon EC2 instance and Amazon DynamoDB holding per-title keys:
Key Name | Base64 Encoded Key
Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…
Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…
A few other topics
• FAQs
– Third Party Media Security Products
• Watermarking
• DRM
– Software Patching and Updates
– Real-time notifications on any security/access breaches/anomalies
Media Security Software on AWS
INGEST | STORE | MANAGE | SECURE | PROCESS | CREATE | MONETIZE | INTEGRATE | DELIVER