[aws la media & entertainment event 2015]: security of digital media content & applications...

Security of your digital content and media applications on AWS Usman Shakeel | Principal Solutions Architect Amazon Web Services © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved©



Why is security such a hot topic?

So where does AWS come in?

AWS makes security more agile

Lets you move fast while staying safe

Digital Media Workloads

Content Production | Content Distribution | Processing & Management | Content Storage

Modelling

Rendering

Video editing

Post production

Broadcast signal acquisition

Digital dailies/approvals

B2C streaming of live and VOD content

B2B distribution

Video advertising insertion

High speed ingest

Library storage and archiving

Tier management

Content/asset management

En/Transcode

Packaging

Encryption, watermarking

Digital Rights Management

Workflow, job scheduling, automation

Content Consumption

Analytics, reporting, log analysis

Real-time monitoring

Content discovery

Content recommendation engine

Studio

Post House + Other Service Providers

Affiliates + Broadcasters + Distributors

Shared Responsibility

• AWS is responsible for all backend infrastructure security

• Customer is responsible for the AWS architecture in their account and for application security

MPAA Common Guidelines – Security Model

MPAA Application/Cloud Guidelines

Security of your content on AWS

Security of the Cloud

Security on the Cloud


Cloud Security

Organization & Management

Operations Data Security

Application Security

Development Lifecycle

Authentication & Access

Secure Coding & Vulnerability Management

Digital Security

Content Management

Content Transfer

Security of the Cloud

Facilities

Physical security

Physical infrastructure

Network infrastructure

Virtualization infrastructure

Certifications

MPAA best practices alignment

https://aws.amazon.com/compliance/mpaa/

Cloud Security

Organization & Management

Operations Data Security

Alignment to MPAA guidelines

MPAA Guidelines

ISO 27001

MPAA Alignment

PCI DSS Level1

SOC

What’s in scope for MPAA (guidelines) alignment

The entire AWS Services stack

Security on the Cloud (application and content security)

Application Security

Development Lifecycle

Authentication & Access

Secure Coding & Vulnerability Management

Digital Security

Content Management

Content Transfer

Storage | S3, Glacier, EBS, Instance Store, EFS

Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF

Network | VPC, VPN, Direct Connect

Access | IAM, AWS Config, CloudTrail, CloudWatch

Making life easier

Choosing security does not mean giving up on

convenience or introducing complexity

Application Development Security

Development Lifecycle

Authentication & Access

Secure Coding & Vulnerability Management

AWS Config AWS IAM AWS CloudTrail AWS Inspector

(preview)

Application Security

Continuous Change Recording | Changing Resources

AWS Config

History

Stream

Snapshot (ex. 2014-11-05)

AWS Config

Log, Monitor, Act Proactively

You are making API calls and accessing your content ...

On a growing set of services around the world accessing your content

Amazon CloudTrail is continuously recording API calls…

And delivering log files to you…

Elastic Load Balancing | Amazon S3 | Amazon Glacier | Amazon CloudFront | Amazon S3/Amazon CloudFront/App Logs | Access Logs

Feed logs into Amazon CloudWatch or monitor patterns on logs

Act fast or automate based on real-time notifications and alerts

Amazon CloudTrail

Elastic Transcoder

Launch a CloudFormation stack with all the infrastructure resources for a specific project

Autoscale the stack as appropriate

AMI | CloudFormation Template | CloudFormation Template | Terminate

Recycle Infrastructure often

Digital Security

Content Management

Content Transfer

Content Security

Security of Studio/Post House Applications

Content Production | Processing & Management | Content Storage

Modelling

Rendering

Video editing

Post production

Broadcast signal acquisition

Digital dailies/approvals

High speed ingest

Library storage and archiving

Tier management

Content/asset management

En/Transcode

Packaging

Encryption, watermarking

Digital Rights Management

Workflow, job scheduling, automation

Security of Studio/Post House Workflows

• FAQs

– Highly Valued Pre-Released Assets

– Secure Transfer (physical in many cases)

– Encryption & Key Management

– Access Control

– Deletion Protection

– Isolated from public access (internet)

– Logging and Monitoring

– Content location

Security of the Studio/Post House Workflows

corporate data center | AWS cloud

users | Content | Servers | disk | tape storage | Amazon S3 | Amazon Glacier

Content Encrypted at Rest | Encrypted in Transit | Using my Keys | Over Private Connection | Access Policies | Protection

Processing Layer | Amazon EBS

Server-side encryption using KMS

Amazon S3 | AWS KMS | Request | Policy

Keys managed centrally in Amazon KMS with permissions and auditing of usage

Security of the Studio/Post House Workflows (Content encryption and access)

corporate data center | AWS cloud

users | Content | Servers | disk | tape storage

Processing Layer | Amazon S3 | Amazon EBS | Amazon Glacier | KMS/HSM | Client side encryption | IAM role | Encrypted Content

AWS Import/Export | Snowball

Prior to S3 VPCE

Locking down S3 access with a virtual private endpoint (VPCE)

Using S3 VPCE

Public IP on EC2 Instances and IGW

Private IP on EC2 Instances and NAT

Access S3 using the S3 Private Endpoint (VPCE) without using NAT instances or Gateways

Increased security

Amazon S3
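The VPCE slide is about cutting off every path to the bucket except the endpoint. The bucket policy that enforces that is a Deny with a StringNotEquals condition on aws:sourceVpce, and the security-relevant subtlety is how that condition evaluates when a request carries no endpoint id at all. The example below is added here and is not the deck's or AWS's code; the bucket name and endpoint id are constructed placeholders, and the evaluator is a simplified model of the one Deny statement, not the AWS policy engine.

```python
import json

# Constructed placeholders: neither value comes from the deck.
BUCKET = "example-studio-masters"
VPCE_ID = "vpce-0123456789abcdef0"  # placeholder, format only


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy that denies every S3 action unless the request arrived
    through the named VPC endpoint (IAM condition key aws:sourceVpce)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def explicit_deny(policy: dict, request_context: dict) -> bool:
    """Simplified model of the Deny statement above (not the AWS evaluator).
    StringNotEquals matches when the key differs AND when the key is absent
    from the request context, so traffic that reaches S3 through an internet
    gateway or a NAT instance, where no aws:sourceVpce is set, is denied too."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        for key, wanted in stmt["Condition"]["StringNotEquals"].items():
            if request_context.get(key) != wanted:
                return True
    return False


def policy_json(bucket: str = BUCKET, vpce_id: str = VPCE_ID) -> str:
    """Serialised document as it would be handed to put-bucket-policy."""
    return json.dumps(vpce_only_bucket_policy(bucket, vpce_id), indent=2)


if __name__ == "__main__":
    pol = vpce_only_bucket_policy(BUCKET, VPCE_ID)
    print(policy_json())
    print("via endpoint denied?", explicit_deny(pol, {"aws:sourceVpce": VPCE_ID}))  # False
    print("via IGW/NAT denied? ", explicit_deny(pol, {}))                            # True
```

Because the Deny binds every principal, it also locks out console and CLI access from outside the VPC, including whoever applies it; carve out an explicit administrative principal before attaching it to a bucket that holds masters.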

Security of the Studio/Post House Workflows (No Public network traversal)

corporate data center | AWS cloud

users | Content | Servers | disk | tape storage

Processing Layer | Amazon S3 | Amazon EBS | Amazon Glacier | KMS/HSM | Client side encryption | IAM role | Encrypted Content

Direct Connect | S3 VPC Endpoint

Secure Media Supply Chains – A Reference Architecture

Key Management Service: provide CPK for S3 encryption at rest; EC2, ETS can request the data-key on behalf of the customer

Store and deliver object specific keys in Dynamo

S3 Ingest For Source, Renditions, Metadata Sidecar Files

Ingest

AWS Elastic

Beanstalk

Content Consumption

CloudFront

Distribution

Amazon

DynamoDB

Individual Key Storage

Other Media processing on EC2 | Elastic Transcoder

Processing

Authentication/Authorization

Content owner provides the master key

11 Regions

30 Availability Zones

52 Edge locations

Where is my content?

Source

(Virginia)

Destination

(Oregon)

S3 cross-region replication: automated, fast, and reliable asynchronous replication of data across AWS regions

• Only replicates new PUTs. Once S3 is configured, all new uploads into a source bucket will be replicated

• Entire bucket or prefix based

• 1:1 replication between any 2 regions

Use cases

Compliance - store data hundreds of miles apart

Lower latency - distribute data to regional customers

Security - create remote replicas managed by separate AWS accounts

Additional Storage Security Controls

Amazon S3

Permissions | Access Logs

Amazon Glacier

AWS CloudTrail

Vault lock

Versioning | Durability

Additional Security Controls

(Elastic Transcoder Security)

• Encryption at rest: server managed keys, client provided keys

• Integration with AWS Key Management Service: Amazon Elastic Transcoder only accepts AWS KMS protected keys; the key is never written or stored in cleartext

• Encryption for HLS streams: built on top of the “client provided keys” API; Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key

• Digital Rights Management: PlayReady DRM packaging

• CloudTrail Integration

AWS CloudTrail

Elastic Transcoder

KMS

Amazon S3

role

Watermarking

Security of Distribution (B2B) applications

Content Distribution

B2B distribution

Security of Content Distribution Applications

• FAQs

– Secure Transfer (physical in many cases)

– Encryption & Key Management

– Access Control

– Logging and Monitoring

Security of the Distribution (content transfer)

Workflow (B2B)

AWS cloud

Proxy Layer (Optional) | Amazon S3

KMS/

HSM

IAM

role

S3 VPC Endpoint

Internal Users

Vendors/Partners

Affiliates/Distributors

Fine grained temporary access

Temporary Access

Temporary Access

Access Logs | Remote Application Streaming

Security of Distribution (B2C) applications

Content Distribution

B2C streaming of live and VOD content

Video advertising insertion

Content Consumption

Analytics, reporting, log analysis

Real-time monitoring

Content discovery

Content recommendation engine

Security of Content Distribution Applications

• FAQs

– Access Control, Rights Management & Content Monetization

– DRM Packaging

– Encryption

– Logging and Monitoring

Different use cases call for different security measures

Use Case | Example Media Distributor | Content Security Solution Commonly in Practice | Delivery Solution

Free/Public UGC | Vimeo, WeVideo | Open | Progressive downloads, streaming

Free/Secure UGC | WeVideo, YouTube | Signed URLs | Progressive downloads, streaming

Ad Supported | Sony Crackle, TMZ | AES encryption, signed URLs | Mostly HTTP or RTMP streaming

Premium Content (Live Linear or VOD) | Netflix, Amazon Instant Video | AES encryption, signed URLs, DRM | HTTP or RTMP streaming

Prereleased Content | Studios | Encryption, watermarking, DRM | Mezzanine file transfer (mostly B2B), proxy streaming

AWS mechanisms for securing media delivery

Token / signed URLs

AES encryption

DRM

Geoblocking

Watermarking

Amazon CloudFront – Private Content (Signed URLs, signed Cookies, OAIs)

Amazon Elastic Transcoder – HLS with AES-128 encryption

AWS Key Management Service – Key Management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3

Amazon Elastic Transcoder – PlayReady DRM packaging

Amazon CloudFront – Geo-restriction

Amazon Elastic Transcoder – Visual watermarks

Amazon S3

(Media Storage)

Amazon CloudFront

CDN Security (Amazon CloudFront Security)

End User

HTTP

• CloudFront’s private content feature: only deliver content to securely signed requests

• HTTPS ONLY requests/delivery

• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor

• HTTPS ONLY origin fetches

• Trusted signers

• Access logs

• CloudFront origin access identity

• Signed Cookies for Private Content: include the signature in the cookie itself
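The "Signed URL verification" bullet says a policy can bind a link to an expiry time or to the requestor's CIDR block. The example below, added here and not code from the deck or from AWS, builds that custom policy statement, applies the CloudFront-specific URL-safe base64 encoding (`+` to `-`, `=` to `_`, `/` to `~`) used for the Policy= query parameter, and evaluates the two conditions the way the edge would after the RSA signature check. The signature step itself (RSA-SHA1 with the trusted signer's key pair) is left out, the distribution hostname and path are constructed, and resource matching is simplified to an exact comparison with no wildcard support.

```python
import base64
import ipaddress
import json

_TO_CF = str.maketrans("+=/", "-_~")   # CloudFront's replacements for URL safety
_FROM_CF = str.maketrans("-_~", "+=/")


def cloudfront_b64(raw: bytes) -> str:
    """Standard base64, then CloudFront's three character substitutions."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_CF)


def build_custom_policy(resource: str, expires_epoch: int, source_cidr: str = "") -> dict:
    """Policy statement a trusted signer embeds in a signed URL or signed cookie."""
    cond = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_cidr:  # optional: pin the link to the requestor's CIDR block
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return {"Statement": [{"Resource": resource, "Condition": cond}]}


def encode_policy(policy: dict) -> str:
    # Compact JSON so the bytes that are signed are exactly the bytes encoded.
    return cloudfront_b64(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def decode_policy(encoded: str) -> dict:
    return json.loads(base64.b64decode(encoded.translate(_FROM_CF)))


def policy_permits(policy: dict, resource: str, client_ip: str, now_epoch: int) -> bool:
    """Evaluate the timed and CIDR conditions (signature verification not modelled)."""
    for stmt in policy["Statement"]:
        if stmt["Resource"] != resource:  # simplified: exact match, no '*' wildcards
            continue
        cond = stmt["Condition"]
        if now_epoch >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False  # link has expired
        cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
        if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
            return False  # requestor is outside the allowed block
        return True
    return False  # no statement covers this resource


if __name__ == "__main__":
    # Constructed sample: distribution hostname, path and CIDR are placeholders.
    res = "https://d111111abcdef8.cloudfront.net/bunny/master.m3u8"
    pol = build_custom_policy(res, 1700000000, "203.0.113.0/24")
    print("Policy=" + encode_policy(pol))
    print(policy_permits(pol, res, "203.0.113.7", 1699999999))   # True
    print(policy_permits(pol, res, "198.51.100.9", 1699999999))  # False
```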

Delivery EC2 Instances

Security Group

Signed Request

Amazon S3

(Logs Storage)

Signed Cookie

Verification

Amazon S3 bucket

Amazon

CloudFront

distribution

Availability Zone a

Elastic Load

Balancing

Amazon EC2 instance

web app

server

Availability Zone b

Amazon Elastic

Transcoder

Media owner

AWS Key Management Service

Amazon S3 bucket

Amazon EC2 instance

Amazon DynamoDB

Key Name | Base64 Encoded Key

Big Buck Bunny | EuoK6SNJcoZ7V8gRqSszdA6yp8MZTbrBY…

Elephants Dream | T4iu3N8ZAyzk1JMesuyEQ46tCW5BA43sad…

Security of the Distribution Workflow (B2C) – A reference streaming workflow

Amazon WAF

A few other topics

• FAQs

– Third Party Media Security Products

• Watermarking

• DRM

– Software Patching and Updates

– Real-time notifications on any security/access breaches/anomalies

INGEST | STORE | MANAGE | SECURE | PROCESS | CREATE | MONETIZE | INTEGRATE | DELIVER

Media Security Software on AWS

SECURE


Questions?