"Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company's bottom line. As the move to store, process, and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multitenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing, and archiving digital media assets in the AWS environment. The talk also covers the security controls, features, and services that AWS provides its customers. Learn how AWS aligns with the MPAA security best practices and how media companies can leverage that for their media workloads. This session also includes a representative from Sony Media Cloud Sevices discussing the path to MPAA alignment of their application Ci on AWS based on these best practices."

1. Securing Media Content and Applications in
the Cloud
Usman Shakeel, Amazon Web Services
Ben Masek. Sony Media Cloud Services
November 14, 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

2. Does AWS meet customer’s
security requirements?

3. Does AWS meet customer’s
security requirements?
Can my media content and
applications on AWS be
aligned to MPAA?

4. TOGETHER

6. Core Differentiators
Constant Pressures
Better customer experience
Reach more customers
Better quality content
More cool features
More analytics
Better vendor relationships
Shorten procurement cycle
Audits and compliance
Cut costs
Cost of Business
Infrastructure management
Infrastructure security
Infrastructure audit
DR, HA

7. Your $$$$ Can Go Farther !
Cost of Business
Core Differentiators
•
•
•
•
•
•
•
•
Infrastructure management
Infrastructure security
Infrastructure audit
DR and HA is complicated
New product features
Better customer experience
More analytics
More monetization opportunities
Happy Customers !!

8. The Shared Responsibility Model
Application
OS firewalls
Security groups
Operating system
Account management
Network configuration
Virtualization infrastructure
Network infrastructure
Physical infrastructure
Physical security
Facilities

9. Certifications and Compliances
Certifications
Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
• SOC 1, SOC 2 & SOC 3
(SSAE16/ISAE 3402 audit)
• ISO 27001 certification
•
PCI level 1 service provider
•
FedRAMP (FISMA)
•
AWS GovCloud (US)
• MPAA best practices alignment
Customer are running Sarbanes-Oxley (SOX), HIPAA
(healthcare), FISMA (US federal government), DIACAP
MAC III sensitive ATO, International Traffic in Arms
Regulations (ITAR)

10. Security Innovation – Customer Driven Improvements
Everyone’s Applications
Requirements
Requirements
Requirements
AWS Security Infrastructure

11. AWS Services Stack in a Media Workflow
Amazon
EC2
AWS Storage
Gateway
Process
Store
Ingest
AMI
Amazon
S3
AWS Direct Connect
Amazon
EBS
Amazon
EC2
Amazon
RDS
Amazon
VPC
Elasti
Cache
Amazon
EMR
Deliver
Amazon
Elastic
Transcoder
CloudFront
Amazon
CloudSearch Amazon SQS
Route 53
Elastic Load
Balancing
AWS Import/
Export
DynamoDB
Amazon
Glacier
Amazon
Redshift
Amazon
SNS
Amazon
SWF

12. MPAA Security Best Practices
AWS alignment to MPAA security best practices reviewed October 2012
Based on AWS shared responsibility model

13. (MPAA Best Practices) – AWS Services in Scope
–
–
–
–
–
–
–
–
–
–
–
–
–
–
–
Amazon Elastic Compute Cloud (EC2)
Amazon Virtual Private Cloud (VPC)
Amazon Simple Storage Service (S3)
Amazon Elastic Block Store (EBS)
Amazon Relational Database Service (RDS)
Amazon DynamoDB
Elastic Load Balancing (ELB)
AWS Identity and Access Management (IAM)
Amazon CloudFront
Amazon Glacier
AWS Import/Export
AWS Direct Connect
Amazon Route 53
Amazon Elastic Transcoder
and the supporting data centers
Amazon
EC2
Amazon
VPC
Amazon
RDS
CloudFront
Elastic
Transcoder
Amazon
S3
Amazon
DynamoDB
Amazon
Glacier
Route 53
Amazon
EBS
AWS Import/
Export
AWS Direct Connect
Elastic Load
Balancing

14. (MPAA Best Practices) - Content Types in Scope
Preproduction
Storyboards
Scripts
Location
Footage
Screen
Tests
Production
Production Wrap
Call Sheets
Raw Files
Dailies
Script Edits
Editorial
Audio Files
Postproduction
Media Files
VFX
Master Files
Editorial
Distribution
Theatrical
Prints

15. MPAA Content Security Best Practices

16. MPAA Content Security Best Practices on AWS
Management Systems
Physical Security
Digital Security
Organization &
Management
Facility
Infrastructure
Competency
Asset Management
Content Management
Transport
Content Transfer

17. MPAA Content Security Best Practices on AWS
Facility
Physical
Security
Asset Management
Transport
Management
Systems
Organization & Management
Competency
Management
Systems
Organization & Management
Virtual Resources
Competency
Infrastructure
Digital
Security
Content Management
Digital
Security
Content Management
Content Transfer

18. AWS Physical Infrastructure Security

19. What AWS controls do
have in the
shared responsibility model?

20. AWS Security Controls
• Access points
•
•
Amazon VPC allows VPN access as well
•
•
HTTP or HTTPS using SSL access
Redundant connection to more than one communication service at each
Internet-facing edge
API requests
•
SOAP – must be signed (using X.509 certs with an RSA public key)
•
Query – SHA1 and SHA-256 cryptographic hash signature
•
SSH to Amazon EC2 instances – Require a public/private key pair or RDP certificate
•
AWS multi-factor authentication (MFA)
•
Key management and rotation

21. AWS Identity and Access Management (IAM)
Unique security credentials
•
Access keys, login/password, MFA device
•
Federated authentication (AWS Security Token Service STS)
Policies control access to AWS APIs
•
API calls must be signed by either: X.509 certificate or secret key
Deep integration with other AWS services
•
Amazon S3: policies on objects and buckets
•
Amazon SimpleDB: domains
•
Amazon EC2 resource permissions

22. Amazon EC2 Security Controls
EC2 (guest) operating system
•
Controlled by YOU
•
YOU have admin/root
•
AWS has NO visibility
•
YOU generate the key pairs
Instance
Security Group
Availability Zone A
Security groups (stateful filters)
•
•
•
AWS Cloud
YOU control the mandatory inbound firewall
Default is deny all
+Egress in the case of Amazon VPC
Signed API calls
Security Group Adobe_FMS Configuration
Protocol
Port range
Source
TCP
80
0.0.0.0/0
TCP
1111
0.0.0.0/0
TCP
1935
0.0.0.0/0
UDP
1935
0.0.0.0/0
SSH
22
192.168.0.41/10

23. Amazon Virtual Private Cloud (VPC)
•
•
•
•
Isolated environment
Ingress and egress filters
Network ACLs
Routing rules
Internet Gateway
Elastic IP
VPN Gateway
Instances
Instances
Security
Group
Security
Group
VPC Public Subnet
VPC Private Subnet
Virtual Private Cloud
VPN Connection
Corporate
Data Center

24. Amazon S3 Security Controls
•
•
•
•
•
Bucket- and object-level permissions
• Owner only access (by default)
Signed URLs/query string authentication
IAM policies
Versioning (MFA delete)
Detailed access logging
✔Access Logs

25. S3 Client Side Encryption with AWS SDK for Java
Look for AmazonS3EncryptionClient class (subclass of AmazonS3Client)
Content
Envelope Key
Encrypted Content
Encrypted Envelope Key
Master Key
AWS SDK for Java
Corporate Data Center

26. S3 Server-Side Encryption (at Rest)
• Encryption
• Decryption
• Key management
Amazon S3
Master S3 Key
(Encrypted by S3 master key)
(Stored separately from your data)
• 256-bit AES encryption
Envelop Key
Content to be Uploaded
(encryption enabled in the
HTTP header)
Encrypted Stored Data
Encrypted Stored Key

27. Example S3 Policies
{
"Statement":[
{
"Effect":"Allow",
"Action":["s3:ListAllMyBuckets”],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":["s3:ListBucket”,"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::examplebucket"
},
{
"Effect":"Allow",
"Action":["s3:PutObject”,"s3:GetObject”,"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::examplebucket/*"
}
]
}

28. Example S3 Policies
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:GetObjectVersion",
"s3:DeleteObject",
"s3:DeleteObjectVersion"
],
"Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"
}
]
}

29. Amazon CloudFront Security
• CloudFront’s private content feature
Only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• CloudFront origin access identity
• Signed URL verification
Amazon S3
(Logs Storage)
Amazon CloudFront
Signed Request
HTTP
End User
Policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted signers
• Access logs
Delivery EC2 Instances
Security Group
Amazon S3
(Media Storage)

30. Cloudfront Origin Access Identity
"Statement":[{
"Sid":" Grant a CloudFront Origin Identity access",
"Effect":"Allow",
"Principal":{
"CanonicalUser":"79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
},
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::example-bucket/*"
}
]

31. A Word on Content Location..
Region
Availability Zone
London (2)
New York (3)
South Bend
Edge Locations
Amsterdam (2)
Stockholm
Newark
Tokyo (2)
Seattle
Dublin
San Jose
Palo Alto
Hayward
Paris (2)
Frankfurt (2)
Seoul
Madrid
Ashburn (3)
Milan
Osaka
Los Angeles (2)
Jacksonville
Mumbai
Dallas (2)
Hong Kong (2)
Chennai
St.Louis
Miami
Singapore(2)
Sao Paulo
Sydney

32. Introducing AWS CloudTrail
You are making API
calls...
On a growing set of
services around the
world..
CloudTrail is
continuously
recording API calls…
And delivering log
files to you…

33. AWS CloudTrail
• Conduct audits for compliance
• Review API call activity within your account
• User activity logs to demonstrate compliance with government and
industry regulatory standards
• Monitor user activity for suspicious behavior
• Monitor user activity for specific known undesired behavior(s) and
raise alarms using their (SIEM) solutions
• Conduct security analytics to identify potential security issues
• Identify suspicious behavior and latent patterns that don’t trigger
immediate alarms but that may represent a security issue

34. AWS CloudTrail Usage
1. Create an S3 bucket on the customer's account (default name generated
or customer specified)
• Permissions added to the bucket to allow AWS CloudTrail to write to it
• User-specified bucket expiration policy applied
2. Optionally, create an Amazon SNS topic in the same manner as the bucket
above
3. Call CreateTrail to provide the bucket, topic, and S3 object prefix
4. Call StartLogging to start event processing for the account
Lines 1 and 2 are called directly as the user to Amazon S3/SNS
Lines 3 and 4 are the only AWS CloudTrail calls.

35. Path to MPAA Best Practices Alignment
Application
Security groups
Operating system
Access management
Third-Party
Auditor
Network configuration
Virtualization infrastructure
Network infrastructure
Physical infrastructure
Physical security
Facilities
SOC 1/2
ISO 27001

36. MPAA Alignment for Sony MCS
(Powered by AWS)

37. Who?
Sony Media Cloud Services
On-demand cloud-based solutions designed
to empower media professionals to create
and securely manage high-value, highresolution content.
Why?
EXPONENTIAL
GROWTH
SECURELY ORGANIZE,
MANAGE & ARCHIVE

38. MAJOR MOTION
PICTURE DAILIES
PREVIEWING
MARKETING &
STOCK FOOTAGE
OPERATIONS
PUTTING
THE CLOUD TO
WORK.
EMERGENCY
CONTENT
BACKUP
TELEVISION
EDITORIAL &
LEGAL REVIEW
SMALL BUDGET
PRODUCTIONS &
ORIGINAL CONTENT
ARCHIVED
CONTENT

39. Sony MCS Alignment to MPAA
•
•
•
•
•
•
Ensure security becomes part of tech team DNA
Leverage internal + MPAA best practices
Leverage AWS security features (IAM, VPC…)
ISO 27001 certification preparation
Vulnerability assessments – penetration testing
On-going security program
• MCS alignment to MPAA Security Best Practices
reviewed March 2013

40. MCS – MPAA Content Security Best Practices Alignment
Infrastructure Security
Logical Security
AWS Accelerators
Applications deployed
on the AWS Cloud
•
•
•
•
Facilities
Physical security
Network infrastructure
Virtualization infrastructure
Applications deployed
on-premises
•
•
•
•
•
Operating system
Applications
Security goups/ VPCs
Network config
Account mgmnt
•
•
•
•
•
IAM
VPCs
S3 security features
EC2 security features
CloudFront security
features

41. WORKFLOWS AND CLOUD CHALLENGES
Access
Control
Store/
Process
UPLOAD/
INGEST
SHARE/
DOWNLOAD
VFX
SEARCH/
MANAGE
CREATIVE
DIRECTO
R
LOG/
REVIEW
ROUGH CUT
Integrity
Availability
EDITOR
PREVIEW
Stream/
W-Mark
STREAM/
INTERACT
ARCHIVE
MARKETING
PRODUCER
LEGAL

42. Sony MCS AWS Security Considerations
Auth
UI
Auto scaling
Group
CloudFront
File check
Virus scan
W-mark / https
Signed url
verification
Content
Processing
•
VPC isolation
•
Security groups
•
Transfe
r
Cluster
Monitorin
g
API
Auto scaling
Group
Encrypted
transfer
Not shown…
Access
control
Auto scaling
Group
NoSQL ElastiCache RDS
Logging
SWF
SQS
Other
Signed url/
SSE/
checksum
STS
S3
Glacier
SES

43. Partner with AWS to Innovate on Security
AWS Controls
AWS solution architects
AWS professional services
AWS IAM
AWS premium support
Agile trust zones
(Security groups + VPC)
AWS Trusted Advisor
Standardized environments
AWS Partner Network

44. More Information – Where to Go Next ..
• AWS Security Center (aws.amazon.com/security)
•
AWS security white paper
•
AWS security procedures
• AWS Compliance website (aws.amazon.com/compliance)
•
•
Third-party attestations, reports, and certifications
•
•
AWS compliance white paper
AWS assurance programs
Contact us
•
Contact your sales team
•
AWS help and support center

45. Please give us your feedback on this
presentation
MED 401
As a thank you, we will select prize
winners daily for completed surveys!