MED303 Addressing Security in Media Workflows - AWS re: Invent 2012

Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company’s bottom line. As the move to store, process and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multi-tenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing and archiving digital media assets on the AWS environment. AWS also enables customers to achieve compliance with the MPAA security best practices with minimal effort. Learn how AWS complies with the MPAA security best practices and how media companies can leverage that for their media workloads.

  1. tweet #reinvent
  2. Does AWS meet customer’s security requirements?
  3. Does AWS meet customer’s security requirements? TOGETHER
  4. Layered responsibility diagram. YOU: Account Management, Network Configuration, OS Firewalls, Security Groups, Application, Operating System. Lower layers: Virtualization Infrastructure, Network Infrastructure, Physical Infrastructure, Physical Security, Facilities.
  5. Certifications
     • SOC 1
     • ISO 27001 Certification
     • PCI Level 1 Service Provider
     • FedRAMP (FISMA moderate & low)
     • GovCloud
     • MPAA Best Practices Compliance
     Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US Federal Government), DIACAP MAC III Sensitive ATO, International Traffic in Arms Regulations (ITAR)
  6. Check out AWS Security Center
     • Security whitepaper
     • Risk and compliance whitepaper
     Security Track at re:Invent: Security OF the AWS Cloud, Security IN the AWS Cloud, AWS Identity & Access Management
  7. Reference media workflow diagram (AWS Cloud and Corporate Data Center): Content Ingest EC2 Instances, Amazon S3 (Media Storage), Amazon Simple Queue Service (SQS), Processing EC2 Instances, Delivery EC2 Instances, Amazon CloudFront, Route 53, End User
  8. OK!
  9. A few nifty AWS features (layer diagram, Facilities ✔ through Application): Security Groups, IAM (Identity & Access Management), OS Firewalls, EC2 Security features, Network Configuration, VPC (Virtual Private Cloud), Account Management, S3 Security features, CloudFront Security features
  10. Unique security credentials
     • Access keys, Login/Password, MFA device
     • Federated Authentication (Secure Token Service, STS)
     Policies control access to AWS APIs
     • API calls must be signed by either an X.509 certificate or a secret key
     Deep integration into some services
     • S3: policies on objects and buckets
     • SimpleDB: domains
     Not for Operating Systems or Applications (use LDAP, Active Directory/ADFS, etc.)
  11. Ingest diagram: Corporate Data Center, Content Ingest EC2 Instances, Amazon S3 (Media Storage), Amazon Simple Queue Service (SQS), AWS Cloud
  12. S3 Client Side Encryption with AWS SDK for Java. Look for the AmazonS3EncryptionClient class (subclass of AmazonS3Client). Diagram: Content, Envelope Key, Encrypted Content, Encrypted Envelope Key, Master Key, AWS SDK for Java, Corporate Data Center
  13. AWS Direct Connect. SSL endpoints
     • All AWS APIs provide SSL endpoints
     AWS Import/Export Service for very large datasets
     Diagram: AWS Import/Export, Amazon S3 (Media Storage), AWS Direct Connect, Co-Lo, Content Ingest EC2 Instances, Amazon Simple Queue Service (SQS), AWS Cloud, Corporate Data Center
  14. • Bucket and Object level permissions
     • Owner only access (by default)
     • Signed URLs/Query String Authentication
     • IAM Policies
     • Versioning (MFA Delete)
     • Detailed Access Logging (Access Logs ✔)
  15. • Encryption
     • Decryption
     • Key Management
     • 256-bit AES encryption
     Diagram: Content to be Uploaded (encryption enabled in the HTTP Header), Envelope Key, Encrypted Stored Data, Encrypted Stored Key (Encrypted by S3 Master key), Amazon S3 Master Key (Stored Separately from your data)
  16. VPC diagram: Internet, Corporate data center, Internet Gateway, VPN Gateway, Router, VPC 10.0.0.0/16 with subnets 10.0.0.0/24 and 10.0.1.0/24 (VPC Public Subnet, VPC Private Subnet), EC2 Instances, NAT Instance, API endpoint, S3, Glacier, SQS
  17. EC2 (Guest) operating System
     • Controlled by YOU
     • YOU have admin/root
     • AWS has NO visibility
     • YOU generate the key-pairs
     Security Groups (Stateful Filters)
     • YOU control the mandatory inbound firewall
     • Default Deny All Configuration
     • +Egress in the case of VPC
     Signed API calls
     Example Security Group "Adobe_FMS" on an instance in Availability Zone A:
       Protocol  Port Range  Source
       TCP       80          0.0.0.0/0
       TCP       1111        0.0.0.0/0
       TCP       1935        0.0.0.0/0
       UDP       1935        0.0.0.0/0
       SSH       22          192.168.0.41/10
  18. EC2 Security Controls
     • Security Groups (default deny all)
     • Virtual Private Cloud (VPC): Isolated environment, Ingress and Egress filters, Network ACLs, Routing rules
     • OS Level Firewalls: IP Tables
     • Patch Management
     Diagram: Internet Gateway, S3 (Media Storage), Instances, NAT Instance, Security Group, EC2, VPC Private Subnet, VPC Public Subnet, Amazon Simple Queue Service (SQS), Virtual Private Cloud, AWS Cloud
  19. • Windows: Windows Encrypting File System (EFS), TrueCrypt (works well with NTFS)
     • Linux: EncFS, Loop-AES, Dm-Crypt, TrueCrypt
  20. Delivery diagram: Amazon CloudFront, Delivery EC2 Instances, Amazon Route 53, Amazon S3 (Media Storage), End User, AWS Cloud
  21. CloudFront’s Private Content Feature: only deliver content to securely signed requests
     • HTTPS ONLY requests/delivery
     • CloudFront Origin Access Identity
     • Signed URL Verification Policy based on a timed URL or a CIDR block of the requestor
     • HTTPS ONLY origin fetches
     • Trusted Signers
     • Access Logs
     Diagram: End User, Signed Request (HTTP), Amazon CloudFront, Amazon S3 (Logs Storage), Delivery EC2 Instances, Amazon S3 (Media Storage), Security Group
  22. CloudFront supports:
     • RTMP – Adobe’s Real-Time Messaging Protocol
     • RTMPT – Adobe streaming tunneled over HTTP
     • RTMPE – Adobe encrypted
     • RTMPTE – Adobe encrypted tunneled over HTTP
  23. Live Streaming:
     • Secure the instance: Security Groups (source and port)
     • Streaming server in a VPC
     • Securing the content chunks and manifest: use Signed URLs provided by CloudFront
     On-Demand Streaming:
     • S3 content bucket security
     • CloudFront private content features
  24. Set up CloudFront for private content, fronted by a web application that:
     • Sends the IP address of the requestor to a geo-location service (Digital Element, MaxMind)
     • Evaluates the IP address
     • Generates a URL for CloudFront or returns a not-allowed page
     Diagram: Amazon CloudFront, Geo-Location Service, EC2 Web Server Instances
  25. Full architecture diagram: End User, Amazon CloudFront (HTTPS), Amazon Route 53, Delivery EC2 Instances (Security Group), S3 (Media Storage), Processing EC2 Instances (Security Group), Amazon Simple Queue Service (SQS), Ingest EC2 Instances (Security Group), Virtual Private Cloud, AWS Direct Connect, Content, Corporate Data Center, AWS Cloud
  26. Set up application level logging on the EC2 instances. Several third-party products for logging, along with EMR (Elastic Map Reduce). If you are investigating a security event and need logs and forensics: TALK TO US!
  27. (Recap of slide 9) A few nifty AWS features: Security Groups, IAM (Identity & Access Management), OS Firewalls, EC2 Security features, Network Configuration, VPC (Virtual Private Cloud), Account Management, S3 Security features, CloudFront Security features
  28. Content Security Experts
  29. Media workflow stages: Pre-Production, Production, Production Wrap, Post-Production, Distribution. Also listed: Digital Services, Visual Effects, Post Production, Creative Advertising, Distribution. KODE Compliance Inc. | Accelerating Compliance
  30. Pre-Production, Production, Production Wrap, Post-Production, Distribution. KODE Compliance Inc. | Accelerating Compliance
  31. Full architecture diagram, same components as slide 25
  32. KODE Compliance Inc. | Accelerating Compliance
  33. • Experts in the MPAA standard
     • Eliminate the guessing game
     • Committed to getting you compliant
     KODE Compliance Inc. | Accelerating Compliance
  34. Heavy lifting for infrastructure security. OS and application level security.
  35. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance. tweet #reinvent
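As an added example (not from the deck or from AWS), the default-deny decision a security group such as slide 17's Adobe_FMS applies to inbound traffic, modelled in Python with the slide's own rules. It also shows what the SSH row's source 192.168.0.41/10 admits once its host bits are masked off (192.128.0.0/10, far wider than one host), and which ports are reachable from anywhere; the Rule, ingress_allowed, effective_source and world_reachable names are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str        # "tcp" or "udp"; the slide's "SSH" row is TCP port 22
    port_from: int
    port_to: int
    source: str       # source CIDR exactly as typed into the rule

    def network(self):
        # strict=False masks off host bits, so "192.168.0.41/10" becomes the
        # network it really denotes instead of raising ValueError
        return ipaddress.ip_network(self.source, strict=False)

    def matches(self, proto, port, src_ip):
        return (self.proto == proto.lower()
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(src_ip) in self.network())


# Constructed from the Adobe_FMS table on slide 17 (hypothetical rule set).
ADOBE_FMS = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 1111, 1111, "0.0.0.0/0"),
    Rule("tcp", 1935, 1935, "0.0.0.0/0"),
    Rule("udp", 1935, 1935, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "192.168.0.41/10"),
]


def ingress_allowed(rules, proto, port, src_ip):
    """Default deny: inbound traffic is admitted only if some rule matches."""
    return any(r.matches(proto, port, src_ip) for r in rules)


def effective_source(rule):
    """The network a rule's CIDR actually admits once host bits are masked."""
    return str(rule.network())


def world_reachable(rules):
    """(proto, port) pairs any Internet host can reach: review these first."""
    return {(r.proto, p) for r in rules if r.network().prefixlen == 0
            for p in range(r.port_from, r.port_to + 1)}
```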
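The signed-request check behind slides 21 and 24 (a policy with a timed expiry and an optional requestor CIDR, verified before content is served), as an added example that is not from the deck or from CloudFront's code. CloudFront verifies an RSA signature made with a trusted signer's key pair; this stand-alone model uses HMAC-SHA256 with a constructed key so it runs offline, and the URL, key and CIDR values are constructed.

```python
import base64, hashlib, hmac, ipaddress, json, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the trusted signer's key (CloudFront uses an RSA
# key pair; HMAC is used here only so the example runs without dependencies).
SIGNER_KEY = b"constructed-demo-signing-key"


def sign_url(base_url, expires_at, source_cidr=None, key=SIGNER_KEY):
    """Issue a signed URL carrying a custom policy: expiry plus optional CIDR."""
    statement = {"Resource": base_url,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}}
    if source_cidr:
        statement["Condition"]["IpAddress"] = {"AWS:SourceIp": source_cidr}
    policy = json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()
    sig = hmac.new(key, policy, hashlib.sha256).digest()
    query = {"Policy": base64.urlsafe_b64encode(policy).decode(),
             "Signature": base64.urlsafe_b64encode(sig).decode()}
    return base_url + "?" + urlencode(query)


def verify_request(url, client_ip, now=None, key=SIGNER_KEY):
    """Edge-side decision: (allowed, reason). Any defect fails closed."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    try:
        policy = base64.urlsafe_b64decode(q["Policy"][0])
        sig = base64.urlsafe_b64decode(q["Signature"][0])
    except (KeyError, ValueError):
        return False, "missing or malformed Policy/Signature"
    expected = hmac.new(key, policy, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):       # signature checked first
        return False, "signature mismatch"
    statement = json.loads(policy)["Statement"][0]
    if statement["Resource"] != parsed._replace(query="").geturl():
        return False, "policy does not cover this resource"
    cond = statement["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:  # timed URL
        return False, "expired"
    cidr = cond.get("IpAddress", {}).get("AWS:SourceIp")
    if cidr and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cidr, strict=False):
        return False, "requestor outside allowed CIDR"   # CIDR of the requestor
    return True, "ok"
```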
