Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013


"Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company's bottom line. As the move to store, process, and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multitenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing, and archiving digital media assets in the AWS environment. The talk also covers the security controls, features, and services that AWS provides its customers. Learn how AWS aligns with the MPAA security best practices and how media companies can leverage that for their media workloads.
This session also includes a representative from Sony Media Cloud Services discussing the path to MPAA alignment of their application Ci on AWS based on these best practices."


  1. Securing Media Content and Applications in the Cloud. Usman Shakeel, Amazon Web Services; Ben Masek, Sony Media Cloud Services. November 14, 2013. © 2013, Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
  2. Does AWS meet customers' security requirements?
  3. Does AWS meet customers' security requirements? Can my media content and applications on AWS be aligned to MPAA?
  4. TOGETHER
  5. Constant Pressures. Core Differentiators versus Cost of Business: better customer experience, reach more customers, better quality content, more cool features, more analytics, better vendor relationships, shorten the procurement cycle, audits and compliance, cut costs; infrastructure management, infrastructure security, infrastructure audit, DR, HA.
  6. Your $$$$ Can Go Farther!
     • Cost of Business: infrastructure management, infrastructure security, infrastructure audit; DR and HA are complicated.
     • Core Differentiators: new product features, better customer experience, more analytics, more monetization opportunities. Happy customers!!
  7. The Shared Responsibility Model. Layers, top to bottom: application, OS firewalls, security groups, operating system, account management and network configuration (customer-managed); virtualization infrastructure, network infrastructure, physical infrastructure, physical security and facilities (AWS-managed).
  8. Certifications and Compliances. The AWS-managed layers (facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure) are covered by:
     • SOC 1, SOC 2 & SOC 3 (SSAE 16/ISAE 3402 audit)
     • ISO 27001 certification
     • PCI Level 1 service provider
     • FedRAMP (FISMA)
     • AWS GovCloud (US)
     • MPAA best practices alignment
     Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO and International Traffic in Arms Regulations (ITAR) workloads.
  9. Security Innovation – Customer Driven Improvements. The requirements of everyone's applications feed back into the AWS security infrastructure.
  10. AWS Services Stack in a Media Workflow. Stages: Ingest, Store, Process, Deliver. Services shown: Amazon EC2 and AMIs, AWS Storage Gateway, AWS Direct Connect, AWS Import/Export, Amazon S3, Amazon EBS, Amazon Glacier, Amazon RDS, DynamoDB, Amazon Redshift, Amazon VPC, ElastiCache, Amazon EMR, Amazon Elastic Transcoder, CloudFront, Amazon CloudSearch, Route 53, Elastic Load Balancing, Amazon SQS, Amazon SNS, Amazon SWF.
  11. MPAA Security Best Practices. AWS alignment to the MPAA security best practices was reviewed in October 2012, based on the AWS shared responsibility model.
  12. MPAA Best Practices – AWS Services in Scope: Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), Amazon Simple Storage Service (S3), Amazon Elastic Block Store (EBS), Amazon Relational Database Service (RDS), Amazon DynamoDB, Elastic Load Balancing (ELB), AWS Identity and Access Management (IAM), Amazon CloudFront, Amazon Glacier, AWS Import/Export, AWS Direct Connect, Amazon Route 53, Amazon Elastic Transcoder, and the supporting data centers.
  13. MPAA Best Practices – Content Types in Scope
      • Preproduction: storyboards, scripts, location footage, screen tests
      • Production: production wrap, call sheets, raw files, dailies, script edits, editorial, audio files
      • Postproduction: media files, VFX, master files, editorial
      • Distribution: theatrical prints
  14. MPAA Content Security Best Practices
  15. MPAA Content Security Best Practices on AWS. The three areas and their topics: Management Systems (Organization & Management, Competency); Physical Security (Facility, Asset Management, Transport); Digital Security (Infrastructure, Content Management, Content Transfer).
  16. MPAA Content Security Best Practices on AWS. The same areas split across the shared responsibility model: on one side Physical Security (Facility, Asset Management, Transport), Management Systems (Organization & Management, Competency) and Digital Security (Infrastructure, Content Management); on the other Management Systems (Organization & Management, Virtual Resources, Competency) and Digital Security (Content Management, Content Transfer).
  17. AWS Physical Infrastructure Security
  18. What AWS controls do you have in the shared responsibility model?
  19. AWS Security Controls
      • Access points: HTTP or HTTPS using SSL access; Amazon VPC allows VPN access as well; redundant connections to more than one communication service at each Internet-facing edge.
      • API requests: SOAP requests must be signed (using X.509 certificates with an RSA public key); Query requests carry a SHA1 or SHA-256 cryptographic hash signature.
      • SSH to Amazon EC2 instances requires a public/private key pair or an RDP certificate.
      • AWS multi-factor authentication (MFA)
      • Key management and rotation
  20. AWS Identity and Access Management (IAM)
      • Unique security credentials: access keys, login/password, MFA device; federated authentication via the AWS Security Token Service (STS).
      • Policies control access to AWS APIs; API calls must be signed by either an X.509 certificate or a secret key.
      • Deep integration with other AWS services: Amazon S3 policies on objects and buckets; Amazon SimpleDB domains; Amazon EC2 resource permissions.
  21. Amazon EC2 Security Controls
      • EC2 (guest) operating system: controlled by YOU; YOU have admin/root; AWS has NO visibility; YOU generate the key pairs.
      • Security groups (stateful filters): YOU control the mandatory inbound firewall; the default is deny all; egress filtering as well in the case of Amazon VPC; configured through signed API calls.
      • Diagram: an instance in Availability Zone A inside a security group in the AWS Cloud. Example security group "Adobe_FMS" configuration (protocol / port range / source): TCP 80, TCP 1111, TCP 1935, UDP 1935, SSH 22.
  22. Amazon Virtual Private Cloud (VPC): isolated environment; ingress and egress filters; network ACLs; routing rules. Diagram: Internet gateway and Elastic IP, instances in security groups in a VPC public subnet and a VPC private subnet, and a VPN gateway with a VPN connection to the corporate data center.
  23. Amazon S3 Security Controls: bucket- and object-level permissions (owner-only access by default); signed URLs/query string authentication; IAM policies; versioning (MFA delete); detailed access logging (✔ access logs).
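The signed URL / query string authentication control listed on slide 23, as an added worked example (not code from the talk or from AWS): it builds a pre-signed S3 GET URL with the Signature Version 2 scheme S3 used at the time (Base64 of HMAC-SHA1 over the method, expiry and resource path) and then re-derives the signature the way the service does, so the URL is refused once it expires or when the object key or expiry is altered. The access key, secret and bucket name are constructed values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, unquote, urlencode, urlparse

# Constructed credentials for the example; never embed real ones in code.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "exampleSecretKey/NotARealOne+0123456789abcd"


def _string_to_sign(method, bucket, key, expires):
    # SigV2 layout: Verb, Content-MD5, Content-Type, Expires, resource path.
    # The two header slots are empty for a plain GET and there are no x-amz- headers.
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def _sign(secret, string_to_sign):
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign_get(bucket, key, expires):
    """Pre-signed URL for GET /bucket/key, valid until `expires` (epoch seconds)."""
    sig = _sign(SECRET_KEY, _string_to_sign("GET", bucket, key, expires))
    query = urlencode({"AWSAccessKeyId": ACCESS_KEY, "Expires": expires, "Signature": sig})
    return f"https://{bucket}.s3.amazonaws.com/{key}?{query}"


def verify_get(url, now, secrets):
    """Re-derive the signature as the service would; return (ok, reason)."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    bucket = (parsed.hostname or "").split(".s3.amazonaws.com")[0]
    key = unquote(parsed.path.lstrip("/"))
    try:
        access_key = qs["AWSAccessKeyId"][0]
        expires, sig = int(qs["Expires"][0]), qs["Signature"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed query parameters"
    if access_key not in secrets:
        return False, "unknown access key"
    if now >= expires:              # the URL is dead once Expires has passed
        return False, "expired"
    expected = _sign(secrets[access_key], _string_to_sign("GET", bucket, key, expires))
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        return False, "bad signature"
    return True, "ok"
```

Anything the signature does not cover (here: request headers) is not protected by it, which is why the slide pairs signed URLs with bucket policies and access logging.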
  24. S3 Client-Side Encryption with the AWS SDK for Java. Look for the AmazonS3EncryptionClient class (a subclass of AmazonS3Client). Diagram: the content is encrypted with an envelope key and the envelope key is encrypted with a master key that stays in the corporate data center; the encrypted content and the encrypted envelope key are what the SDK uploads.
  25. S3 Server-Side Encryption (at Rest). Amazon S3 performs the encryption, decryption and key management; 256-bit AES encryption is enabled per upload in the HTTP header. Diagram: the content to be uploaded is encrypted with an envelope key; the envelope key is encrypted by the S3 master key and stored separately from your data, giving encrypted stored data and an encrypted stored key.
  26. Example S3 Policies
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": ["s3:ListAllMyBuckets"],
            "Resource": "arn:aws:s3:::*"
          },
          {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": "arn:aws:s3:::examplebucket"
          },
          {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::examplebucket/*"
          }
        ]
      }
  27. Example S3 Policies
      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:GetObjectVersion",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
          }
        ]
      }
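To see what slide 27's policy actually grants, here is an added example (not part of the deck or of any AWS library): a small evaluator for IAM-style policy documents that implements default deny, explicit Deny overriding Allow, `*`/`?` wildcards, and substitution of the ${aws:username} variable, so that a user's requests against another user's prefix in examplebucket are refused. Conditions and other policy features are left out; the user names and object keys are constructed.

```python
import fnmatch
import json

# Slide 27's policy, quoted verbatim; the variable is substituted per request.
PER_USER_POLICY = json.loads("""{"Statement": [{"Effect": "Allow",
  "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
             "s3:DeleteObject", "s3:DeleteObjectVersion"],
  "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"}]}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    # IAM's '*' and '?' wildcards map onto fnmatch; action names compare
    # case-insensitively (fold=True), resource ARNs case-sensitively.
    patterns = _as_list(patterns)
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource, username):
    """Return True if `username` may perform `action` on `resource`."""
    allowed = False
    for stmt in policy["Statement"]:
        # Substitute the policy variable before matching, as IAM does. IAM user
        # names cannot contain '*' or '?', so the value cannot widen the pattern.
        resources = [r.replace("${aws:username}", username)
                     for r in _as_list(stmt["Resource"])]
        if not (_matches(stmt["Action"], action, fold=True)
                and _matches(resources, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False          # an explicit Deny overrides every Allow
        allowed = True
    return allowed                # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed requests: alice may read her own prefix, not bob's.
    for key in ("alice/raw.mxf", "bob/raw.mxf"):
        arn = "arn:aws:s3:::examplebucket/" + key
        print(key, is_allowed(PER_USER_POLICY, "s3:GetObject", arn, "alice"))
```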
  28. Amazon CloudFront Security
      • CloudFront's private content feature: only deliver content to securely signed requests.
      • HTTPS-only requests/delivery.
      • CloudFront origin access identity.
      • Signed URL verification: policy based on a timed URL or a CIDR block of the requestor.
      • HTTPS-only origin fetches.
      • Trusted signers.
      • Access logs.
      Diagram: the end user sends a signed request (HTTP) to Amazon CloudFront, which delivers from EC2 instances (in a security group) and Amazon S3 (media storage) and writes its logs to Amazon S3 (logs storage).
  29. CloudFront Origin Access Identity
      {
        "Statement": [
          {
            "Sid": "Grant a CloudFront Origin Identity access",
            "Effect": "Allow",
            "Principal": {
              "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"
          }
        ]
      }
  30. A Word on Content Location... Regions, Availability Zones and Edge Locations. Edge locations: London (2), New York (3), South Bend, Amsterdam (2), Stockholm, Newark, Tokyo (2), Seattle, Dublin, San Jose, Palo Alto, Hayward, Paris (2), Frankfurt (2), Seoul, Madrid, Ashburn (3), Milan, Osaka, Los Angeles (2), Jacksonville, Mumbai, Dallas (2), Hong Kong (2), Chennai, St. Louis, Miami, Singapore (2), Sao Paulo, Sydney.
  31. Introducing AWS CloudTrail. You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to you...
  32. AWS CloudTrail
      • Conduct audits for compliance: review API call activity within your account; user activity logs demonstrate compliance with government and industry regulatory standards.
      • Monitor user activity for suspicious behavior: monitor for specific known undesired behaviors and raise alarms using your SIEM solution.
      • Conduct security analytics to identify potential security issues: identify suspicious behavior and latent patterns that don't trigger immediate alarms but may represent a security issue.
  33. AWS CloudTrail Usage
      1. Create an S3 bucket in the customer's account (default name generated or customer specified); permissions are added to the bucket to allow AWS CloudTrail to write to it, and a user-specified bucket expiration policy is applied.
      2. Optionally, create an Amazon SNS topic in the same manner as the bucket above.
      3. Call CreateTrail to provide the bucket, topic, and S3 object prefix.
      4. Call StartLogging to start event processing for the account.
      Steps 1 and 2 are called directly as the user against Amazon S3/SNS; steps 3 and 4 are the only AWS CloudTrail calls.
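The monitoring use cases on slide 32, as an added example (not from the talk): three illustrative detection rules run over CloudTrail records in the log-file layout the service delivers to the bucket set up on slide 33. The event names and fields are CloudTrail's own (ConsoleLogin with additionalEventData.MFAUsed, StopLogging, PutBucketPolicy); the records, users, bucket and addresses are constructed.

```python
import json

# Constructed records in CloudTrail's log-file layout (a top-level "Records"
# list); the users, bucket and addresses are made up for this example.
SAMPLE_LOG = json.loads("""
{"Records": [
  {"eventTime": "2013-11-14T09:00:00Z", "eventSource": "signin.amazonaws.com",
   "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "editor1"},
   "additionalEventData": {"MFAUsed": "No"}},
  {"eventTime": "2013-11-14T09:05:12Z", "eventSource": "s3.amazonaws.com",
   "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "editor1"},
   "requestParameters": {"bucketName": "examplebucket"}},
  {"eventTime": "2013-11-14T09:06:40Z", "eventSource": "cloudtrail.amazonaws.com",
   "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
   "userIdentity": {"type": "IAMUser", "userName": "editor1"}},
  {"eventTime": "2013-11-14T09:10:00Z", "eventSource": "ec2.amazonaws.com",
   "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.9",
   "userIdentity": {"type": "IAMUser", "userName": "editor2"}}
]}
""")

# Calls that switch off or weaken the trail itself (StopLogging is the counterpart
# of slide 33's StartLogging) and calls that change who may reach a bucket.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail"}
BUCKET_EXPOSURE = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucketPolicy"}


def classify(record):
    """Return a finding label for one record, or None if it is unremarkable."""
    source, name = record.get("eventSource"), record.get("eventName")
    mfa = record.get("additionalEventData", {}).get("MFAUsed")
    if name == "ConsoleLogin" and mfa == "No":
        return "console-login-without-mfa"
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
        return "audit-logging-tampered"
    if source == "s3.amazonaws.com" and name in BUCKET_EXPOSURE:
        return "bucket-access-policy-changed"
    return None


def findings(log):
    """(eventTime, userName, sourceIPAddress, label) for every flagged record."""
    out = []
    for rec in log["Records"]:
        label = classify(rec)
        if label:
            out.append((rec["eventTime"], rec["userIdentity"].get("userName", "?"),
                        rec["sourceIPAddress"], label))
    return out
```

Run against the sample, the three findings share one user and source address within minutes, which is the kind of latent pattern slide 32 says a single alarm would miss.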
  34. Path to MPAA Best Practices Alignment. The customer layers (application, security groups, operating system, access management, network configuration) are assessed by a third-party auditor; the AWS layers (virtualization infrastructure, network infrastructure, physical infrastructure, physical security, facilities) are covered by SOC 1/2 and ISO 27001.
  35. MPAA Alignment for Sony MCS (Powered by AWS)
  36. Who? Sony Media Cloud Services: on-demand cloud-based solutions designed to empower media professionals to create and securely manage high-value, high-resolution content. Why? Exponential growth; securely organize, manage & archive.
  38. Sony MCS Alignment to MPAA
      • Ensure security becomes part of the tech team's DNA
      • Leverage internal + MPAA best practices
      • Leverage AWS security features (IAM, VPC…)
      • ISO 27001 certification preparation
      • Vulnerability assessments – penetration testing
      • On-going security program
      • MCS alignment to MPAA Security Best Practices reviewed March 2013
  39. MCS – MPAA Content Security Best Practices Alignment
      • Infrastructure Security (applications deployed on the AWS Cloud): facilities, physical security, network infrastructure, virtualization infrastructure
      • Logical Security (applications deployed on-premises): operating system, applications, security groups/VPCs, network config, account management
      • AWS Accelerators: IAM, VPCs, S3 security features, EC2 security features, CloudFront security features
  41. Sony MCS AWS Security Considerations. Architecture diagram: Auth; UI (auto scaling group) behind CloudFront; file check, virus scan, watermark / https; signed URL verification; content processing (VPC isolation, security groups); transfer cluster (encrypted transfer); monitoring; API (auto scaling group); other: signed URL / SSE / checksum; services used: NoSQL, ElastiCache, RDS, logging, SWF, SQS, STS, S3, Glacier, SES. Not shown: access control.
  42. Partner with AWS to Innovate on Security. AWS Controls: AWS IAM, agile trust zones (security groups + VPC), standardized environments. Also: AWS solution architects, AWS professional services, AWS premium support, AWS Trusted Advisor, AWS Partner Network.
  43. More Information – Where to Go Next...
      • AWS Security Center: AWS security white paper; AWS security procedures
      • AWS Compliance website: third-party attestations, reports, and certifications; AWS compliance white paper; AWS assurance programs
      • Contact us: contact your sales team; AWS help and support center
  44. Please give us your feedback on this presentation (MED401). As a thank you, we will select prize winners daily for completed surveys!