This presentation explains security concepts in the AWS Cloud and how they apply to digital media. We analyze some widely publicized events, look at the spectrum of digital media workloads from a Security Architect's point of view, and explain how to securely implement these workloads on the AWS Cloud.
This presentation was delivered in Toronto as part of the Media and Entertainment Roadshow.
Security: cloud controls to secure digital media workloads
1. Securely storing your digital content and running media workloads
Konstantin Wilms – Specialist Solutions Architect
Amazon Web Services
AWS Cloud Controls
2. Who is attacking and why?
Attackers: Cyber Criminal; Hacktivist; Advanced Persistent Threat (APT)
Motives and characteristics: Deface & Destroy; Manipulate; Highly Targeted
3. Associated Press – Hacked Twitter Account
• Internal password phishing
• 1% drop in S&P 500
• $136 Bn market drop
• US Treasury bond yield drop
• $ weakens against ¥
4. TV5Monde Outage
• State sponsored phishing attack
• 11 TV channels off air for 3 hours
• Website & Facebook page defaced
• Email server taken offline
5. Attack types against media vs other industries
Higher than Average
• DDOS
• Brute Force
• Application Attacks
Lower than Average
• Part of a botnet
• Scanning
• Recon
6. Digital Media Workloads (diagram spanning Studio; Post House + Other Service Providers; Affiliates + Broadcasters + Distributors)
• Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
• Content Distribution: B2C streaming of live and VOD content; B2B distribution; Video advertising insertion
• Content Storage: High speed ingest; Library storage and archiving; Tier management; Content/asset management
• Processing & Management: En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
• Content Consumption: Analytics, reporting, log analysis; Real-time monitoring; Content discovery; Content recommendation engine
8. A Layered Security Approach (diagram)
• Security of the Cloud vs Security on the Cloud
• Cloud Security; Organization & Management; Operations; Data Security
• Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Digital Security: Content Management; Content Transfer
12. Media Workflow Security (diagram)
• Content Production: Modelling; Rendering; Video editing; Post production; Broadcast signal acquisition; Digital dailies/approvals
• Content Storage: High speed ingest; Library storage and archiving; Tier management; Content/asset management
• Processing & Management: En/Transcode; Packaging; Encryption, watermarking; Digital Rights Management; Workflow, job scheduling, automation
13. Security of Media Workflows in the Cloud
• Highly Valued Pre-Released Assets
• Secure Transfer (physical in many cases)
• Encryption & Key Management
• Access Control
• Deletion Protection
• Isolated from public access (internet)
• Logging and Monitoring
• Content location
• Patriot Act/PRISM
15. Media Workflow Migration to AWS (diagram)
• Corporate data center: users; Content Servers; disk; tape storage
• AWS cloud: Amazon S3; Amazon Glacier; Amazon EBS; Processing Layer
• Content: Encrypted at Rest; Encrypted in Transit; Using my Keys; Over Private Connection; Access Policies; Protection
19. Encryption & Security Options (diagram)
• Corporate data center: users; Content Servers; disk; tape storage; Client side encryption
• Transfer: AWS Import/Export Snowball; Encrypted Content
• AWS cloud: Amazon S3; Amazon EBS; Amazon Glacier; Processing Layer; KMS/HSM; IAM roles
20. Private Hybrid Model - Non Internet Facing (diagram)
• Corporate data center: users; Content Servers; disk; tape storage; Client side encryption
• Transfer: Direct Connect; Encrypted Content
• AWS cloud: S3 VPC Endpoint; Amazon S3; Amazon EBS; Amazon Glacier; Processing Layer; KMS/HSM; IAM roles
21. Key Management Service - Sample End to End Media Security Workflow (diagram)
• Content owner provides the master key
• Provide CPK for S3 encryption at rest
• EC2, ETS can request the data-key on behalf of customer
• Store and deliver object specific keys in Dynamo (Amazon DynamoDB: Individual Key Storage)
• Ingest: S3 Ingest for Source, Renditions, Metadata Sidecar Files; AWS Elastic Beanstalk
• Authentication/Authorization
• Processing: Elastic Transcoder; Other Media processing on EC2
• Content Consumption: CloudFront Distribution
23. Infrastructure Recycling
• Launch a CloudFormation stack with all the infrastructure resources for a specific project
• Autoscale the stack as appropriate
• Diagram: AMI; CloudFormation Launch Template; CloudFormation Terminate Template
24. VPC Flow Logs - Value-add Service for High Valued assets (diagram)
• Elastic Network Interface in a Private subnet → Flow Log group (CloudWatch Logs)
• Metric filter: Filter on all SSH REJECT
• CloudWatch alarm: If SSH REJECT > 10, then…
• Amazon SNS → AWS Lambda (Source IP)
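An offline, added example (not from the deck) of the filter-and-threshold chain this slide wires together: it parses constructed VPC Flow Log records in the default field order, applies the SSH REJECT filter, and reports the source IPs whose count exceeds the > 10 threshold, which is what the Lambda would receive. The account id, interface id and IP addresses are constructed placeholders.

```python
"""Added example: the slide's VPC Flow Log -> metric filter -> alarm chain, offline."""
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
SSH_PORT, TCP = 22, 6
THRESHOLD = 10  # the slide's "If SSH REJECT > 10, then..."

# Constructed sample records using documentation IP ranges, not real traffic.
_REJECT = ("2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 {port} 22 6 3 180 "
           "1600000000 1600000060 REJECT OK")
SAMPLE_LINES = [_REJECT.format(port=40000 + i) for i in range(12)] + [
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51000 22 6 2 120 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 51001 22 6 2 120 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.0.5 10.0.1.20 52000 22 6 20 4000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 52001 443 6 5 300 1600000000 1600000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA",
]

def parse_record(line: str):
    """Parse one flow log line into a dict; NODATA/SKIPDATA records (log_status
    other than OK) carry '-' for addresses and ports and are returned as None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def is_ssh_reject(rec: dict) -> bool:
    """The metric filter: TCP to port 22 that a security group or NACL rejected."""
    return rec["protocol"] == TCP and rec["dstport"] == SSH_PORT and rec["action"] == "REJECT"

def ssh_rejects_by_source(lines) -> Counter:
    """The alarm's metric, broken down by source IP so the Lambda can act on it."""
    counts = Counter()
    for rec in map(parse_record, lines):
        if rec is not None and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts

def offending_sources(lines, threshold: int = THRESHOLD) -> list:
    """Source IPs whose SSH REJECT count exceeds the threshold within the batch."""
    return sorted(ip for ip, n in ssh_rejects_by_source(lines).items() if n > threshold)
```

In CloudWatch Logs the same condition is expressed as a space-delimited metric filter pattern on the dstport, protocol and action fields, and the alarm evaluates the resulting metric over a period rather than over a batch of lines as here.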
25. Log, Monitor, Act - Proactively
• You are making API calls and accessing your content ... on a growing set of services around the world accessing your content (Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Amazon Redshift, Amazon EC2, AWS IAM, Amazon RDS, Amazon Elastic Transcoder)
• Amazon CloudTrail is continuously recording API calls… and delivering log files to you…
• Amazon S3/Amazon CloudFront/App Logs: Access Logs
• Feed Logs in Amazon CloudWatch or monitor patterns on Logs
• Act Fast or automate based on real-time notifications and alerts