This presentation explains security concepts in the AWS Cloud, and how they apply to digital media. We analyze some events that were widely publicized, look at the spectrum of digital media workloads from a Security Architect point of view - and explain how to securely implement these workloads on the AWS Cloud. This presentation was delivered in Toronto as part of the Media and Entertainment Roadshow.

1. Securely storing your digital content and running media workloads
Konstantin Wilms – Specialist Solutions Architect
Amazon Web Services
AWS Cloud Controls

2. Who is attacking and why?
Cyber Criminal
Hacktivist
Advanced
Persistent
Threat (APT)
Deface & Destroy
Manipulate
Highly Targeted

3. Associated Press – Hacked Twitter Account
• Internal password phishing
• 1% drop in S&P 500
• $136 Bn market drop
• US Treasury bond yield drop
• $ weakens against ¥

4. TV5Monde Outage
• State sponsored phishing attack
• 11 TV channels off air for 3 hours
• Website & Facebook page defaced
• Email server taken offline

5. Attack types against media vs other industries
Higher than Average
• DDOS
• Brute Force
• Application Attacks
Lower than Average
• Part of a botnet
• Scanning
• Recon

6. Content
Production
Content
Distribution
Processing &
Management
Content
Storage
 Modelling
 Rendering
 Video editing
 Post production
 Broadcast signal
acquisition
 Digital
dailies/approvals
 B2C streaming of
live and VOD
content
 B2B distribution
 Video advertising
insertion
 High speed ingest
 Library storage and
archiving
 Tier management
 Content/asset
management
 En/Transcode
 Packaging
 Encryption,
watermarking
 Digital Rights
Management
 Workflow, job
scheduling,
automation
Content
Consumption
 Analytics,
reporting, log
analysis
 Real-time
monitoring
 Content discovery
 Content
recommendation
engine
Studio
Post House + Other Service Providers
Affiliates + Broadcasters + Distributors
Digital Media Workloads

7. Content
Production
Content
Distribution
Processing &
Management
Content
Storage
Content
Consumption
Shared IT Services
NetworkSecurity OperationsInfrastructure
Partner Solutions
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch
…from the Lens of a Security Architect

8. A Layered Security Approach
Security of the Cloud
Security on the Cloud
Cloud Security
Organization
&
Management
Operations Data Security
Application Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
Digital Security
Content
Management
Content Transfer

9. Facilities
Physical security
Physical infrastructure
Network infrastructure
Virtualization infrastructure
 Certifications
 MPAA best practices alignment
https://aws.amazon.com/compliance/mpaa/
Security of the Cloud

10. What’s in scope for MPAA (BP) Alignment?
…the entire AWS Services stack

11. MPAA
Guidelines
MPAA
Alignment
MPAA Best Practice Alignment
SOCISO
27001
PCI DSS
Level1
FEDRAMP
}

12. Media Workflow Security
Content
Production
Processing &
Management
Content
Storage
 Modelling
 Rendering
 Video editing
 Post production
 Broadcast signal
acquisition
 Digital
dailies/approvals
 High speed ingest
 Library storage and
archiving
 Tier management
 Content/asset
management
 En/Transcode
 Packaging
 Encryption,
watermarking
 Digital Rights
Management
 Workflow, job
scheduling,
automation

13. Security of Media Workflows in the Cloud
• Highly Valued Pre-Released Assets
• Secure Transfer (physical in many cases)
• Encryption & Key Management
• Access Control
• Deletion Protection
• Isolated from public access (internet)
• Logging and Monitoring
• Content location
• Patriot Act/PRISM

14. 12 Regions
30 Availability Zones
54 Edge locations
Where is my Content?

15. Media Workflow Migration to AWS
corporate data center
AWS cloud
users
Content
Servers
disk
tape storage
Amazon S3 Amazon Glacier
Content
Encrypted at Rest
Encrypted in Transit
Using my Keys
Over Private Connection
Access Policies
Protection
Processing
Layer
Amazon EBS

16. MFA,
Users,
Groups,
Roles
Linked
Accounts,
Alerts
Resource
Separation
Log &
Audit
CloudFormation
Infrastructure

17. Key & Secret Storage
Amazon S3 AWS KMSRequest
Managed
Policy
Keys managed centrally in Amazon KMS with permissions and auditing of usage
Additional Options such as AWS CloudHSM, Hashicorp Vault & others

18. Application Level Security
Development
Lifecycle
Authentication &
Access
Secure Coding &
Vulnerability
Management
AWS Config AWS IAM AWS CloudTrail AWS Inspector
Application Security

19. Encryption & Security Options
corporate data center
users
Content
Servers
disk
tape storage
Processing
Layer
Amazon S3
Amazon EBS
Amazon Glacier
KMS/
HSMClient side
encryption
role
IAM
role
AWS Import/Export
Snowball
AWS cloud
Encrypted
Content

20. Private Hybrid Model - Non Internet Facing
corporate data center
users
Content
Servers
disk
tape storage
Processing
Layer
Amazon S3
Amazon EBS
Amazon Glacier
KMS/
HSMClient side
encryption
role
IAM
Encrypted
Content
role
Direct Connect
S3VPCEndpoint
AWS cloud

21. Key Management Service
Provide CPK for S3
encryption at rest
EC2, ETS can request
the data-key on behalf
of customer
Store and deliver object
specific keys in Dynamo
S3 Ingest
For Source, Renditions, Metadata Sidecar Files
Ingest
AWS Elastic
Beanstalk
Content
Consumption
CloudFront
Distribution
Amazon
DynamoDB
Individual Key Storage
Other Media
processing on EC2
Elastic
Transcoder
Processing
Authentication/
Authorization
Content owner provides
the master key
Sample End to End Media Security Workflow

22. Storage Security Controls
Amazon Glacier Vault lock
PermissionsAccess Logs AWS CloudTrail
Versioning Durability
Amazon S3

23. Launch a CloudFormation stack
with all the infrastructure
resources for a specific project
Autoscale the stack as
appropriate
AMI
CloudFormation
Launch
Template
CloudFormation
Terminate
Template
Infrastructure Recycling

24. VPC Flow Logs
Amazon
SNS
CloudWatch
Logs
Private subnet
Value-add Service for
High Valued assets
AWS
Lambda
If SSH REJECT > 10,
then…
Elastic
Network
Interface
Metric filter
Filter on all
SSH REJECTFlow Log group
CloudWatch
alarm
Source IP

25. You are making API
calls and accessing
your content ...
On a growing set of
services around the
world accessing your
content
Amazon CloudTrail is
continuously
recording API calls…
And delivering log
files to you…
Elastic Load
Balancing
Amazon S3 Amazon
Glacier
Amazon
CloudFront
Amazon S3/Amazon
CloudFront/App Logs
Access Logs
Feed Logs in Amazon
Cloudwatch or monitor
patterns on Logs
Act Fast or automate
based on realtime
notifications and alerts
Amazon
Redshift
Amazon
EC2
AWS IAM
Amazon
RDS
Amazon
Elastic
Transcoder
Log, Monitor, Act - Proactively

26. Content
Distribution
 B2B distribution
Distribution (B2B) Workflow Security
Content
Delivery

27. Security of Distribution Workflows
• Secure Transfer (physical in many cases)
• Encryption & Key Management
• Access Control (bucket policies, …)
• Logging and Monitoring (source, destination)
• Multiple Accounts (destination consumable media)
• Consumption Models (Requester Pays)
• Centralized Logging (security account)

28. Security of the Distribution (content transfer)
Workflow (B2B)
AWS cloud
Proxy Layer (Optional)Amazon S3
KMS/
HSM IAM
role
S3 VPC Endpoint
Vendors / Partners
Internal Users
Affiliates/Distributors
Fine grained temporary access
Temporary Access
Access Logs
Distribution account

29. INGEST STORE MANAGE SECUREPROCESS
CREATE
MONETIZE
INTEGRATEDELIVER
SECURE
Media Security Software on AWS

30. Comprehensive Cloud Controls for Media
 AWS CloudTrail, Config & S3 Logs
 Log-based Alerting (Splunk, AWS Elasticsearch, …)
 HIDS Solutions (MP, Partners, …)
 NIMS Solutions (MP, Partners, …)
 OS Controls (SELinux, …)
 AWS Inspector (CVE, …)
 Pre-Authorized Pentesting (Qualys, …)
 AWS Well Architected Program
 AWS Security Playbooks
 Disposable & Burnable Infrastructure
 Pre-Baked AMIs (Packer)
 AWS ECS (Docker / Containers)
 Patch Management (AWS, MP, BYO)

31. Thank You!