Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company’s bottom line. As the move to store, process and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multi-tenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing and archiving digital media assets on the AWS environment. AWS also enables customers to achieve compliance with the MPAA security best practices with minimal effort. Learn how AWS complies with the MPAA security best practices and how media companies can leverage that for their media workloads.
11. Facilities ✔
Physical Security
Physical Infrastructure
Network Infrastructure
Virtualization Infrastructure
Operating System
Application
Security Groups / OS Firewalls / Network Configuration / Account Management
A few nifty AWS features: IAM (Identity & Access Management), EC2 Security features, VPC (Virtual Private Cloud), S3 Security features, CloudFront Security features
12. Unique security credentials
• Access keys, Login/Password, MFA device
• Federated Authentication (Secure Token Service STS)
Policies control access to AWS APIs
• API calls must be signed by either: X.509 certificate or secret key
Deep integration into some services
• S3: policies on objects and buckets
• SimpleDB: domains
Not for Operating Systems or Applications (use LDAP, Active Directory/ADFS, etc.)
14. Diagram: content from the corporate data center is ingested into Amazon S3 (media storage) by ingest EC2 instances in the AWS cloud, alongside Amazon Simple Queue Service (SQS).
15. S3 Client Side Encryption with AWS SDK for Java
Look for the AmazonS3EncryptionClient class (a subclass of AmazonS3Client).
Diagram: in the corporate data center, the SDK encrypts the content with an envelope key and encrypts that envelope key with the master key; the encrypted content and the encrypted envelope key are what gets uploaded.
17. AWS Direct Connect
SSL endpoints
• All AWS APIs provide SSL endpoints
AWS Import/Export Service for very large datasets
Diagram: content from the corporate data center, or from a co-lo over AWS Direct Connect, reaches Amazon S3 (media storage) and ingest EC2 instances with Amazon Simple Queue Service (SQS) in the AWS cloud; very large datasets arrive via AWS Import/Export.
19. • Bucket and Object level permissions
• Owner only access (by default)
• Signed URLs/Query String Authentication
• IAM Policies
• Versioning (MFA Delete)
• Detailed Access Logging
20. Amazon S3 (encryption enabled in the HTTP header of the upload):
• Encryption
• Decryption
• Key Management
• 256-bit AES encryption
Diagram: content to be uploaded is stored as encrypted data together with an encrypted envelope key; the envelope key is encrypted by the S3 master key, which is stored separately from your data.
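Slides 15 and 20 describe the same envelope pattern from two sides (the SDK holding the master key, or S3 holding it). The following Go program is an added illustration, not code from the deck or from the AWS SDK: it uses AES-256-GCM for both layers (the SDK's actual key-wrapping algorithm differs) so that the stored pieces line up with the slide labels; the names Key, seal and open are chosen here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type Key [32]byte // 256-bit AES key: either the master key or a one-time per-object envelope key
func random(n int) []byte { // n bytes from crypto/rand; a failing CSPRNG is fatal, never zeros
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
func seal(key Key, plaintext []byte) []byte { // returns nonce || AES-256-GCM ciphertext
	block, _ := aes.NewCipher(key[:]) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key or any tampered byte.
func open(key Key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// Encrypt draws a one-time envelope key, encrypts the content with it, and wraps the
// envelope key with the master key. Only the two returned ciphertexts are stored (the
// slide's "Encrypted Content" and "Encrypted Envelope Key"); the master key never is.
func Encrypt(master Key, content []byte) (encContent, encEnvelopeKey []byte) {
	var envKey Key
	copy(envKey[:], random(len(envKey)))
	return seal(envKey, content), seal(master, envKey[:])
}

// Decrypt unwraps the envelope key with the master key, then decrypts the content.
func Decrypt(master Key, encContent, encEnvelopeKey []byte) ([]byte, error) {
	raw, err := open(master, encEnvelopeKey)
	if err != nil || len(raw) != len(Key{}) {
		return nil, errors.New("cannot unwrap envelope key")
	}
	var envKey Key
	copy(envKey[:], raw)
	return open(envKey, encContent)
}
```

Rotating the master key only requires re-wrapping the stored envelope keys, not re-encrypting the media itself.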
22. Diagram: a VPC (10.0.0.0/16) with a public subnet (10.0.0.0/24) and a private subnet (10.0.1.0/24), each holding EC2 instances, plus a NAT instance and a router; an Internet Gateway leads to the Internet, S3, Glacier, SQS and the EC2 API endpoint, and a VPN Gateway connects to the corporate data center.
23. EC2 (Guest) Operating System
• Controlled by YOU
• YOU have admin/root
• AWS has NO visibility
• YOU generate the key-pairs
Security Groups (Stateful Filters)
• YOU control the mandatory inbound firewall
• Default Deny All Configuration
• +Egress in the case of VPC
Example security group "Adobe_FMS" (Adobe Flash Media Server):
Protocol  Port Range  Source
TCP       80          0.0.0.0/0
TCP       1111        0.0.0.0/0
TCP       1935        0.0.0.0/0
UDP       1935        0.0.0.0/0
SSH       22          192.168.0.41/10
Diagram: an instance inside a security group in Availability Zone A of the AWS cloud, reached by signed API calls.
24. EC2 Security Controls
• Security Groups (default deny all)
• Virtual Private Cloud (VPC)
  • Isolated environment
  • Ingress and Egress filters
  • Network ACLs
  • Routing rules
• OS Level Firewalls
  • IP Tables
• Patch Management
Diagram: a VPC with a public and a private subnet, a NAT instance, an Internet Gateway, EC2 instances behind a security group, S3 (media storage) and Amazon Simple Queue Service (SQS) in the AWS cloud.
25. • Windows
  • Windows Encrypting File System (EFS)
  • TrueCrypt (works well with NTFS)
• Linux
  • EncFS
  • Loop-AES
  • dm-crypt
  • TrueCrypt
28. CloudFront's Private Content Feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• CloudFront Origin Access Identity
• Signed URL Verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted Signers
• Access Logs
Diagram: the end user's signed request goes to Amazon CloudFront, which fetches from Amazon S3 (media storage) or from delivery EC2 instances behind a security group; access logs are written to Amazon S3 (logs storage).
30. Live Streaming:
• Secure the instance
  • Security Groups (source and port)
  • Streaming server in a VPC
• Securing the content chunks and manifest
  • Use Signed URLs provided by CloudFront
On-Demand Streaming:
• S3 content bucket security
• CloudFront private content features
31. Amazon CloudFront: set up CloudFront for private content, with a web application that:
• Sends the IP address of the requestor to a geo-location service (Digital Element, MaxMind)
• Evaluates the IP address
• Generates a URL for CloudFront or returns a not-allowed page
Diagram: end user, EC2 web server instances, geo-location service, Amazon CloudFront.
32. Diagram: end-to-end architecture. Content enters from the corporate data center over AWS Direct Connect into S3 (media storage); ingest and processing EC2 instances inside a Virtual Private Cloud, each behind a security group, coordinate through Amazon Simple Queue Service (SQS); delivery EC2 instances behind a security group and Amazon CloudFront serve end users over HTTPS, with Amazon Route 53 providing DNS.
34. Set up application-level logging on the EC2 instances.
Several third-party products are available for logging, along with EMR (Elastic MapReduce).
If you are investigating a security event and need logs and forensics: TALK TO US!
37. Diagram: the media production lifecycle (Pre-Production, Production, Production Wrap, Post-Production, Distribution) mapped to service lines: Digital Services, Visual Effects, Post Production, Creative Advertising, Distribution.
KODE Compliance Inc. | Accelerating Compliance
41. • Experts in the MPAA standard
• Eliminate the guessing game
• Committed to getting you compliant
42. Heavy lifting for infrastructure security
OS and application level security
44. We are sincerely eager to hear your feedback on this presentation and on re:Invent. Please fill out an evaluation form when you have a chance. Tweet #reinvent.