Security of your digital content and media applications on AWS Usman Shakeel | Principal Solutions Architect | Amazon Web Services Ryan Holland | Director of Cloud Platforms | Alert Logic

Post on 15-Apr-2017

TRANSCRIPT

Page 1: Alert Logic

Security of your digital content and media applications on AWS

Usman Shakeel | Principal Solutions Architect | Amazon Web Services

Ryan Holland | Director of Cloud Platforms | Alert Logic

Page 2:

Who is attacking and why?

• Cyber criminal

• Hacktivist

• Advanced Persistent Threat (APT)

Page 3:

Associated Press – Hacked Twitter Account

• 1% drop in S&P 500

• $136 Bn market drop

• US Treasury bond yield drop

• $ weakens against ¥

Page 4:

TV5Monde Outage

• 11 TV channels off air for 3 hours

• Website & Facebook page defaced

• Email server taken offline

Page 5:

Attack types against media vs other industries

• Higher than average

– DDoS

– Brute force

– Application attacks

• Lower than average

– Part of a botnet

– Scanning

– Recon

Page 6:

Shared Security Model

Customer responsibility

• Applications: secure coding and best practices; software and virtual patching; configuration management; access management; application-level attack monitoring

• Hosts: access management; patch management; configuration hardening; security monitoring; log analysis

• Network: network threat detection; security monitoring

AWS responsibility

• Network: logical network segmentation; perimeter security services; external DDoS, spoofing, and scanning prevented

• Hosts: hardened hypervisor; system image library; root access for customer; configuration best practices

Page 7:

Getting to a Secure Baseline

Visibility of the AWS Environment

AWS Security Best Practices

Vulnerabilities on the Instances

Page 8:

Your content

Your Crown Jewels…

Storage | Access control, encryption at rest, access monitoring, …

Network or physical transfer | Encryption in transit, network vulnerabilities, …

Value-added services | Encryption and key management, access controls, …

Page 9:

Shared Responsibility

• AWS is responsible for all backend infrastructure security

• The customer is responsible for the AWS architecture in their account and for application security

Page 10:

Security of the Cloud

• Facilities

• Physical security

• Physical infrastructure

• Network infrastructure

• Virtualization infrastructure

• Certifications (ISO, MPAA)

MPAA best practices alignment: https://aws.amazon.com/compliance/mpaa/

(Diagram: cloud security areas, Organization & Management, Operations and Data Security, mapped against the ISO and MPAA frameworks)

Page 11:

Security on the Cloud (application and content security)

Application Security: Development Lifecycle | Authentication & Access | Secure Coding & Vulnerability Management

Digital Security: Content Management | Content Transfer

Storage | S3, Glacier, EBS, Instance Store, EFS

Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF

Network | VPC, VPN, Direct Connect

Access | IAM, AWS Config, CloudTrail, CloudWatch

Page 12:

Content Security

(Section divider: the Page 11 framework repeated, with Digital Security / Content Management highlighted)

Page 13:

Security of Studio/Post House Workflows

• FAQs – Highly valued pre-released assets

– Secure transfer (physical in many cases)

– Encryption & key management

– Access control

– Deletion protection

– Isolated from public access (internet)

– Logging and monitoring

– Content location

Page 14:

Server-side encryption using KMS

(Diagram: Amazon S3 sends a request to AWS KMS for the data key; the key policy decides whether the request is granted)

Keys managed centrally in AWS KMS with permissions and auditing of usage

Page 15:

Security of the Studio/Post House Workflows (content encryption and access)

(Diagram: corporate data center with users, content servers, disk and tape storage; content moves to the AWS cloud either via AWS Import/Export Snowball or with client-side encryption; a processing layer runs under an IAM role; encrypted content is held in Amazon S3, Amazon EBS and Amazon Glacier with keys in KMS/HSM)

Page 16:

Locking down S3 access with a VPC endpoint (VPCE)

(Diagram: an AWS region with a VPC spanning private subnets in Availability Zone A and Availability Zone B, each hosting Content and Value-add Service instances; the customer network connects over a VPN connection to a Virtual Private Gateway; Amazon S3 is reached only through VPC endpoints)

VPC Endpoints

• No IGW

• No NAT

• No public IPs

• Free

• Robust access control

Page 17:

VPC Endpoints in action

(Diagram: one VPC with private subnets for Apps and a Value-add Service; the "High Valued Assets" bucket is reached through VPCE1, "Everything else" through VPCE2)

1. Subnet route table gives connectivity to the VPCE

2. VPCE IAM policy (the endpoint policy) restricts which buckets the VPCE allows access to

3. Bucket policy restricts access to specific VPCEs (or VPCs) ONLY

4. Security groups on instances further restrict which resources can access S3
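Steps 2 and 3 above, and the SSE-KMS enforcement on Page 14, all come down to condition keys in an S3 bucket policy or endpoint policy. The following is an added example, not code from the deck or from AWS: it writes those three policies out and evaluates constructed requests against them with a deliberately small model of the IAM policy language (Allow/Deny with StringEquals, StringNotEquals and Null). Real IAM evaluation also folds in identity policies, more operators and wildcard rules, so confirm anything you ship with the AWS policy simulator. The bucket name, KMS key ARN and endpoint IDs are placeholders.

```python
"""Offline model of the S3 bucket and endpoint policies from Pages 14 and 17."""
import fnmatch

BUCKET = "studio-prerelease-assets"                      # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/placeholder-key-id"
HVA_VPCE = "vpce-0a1b2c3d4e5f60718"                      # placeholder (VPCE1 on Page 17)
SSE = "s3:x-amz-server-side-encryption"
SSE_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def sse_kms_bucket_policy(bucket, key_arn):
    """Page 14: refuse any PutObject that is not SSE-KMS under the expected key."""
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*"}
    return {"Version": "2012-10-17", "Statement": [
        {**deny, "Sid": "DenyUnencrypted", "Condition": {"Null": {SSE: "true"}}},
        {**deny, "Sid": "DenyNotKms", "Condition": {"StringNotEquals": {SSE: "aws:kms"}}},
        # Also catches "aws:kms" uploads that omit the key id: those silently use the
        # account's default aws/s3 key instead of the audited CMK.
        {**deny, "Sid": "DenyWrongKey", "Condition": {"StringNotEquals": {SSE_KEY: key_arn}}},
    ]}


def vpce_only_bucket_policy(bucket, vpce_ids):
    """Page 17 step 3: the bucket only serves requests that arrive via the listed endpoints.
    Caveat: this also shuts out console users and CI outside the VPC; add a
    break-glass principal exception before applying it to a live bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNotFromVpce", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": list(vpce_ids)}}}]}


def endpoint_policy(buckets):
    """Page 17 step 2: the endpoint itself only forwards requests for these buckets."""
    arns = [a for b in buckets for a in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowListedBuckets", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": arns}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(operator, key, expected, context):
    expected, actual = _as_list(expected), context.get(key)
    if operator == "Null":              # "true" means the key must be absent
        return (actual is None) == (str(expected[0]).lower() == "true")
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":   # IAM: a negated operator on a missing key is true
        return actual is None or actual not in expected
    raise ValueError(f"operator not modelled: {operator}")


def _applies(stmt, req):
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req["resource"], r) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, k, v, req["context"])
               for op, pairs in stmt.get("Condition", {}).items() for k, v in pairs.items())


def evaluate(policy, req):
    """'deny:<Sid>' for an explicit deny, 'allow' for a matching Allow, otherwise
    'not-matched' (this policy is silent and other policies decide)."""
    matched = [s for s in policy["Statement"] if _applies(s, req)]
    for s in matched:
        if s["Effect"] == "Deny":
            return "deny:" + s["Sid"]
    return "allow" if matched else "not-matched"


def _req(action, resource, context):
    return {"action": action, "resource": resource, "context": context}


def sse_kms_outcomes():
    """Constructed uploads against the Page 14 policy."""
    pol = sse_kms_bucket_policy(BUCKET, KMS_KEY_ARN)
    key = f"arn:aws:s3:::{BUCKET}/dailies/ep01.mxf"

    def put(ctx):
        return evaluate(pol, _req("s3:PutObject", key, ctx))

    return {"plain": put({}),
            "sse_s3": put({SSE: "AES256"}),
            "kms_default_key": put({SSE: "aws:kms"}),
            "kms_right_key": put({SSE: "aws:kms", SSE_KEY: KMS_KEY_ARN})}


def vpce_outcomes():
    """Constructed reads against the Page 17 bucket policy and endpoint policy."""
    bucket_pol = vpce_only_bucket_policy(BUCKET, [HVA_VPCE])
    ep_pol = endpoint_policy([BUCKET])

    def get(pol, bucket, ctx):
        return evaluate(pol, _req("s3:GetObject", f"arn:aws:s3:::{bucket}/x.mxf", ctx))

    return {"from_internet": get(bucket_pol, BUCKET, {}),
            "from_other_vpce": get(bucket_pol, BUCKET, {"aws:sourceVpce": "vpce-0fedcba9876543210"}),
            "from_hva_vpce": get(bucket_pol, BUCKET, {"aws:sourceVpce": HVA_VPCE}),
            "endpoint_other_bucket": get(ep_pol, "some-other-bucket", {}),
            "endpoint_hva_bucket": get(ep_pol, BUCKET, {})}
```

Two things the walk-through makes visible that the slide does not: a bucket policy made only of Deny statements never grants anything by itself (`kms_right_key` comes back `not-matched`, the identity policy still has to allow the upload), and `StringNotEquals` on a missing key evaluates as true, which is exactly what makes `DenyWrongKey` catch uploads that say `aws:kms` but forget the key id.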

Page 18:

Security of the Studio/Post House Workflows (no public network traversal)

(Diagram: same workflow as Page 15, but the corporate data center connects over Direct Connect and the processing layer reaches Amazon S3 through an S3 VPC Endpoint; client-side encryption, an IAM role for the processing layer, and encrypted content in Amazon S3, Amazon EBS and Amazon Glacier with keys in KMS/HSM)

Page 19:

Where is my content?

• 12 Regions

• 32 Availability Zones

• 54 Edge locations

Page 20:

Additional Storage Security Controls

• Amazon S3: permissions, access logs, versioning, durability

• Amazon Glacier: vault lock

• AWS CloudTrail

Page 21:

VPC Flow Logs: Automation

(Diagram: the Elastic Network Interface of the value-add service for high-valued assets in a private subnet writes to a Flow Log group in CloudWatch Logs; a metric filter on all SSH REJECTs feeds a CloudWatch alarm, "If SSH REJECT > 10, then…"; the alarm notifies Amazon SNS and triggers AWS Lambda, which acts on the source IP)

Page 22:

Additional Security Controls (Elastic Transcoder Security)

• Encryption at rest: server-managed keys or client-provided keys

• Integration with AWS Key Management Service: Amazon Elastic Transcoder only accepts AWS KMS-protected keys; the key is never written or stored in cleartext

• Encryption for HLS streams: built on top of the "client-provided keys" API; Amazon Elastic Transcoder generates HLS playlists embedding the URI for the decryption key

• Digital Rights Management: PlayReady DRM packaging

• CloudTrail integration

(Diagram: Elastic Transcoder runs under an IAM role, reads and writes Amazon S3, uses KMS for keys, is audited by AWS CloudTrail, and applies watermarking)

Page 23:

Content Transfer

(Section divider: the Page 11 framework repeated, with Digital Security / Content Transfer highlighted)

Page 24:

Security of the Distribution Workflow (B2B content transfer)

(Diagram: in the AWS cloud, Amazon S3 sits behind an optional proxy layer and is reached through an S3 VPC Endpoint under an IAM role, with keys in KMS/HSM; internal users, vendors/partners and affiliates/distributors each receive fine-grained temporary access; access logs are kept; remote application streaming is an alternative to handing over files)

Page 25:

A secure way to physically transfer content, at scale: AWS Import/Export Snowball

Scale and Speed

• Up to 50TB capacity per device

• 10Gbps and 1Gbps connectivity

• Parallel data transfer enables PBs transferred in a week

Secure

• Tamper-resistant enclosure

• 256-bit encryption with keys managed in KMS

• Secure data erasure

Simple

• Manage the entire process through the AWS Console

• Lightweight data transfer client

• Notifications

Page 26:

Security of Content Distribution Applications

• FAQs

– Access control, rights management & content monetization

– DRM packaging

– Encryption

– Logging and monitoring

Page 27:

AWS mechanisms for securing media delivery

• Token / signed URLs: Amazon CloudFront private content (signed URLs, signed cookies, OAIs)

• AES encryption: Amazon Elastic Transcoder HLS with AES-128 encryption; AWS Key Management Service for key management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3

• DRM: Amazon Elastic Transcoder PlayReady DRM packaging

• Geoblocking: Amazon CloudFront geo-restriction

• Watermarking: Amazon Elastic Transcoder visual watermarks

Page 28:

CDN Security (Amazon CloudFront Security)

• CloudFront's private content feature: only deliver content to securely signed requests

• HTTPS-only requests/delivery

• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor

• HTTPS-only origin fetches

• AWS WAF

• Trusted signers

• Access logs

• CloudFront origin access identity

• Signed cookies for private content: the signature is carried in the cookie itself

(Diagram: the end user sends a signed request to Amazon CloudFront, which verifies the signed URL or signed cookie and applies AWS WAF; origins are Amazon S3 (media storage) and delivery EC2 instances behind a security group; access logs are written to Amazon S3 (logs storage))
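The "policy based on a timed URL or a CIDR block of the requestor" bullet, and the temporary partner access on Page 24, are both the CloudFront custom policy. The block below is an added example, not code from the deck or from AWS: it builds the policy document, applies the CloudFront base64 alphabet (`+ = /` become `- _ ~` so the values survive in a query string), assembles the URL, and then checks a request against the policy's conditions the way the edge does after signature verification. The policy layout, parameter names and encoding are the documented ones; the distribution hostname and key pair ID are placeholders, and `sign_rsa_sha1()` needs the third-party `cryptography` package plus a trusted signer's private key, which the demo stands in for with fake signature bytes.

```python
"""CloudFront signed URL with a custom policy: build, encode, and check (Pages 24 and 28)."""
import base64
import fnmatch
import ipaddress
import json
from urllib.parse import parse_qs, urlsplit


def custom_policy(resource, expires_at, source_cidr=None, not_before=None):
    """Compact JSON: CloudFront requires the policy to contain no whitespace."""
    cond = {"DateLessThan": {"AWS:EpochTime": int(expires_at)}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if source_cidr:
        cond["IpAddress"] = {"AWS:SourceIp": source_cidr}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))


def cf_b64encode(data):
    """Standard base64, then CloudFront's substitutions; '+' in particular would be
    decoded as a space by any query-string parser."""
    return (base64.b64encode(data).decode("ascii")
            .replace("+", "-").replace("=", "_").replace("/", "~"))


def cf_b64decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def sign_rsa_sha1(policy_json, private_key_pem):
    """CloudFront verifies RSA PKCS#1 v1.5 over SHA-1 of the exact policy bytes.
    Requires the 'cryptography' package and a trusted-signer private key."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return key.sign(policy_json.encode("utf-8"), padding.PKCS1v15(), hashes.SHA1())


def signed_url(resource, policy_json, signature, key_pair_id):
    sep = "&" if "?" in resource else "?"
    return (f"{resource}{sep}Policy={cf_b64encode(policy_json.encode('utf-8'))}"
            f"&Signature={cf_b64encode(signature)}&Key-Pair-Id={key_pair_id}")


def check_policy(url, client_ip, now):
    """The policy conditions as the edge applies them. This runs only AFTER the RSA
    signature has been verified against the trusted signer's public key (that step is
    outside this example); an unverified policy must never be trusted.
    Returns 'ok' or the reason the request is refused."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    for p in ("Policy", "Signature", "Key-Pair-Id"):
        if p not in q:
            return f"missing {p}"
    stmt = json.loads(cf_b64decode(q["Policy"][0]))["Statement"][0]
    requested = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not fnmatch.fnmatchcase(requested, stmt["Resource"]):
        return "resource mismatch"
    cond = stmt["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return "expired"
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return "not yet valid"
    if "IpAddress" in cond:
        allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in allowed:
            return "source ip not allowed"
    return "ok"


def demo(now=1492250000):
    """Constructed walk-through: a partner gets one hour of access from their /24."""
    resource = "https://d111111abcdef8.cloudfront.net/prerelease/ep01.m3u8"  # placeholder host
    policy = custom_policy(resource, expires_at=now + 3600, source_cidr="203.0.113.0/24")
    fake_signature = bytes(range(256))   # stand-in; a real one comes from sign_rsa_sha1()
    key_pair_id = "APKAEXAMPLEKEYPAIR"   # placeholder
    url = signed_url(resource, policy, fake_signature, key_pair_id)
    tampered = signed_url(resource.replace("ep01", "ep02"), policy, fake_signature, key_pair_id)
    return {
        "url": url,
        "in_window_from_partner": check_policy(url, "203.0.113.44", now + 600),
        "in_window_from_elsewhere": check_policy(url, "198.51.100.7", now + 600),
        "after_expiry": check_policy(url, "203.0.113.44", now + 3601),
        "other_object": check_policy(tampered, "203.0.113.44", now + 600),
    }
```

Because the policy is signed as a whole, the time window and the CIDR travel with the URL and cannot be edited by the recipient; the `tampered` case shows that swapping the object path while keeping the signed policy fails on the resource check before any time or address condition is consulted. Prefer the wildcard form of `Resource` (one signed policy per partner session covering `/prerelease/*`) over one URL per segment when the player will request many HLS segments.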

Page 29:

Application Development Security

Application Security: Development Lifecycle | Authentication & Access | Secure Coding & Vulnerability Management

• AWS Config: Config Rules

• AWS IAM: IAM users, IAM groups, IAM roles

• AWS CloudTrail

• Amazon Inspector (preview)

Page 30:

Log, Monitor, Act Proactively

You are making API calls and accessing your content on a growing set of services around the world…

Amazon CloudTrail is continuously recording those API calls and delivering log files to you…

Log sources: Amazon CloudTrail; access logs from Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront and Elastic Transcoder; Amazon S3/Amazon CloudFront/application logs

Feed the logs into Amazon CloudWatch, or monitor for patterns in the logs

Act fast, or automate, based on real-time notifications and alerts

Page 31:

Recycle Infrastructure often

(Diagram: AMI + CloudFormation template -> launched stack -> terminate)

• Launch a CloudFormation stack with all the infrastructure resources for a specific project

• Autoscale the stack as appropriate

• Terminate

Page 32:

A few other topics

• FAQs

– Third-party media security products

• Watermarking

• DRM

– Software patching and updates

– Real-time notifications on any security/access breaches/anomalies

Page 33:

Media Security Software on AWS

(Logos of media security software partners available on AWS)

Page 34:

Monitoring Activity in your environment

• Visibility of the AWS environment

• AWS security best practices

• Vulnerabilities on the instances

• Monitor web application traffic

• Implement network intrusion detection

• Capture log data

Page 35:

Bringing it together

• Visibility of the AWS environment

• AWS security best practices

• Vulnerabilities on the instances

• Monitor web application traffic

• Implement network intrusion detection

• Capture log data

Analytics and security analysts

Page 36:

(Diagram: security events and log data flow in from on-premises, hosted, hybrid and cloud environments; escalated security incidents and recommendations flow back out)

Page 37:

Shared Compliance Model

Page 38:

Compliance

• AWS CloudTrail: auditing events from your AWS infrastructure

• Cloud Defender: collection and analysis of CloudTrail logs; notification on business rule exceptions; reporting

• Customer: defines the policies needed to meet compliance; the IT operations and security team consume the output

Page 39:

Questions?