securing media content and applications in the cloud (med401) | aws re:invent 2013
DESCRIPTION
"Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company's bottom line. As the move to store, process, and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multitenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing, and archiving digital media assets in the AWS environment. The talk also covers the security controls, features, and services that AWS provides its customers. Learn how AWS aligns with the MPAA security best practices and how media companies can leverage that for their media workloads. This session also includes a representative from Sony Media Cloud Services discussing the path to MPAA alignment of their application Ci on AWS based on these best practices."
TRANSCRIPT
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
Securing Media Content and Applications in
the Cloud
Usman Shakeel, Amazon Web Services
Ben Masek. Sony Media Cloud Services
November 14, 2013
Does AWS meet customer’s
security requirements?
Can my media content and
applications on AWS be
aligned to MPAA?
TOGETHER
Cost of Business
• Infrastructure management
• Infrastructure security
• Infrastructure audit
• DR, HA
Core Differentiators
• Better customer experience
• Reach more customers
• Better quality content
• More cool features
• More analytics
Constant Pressures
• Better vendor relationships
• Shorten procurement cycle
• Audits and compliance
• Cut costs
Your $$$$ Can Go Farther !
Cost of Business • Infrastructure management
• Infrastructure security
• Infrastructure audit
• DR and HA is complicated
Core Differentiators • New product features
• Better customer experience
• More analytics
• More monetization opportunities
Happy Customers !!
The Shared Responsibility Model
AWS is responsible for:
• Facilities
• Physical security
• Physical infrastructure
• Network infrastructure
• Virtualization infrastructure
The customer is responsible for:
• Application
• OS firewalls
• Security groups
• Operating system
• Account management
• Network configuration
Certifications and Compliances
AWS certifications and attestations cover the AWS-managed layers: facilities, physical security, physical infrastructure, network infrastructure, and virtualization infrastructure.
Certifications
• SOC 1, SOC 2 & SOC 3 (SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment
Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, and International Traffic in Arms Regulations (ITAR) workloads on AWS.
Security Innovation – Customer Driven Improvements
Diagram: requirements from everyone's applications feed back into the AWS security infrastructure.
AWS Services Stack in a Media Workflow
Diagram: the services below arranged across the Ingest, Store, Process and Deliver stages of a media workflow.
AWS Direct Connect, Elastic Load Balancing, AWS Import/Export, Amazon S3, AWS Storage Gateway, Amazon Glacier, Amazon EBS, CloudFront, Amazon CloudSearch, Amazon SNS, Amazon SQS, Amazon SWF, Amazon Elastic Transcoder, Amazon EC2 (AMIs), Amazon EMR, DynamoDB, Amazon VPC, Amazon RDS, Amazon Redshift, ElastiCache, Route 53
MPAA Security Best Practices
AWS alignment to MPAA security best practices reviewed October 2012
Based on AWS shared responsibility model
(MPAA Best Practices) – AWS Services in Scope
– Amazon Elastic Compute Cloud (EC2)
– Amazon Virtual Private Cloud (VPC)
– Amazon Simple Storage Service (S3)
– Amazon Elastic Block Store (EBS)
– Amazon Relational Database Service (RDS)
– Amazon DynamoDB
– Elastic Load Balancing (ELB)
– AWS Identity and Access Management (IAM)
– Amazon CloudFront
– Amazon Glacier
– AWS Import/Export
– AWS Direct Connect
– Amazon Route 53
– Amazon Elastic Transcoder
– and the supporting data centers
(MPAA Best Practices) - Content Types in Scope
Phases: Preproduction, Production, Production Wrap, Postproduction, Distribution
Content types across those phases: Storyboards, Scripts, Location Footage, Screen Tests, Call Sheets, Raw Files, Dailies, Script Edits, Editorial, Audio Files, Media Files, VFX, Master Files, Theatrical Prints
MPAA Content Security Best Practices on AWS
The MPAA best practices group their controls into three areas:
• Management Systems: Organization & Management; Competency
• Physical Security: Facility; Asset Management; Transport
• Digital Security: Infrastructure; Content Management; Content Transfer
On AWS, the Facility, Asset Management and Transport controls of Physical Security are recast as virtual resources; Organization & Management, Competency and Content Management remain under Management Systems and Digital Security.
AWS Physical Infrastructure Security
Which controls does AWS provide under the shared responsibility model?
AWS Security Controls
• Access points
  • HTTP or HTTPS (SSL/TLS) access
  • Amazon VPC allows VPN access as well
  • Redundant connection to more than one communication service at each Internet-facing edge
• API requests
  • SOAP – must be signed (using X.509 certs with an RSA public key)
  • Query – signed with an HMAC-SHA1 or HMAC-SHA256 keyed hash over the request, computed with the secret access key
• SSH to Amazon EC2 instances – requires a public/private key pair (a certificate for RDP on Windows instances)
• AWS multi-factor authentication (MFA)
• Key management and rotation
AWS Identity and Access Management (IAM)
Unique security credentials
• Access keys, login/password, MFA device
• Federated authentication (AWS Security Token Service STS)
Policies control access to AWS APIs
• API calls must be signed by either: X.509 certificate or secret key
Deep integration with other AWS services
• Amazon S3: policies on objects and buckets
• Amazon SimpleDB: domains
• Amazon EC2 resource permissions
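The "API requests" slide and this IAM slide describe one mechanism: every request is signed with a keyed hash (HMAC-SHA256 in Signature Version 4), so the service can confirm which credential sent it and that nothing covered by the signature changed in transit. The following is an added example written for this page, not code from the talk or from an AWS SDK. It implements the SigV4 canonical request, the scoped signing-key derivation, the signature, and the service-side check in Go. The request, the access key ID and the secret are constructed placeholders (the secret is the placeholder string AWS uses in its own documentation); region and service (us-east-1, iam) are assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Request holds the parts of an HTTP request that a SigV4 signature covers.
type Request struct {
	Method  string
	Path    string
	Query   string // canonical query string: URL-encoded, sorted by key
	Headers map[string]string
	Body    []byte
}

func hmacSHA256(key []byte, data string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(data))
	return mac.Sum(nil)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// CanonicalRequest serialises the request exactly as both sides must see it:
// method, path, query, lower-cased sorted headers, the list of signed header
// names, and the SHA-256 of the payload. A header not in that list is unsigned.
func CanonicalRequest(r Request) (canonical, signedHeaders string) {
	lower := make(map[string]string, len(r.Headers))
	for name, value := range r.Headers {
		lower[strings.ToLower(name)] = strings.TrimSpace(value)
	}
	names := make([]string, 0, len(lower))
	for name := range lower {
		names = append(names, name)
	}
	sort.Strings(names)
	var hdrs strings.Builder
	for _, name := range names {
		hdrs.WriteString(name + ":" + lower[name] + "\n")
	}
	signedHeaders = strings.Join(names, ";")
	canonical = strings.Join([]string{r.Method, r.Path, r.Query, hdrs.String(), signedHeaders, sha256Hex(r.Body)}, "\n")
	return canonical, signedHeaders
}

// SigningKey derives a per-day, per-region, per-service key from the secret,
// so the long-term secret is never applied directly to a request.
func SigningKey(secret, date, region, service string) []byte {
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service)
	return hmacSHA256(k, "aws4_request")
}

// Sign returns the hex signature and the Authorization header carrying it.
// amzDate is the x-amz-date value (YYYYMMDD'T'HHMMSS'Z'); its first 8 characters scope the key.
func Sign(r Request, accessKey, secret, amzDate, region, service string) (signature, authorization string) {
	canonical, signedHeaders := CanonicalRequest(r)
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	stringToSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, sha256Hex([]byte(canonical))}, "\n")
	signature = hex.EncodeToString(hmacSHA256(SigningKey(secret, amzDate[:8], region, service), stringToSign))
	authorization = fmt.Sprintf("AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s",
		accessKey, scope, signedHeaders, signature)
	return signature, authorization
}

// Verify is the service side: recompute the signature from the stored secret
// and compare in constant time. Any change to a signed part of the request,
// or a signature made for another region or service, fails here.
func Verify(r Request, secret, amzDate, region, service, presented string) bool {
	expected, _ := Sign(r, "", secret, amzDate, region, service)
	return hmac.Equal([]byte(expected), []byte(presented))
}

// ExampleRequest is a constructed IAM ListUsers call. The credentials used with
// it below are placeholder values, not real keys.
func ExampleRequest() Request {
	return Request{
		Method: "GET", Path: "/", Query: "Action=ListUsers&Version=2010-05-08",
		Headers: map[string]string{
			"content-type": "application/x-www-form-urlencoded; charset=utf-8",
			"host":         "iam.amazonaws.com",
			"x-amz-date":   "20150830T123600Z",
		},
	}
}

func main() {
	_, auth := Sign(ExampleRequest(), "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "20150830T123600Z", "us-east-1", "iam")
	fmt.Println(auth)
}
```

The scope in the credential string is why a leaked signature is of limited use: it only verifies for that date, region and service, and only for a request whose signed parts are byte-for-byte identical.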
Amazon EC2 Security Controls
EC2 (guest) operating system
• Controlled by YOU
• YOU have admin/root
• AWS has NO visibility
• YOU generate the key pairs
Diagram: an EC2 instance in Availability Zone A, inside a security group, within the AWS cloud.
Security groups (stateful filters)
• YOU control the mandatory inbound firewall
• Default is deny all
• +Egress in the case of Amazon VPC
Signed API calls
Security Group Adobe_FMS Configuration
Protocol   Port range   Source
TCP        80           0.0.0.0/0
TCP        1111         0.0.0.0/0
TCP        1935         0.0.0.0/0
UDP        1935         0.0.0.0/0
SSH        22           192.168.0.41/10
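The Adobe_FMS table is worth auditing by hand: port 1111 is open to the whole Internet, and 192.168.0.41/10 is not the single host it looks like, because a /10 with host bits set admits 2^22 addresses (EC2 evaluates it as 192.128.0.0/10). The check below is an added example, not code from the talk, that reads rules in the slide's columns and flags exactly those two mistakes. The set of administrative ports, including 1111 as the Adobe FMS administration console port, is an assumption of this example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound entry of an EC2 security group, in the columns the
// Adobe_FMS slide uses. The slide's "SSH" row is TCP port 22, so it is
// written here as tcp/22.
type Rule struct {
	Proto  string
	Port   int
	Source string // CIDR such as 0.0.0.0/0
}

// Finding is one reason a rule deserves a second look.
type Finding struct {
	Rule   Rule
	Reason string
}

// adminPorts should never be reachable from 0.0.0.0/0. Including 1111 is an
// assumption of this example: the group is for Adobe FMS, whose administration
// console listens on 1111 by default.
var adminPorts = map[int]string{22: "SSH", 3389: "RDP", 1111: "FMS admin console"}

// AuditRule runs three checks: a source whose host bits are set (the slide's
// 192.168.0.41/10 is really 192.128.0.0/10), an admin port open to the
// Internet, and an admin port open to anything wider than a /24.
func AuditRule(r Rule) []Finding {
	var out []Finding
	ip, network, err := net.ParseCIDR(r.Source)
	if err != nil {
		return []Finding{{r, "source is not a valid CIDR: " + r.Source}}
	}
	ones, bits := network.Mask.Size()
	if !ip.Equal(network.IP) {
		out = append(out, Finding{r, fmt.Sprintf(
			"host bits set in %s: the rule actually admits %s (2^%d addresses); a single host is a /%d",
			r.Source, network, bits-ones, bits)})
	}
	if service, ok := adminPorts[r.Port]; ok {
		switch {
		case ones == 0:
			out = append(out, Finding{r, service + " is open to the whole Internet; restrict it to a bastion host or office range"})
		case ones < 24:
			out = append(out, Finding{r, fmt.Sprintf("%s is reachable from a /%d; restrict it to a bastion /32 or office range", service, ones)})
		}
	}
	return out
}

// AuditGroup collects the findings for every rule in a group.
func AuditGroup(rules []Rule) []Finding {
	var out []Finding
	for _, r := range rules {
		out = append(out, AuditRule(r)...)
	}
	return out
}

// AdobeFMSRules is the group exactly as printed on the slide.
func AdobeFMSRules() []Rule {
	return []Rule{
		{"tcp", 80, "0.0.0.0/0"},
		{"tcp", 1111, "0.0.0.0/0"},
		{"tcp", 1935, "0.0.0.0/0"},
		{"udp", 1935, "0.0.0.0/0"},
		{"tcp", 22, "192.168.0.41/10"},
	}
}

func main() {
	for _, f := range AuditGroup(AdobeFMSRules()) {
		fmt.Printf("%s/%d from %s: %s\n", f.Rule.Proto, f.Rule.Port, f.Rule.Source, f.Reason)
	}
}
```

Ports 80 and 1935 open to the world are expected for a public streaming tier and produce no finding; the point of the check is the admin surface and the mistyped prefix, which a glance at the console table does not reveal.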
Amazon Virtual Private Cloud (VPC)
• Isolated environment
• Ingress and egress filters
• Network ACLs
• Routing rules
Diagram: a VPC with a public subnet (instances in a security group, reachable through an Internet gateway and an Elastic IP) and a private subnet (instances in a security group), connected to the corporate data center over a VPN connection through a VPN gateway.
Amazon S3 Security Controls
• Bucket- and object-level permissions
• Owner only access (by default)
• Signed URLs/query string authentication
• IAM policies
• Versioning (MFA delete)
• Detailed access logging
Diagram: content moves from the corporate data center into Amazon S3, with access logs recorded.
S3 Client Side Encryption with AWS SDK for Java
Look for the AmazonS3EncryptionClient class (a subclass of AmazonS3Client). The SDK generates a one-time envelope key for the object, encrypts the content with it, encrypts the envelope key with your master key, and uploads the encrypted content together with the encrypted envelope key. The master key stays on the client side and is never sent to S3.
S3 Server-Side Encryption (at Rest)
Encryption is requested per upload through an HTTP header on the PUT. Amazon S3 then handles:
• Encryption: the stored data is encrypted with an envelope key, and that envelope key is encrypted by the S3 master key
• Decryption on authorized reads
• Key management: the master key is stored separately from your data
• 256-bit AES encryption
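The client-side and server-side slides show the same envelope construction: a one-time data key encrypts the content, and a master key encrypts only that data key, so the bulk ciphertext can be stored anywhere while the master key stays put. The added example below, not code from the talk or from the AWS SDK for Java, implements the client-side variant in Go with AES-256-GCM and binds the S3 object key into the authenticated data, so an envelope copied under another object name fails to decrypt. The key sizes, the choice of GCM, and the sample object key are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what is stored in S3 next to the object: the content sealed under
// a fresh data key, and that data key sealed under the customer master key.
// The master key never leaves the client; S3 only ever sees this structure.
type Envelope struct {
	WrappedKey []byte // data key encrypted under the master key
	Ciphertext []byte // content encrypted under the data key
}

// seal encrypts with AES-256-GCM and prepends the random 12-byte nonce.
// aad is authenticated but not encrypted; binding the S3 object key to it means
// an envelope copied under a different object name will not open.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; GCM's tag check fails on any change to the ciphertext,
// the nonce, or the aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a one-time 256-bit data key for this object, encrypts the
// content with it, then wraps the data key under the master key.
func Encrypt(masterKey, content []byte, objectKey string) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Envelope{}, err
	}
	ciphertext, err := seal(dataKey, content, []byte(objectKey))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(masterKey, dataKey, []byte(objectKey))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ciphertext}, nil
}

// Decrypt unwraps the data key with the master key, then opens the content.
func Decrypt(masterKey []byte, env Envelope, objectKey string) ([]byte, error) {
	dataKey, err := unseal(masterKey, env.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dataKey, env.Ciphertext, []byte(objectKey))
}

// NewKey returns a random 256-bit key. A real master key would come from the
// customer's key store or HSM rather than being generated per run.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func main() {
	master, _ := NewKey()
	env, _ := Encrypt(master, []byte("dailies, day 7, reel 3"), "dailies/day07/reel3.mov")
	plain, err := Decrypt(master, env, "dailies/day07/reel3.mov")
	fmt.Printf("%d-byte wrapped key, %d-byte ciphertext, decrypts to %q (err=%v)\n",
		len(env.WrappedKey), len(env.Ciphertext), plain, err)
}
```

Rotating the master key under this scheme means re-wrapping each object's small data key, not re-encrypting the media itself, which is the property that makes envelope encryption workable for large assets.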
Example S3 Policies
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}
Example S3 Policies (per-user prefix using the aws:username policy variable)
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
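The second policy works because ${aws:username} is substituted from the caller's identity before the resource pattern is matched, which turns one policy document into a per-user prefix. The following is an added example, not code from the talk, that parses the slide's policy and evaluates requests against it under the IAM rules that matter here: deny by default, an explicit Deny beats any Allow, case-insensitive action names, and wildcards that span "/". Conditions, NotAction/NotResource and bucket policies are deliberately left out. The Deny policy in the usage is constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// StringOrList accepts both "s3:GetObject" and ["s3:GetObject", ...], the two
// spellings IAM allows for Action and Resource (the slide's policies use both).
type StringOrList []string

func (s *StringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = StringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type Statement struct {
	Effect   string       `json:"Effect"`
	Action   StringOrList `json:"Action"`
	Resource StringOrList `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

func ParsePolicy(doc string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(doc), &p)
	return p, err
}

// glob matches IAM wildcards: '*' spans any run of characters including '/'
// (path.Match would stop at '/', which is wrong for ARNs) and '?' matches one.
func glob(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if glob(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && (pattern[0] == '?' || pattern[0] == s[0]) && glob(pattern[1:], s[1:])
}

func matchesAny(patterns []string, value string, foldCase bool) bool {
	if foldCase {
		value = strings.ToLower(value)
	}
	for _, pat := range patterns {
		if foldCase {
			pat = strings.ToLower(pat)
		}
		if glob(pat, value) {
			return true
		}
	}
	return false
}

// expand substitutes policy variables such as ${aws:username} from the request context.
func expand(patterns []string, vars map[string]string) []string {
	out := make([]string, len(patterns))
	for i, pat := range patterns {
		for name, value := range vars {
			pat = strings.ReplaceAll(pat, "${"+name+"}", value)
		}
		out[i] = pat
	}
	return out
}

// Evaluate applies the IAM decision rules this example covers: deny by default,
// an explicit Deny beats any Allow, actions compare case-insensitively and
// resources case-sensitively. Conditions and bucket policies are out of scope.
func Evaluate(p Policy, action, resource string, vars map[string]string) bool {
	allowed := false
	for _, st := range p.Statement {
		if !matchesAny(st.Action, action, true) || !matchesAny(expand(st.Resource, vars), resource, false) {
			continue
		}
		if strings.EqualFold(st.Effect, "Deny") {
			return false
		}
		if strings.EqualFold(st.Effect, "Allow") {
			allowed = true
		}
	}
	return allowed
}

// PerUserPrefixPolicy is the slide's second policy, unchanged.
const PerUserPrefixPolicy = `{"Statement":[{"Effect":"Allow","Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion","s3:DeleteObject","s3:DeleteObjectVersion"],"Resource":"arn:aws:s3:::examplebucket/${aws:username}/*"}]}`

func main() {
	p, _ := ParsePolicy(PerUserPrefixPolicy)
	alice := map[string]string{"aws:username": "alice"}
	fmt.Println(Evaluate(p, "s3:PutObject", "arn:aws:s3:::examplebucket/alice/reel3.mov", alice))
	fmt.Println(Evaluate(p, "s3:PutObject", "arn:aws:s3:::examplebucket/bob/reel3.mov", alice))
}
```

Note that the per-user policy grants nothing at the bucket level, so a user with only this policy cannot list the bucket; listing needs the s3:ListBucket grant from the first policy, and even then the listing is not confined to the user's own prefix unless a condition on s3:prefix is added.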
Amazon CloudFront Security
• CloudFront's private content feature: only deliver content to securely signed requests
• HTTPS-only requests/delivery
• CloudFront origin access identity (so the S3 origin serves CloudFront only, not direct requests that bypass the signed URL check)
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS-only origin fetches
• Trusted signers
• Access logs
Diagram: end users send signed HTTP(S) requests to CloudFront, which fetches from Amazon S3 (media storage) or from delivery EC2 instances in a security group; access logs are written to Amazon S3 (logs storage).
CloudFront Origin Access Identity (bucket policy granting the identity read access)
{
  "Statement": [
    {
      "Sid": "Grant a CloudFront Origin Identity access",
      "Effect": "Allow",
      "Principal": { "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
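Signed URLs and the origin access identity work together: the bucket policy above lets only CloudFront read the origin, and the signed URL lets CloudFront decide which end user may fetch which object until when. The added example below, not code from the talk, signs a canned-policy URL the way a trusted signer does (RSA-SHA1 over the policy document, CloudFront's URL-safe base64 alphabet) and verifies it the way the edge does. The distribution domain d111111abcdef8.cloudfront.net and the key pair ID APKAEXAMPLE are placeholders, and the key pair is generated on the fly for illustration rather than loaded from a registered CloudFront key pair.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'.
var (
	cfEncode = strings.NewReplacer("+", "-", "=", "_", "/", "~")
	cfDecode = strings.NewReplacer("-", "+", "_", "=", "~", "/")
)

// CannedPolicy is the document a canned signed URL stands for: one resource,
// valid until the given epoch second. The edge rebuilds it from the URL.
func CannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// NewSigner makes a trusted-signer key pair for the example. In production the
// public half is the CloudFront key pair registered on the account and the
// private half stays with the application that issues URLs.
func NewSigner() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignURL appends Expires, Signature and Key-Pair-Id. The signature is RSA-SHA1
// (PKCS#1 v1.5) over the canned policy, which is what CloudFront verifies.
func SignURL(resource string, expires int64, keyPairID string, priv *rsa.PrivateKey) (string, error) {
	digest := sha1.Sum([]byte(CannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s", resource, sep, expires,
		cfEncode.Replace(base64.StdEncoding.EncodeToString(sig)), url.QueryEscape(keyPairID)), nil
}

// VerifyURL is the edge's side: split off the three signing parameters (which
// SignURL always appends last), refuse the request once Expires has passed, and
// check the signature with the trusted signer's public key. A changed path, a
// changed expiry, or a key pair that is not a trusted signer all fail here.
func VerifyURL(signed string, now int64, trusted *rsa.PublicKey) error {
	idx := strings.LastIndex(signed, "Expires=")
	if idx < 1 {
		return errors.New("not a signed URL")
	}
	resource := strings.TrimRight(signed[:idx], "?&")
	params, err := url.ParseQuery(signed[idx:])
	if err != nil {
		return err
	}
	expires, err := strconv.ParseInt(params.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("malformed Expires")
	}
	if now >= expires {
		return errors.New("URL has expired")
	}
	sig, err := base64.StdEncoding.DecodeString(cfDecode.Replace(params.Get("Signature")))
	if err != nil {
		return errors.New("malformed Signature")
	}
	digest := sha1.Sum([]byte(CannedPolicy(resource, expires)))
	if rsa.VerifyPKCS1v15(trusted, crypto.SHA1, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := NewSigner()
	// Placeholder distribution domain and key pair ID, not values from the talk.
	signed, _ := SignURL("https://d111111abcdef8.cloudfront.net/dailies/day07/reel3.mp4", 1700000000, "APKAEXAMPLE", priv)
	fmt.Println(signed)
	fmt.Println(VerifyURL(signed, 1699999000, &priv.PublicKey))
}
```

Because the policy is reconstructed from the URL itself, nothing about the grant can be altered client-side without invalidating the signature, and the expiry is enforced by the edge rather than by the application that issued the link.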
Edge Locations (a number in parentheses is the count of locations in that city)
North America: Ashburn (3), New York (3), Dallas (2), Los Angeles (2), St. Louis, Miami, Jacksonville, Seattle, Newark, South Bend, San Jose, Palo Alto, Hayward
Europe: London (2), Amsterdam (2), Frankfurt (2), Paris (2), Dublin, Stockholm, Milan, Madrid
Asia Pacific: Singapore (2), Hong Kong (2), Tokyo (2), Osaka, Sydney, Seoul, Mumbai, Chennai
South America: Sao Paulo
A Word on Content Location..
You are making API calls on a growing set of services around the world. CloudTrail continuously records those API calls and delivers log files to you.
Introducing AWS CloudTrail
AWS CloudTrail
• Conduct audits for compliance
• Review API call activity within your account
• User activity logs to demonstrate compliance with government and
industry regulatory standards
• Monitor user activity for suspicious behavior
• Monitor user activity for specific known undesired behavior(s) and
raise alarms using their (SIEM) solutions
• Conduct security analytics to identify potential security issues
• Identify suspicious behavior and latent patterns that don’t trigger
immediate alarms but that may represent a security issue
AWS CloudTrail Usage
1. Create an S3 bucket on the customer's account (default name generated
or customer specified)
• Permissions added to the bucket to allow AWS CloudTrail to write to it
• User-specified bucket expiration policy applied
2. Optionally, create an Amazon SNS topic in the same manner as the bucket
above
3. Call CreateTrail to provide the bucket, topic, and S3 object prefix
4. Call StartLogging to start event processing for the account
Steps 1 and 2 are calls the user makes directly to Amazon S3/SNS.
Steps 3 and 4 are the only AWS CloudTrail calls.
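Once StartLogging is called, each object CloudTrail delivers to the bucket is a JSON document with a Records array. The slide lists monitoring for known undesired behaviour as the reason to collect it; the added example below, not from the talk, parses a constructed log file and applies three such rules: console login without MFA, any call made with root credentials, and calls that stop or alter the trail itself. The five records and every value in them are constructed for this example; the field names (eventName, eventSource, userIdentity.type, additionalEventData.MFAUsed and so on) are the ones CloudTrail uses for these events.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record carries the CloudTrail fields these rules read; a real record has more.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	SourceIP     string `json:"sourceIPAddress"`
	UserIdentity struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
	AdditionalEventData struct {
		MFAUsed string `json:"MFAUsed"`
	} `json:"additionalEventData"`
}

// LogFile is the shape of one delivered object: {"Records":[...]}.
type LogFile struct {
	Records []Record `json:"Records"`
}

type Alert struct {
	Rule   string
	Record Record
}

func ParseLogFile(data []byte) ([]Record, error) {
	var f LogFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, err
	}
	return f.Records, nil
}

// auditTamper lists CloudTrail calls that switch off or weaken the trail itself.
var auditTamper = map[string]bool{"StopLogging": true, "DeleteTrail": true, "UpdateTrail": true}

// Detect applies three "known undesired behaviour" rules: a console login
// without MFA, any call made with root credentials, and any attempt to stop or
// alter the trail. The rules are independent, so one record can raise several.
func Detect(records []Record) []Alert {
	var alerts []Alert
	for _, r := range records {
		if r.EventName == "ConsoleLogin" && r.AdditionalEventData.MFAUsed != "Yes" {
			alerts = append(alerts, Alert{"console login without MFA", r})
		}
		if r.UserIdentity.Type == "Root" {
			alerts = append(alerts, Alert{"root credentials used for " + r.EventName, r})
		}
		if r.EventSource == "cloudtrail.amazonaws.com" && auditTamper[r.EventName] {
			alerts = append(alerts, Alert{"audit trail tampering: " + r.EventName, r})
		}
	}
	return alerts
}

// SampleLog is a constructed log file with five records, not real CloudTrail output.
const SampleLog = `{"Records":[
 {"eventTime":"2013-11-14T09:12:03Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"editor1"},"additionalEventData":{"MFAUsed":"Yes"}},
 {"eventTime":"2013-11-14T09:15:41Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"IAMUser","userName":"contractor7"},"additionalEventData":{"MFAUsed":"No"}},
 {"eventTime":"2013-11-14T09:20:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"203.0.113.7","userIdentity":{"type":"IAMUser","userName":"editor1"}},
 {"eventTime":"2013-11-14T09:31:17Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"198.51.100.23","userIdentity":{"type":"IAMUser","userName":"contractor7"}},
 {"eventTime":"2013-11-14T10:02:55Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"203.0.113.9","userIdentity":{"type":"Root"}}
]}`

func main() {
	records, err := ParseLogFile([]byte(SampleLog))
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(records) {
		fmt.Printf("%s  %-36s %s %s from %s\n", a.Record.EventTime, a.Rule,
			a.Record.UserIdentity.Type, a.Record.UserIdentity.UserName, a.Record.SourceIP)
	}
}
```

The StopLogging rule is the one to wire to an alarm first: an attacker who can stop the trail removes the evidence for every other rule, and the call itself is the last thing CloudTrail will record.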
Path to MPAA Best Practices Alignment
AWS layer, covered by SOC 1/2 and ISO 27001: facilities, physical security, physical infrastructure, network infrastructure, virtualization infrastructure
Customer layer: application, security groups, operating system, access management, network configuration
Third-party auditor
MPAA Alignment for Sony MCS
(Powered by AWS)
Sony Media Cloud Services: on-demand cloud-based solutions designed to empower media professionals to create and securely manage high-value, high-resolution content.
Who? Exponential growth; securely organize, manage and archive.
Why? Putting the cloud to work: television editorial and legal review; major motion picture dailies previewing; small budget productions and original content; emergency content backup; archived content; marketing and stock footage operations.
Sony MCS Alignment to MPAA
• Ensure security becomes part of tech team DNA
• Leverage internal + MPAA best practices
• Leverage AWS security features (IAM, VPC…)
• ISO 27001 certification preparation
• Vulnerability assessments – penetration testing
• On-going security program
• MCS alignment to MPAA Security Best Practices reviewed March 2013
MCS – MPAA Content Security Best Practices Alignment
Infrastructure Security (AWS)
• Facilities
• Physical security
• Network infrastructure
• Virtualization infrastructure
Logical Security (MCS)
• Operating system
• Applications
• Security groups / VPCs
• Network configuration
• Account management
AWS Accelerators
• IAM
• VPCs
• S3 security features
• EC2 security features
• CloudFront security features
Applications deployed on the AWS Cloud; applications deployed on-premises
WORKFLOWS AND CLOUD CHALLENGES
Roles: editor, creative director, VFX, producer, legal, marketing
Workflow steps: upload/ingest, log/review, rough cut, preview, archive, stream/interact, search/manage, share/download
Cloud challenges: store/process, access control, stream/watermark, integrity, availability
Sony MCS AWS Security Considerations
Architecture: UI, API, content processing and transfer cluster tiers in auto scaling groups inside a VPC; data in RDS, NoSQL, S3, ElastiCache and Glacier; SWF for workflow, SES for mail, CloudFront for delivery, plus logging (SQS not shown).
• VPC isolation
• Security groups
• Other controls: signed URLs, SSE and checksums on S3; access control; monitoring; authentication via STS; file check and virus scan on ingest; encrypted transfer; watermarking and HTTPS for streaming; signed URL verification
Partner with AWS to Innovate on Security
AWS Controls
AWS IAM
Agile trust zones
(Security groups + VPC)
Standardized environments
AWS solution architects
AWS professional services
AWS premium support
AWS Trusted Advisor
AWS Partner Network
More Information – Where to Go Next ..
• AWS Security Center (aws.amazon.com/security)
• AWS security white paper
• AWS security procedures
• AWS Compliance website (aws.amazon.com/compliance)
• AWS compliance white paper
• Third-party attestations, reports, and certifications
• AWS assurance programs
• Contact us
• Contact your sales team
• AWS help and support center
MED 401