AWS for M&E Blog

Securing media content using watermarking at the edge

Guest post by Soonam Jose (Senior Solutions Architect, AWS) and Vladimir Zivkovic (Principal System Architect, Irdeto)

A recent study revealed that pirate subscription services are now a billion-dollar US industry. Piracy of high-value content can be hurtful to all stakeholders and poses major risk to the extended media business model.

Edge computing brings data processing, storage, and analysis closer to the location where they are needed and helps improve response times for users, save bandwidth, and reduce overall costs. Amazon Web Services (AWS) brings security and performance together at the edge with a fully integrated content delivery and security services suite.

AWS for the Edge—which delivers data processing, analysis, and storage close to your endpoints—can be applied to diverse use cases across a wide range of industries. Edge technology in the form of content delivery networks (CDNs) is critical for media and entertainment (M&E) companies, especially as the industry shifts to streaming services.

In this blog, we review an edge-based watermarking solution developed by AWS Technology Partner Irdeto. We also discuss how Amazon CloudFront, a CDN service built for high performance, security, and developer convenience, and Lambda@Edge, a feature of Amazon CloudFront that lets you run code closer to users of your application, can help you to protect M&E workloads at the edge.

Using Amazon CloudFront, you can customize the code you run at the AWS content delivery network edge using serverless compute features to balance cost, performance, and security. And using Lambda@Edge, you can enrich your web applications by making them globally distributed and improving their performance, all with zero server administration.

Edge-based watermarking on AWS

Using forensic watermarking techniques, you can quickly identify and prevent media piracy. Since the edge is where all consumer streaming sessions are delivered from, it is the most logical place to run piracy mitigation functions supported by forensic watermarking. Watermarking can be applied to individual video streams at the edge close to the viewer, minimizing latency while maximizing the ability to protect content at scale.

AB watermarking

AB watermarking represents a method to perform forensics and to support the termination of (video) content piracy by producing per-receiving-device unique sequences of imperceptible watermark symbols, where the symbols have been previously embedded in media segments.

When a stream is pulled from a CDN edge, each user’s device (or player) receives a unique sequence of watermark symbols in a covert manner. Consequently, if the content becomes pirated, it is these exact sequences that will point to the piracy origin—for example, to a user’s device. The following diagram shows the process of creating a unique watermark identifier using AB watermarking.

Overview of AB watermarking

Overview of AB watermarking

There are three entities in the process of AB watermarking:

  1. Watermark symbol embedding (or just embedding)
  2. Watermarked segment switching (or just switching)
  3. Watermark identity provision (or just provision)

Embedding takes place upstream from the CDN edge, and its primary task is to produce A and B stream copies and relevant watermark synchronization metadata. Switching happens exactly at the CDN edge and matches upstream embedded symbols in segments with the device’s token bits. Finally, provision assumes that a user’s device can get a token with an identity so that each request from the device to the CDN edge is accompanied with that token.

Each segment (depicted as a small square with a number inside) is watermarked, meaning that frames inside a segment contain a particular embedded symbol. Thus, the switcher selects a proper segment variant (either A or B) to serve to the requester that corresponds to the bit of the identifier (earlier provisioned to that requester).

Solution overview

In this section, we discuss TraceMark, an edge-based watermarking solution from Irdeto. Using this solution, switching is mapped to the edge. Each user’s device receives a TraceMark Identifier (TMID) hidden in the content. TMIDs are designed so that losing some TMID bits due to reprocessing of content or overlapping of content with ads does not undermine the watermark detection process. The TMID is derived from opaque data in the user’s token, which means that the TMID doesn’t need to be carried in tokens, leading to shorter tokens. The TMID’s derivation doesn’t exceed the performance budget required to decrypt the token, which means that the same cost can be associated with the token processing as the token becomes shorter.

Technical architecture

The TraceMark solution uses Amazon CloudFront and Lambda@Edge to provide watermark switching capabilities. Using Lambda@Edge to run JavaScript at the point of the viewer request, you can perform the following:

  1. Verify the token.
  2. Rewrite the URL to point to the correct A or B segment upstream.
  3. Accommodate a need to prefetch metadata related to watermarking synchronization between watermark embedding and watermark switching.
  4. Decline segments to the rogue requesters.
  5. Support detection and identification of the rogue requesters.

Furthermore, the solution can generate all TMIDs required for switching using Lambda@Edge in near real time, which (1) shortens a token because TMID is not explicitly encoded in the token and (2) removes the need for tokens to be encrypted—they only need to be signed.

Watermark switching solution architecture

Watermark switching solution architecture

The capabilities for provisioning tokens and embedding the watermark in the content are abstracted out in the previous diagram because the primary focus here is switching. Data links are labeled with WM Path and NON WM Path to distinguish between watermarked and nonwatermarked content channels. Finally, different AWS accounts apply for each partition in the content-delivery flow. The Amazon CloudFront edge can be part of one account and the origin with nonwatermarked content can be part of another account. The watermark embedding itself can be abstracted by placing it in another account (labeled “Origin with WM-ed Content”), and the dynamic piracy termination based on WM detection can be part of yet another account.

The shaded AWS accounts correspond to the WM-based additions, and the nonshaded ones are mandated irrespective of watermarking. Depending on how the upstream flow is managed, there can be two options: (1) the non-WM origin can be physically separated from the WM origin, meaning that the upstream compression and packaging systems are also separated, or (2) the non-WM origin can precede the WM origin, meaning that the upstream compression and packaging systems may be shared.

TraceMark switching involves processing a user’s token for each request for watermarked content. Hence, in the diagram, the WM Path between Amazon CloudFront and Lambda@Edge relates to the viewer request and not the origin response or viewer response. As a mechanism for implementing switching, the Lambda@Edge viewer-request plugin provides connectivity to lateral services from the perspective of the over-the-top (OTT) content flow. That is, you can pull the results from a watermark detection service into Lambda@Edge to support discrimination against identified rogue devices. You can also use Lambda@Edge to push small but frequent amounts of data to an identity service, which in turn accumulates this data as the actual identities which consume the stream during the event period. All this lateral communication can be done in a nonintrusive manner (for example, without blocking or delaying Lambda@Edge as it processes a viewer request).


In this blog, we reviewed an edge-based watermarking solution on AWS, built by AWS Partner Irdeto. The solution overlays a unique and virtually invisible mark to identify the source of any content leak.

Edge computing presents new risks and requires new strategies to deliver complete security, and it is never too late to strengthen the security of your network, applications, and data. Surging demand for video-on-demand and over-the-top content has furthered the need for enhanced protection for online video content against leaks and illegal usage. Security services from AWS alongside digital watermarking solutions such as TraceMark provide an additional layer of protection for your media content.

About Irdeto

Irdeto is the world leader in digital platform security, offering solutions and services that enable customers to protect their revenue, create new offerings and fight cybercrime effectively. Building on over 50 years of expertise in security, Irdeto is the leading solutions and services provider for content, video broadcast and streaming services, partnering with movie studios, sports rights holders, and OTT and broadcast operators across the content value chain. With a unique pay-TV operator heritage, Irdeto is the preferred partner to empower a secure world where people can connect with confidence.