AWS for M&E Blog

Securing premium live content with NAGRA NexGuard forensic watermarking on AWS

Authored by Pascal Marie, Director of Product Line Management @ NexGuard – NAGRA. The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.

NAGRA NexGuard Streaming is a forensic watermarking solution built on top of Amazon Web Services (AWS). The NAGRA solution uses AWS Media Services for live signal transport, encoding, and packaging and Amazon CloudFront Functions – a serverless platform that runs lightweight JavaScript code at CloudFront edge locations. JavaScript code is used to verify requests and create individual watermarking sequences. Streaming content is distributed using the Amazon CloudFront content delivery network (CDN).

The processing of the video signal begins with contribution. An AWS Elemental Live appliance or another encoder captures the source video and transmits it to AWS using AWS Elemental MediaConnect.

MediaConnect creates two RTP/FEC streams to two AWS Elemental Media Live encoders. The first encoder will create Variant A of the stream by adding an invisible image overlay without introducing any latency. In the same way, the second MediaLive encoder will create Variant B with its own invisible overlay. For this, we use the image overlay feature of MediaLive with overlay images stored as Amazon Simple Storage Service (Amazon S3) objects. The MediaLive channels can be used in single pipeline or standard pipeline mode, and configured consistently for the targeted adaptive bitrate (ABR) ladder with the H.264 or HEVC codec.

Variants A and B are packaged just in time by AWS Elemental MediaPackage into HLS and DASH streams. Variants A and B are connected to primary and backup inputs of MediaPackage. NexGuard Streaming uses a proprietary configuration of MediaLive and ABR profiles to allow the composition of A/B sequences. The solution can be adapted to use other just-in-time packagers if this is required by the customer.

At the beginning of the streaming session, the user device receives a JSON Web Token (JWT) from the back-end of the online video platform. The backend creates the token following NAGRA guidelines. The token is included in the request for the video.

First, the token is validated for authenticity by CloudFront Functions running at the CDN edge. If the token is invalid, the request is rejected. Next, the function extracts from the token the information required to select the appropriate variant A/B and ensures that a unique sequence of A and B segments is created. This mechanism works to individually identify millions of streaming sessions.

The processing is done in less than 1msec and does not need to access the requested segment data or any other metadata. This fits well with CloudFront Functions, with its  high scalability and low cost per user, allowing for scaling to millions of users common for prime sport matches.

Applying forensic watermarking per streaming session has no impact on the user experience as the video watermark is imperceptible. All users receive the same manifest file and there is no additional processing of video segments. This allows for protection of live streams with a Digital Rights Management (DRM) solution. Any DRM provider supporting the SPEKE protocol can easily be integrated with this watermarking architecture.

The deployment of the solution on AWS is done through a CloudFormation template that deploys and configures all AWS services needed to operate NexGuard Streaming.

The solution architecture is presented in the following diagram:


Anti-piracy services
The detection of watermarks to identify the source of a content leak is a service offered by NAGRA. It uses an automated watermark extraction and identification of the A/B sequence from unauthorized video samples. Requests can be made by monitoring teams, including an excerpt of leaked video, which is typically 5 minutes in duration.

Automatic detections run concurrently. This allows for the processing of many different unauthorized videos at the same time. The detection process does not require information about how the video was initially prepared for distribution and encoded for OTT delivery. The process also works when re-distributed streams have changed framerate, resolution, bitrate, or other parameters.

A forensic watermarking solution plays a vital role in an overall security strategy. It is a key tool for video service providers in the fight against illicit content redistribution. The power of video watermarking is in its ability to precisely identify the source of leaked content. Watermarking can also work in conjunction with NAGRA anti-piracy services, allowing the rapid identification of the leak’s source before remedial actions.

NAGRA NexGuard Streaming running on AWS allows fast scaling to many millions of users for prime sport events. Use of serverless CloudFront Functions reduces the cost of operation and makes for economically sustainable forensic watermarking. Deployment and configuration is automatic, using CloudFormation.Last but not least, the solution can be deployed in any of 26 AWS Regions worldwide.


NAGRA is the digital TV division of the Kudelski Group (SIX: KUD.S). Our engineering excellence, pioneering technology, and end-user focus has allowed us to work with the world’s leading service providers and content owners for over 25 years.

Stacy Lizzo

Stacy Lizzo

Stacy is the Global Partner Marketing Manager for M&E Partners at AWS.

Zavisa Bjelogrlic

Zavisa Bjelogrlic

Zavisa is a Partner Solution Architect Lead | Media and Entertainment | EMEA at Amazon Web Services