Content Security for Media & Entertainment
Exploring content security perspectives and challenges for studios, live sports, events, and subscription content
What Makes Content Security Difficult to Achieve?
Many media organizations feel uneasy about needing to oversee the configuration of their infrastructure, while trying to determine and implement the right set of content security standards for the high-value studio, live sports and events, and subscription content for which they are responsible.
No video producer, vendor, or distributor wants to be a target for piracy, content spoofing, or other malicious attacks, but the higher the demand for video content is, the higher the risks are, and the greater the challenges information security and operations teams have attempting to design, maintain, and quickly evolve the content security of their media workflow.
A few things in particular bear the blame for the majority of these content security frustrations: over-reliance on manual processes, under-reliance on automated processes, and the inability to fully monitor data.
Content Security Problems and Perspectives
Generally, the reasons video providers struggle with content security are twofold:
Content security problem no. 1: Lack of visibility
Without expensive and complex tooling to provide an accurate, real-time asset inventory, information security teams struggle to identify where assets are moving and who is using or accessing them.
Many media organizations simply don’t have the level of visibility that they would like. And, without visibility, it is challenging for organizations to adequately secure their infrastructure and their data to meet their content security and compliance requirements.
Content security problem no. 2: Low degree of automation
Another common content security challenge is trying to get rid of the manual processes employed to remediate issues—such as copying and pasting information from one tool to another, or manually applying patches. It’s also difficult to automate key security tasks because of interoperability issues between third-party tools and those designed in-house.
Manual processes tend to lead to inconsistent execution, longer wait times to address all systems, and disruptions to the customer experience. The whole goal of automation is to programmatically handle content security tasks that would otherwise be done manually by IT, IS, or operations staff.
This combination of limited visibility into the environment coupled with a low degree of automation forces organizations into a content security trade-off: They can either choose to be fast and agile, or they can choose to be secure.
An Overview of Content Security Design at AWS
Content security is paramount for media storage, processing, and creation workloads, and can particularly impact a studio's bottom line if done poorly. AWS content security solutions are designed to remove the trade-off between speed, agility, and security—no either/or choice required.
Specific to media and entertainment content security needs, the Motion Picture Association of America (MPAA) established content security best practices for storage and processing workloads in the cloud. These best practices are made up of selected requirements from a set of industry security standards based on ISO, OWASP, CSA, PCI, NIST 800-53, and others. Alignment with MPAA guidelines requires a self-assessment or inspection without a formal audit process. Read more to learn how AWS content security works with the MPAA Content Security Model and MPAA Content Security Best Practices.
AWS also works with third-party auditors (such as Independent Security Evaluators, ISE) to assess AWS content security controls and build reference templates of AWS security controls for content production workloads, including rendering workloads for content creation and media asset management and archive in the cloud. These templates, based on the security standards of major studios for tier-1 assets across these workloads, can be downloaded for free from the AWS Artifact compliance reports page.
Because AWS provides highly integrated logging and monitoring as well as integrated tools to automate core security functions, you can use AWS to innovate quickly and maintain your content security posture. The AWS shared security responsibility model outlines how it works:
AWS is responsible for securing the underlying infrastructure that supports the cloud, and customers are responsible for anything they put on or connect to the cloud. The amount of security configuration work you do varies depending on which services you select and how sensitive your data is. (See the Overview of Security Processes for details.)
The shared security responsibility model can reduce your operational burden in many ways, and in some cases may even improve your default security posture without additional action on your part.
AWS provides a wide variety of best practices documents, encryption tools, and guidance you can leverage to deliver application-level security measures. Examining the AWS Cloud, you see the same security isolations employed as would be found in a traditional data center. These include physical data center security, separation of the network, isolation of the server hardware, and isolation of storage.
In addition, the AWS Partner Network (APN) offers hundreds of tools and features to help customers meet content security objectives, including network security, configuration management, access control, and data encryption.
AWS customers inherit all the best practices of AWS policies, architecture, and operational processes built and tested against the strictest of third-party assurance frameworks to satisfy the requirements of the most security-sensitive organizations.
AWS stands out in terms of content security capabilities with more than 200 significant compliance, governance, and security certifications including compliance and standards support for PCI-DSS, HIPAA/HITECH, FedRAMP, SEC Rule 17-a-4, EU Data Protection Directive, and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.
AWS regularly achieves third-party validation for thousands of global compliance requirements that are continually monitored to help you meet security and compliance standards. Regardless of industry, organizational size, or investment, you receive the latest security controls operated by AWS, strengthening your own compliance and certification programs, while also receiving access to tools you can use to reduce the cost and time of running your own specific security assurance requirements.
Content Security Capabilities of AWS Media Services
Use AWS Media Services to transport, prepare, process, deliver, and scale live and on-demand content in the cloud. Connect with other AWS services and third-party applications for media storage, machine learning, content protection, monetization campaigns, and more. Examples of content security components within media services include:
AWS Elemental MediaConnect: Combining reliable video transport, highly secure stream sharing, and real-time network traffic and video monitoring, MediaConnect lets you secure your live video using industry-standard encryption, and only share content with authorized customers. This gives you control over the distribution of your content.
AWS Elemental MediaConvert: Supporting ultra-high definition resolutions, high dynamic range video, graphic overlays, advanced audio features, content protection, and closed captioning, MediaConvert offers file-based video transcoding with broadcast-grade capabilities and features.
AWS Elemental MediaLive: In addition to advanced capabilities such as statistical multiplexing, ad marker support, audio features including audio normalization and Dolby audio, and multiple caption standards, MediaLive also works natively with MediaConnect, providing secure and reliable transport of video to use as inputs to live channels.
AWS Elemental MediaPackage: MediaPackage prepares and protects your video for delivery over the Internet, and lets you configure a DVR-like experience for viewers of your live stream. It offers support for a range of digital rights management (DRM) providers, supports advanced audio features, and multi-language subtitle tracks.
AWS Elemental MediaStore: MediaStore integrates with AWS features for access control, using AWS Identity and Access Management (IAM) policies and roles, with support for resource policies, allowing you to specify granular access controls.
AWS Elemental MediaTailor: As with all AWS Media Services, MediaTailor is protected by the AWS global network security procedures that are described in the Amazon Web Services: Overview of Security Processes white paper.
Amazon Kinesis Video Streams: Kinesis Video Streams allows you to control access to your streams using AWS Identity and Access Management (IAM). It helps you protect your data by automatically encrypting the data at rest using AWS Key Management Service (KMS) and in transit using the industry-standard Transport Layer Security (TLS) protocol.
SPEKE Now for Content Security
The Secure Packager and Encoder Key Exchange (SPEKE) defines the standard for communication between encryptors and packagers of media content and digital rights management (DRM) key providers.
SPEKE simplifies complex “handshake” challenges by providing a single common interface for integrating any video transcoder or any origin server with any key server, whether running on-premises in a data center or as cloud services. SPEKE is designed for both Video-on-Demand (VOD) and live streaming workflows using either a static (best for VOD) or rotating key.
SPEKE utilizes the Content Protection Information Exchange Format (CPIX) to standardize the method for carrying key and DRM information for encrypting and protecting video content, and adds specifications for authentication and other important behaviors on top of CPIX. Driven by the DASH Industry Forum, CPIX is designed to create operational efficiencies while reducing costs and time-to-market for OTT video services. AWS Elemental MediaPackage uses a CPIX document to communicate with SPEKE about content keys that are used to encrypt your content.
Additionally, SPEKE incorporates AWS Identity and Access Management (IAM) roles to allocate flexible yet secure permission policies, which may be delegated to users, applications, or services to securely enable key exchange between a multi-DRM vendor and a video transcoding or packaging vendor. Video operators may use IAM roles whether the key server and encryptor are running on AWS, on hardware in the operator’s headend or data center, or a combination of the two, and even where the key server and encryptor are running on different cloud infrastructure.
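The SPEKE exchange described above, reduced to its CPIX messages, as an added example that is not code from AWS or from the SPEKE specification: a packager builds a CPIX request naming content key IDs (kids) and DRM systems, a stand-in key provider (constructed here) fills in the key material, and the packager validates the response before the encryptor uses it. The kid and systemId values are constructed placeholders, and the checks (16-byte keys, one DRMSystem entry per requested system) are this example's own minimum, not MediaPackage's.

```python
import base64
import xml.etree.ElementTree as ET

# CPIX (DASH-IF) namespace and the PSKC key-container namespace it embeds.
NS = {"cpix": "urn:dashif:org:cpix", "pskc": "urn:ietf:params:xml:ns:keyprov:pskc"}
C, P = "{%s}" % NS["cpix"], "{%s}" % NS["pskc"]

def build_key_request(content_id, kids, system_ids):
    """Packager side: each ContentKey carries only its kid (no key bytes yet);
    DRMSystem entries name the DRM systems the provider must answer for."""
    root = ET.Element(C + "CPIX", {"id": content_id})
    ckl = ET.SubElement(root, C + "ContentKeyList")
    dsl = ET.SubElement(root, C + "DRMSystemList")
    for kid in kids:
        ET.SubElement(ckl, C + "ContentKey", {"kid": kid})
        for sid in system_ids:
            ET.SubElement(dsl, C + "DRMSystem", {"kid": kid, "systemId": sid})
    return ET.tostring(root, encoding="unicode")

def mock_provider_answer(request_xml, key_for_kid):
    """Stand-in key provider (constructed for this example): echoes the request
    and adds Data/Secret/PlainValue with the base64 key for every ContentKey."""
    root = ET.fromstring(request_xml)
    for ck in root.findall("cpix:ContentKeyList/cpix:ContentKey", NS):
        secret = ET.SubElement(ET.SubElement(ck, C + "Data"), P + "Secret")
        b64 = base64.b64encode(key_for_kid[ck.get("kid")]).decode()
        ET.SubElement(secret, P + "PlainValue").text = b64
    return ET.tostring(root, encoding="unicode")

def validate_key_response(xml_text, expected_kids, system_ids):
    """Packager side, before the encryptor uses anything: every requested kid
    must come back with a 16-byte (AES-128 CENC) key and one DRMSystem entry
    per requested system. Returns {kid: key bytes} or raises ValueError."""
    root = ET.fromstring(xml_text)
    found = {ck.get("kid"): ck
             for ck in root.findall("cpix:ContentKeyList/cpix:ContentKey", NS)}
    drm = {(d.get("kid"), d.get("systemId"))
           for d in root.findall("cpix:DRMSystemList/cpix:DRMSystem", NS)}
    keys = {}
    for kid in expected_kids:
        ck = found.get(kid)
        pv = ck.find("cpix:Data/pskc:Secret/pskc:PlainValue", NS) if ck is not None else None
        if pv is None or not pv.text:
            raise ValueError(f"no key material for kid {kid}")
        key = base64.b64decode(pv.text.strip(), validate=True)
        if len(key) != 16:
            raise ValueError(f"kid {kid}: expected 16-byte key, got {len(key)}")
        for sid in system_ids:
            if (kid, sid) not in drm:
                raise ValueError(f"no DRMSystem entry for kid {kid}, system {sid}")
        keys[kid] = key
    return keys
```

A real deployment would also verify the provider's identity and the request's authorization (the IAM role the text mentions) before trusting the document at all; this block covers only the content checks on the CPIX payload itself.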
Scale Securely with Superior Visibility and Control
With AWS, you control where your data is stored, who can access it, and what resources your organization is consuming at any given moment.
Fine-grained Identity and Access Management controls, combined with continuous monitoring for near real-time security information, help ensure that the right resources have the right access at all times, wherever your information is stored.
Reduce risk as you scale by using security automation and activity monitoring and logging services to detect suspicious security events, like configuration changes, across your ecosystem. AWS and Amazon solutions designed for content security analysis include:
• Amazon CloudWatch for monitoring and observability.
• AWS CloudTrail for governance, compliance, operational auditing, and risk auditing.
• Amazon GuardDuty for threat detection and monitoring for malicious activity and unauthorized behavior.
• Amazon Detective for analyzing, investigating, and quickly identifying the root cause of potential security issues or suspicious activities.
• AWS Security Hub for aggregating, organizing, and prioritizing your security alerts or findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions.
Automate and Reduce Risk with Deeply Integrated Services
What makes cloud-based video content security work? A big contributor is the ability to automate the tedious and arduous.
Automating security tasks on AWS enables you to be more secure by reducing human configuration errors and giving your team more time to focus on other work critical to your business. Select from a wide variety of deeply integrated solutions that can be combined to automate tasks in novel ways, making it easier for your security team to work closely with developer and operations teams to create and deploy code faster and more securely.
For example, by employing machine learning, you can automatically and continuously discover, classify, and protect sensitive data in AWS with just a few clicks in the management console. Two of the most powerful machine-learning solutions for content security you can use include:
• Amazon GuardDuty for threat detection that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
• Amazon Macie for data security and data privacy that uses machine learning and pattern matching to discover and protect your sensitive data in AWS, such as personally identifiable information (PII).
You can also automate infrastructure and application security checks to continually enforce your security and compliance controls and help ensure confidentiality, integrity, and availability at all times, thus enhancing overall content security.
Automate in a hybrid environment with information management and security tools to easily integrate AWS as a seamless and secure extension of your on-premises and legacy environments.
Automation helps reduce the amount of noise and manual work your security engineers have to pay attention to so they can focus their expertise where it really matters for your business.
Build with the Highest Standards for Privacy and Data Security
AWS is vigilant about customer privacy and data security. With AWS you can build on the most secure global infrastructure, knowing you always own your data, including the ability to encrypt it, move it, and manage retention.
AWS provides tools that allow you to easily encrypt your data in transit and at rest to help ensure that only authorized users can access it, using keys managed by AWS Key Management Service (KMS) or managing your own encryption keys with CloudHSM using FIPS 140-2 Level 3 validated HSMs.
You have the control and visibility needed to demonstrate compliance with regional and local data privacy laws and regulations, and you retain complete control over the regions in which your data is physically located, helping you meet data residency requirements.
Technical Webcast Series: Content Security for Media Workflows
In this three-part content security webcast series, experts narrow the focus to what studios, video producers, vendors, and distributors need to know to design secure M&E workflows that are easy to implement, monitor, and manage.