The use of cloud services by media companies has seen significant growth in recent years, and this trend is expected to continue apace. However, that exponential growth can create risk, especially where security is concerned, reports John Maxwell Hobbs.
The main drivers of this growth can be attributed to several factors, including the increasing demand for online media content, the move from Capex to Opex budgeting, the need for more scalable and cost-effective infrastructure, and the growing adoption of cloud-based technologies for functions that were previously done onsite such as file exchange and media transcoding.
Other major drivers of cloud adoption are the rise of subscription streaming services and FAST channels, which enable media companies to deliver content directly to consumers over the internet, and the need for more collaborative and efficient content creation and distribution workflows.
Arguably the main benefit of cloud computing is the ability to scale up and scale down services on an as-needed basis allowing broadcasters to support high-demand events like major sporting events and music festivals without having to pay for equipment that remains idle for most of the year.
While cloud computing provides many benefits, as with any technology, there are also security threats that must be considered.
Cloud Security for Media Services: Threats
Some of the common security threats to cloud computing include:
1. Unauthorised access: This is one of the most significant security risks faced by media companies using cloud services. Cybercriminals may try to gain access to media files stored in the cloud by stealing login credentials or exploiting vulnerabilities in the cloud service provider’s security infrastructure.
2. Data breaches: These occur when sensitive data, such as personal information or intellectual property, is stolen, leaked, or accessed by unauthorised parties. This can occur due to vulnerabilities in the cloud service provider’s security infrastructure, or through careless handling of data by employees.
3. Malware and viruses: Cybercriminals may use malware and viruses to gain access to media files stored in the cloud, steal login credentials, or use the cloud infrastructure to launch attacks on other organisations.
4. Distributed Denial of Service (DDoS) attacks: These attacks can be launched against companies using cloud-based CDNs, causing disruption to their services and potentially affecting revenue. DDoS attacks can overload CDNs with traffic, causing them to become unavailable or slowing the delivery of media content to end-users.
Cloud Security for Media Services: Best Practice
Media companies can take several steps to mitigate the security risks associated with using cloud services. The Motion Picture Association have developed guidelines for cloud security as part of their overall guidelines for content security best practices made up of selective requirements from a set of industry security standards. The MPA have recently expanded the scope of their Trusted Partner Network (TPN) to provide accreditation for cloud service providers.
Amazon’s AWS cloud hosting service, Adobe’s Frame.io video editing collaboration platform, and Dropbox’s file sharing service are three of the most common cloud platforms used by media companies. Their approaches to the four most important security practices are described below:
Strong access controls: These include two-factor authentication and role-based access control to limit access to cloud storage and processing services. Employees should only have access to the data they need to do their jobs, and their access should be revoked promptly when they leave the organisation.
Amazon: AWS offers various access control mechanisms to ensure that only authorised personnel can access their customers’ data. These include identity and access management (IAM) to manage user access, multi-factor authentication (MFA) to add an additional layer of security, and security groups to control network access.
Frame.io: Frame.io uses the principle of least privilege access and role-based permissions to achieve stringent access control. Administrators use the Frame.io Admin UI to grant granular role-based permissions to users.
Dropbox: Employee access to the Dropbox environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase-protected SSH keys, and two-factor authentication.
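The access-control practice above (role-based permissions, least privilege, prompt revocation) is easier to reason about with a concrete policy model. The following is an added example, not code from the article or from AWS, Frame.io or Dropbox: it evaluates IAM-style policy documents with the usual rules (access is denied unless a statement allows it, an explicit Deny always wins, and "*" wildcards match actions and resources). The roles, users and bucket names are constructed for illustration.

```python
"""Least-privilege, role-based access decisions in the style of an IAM
policy document.  All roles, users and resource names below are constructed
for this example; the evaluation rules (implicit deny, explicit Deny beats
Allow, '*' wildcards) are the general shape of IAM-style policy evaluation."""
from fnmatch import fnmatchcase

# Constructed role policies: an editor may read and write rushes but never
# delete them; a transcoder reads rushes and writes only deliverables.
ROLE_POLICIES = {
    "editor": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::media-rushes/*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::media-rushes/*"]},
    ],
    "transcoder": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::media-rushes/*"]},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::media-deliverables/*"]},
    ],
    "admin": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]},
    ],
}

# Constructed user -> roles mapping.  In practice this comes from the central
# directory, which is also where offboarding must take effect first.
USER_ROLES = {
    "alice": {"editor"},
    "bob": {"transcoder"},
    "carol": {"admin"},
}


def _matches(patterns, value):
    """True if any policy pattern (with '*' wildcards) matches the value."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(user, action, resource):
    """Implicit deny: the request passes only if some statement attached to
    one of the user's roles allows it and no statement explicitly denies it."""
    allowed = False
    for role in USER_ROLES.get(user, ()):
        for stmt in ROLE_POLICIES.get(role, ()):
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False          # explicit deny wins immediately
                allowed = True
    return allowed


def offboard(user):
    """Revoke all access promptly by removing every role assignment.
    Returns True if the user held any roles."""
    return USER_ROLES.pop(user, None) is not None


if __name__ == "__main__":
    rushes = "arn:aws:s3:::media-rushes/ep01.mxf"
    print("alice read rushes:", is_allowed("alice", "s3:GetObject", rushes))
    print("alice delete rushes:", is_allowed("alice", "s3:DeleteObject", rushes))
    offboard("alice")
    print("alice read after offboarding:", is_allowed("alice", "s3:GetObject", rushes))
```

Unknown users and unknown actions fall through to the implicit deny, which is the property that makes "only the data they need" enforceable: a new role has to be granted explicitly rather than a broad one narrowed later.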
Encrypt data in transit and at rest: Encryption ensures that data is unreadable to unauthorised parties, even if it is intercepted during transmission or storage. Strong encryption keys should be used, and companies should implement key management practices to protect their data.
Amazon: AWS offers various encryption options for data at rest and in transit. Customers can use server-side encryption to automatically encrypt data as it’s stored in AWS, or client-side encryption to encrypt data before it’s uploaded to AWS. AWS also provides key management services that allow customers to manage and protect their encryption keys.
Frame.io: All data in transit is encrypted using AES 128 GCM over TLS 1.2 and at rest using AES 256-bit key encryption. Encryption keys are managed by a separate key management system that is fully audited and monitored.
Dropbox: To protect data in transit between Dropbox apps and servers, Dropbox uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. File data in transit between a Dropbox client (currently desktop, mobile, API, or web) and the hosted service is encrypted via SSL/TLS. Additionally, on the web they flag all authentication cookies as secure and enable HTTP Strict Transport Security (HSTS).
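The in-transit controls named above (a TLS 1.2 floor, HSTS, and authentication cookies flagged Secure) can be checked from the client side without any vendor tooling. The block below is an added example written for this article, not code from Dropbox, Frame.io or AWS: it builds a client TLS context that refuses anything older than TLS 1.2 and verifies the server certificate, and it audits a set of HTTP response headers for HSTS and cookie flags. The sample headers are constructed, and the one-year HSTS minimum and the cookie name "session" are this example's own assumptions.

```python
"""Client-side checks for encryption in transit: a hardened TLS context and
an audit of response headers for HSTS and Secure/HttpOnly cookie flags.
The sample headers below are constructed for this example."""
import ssl

ONE_YEAR = 31_536_000  # assumed minimum HSTS max-age, in seconds


def hardened_client_context():
    """TLS context that verifies the server certificate and hostname and
    refuses protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_headers(headers, auth_cookie_names=("session",)):
    """Return a list of findings for missing HSTS or weak cookie flags.
    `headers` is a list of (name, value) pairs as received from the server."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            hsts = value
        elif lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            # attribute names after the first ';', lower-cased, values dropped
            attrs = {part.strip().split("=", 1)[0].lower()
                     for part in value.split(";")[1:]}
            if cookie_name in auth_cookie_names:
                if "secure" not in attrs:
                    findings.append(f"cookie {cookie_name} lacks Secure")
                if "httponly" not in attrs:
                    findings.append(f"cookie {cookie_name} lacks HttpOnly")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age = 0
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} below one year")
    return findings


# Constructed sample responses: one hardened, one with the common gaps.
GOOD_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),   # not an auth cookie, not checked
]
BAD_HEADERS = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    print("TLS floor:", hardened_client_context().minimum_version)
    print("good:", audit_headers(GOOD_HEADERS))
    print("bad:", audit_headers(BAD_HEADERS))
```

The context is what you would pass to `http.client.HTTPSConnection(host, context=ctx)` or `urllib.request.urlopen(url, context=ctx)`; the header audit can be run against the real response headers the same connection returns.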
Regular security assessments: These are used to identify vulnerabilities and ensure that security controls are working as intended. Security assessments should include penetration testing, vulnerability scans, and security audits of the cloud service provider’s security controls.
Amazon: Because they don’t necessarily have end-to-end control of the applications running on the AWS environment, Amazon takes a “shared responsibility approach” and offers a number of tools to support customers in running their own security assessments, including the AWS Config tool that allows customers to continually assess, monitor, audit and evaluate their configurations. Additionally, they engage with third-party security experts to regularly perform penetration testing to identify potential security issues.
Frame.io: Adobe conducts regular security reviews looking at threat modelling and code reviews. Additionally, they conduct regular internal and external penetration testing targeting areas of weakness identified during security reviews.
Dropbox: The Dropbox Trust Program policy establishes a risk assessment process, which is designed to address environmental, physical, user, third party, applicable laws and regulations, contractual requirements, and various other risks that may affect system security, confidentiality, integrity, availability, or privacy. Performance reviews occur at least annually.
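The continual configuration assessment described above (the kind AWS Config automates) comes down to running rules over an inventory of resources and reporting what is non-compliant. The block below is an added example, not AWS Config itself and not code from any of the three vendors: the rules, the resource shapes and the inventory are all constructed for illustration, and the rule names are this example's own.

```python
"""Configuration assessment in the style of AWS Config: each rule inspects
one resource description and returns COMPLIANT or NON_COMPLIANT.  The rules
and the inventory are constructed for this example and are not AWS Config
managed rules or real resources."""
COMPLIANT, NON_COMPLIANT = "COMPLIANT", "NON_COMPLIANT"

ADMIN_PORTS = (22, 3389)           # SSH and RDP must not be open to the world


def bucket_not_public(res):
    return NON_COMPLIANT if res.get("public_access") else COMPLIANT


def bucket_encrypted_at_rest(res):
    return COMPLIANT if res.get("default_encryption") in ("AES256", "aws:kms") else NON_COMPLIANT


def user_has_mfa(res):
    return COMPLIANT if res.get("mfa_enabled") else NON_COMPLIANT


def no_admin_port_open_to_world(res):
    for rule in res.get("ingress", []):
        if rule["cidr"] in ("0.0.0.0/0", "::/0") and rule["port"] in ADMIN_PORTS:
            return NON_COMPLIANT
    return COMPLIANT


# Which rules apply to which resource type.
RULES = {
    "s3_bucket": [bucket_not_public, bucket_encrypted_at_rest],
    "iam_user": [user_has_mfa],
    "security_group": [no_admin_port_open_to_world],
}

# Constructed inventory of a small media workflow.
INVENTORY = [
    {"type": "s3_bucket", "id": "media-rushes", "public_access": False,
     "default_encryption": "aws:kms"},
    {"type": "s3_bucket", "id": "promo-clips", "public_access": True,
     "default_encryption": None},
    {"type": "iam_user", "id": "alice", "mfa_enabled": True},
    {"type": "iam_user", "id": "bob", "mfa_enabled": False},
    {"type": "security_group", "id": "sg-transcode",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-bastion",
     "ingress": [{"port": 22, "cidr": "0.0.0.0/0"}]},
]


def evaluate(inventory):
    """Run every applicable rule; return (resource id, rule name) for each
    non-compliant result so the list can be tracked to remediation."""
    findings = []
    for res in inventory:
        for rule in RULES.get(res["type"], ()):
            if rule(res) == NON_COMPLIANT:
                findings.append((res["id"], rule.__name__))
    return findings


if __name__ == "__main__":
    for resource_id, rule_name in evaluate(INVENTORY):
        print(f"{NON_COMPLIANT}: {resource_id} fails {rule_name}")
```

Running the same evaluation on every configuration change, rather than once a year, is what turns a point-in-time audit into the continual assessment the article describes.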
Monitor cloud infrastructure for suspicious activity: Such activity includes unauthorised access attempts or unusual data transfers. Cloud service providers typically offer security monitoring tools that can be used to detect and respond to security incidents.
Amazon: Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Frame.io: Frame.io uses Adobe’s Application and Operational security stacks - a consolidated set of tools that help product developers and engineers improve their security posture and reduce risk to both Adobe and their customers.
Dropbox: Dropbox offers security information and event management (SIEM) and analytics tools to monitor and evaluate user sharing, sign-in attempts, admin actions, and more.
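The two kinds of suspicious activity the practice above names, unauthorised access attempts and unusual data transfers, are what a SIEM rule or a GuardDuty-style finding is built from. The following is an added example and not code from AWS, Adobe or Dropbox: two detections run over constructed CloudTrail-shaped events (field names follow CloudTrail's general layout, but the records, IP addresses, user names, thresholds and per-user baselines are all made up for this example).

```python
"""Two detections over constructed sign-in and data-access events: a burst of
failed console logins from one source address, and a user whose read volume
exceeds a multiple of their baseline.  Events, addresses, names and
thresholds are all constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(time, name, **fields):
    return {"eventTime": time, "eventName": name, **fields}


# Constructed events: six failures in one minute from one address, one
# ordinary failed-then-successful login, and bob reading 4.8 GB in an hour.
EVENTS = (
    [_ev(f"2024-05-01T09:00:{10 * i:02d}Z", "ConsoleLogin",
         sourceIPAddress="203.0.113.7", userName="alice", outcome="Failure")
     for i in range(6)]
    + [_ev("2024-05-01T09:05:00Z", "ConsoleLogin",
           sourceIPAddress="198.51.100.2", userName="bob", outcome="Failure"),
       _ev("2024-05-01T09:05:30Z", "ConsoleLogin",
           sourceIPAddress="198.51.100.2", userName="bob", outcome="Success")]
    + [_ev(f"2024-05-01T10:{5 * i:02d}:00Z", "GetObject",
           userName="bob", bytes=400_000_000) for i in range(12)]
    + [_ev("2024-05-01T10:30:00Z", "GetObject", userName="alice", bytes=200_000_000)]
)

# Constructed per-user daily read baselines, in bytes.
BASELINE_BYTES = {"alice": 500_000_000, "bob": 1_000_000_000}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window of failed ConsoleLogin events per source address;
    one alert per address once the count in the window reaches threshold."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] != "ConsoleLogin" or ev.get("outcome") != "Failure":
            continue
        ip = ev["sourceIPAddress"]
        now = parse_time(ev["eventTime"])
        queue = recent[ip]
        queue.append(now)
        while queue and now - queue[0] > window:
            queue.popleft()           # drop attempts older than the window
        if len(queue) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "count": len(queue), "last_seen": ev["eventTime"]})
    return alerts


def unusual_egress(events, baseline_bytes, factor=3):
    """Total GetObject bytes per user; alert when above factor x baseline.
    A user with no baseline is treated as baseline 0, so any read alerts."""
    totals = defaultdict(int)
    for ev in events:
        if ev["eventName"] == "GetObject":
            totals[ev["userName"]] += ev.get("bytes", 0)
    return [{"user": user, "bytes": total, "baseline": baseline_bytes.get(user, 0)}
            for user, total in totals.items()
            if total > factor * baseline_bytes.get(user, 0)]


if __name__ == "__main__":
    print(failed_login_bursts(EVENTS))
    print(unusual_egress(EVENTS, BASELINE_BYTES))
```

The login detector deliberately keys on the source address rather than the user name, so a spray across many accounts from one address still surfaces; the egress detector compares against a per-user baseline because a transcoder legitimately reads far more than an editor.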
Cloud Security for Media Services: The human factor
Training employees on security best practices can be the most difficult practice to implement because there are no technological solutions – it’s all about managing people. The most airtight security infrastructure is no match for an employee giving out their password, clicking the wrong link or leaving their laptop unlocked in a coffee shop, so developing a security training programme for all employees who work with cloud services is imperative.
An effective programme will do the following:
- Cover the fundamentals of cloud security, including the shared responsibility model, access control, data encryption, and compliance requirements.
- Train employees on the latest threat vectors and attack methods used by cybercriminals to compromise cloud environments.
- Educate employees on the security policies and procedures that govern their use of cloud services, such as password policies, data handling procedures, and incident response protocols.
- Tailor training based on employees’ roles within the organisation. For example, developers should be trained on secure coding practices, while administrators should be trained on network security and system hardening.
- Provide ongoing training and awareness programmes to keep employees up to date with the latest threats and best practices.
- Conduct simulation exercises to help employees identify vulnerabilities, understand the impact of security incidents, and learn how to respond effectively.
By following these best practices, organisations can ensure that their employees are equipped with the knowledge and skills needed to protect sensitive data in the cloud.