The Sponsors Perspective: Trust No One
There are many philosophies out there about who and when to trust. When it comes to securing high value assets, you really can’t be too careful.
SaaS processing and storage offers great benefits to media companies:
- Remote production workflows become easier and more affordable.
- Collaborative work among geographically separated teams is simplified.
- Resources scale to match the immediate demand.
- Multi-stage processes are automated and consolidated.
- Production costs are easily matched to asset revenue.
- The list goes on…
But any member of the digital community has heard worrisome stories about distributed denial-of-service (DDoS) attacks, data breaches, and other digital security issues.
And while malicious actors make the headlines, researchers from Stanford University and the security firm Tessian found that approximately 88% of all data breaches are actually caused by employee error [1]. So how do we ensure that valuable data remains secure?
The answer is Zero Trust. Zero Trust is not a manifestation of extreme paranoia. Rather, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating the assumption that any user that is inside the network firewall should have free access. A Zero Trust strategy continuously validates every stage of a digital interaction.
Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement to other hosts or applications, providing Layer 7 (application layer) threat prevention, and simplifying granular, “least access” policies.
Because Grass Valley’s AMPP is a SaaS solution that runs on any infrastructure, its service endpoints can be exposed to the public internet. Here’s what we’ve learned about keeping the production platform secure.
Require Every User To Sign On With Their Own Credentials
For small installations, user credentials can be configured inside the AMPP Identity service, which stores only a salted one-way hash of each password rather than the password itself. AMPP Identity can also be connected to a customer’s Identity Provider, to securely delegate authentication and authorization. An external Identity Provider can perform multifactor authentication if required.
Encrypt All Traffic
Following the AMWA security recommendations for NMOS, AMPP accepts only HTTPS (TLS) traffic. Encrypting the channel protects traffic to edge devices and user interfaces from eavesdropping and tampering in transit. That protection holds only as long as clients validate the server certificate they are presented with, so certificate handling matters as much as turning on TLS.
Secure Every Call To Every URL
A typical monolithic “lift and shift” deployment protects everything behind a single password; once that password is compromised, the entire system is exposed. AMPP keeps the simplicity of Single Sign On with assignable roles and responsibilities for each user – often through an external Active Directory – but takes security a step farther with a modern microservice architecture.
Each microservice has its own URL. These URLs are assigned to specific units that perform specific tasks. Authorization checks are required when exchanging information between each of these units, so even if one unit is compromised there is no simple means of spreading out to other units.
All traffic inside the platform requires requests to carry an “OAuth2 OpenID Connect (OIDC) JSON Web Token.” That complex statement strings together three related standards, layered on top of one another. It means:
- OAuth2: Defines how a client obtains an access token and presents it with each request, so the token proves the request comes from an authorized party without the user’s password ever being sent to the service.
- OpenID Connect (OIDC): An identity layer on top of OAuth2, so the identity of the user making the request can be authenticated against an external Identity Provider.
- JSON Web Token (JWT): The token format. Each token is digitally signed by the issuer, and the receiving service verifies the signature, along with the issuer, audience and expiry claims, before trusting anything the token says.
All this exchanging and validating of information takes place at speeds that never impact the real-time performance of the system.
Limit Duration Of Credentials
Each time AMPP users log in, their identity is issued a timeboxed JWT which is no longer valid on expiration. The software the users interact with must present this JWT to each RESTful endpoint it calls. Because these JWTs are time constrained, the window of opportunity for misusing a stolen token is narrowed.
Because JWTs are constantly refreshed by all client-side libraries, if an admin changes the access rights for an individual, the next JWT issued will reflect the new access status. A token already in circulation keeps its original claims until it expires, which is another reason to keep token lifetimes short.
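The following is an added example, not AMPP’s code, showing the checks a resource server performs on a JWT as described above: the signature, a pinned algorithm (so a token cannot declare itself unsigned), issuer, audience and expiry. It also demonstrates the timeboxing point: a token minted before an admin removes a role still carries that role until it expires, while the next refreshed token does not. For a self-contained demo it uses HS256 with a shared key; issuer name, audience, key and the roles claim are assumptions, and a real Identity Provider would sign with an asymmetric key (RS256/ES256) whose public half the services fetch from the issuer.

```python
"""Mint and verify HS256 JWTs: example code added to this article, not AMPP code.
KEY, ISSUER, AUDIENCE and the 'roles' claim are constructed for the demo."""
import base64
import hashlib
import hmac
import json

KEY = b"demo-shared-key-not-for-production"  # constructed; real IdPs use asymmetric keys
ISSUER = "https://idp.example"               # assumed issuer
AUDIENCE = "ampp-api"                        # assumed audience (the API this token is for)
DEFAULT_TTL = 300                            # seconds; short lifetime narrows the misuse window


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(sub: str, roles: list, now: int, ttl: int = DEFAULT_TTL) -> str:
    """Issue a signed token for subject `sub` carrying `roles`, valid from `now` for `ttl` seconds."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(token: str, now: int) -> dict:
    """Return the claims if the token is genuine, for us, and not expired; raise otherwise."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: the verifier decides how to check, never the token ('none', key confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(KEY, f"{h64}.{c64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired")
    return claims


def authorize(token: str, now: int, needed_role: str) -> bool:
    """What a microservice does on each call: verify the token, then check the role claim."""
    try:
        claims = verify(token, now)
    except TokenError:
        return False
    return needed_role in claims.get("roles", [])


if __name__ == "__main__":
    t0 = 1_700_000_000
    old = mint("alice", ["editor"], t0)          # issued before the admin change
    new = mint("alice", [], t0 + 60)             # refreshed after 'editor' was removed at t0+60
    print("old token, editor, t0+100:", authorize(old, t0 + 100, "editor"))  # still valid until exp
    print("new token, editor, t0+100:", authorize(new, t0 + 100, "editor"))  # reflects the change
    print("old token, editor, t0+300:", authorize(old, t0 + 300, "editor"))  # expired
```

The demo also illustrates why short lifetimes matter: revocation by changing roles only takes effect on refresh, so `DEFAULT_TTL` bounds how long a stale or stolen token keeps working.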
Encrypt All Data Stores
Whether your data is stored on-prem or in the cloud, it needs to be protected while at rest as much as when it is being transported. Hence, all data stores in AMPP encrypt their data before storing, so that even if the contents of a store are exfiltrated, they are useless to an attacker who does not also hold the encryption keys, which is why those keys must be managed separately from the data they protect.
Secure Workloads
It’s not just humans that need authentication. All AMPP Workloads are issued with Client Credential Keys that scope their access to the APIs they are permitted to call. In the same way that a human user needs to provide credentials to be authenticated and authorized, so do all software components. Client Credential Keys can be managed from within the AMPP Identity user interface.
Chris Merrill.
Audit, Audit, Audit
Just as malicious actors never stop trying to enter the system, AMPP never stops looking for weaknesses to strengthen. This continuous process is part of maintaining SOC 2 compliance: SOC 2 is not a one-off certificate but an attestation, in which an independent auditor examines the controls and their operation over time. Grass Valley has gone through that rigorous evaluation by a trusted third party to obtain its SOC 2 attestation.
By implementing the latest in technology, AMPP conforms to the best practices of the IT industry. AMPP provides a reliable, secure work environment for creating valuable content. We’re not asking you to trust us. We’re asking you to put it to the test.