Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Securing Media Content and Applications in the Cloud
Usman Shakeel, Amazon Web Services
Ben Masek, Sony Media Cloud Services
November 14, 2013

Description

"Are your media assets secure? For media companies, security is paramount. Few things can more directly impact your company's bottom line. As the move to store, process, and distribute digital media via the cloud continues, it is imperative to examine the relevant security implications of a multitenant public cloud environment. This talk is intended to answer questions around securely storing, processing, distributing, and archiving digital media assets in the AWS environment. The talk also covers the security controls, features, and services that AWS provides its customers. Learn how AWS aligns with the MPAA security best practices and how media companies can leverage that for their media workloads. This session also includes a representative from Sony Media Cloud Services discussing the path to MPAA alignment of their application Ci on AWS based on these best practices."

Transcript of Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Page 1: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.

Securing Media Content and Applications in the Cloud

Usman Shakeel, Amazon Web Services

Ben Masek, Sony Media Cloud Services

November 14, 2013

Page 2: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Does AWS meet customers' security requirements?

Page 3: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Does AWS meet customers' security requirements?

Can my media content and applications on AWS be aligned to MPAA?

Page 4: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

TOGETHER

Page 5: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013
Page 6: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Cost of Business
• Infrastructure management
• Infrastructure security
• Infrastructure audit
• DR, HA

Core Differentiators
• Better customer experience
• Reach more customers
• Better quality content
• More cool features
• More analytics

Constant Pressures
• Better vendor relationships
• Shorten procurement cycle
• Audits and compliance
• Cut costs

Page 7: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Your $$$$ Can Go Farther!

Cost of Business
• Infrastructure management
• Infrastructure security
• Infrastructure audit
• DR and HA is complicated

Core Differentiators
• New product features
• Better customer experience
• More analytics
• More monetization opportunities

Happy Customers!!

Page 8: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

The Shared Responsibility Model

AWS is responsible for the infrastructure layers:
• Virtualization infrastructure
• Network infrastructure
• Physical infrastructure
• Physical security
• Facilities

The customer is responsible for everything built on top of them:
• Application
• OS firewalls
• Security groups
• Operating system
• Account management
• Network configuration

Page 9: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Certifications and Compliances

Diagram: the AWS-managed layers (Facilities, Physical security, Physical infrastructure, Network infrastructure, Virtualization infrastructure)

Certifications
• SOC 1, SOC 2 & SOC 3 (SSAE16/ISAE 3402 audit)
• ISO 27001 certification
• PCI level 1 service provider
• FedRAMP (FISMA)
• AWS GovCloud (US)
• MPAA best practices alignment

Customers are running Sarbanes-Oxley (SOX), HIPAA (healthcare), FISMA (US federal government), DIACAP MAC III sensitive ATO, International Traffic in Arms Regulations (ITAR)

Page 10: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Security Innovation – Customer Driven Improvements

Diagram: requirements from everyone's applications feed into the AWS security infrastructure (labels: Everyone's Applications, Requirements, AWS Security Infrastructure)

Page 11: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS Services Stack in a Media Workflow

Diagram of the services across the four workflow stages (Ingest, Store, Deliver, Process): AWS Direct Connect, Elastic Load Balancing, AWS Import/Export, Amazon S3, AWS Storage Gateway, Amazon Glacier, Amazon EBS, CloudFront, Amazon CloudSearch, Amazon SNS, Amazon SQS, Amazon SWF, Amazon Elastic Transcoder, Amazon EC2, Amazon EMR, DynamoDB, Amazon VPC, Amazon RDS, Amazon Redshift, ElastiCache, AMI, Route 53

Page 12: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MPAA Security Best Practices

AWS alignment to MPAA security best practices reviewed October 2012

Based on AWS shared responsibility model

Page 13: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

(MPAA Best Practices) – AWS Services in Scope

– Amazon Elastic Compute Cloud (EC2)

– Amazon Virtual Private Cloud (VPC)

– Amazon Simple Storage Service (S3)

– Amazon Elastic Block Store (EBS)

– Amazon Relational Database Service (RDS)

– Amazon DynamoDB

– Elastic Load Balancing (ELB)

– AWS Identity and Access Management (IAM)

– Amazon CloudFront

– Amazon Glacier

– AWS Import/Export

– AWS Direct Connect

– Amazon Route 53

– Amazon Elastic Transcoder

– and the supporting data centers


Page 14: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

(MPAA Best Practices) - Content Types in Scope

Lifecycle stages: Preproduction, Production, Production Wrap, Postproduction, Distribution

Content types across those stages: Storyboards, Scripts, Location Footage, Screen Tests, Call Sheets, Raw Files, Dailies, Script Edits, Editorial, Audio Files, Media Files, VFX, Master Files, Editorial, Theatrical Prints

Page 15: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MPAA Content Security Best Practices

Page 16: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MPAA Content Security Best Practices on AWS

Management Systems
• Organization & Management
• Competency

Physical Security
• Facility
• Asset Management
• Transport

Digital Security
• Infrastructure
• Content Management
• Content Transfer

Page 17: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MPAA Content Security Best Practices on AWS

Best practice areas: Organization & Management, Competency, Facility, Asset Management, Transport, Infrastructure, Content Management, Content Transfer

Diagram, left column: Physical Security, Management Systems, Digital Security

Diagram, right column (Virtual Resources): Organization & Management, Competency, Content Management, Management Systems, Digital Security

Page 18: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS Physical Infrastructure Security

Page 19: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

What AWS controls do you have in the shared responsibility model?

Page 20: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS Security Controls

• Access points
  • HTTP or HTTPS using SSL access
  • Amazon VPC allows VPN access as well
  • Redundant connection to more than one communication service at each Internet-facing edge
• API requests
  • SOAP – must be signed (using X.509 certs with an RSA public key)
  • Query – SHA1 and SHA-256 cryptographic hash signature
• SSH to Amazon EC2 instances – require a public/private key pair or RDP certificate
• AWS multi-factor authentication (MFA)
• Key management and rotation
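The "must be signed" bullets above are where a request's integrity is enforced: the signature binds the whole request, not just the credential. As an added illustration (not code from the slides, from AWS, or from any AWS SDK), the Go program below implements a query-string signature in the style of AWS Signature Version 2: method, lower-cased host, path and the sorted, RFC 3986-encoded parameters are joined into a string-to-sign, which is MACed with HMAC-SHA256 under the secret key; the verifier recomputes it and compares in constant time. The access key, secret, endpoint and parameters are constructed placeholders, not real credentials.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// rfc3986Encode percent-encodes a parameter name or value the way query
// signing requires: spaces become %20 rather than '+'.
func rfc3986Encode(s string) string {
	return strings.ReplaceAll(url.QueryEscape(s), "+", "%20")
}

// CanonicalQuery sorts parameters by name (byte order) and joins them as
// name=value pairs, so client and verifier derive the same bytes regardless
// of the order the parameters appeared in. The Signature parameter itself is
// never part of the signed data.
func CanonicalQuery(params map[string]string) string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k == "Signature" {
			continue
		}
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, rfc3986Encode(k)+"="+rfc3986Encode(params[k]))
	}
	return strings.Join(parts, "&")
}

// StringToSign binds the HTTP method, host and path to the query so a
// signature cannot be replayed against a different endpoint or verb.
func StringToSign(method, host, path string, params map[string]string) string {
	return method + "\n" + strings.ToLower(host) + "\n" + path + "\n" + CanonicalQuery(params)
}

// SignRequest computes base64(HMAC-SHA256(secretKey, StringToSign)).
func SignRequest(secretKey, method, host, path string, params map[string]string) string {
	mac := hmac.New(sha256.New, []byte(secretKey))
	mac.Write([]byte(StringToSign(method, host, path, params)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyRequest is the service side: recompute and compare in constant time.
func VerifyRequest(secretKey, method, host, path string, params map[string]string, sig string) bool {
	expected := SignRequest(secretKey, method, host, path, params)
	return hmac.Equal([]byte(expected), []byte(sig))
}

func main() {
	// Constructed credentials and request; not real AWS keys.
	const secret = "EXAMPLE-SECRET-KEY-not-a-real-credential"
	params := map[string]string{
		"AWSAccessKeyId":   "AKIAEXAMPLEKEY",
		"Action":           "DescribeInstances",
		"SignatureMethod":  "HmacSHA256",
		"SignatureVersion": "2",
		"Timestamp":        "2013-11-14T10:00:00Z",
	}
	sig := SignRequest(secret, "GET", "ec2.amazonaws.com", "/", params)
	fmt.Println("signature:", sig)
	fmt.Println("valid:", VerifyRequest(secret, "GET", "ec2.amazonaws.com", "/", params, sig))
	params["Action"] = "RunInstances" // any change to a signed field invalidates the signature
	fmt.Println("valid after change:", VerifyRequest(secret, "GET", "ec2.amazonaws.com", "/", params, sig))
}
```

The constant-time comparison (`hmac.Equal`) matters on the verifying side: a byte-by-byte string compare leaks how many leading bytes of a guessed signature were right.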

Page 21: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS Identity and Access Management (IAM)

Unique security credentials

• Access keys, login/password, MFA device

• Federated authentication (AWS Security Token Service STS)

Policies control access to AWS APIs

• API calls must be signed by either: X.509 certificate or secret key

Deep integration with other AWS services

• Amazon S3: policies on objects and buckets

• Amazon SimpleDB: domains

• Amazon EC2 resource permissions

Page 22: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Amazon EC2 Security Controls

EC2 (guest) operating system
• Controlled by YOU
• YOU have admin/root
• AWS has NO visibility
• YOU generate the key pairs

Security groups (stateful filters)
• YOU control the mandatory inbound firewall
• Default is deny all
• +Egress in the case of Amazon VPC

Signed API calls

Diagram labels: AWS Cloud, Availability Zone A, Security Group, Instance

Security Group Adobe_FMS Configuration

Protocol  Port range  Source
TCP       80          0.0.0.0/0
TCP       1111        0.0.0.0/0
TCP       1935        0.0.0.0/0
UDP       1935        0.0.0.0/0
SSH       22          192.168.0.41/10
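Since the inbound firewall is the customer's responsibility, the slide's Adobe_FMS table is worth auditing rather than just reading. The Go program below is an added example (not from the slides or from AWS) that applies two checks a reviewer would want: an administration port (SSH or RDP) reachable from 0.0.0.0/0, and a source CIDR whose host bits are set, which is what 192.168.0.41/10 is: as written it does not mean "this one host" but every address in 192.128.0.0/10, so it is most likely a mistyped /32. The rule list is transcribed from the slide; the port-to-name map is an assumption of this example.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is one inbound security group entry as shown in the slide's table.
type Rule struct {
	Protocol string // "TCP", "UDP", or the table's "SSH" shorthand
	Port     int
	Source   string // CIDR block
}

// adminPorts are remote-administration ports that should never be reachable
// from the entire Internet on a media processing instance (assumed list).
var adminPorts = map[int]string{22: "SSH", 3389: "RDP"}

// AuditRules returns one finding per risky rule: an admin port open to
// 0.0.0.0/0, or a source whose host bits are set (the mask then matches far
// more than the address the author typed).
func AuditRules(rules []Rule) []string {
	var findings []string
	for _, r := range rules {
		ip, network, err := net.ParseCIDR(r.Source)
		if err != nil {
			findings = append(findings, fmt.Sprintf("port %d: source %q is not a valid CIDR", r.Port, r.Source))
			continue
		}
		ones, _ := network.Mask.Size()
		if name, isAdmin := adminPorts[r.Port]; isAdmin && ones == 0 {
			findings = append(findings, fmt.Sprintf("%s (port %d) is open to the whole Internet", name, r.Port))
		}
		if !ip.Equal(network.IP) {
			findings = append(findings, fmt.Sprintf(
				"port %d: source %s has host bits set; the rule actually matches %s (did you mean %s/32?)",
				r.Port, r.Source, network.String(), ip.String()))
		}
	}
	return findings
}

// slideRules is the Adobe_FMS security group exactly as the slide lists it.
var slideRules = []Rule{
	{"TCP", 80, "0.0.0.0/0"},
	{"TCP", 1111, "0.0.0.0/0"},
	{"TCP", 1935, "0.0.0.0/0"},
	{"UDP", 1935, "0.0.0.0/0"},
	{"SSH", 22, "192.168.0.41/10"},
}

func main() {
	for _, f := range AuditRules(slideRules) {
		fmt.Println("finding:", f)
	}
}
```

Run against the slide's table this yields a single finding, on the SSH rule; the streaming ports open to the world are by design for a public media server and are not flagged.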

Page 23: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Amazon Virtual Private Cloud (VPC)

• Isolated environment
• Ingress and egress filters
• Network ACLs
• Routing rules

Diagram labels: Virtual Private Cloud, VPC Public Subnet (Instances, Security Group), VPC Private Subnet (Instances, Security Group), VPN Gateway, Internet Gateway, VPN Connection, Corporate Data Center, Elastic IP

Page 24: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Amazon S3 Security Controls

• Bucket- and object-level permissions

• Owner only access (by default)

• Signed URLs/query string authentication

• IAM policies

• Versioning (MFA delete)

• Detailed access logging


Page 25: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

S3 Client Side Encryption with AWS SDK for Java

Look for the AmazonS3EncryptionClient class (subclass of AmazonS3Client)

Diagram: Content in the Corporate Data Center is encrypted by the AWS SDK for Java under an Envelope Key; the Envelope Key is encrypted under the Master Key; the Encrypted Content and the Encrypted Envelope Key are what leave the data center.

Page 26: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

S3 Server-Side Encryption (at Rest)

• Encryption
• Decryption
• Key management (encrypted by S3 master key, stored separately from your data)
• 256-bit AES encryption

Diagram labels: Content to be Uploaded (encryption enabled in the HTTP header), Envelope Key, Master S3 Key, Encrypted Stored Key, Encrypted Stored Data, Amazon S3
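The client-side and server-side slides describe the same envelope pattern; what differs is who holds the master key (the customer's SDK, or S3). The Go program below is an added example of that pattern (it is not the AWS SDK's AmazonS3EncryptionClient, nor S3's server-side implementation): a fresh 256-bit data key per object, content encrypted under it with AES-256-GCM, the data key wrapped under the master key, and only the wrapped key stored beside the ciphertext. The object key name is bound in as additional authenticated data, which is this example's own choice so that a ciphertext cannot be re-labelled as a different object. Keys and content are constructed in the program; a real master key would come from a key store, not be generated per run.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeObject is what ends up in the bucket: the content ciphertext and
// the per-object data key, itself encrypted ("wrapped") under the master key.
// The master key is never stored next to the data.
type EnvelopeObject struct {
	WrappedDataKey []byte
	Ciphertext     []byte
}

// gcmSeal encrypts with AES-256-GCM and prepends the random nonce.
// The additional data (aad) is authenticated but not encrypted.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// gcmOpen reverses gcmSeal; it fails on any change to nonce, ciphertext, tag or aad.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Encrypt generates a data key for this object, encrypts the content under
// it, then wraps the data key under the master key.
func Encrypt(masterKey []byte, objectKey string, content []byte) (EnvelopeObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EnvelopeObject{}, err
	}
	ct, err := gcmSeal(dataKey, content, []byte(objectKey))
	if err != nil {
		return EnvelopeObject{}, err
	}
	wrapped, err := gcmSeal(masterKey, dataKey, []byte(objectKey))
	if err != nil {
		return EnvelopeObject{}, err
	}
	return EnvelopeObject{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the master key, then opens the content.
func Decrypt(masterKey []byte, objectKey string, obj EnvelopeObject) ([]byte, error) {
	dataKey, err := gcmOpen(masterKey, obj.WrappedDataKey, []byte(objectKey))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return gcmOpen(dataKey, obj.Ciphertext, []byte(objectKey))
}

func main() {
	masterKey := make([]byte, 32) // constructed for the demo
	if _, err := rand.Read(masterKey); err != nil {
		panic(err)
	}
	const name = "dailies/2013-11-14/ep01.mov"
	obj, err := Encrypt(masterKey, name, []byte("constructed media bytes"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: %d bytes ciphertext, %d bytes wrapped key\n", len(obj.Ciphertext), len(obj.WrappedDataKey))
	plain, err := Decrypt(masterKey, name, obj)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)
	obj.Ciphertext[len(obj.Ciphertext)-1] ^= 0x01 // a single modified byte is detected
	_, err = Decrypt(masterKey, name, obj)
	fmt.Println("after tampering:", err)
}
```

Rotating the master key under this design means re-wrapping the small data keys, not re-encrypting the media, which is the operational reason the envelope has two layers.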

Page 27: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Example S3 Policies

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::examplebucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::examplebucket/*"
    }
  ]
}

Page 28: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Example S3 Policies

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }
  ]
}
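The two policy slides (and the IAM slide's "policies control access to AWS APIs") are easiest to understand by watching the evaluation: default deny, a matching Allow grants, an explicit Deny overrides, and `${aws:username}` is substituted before the resource is matched, which is what confines each user to their own prefix. The Go program below is an added example that evaluates a policy in exactly that order; it is not IAM's engine and covers only the grammar these slides use (Effect, an Action list, one Resource string, and the `*` wildcard). The embedded policy is the `${aws:username}` statement from this slide plus the ListAllMyBuckets statement from the previous one; user names are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy cover the subset of the policy grammar used on these
// slides: Effect, a list of Actions and a single Resource string.
type Statement struct {
	Effect   string   `json:"Effect"`
	Action   []string `json:"Action"`
	Resource string   `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// perUserPolicy combines the slides' ListAllMyBuckets statement with the
// ${aws:username} prefix statement, re-typed with ASCII quotes.
const perUserPolicy = `{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                "s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"}
  ]
}`

func LoadPolicy(text string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(text), &p)
	return p, err
}

// wildcardMatch implements '*' (any run of characters, including none),
// the only wildcard these policies use.
func wildcardMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

// IsAllowed follows the evaluation logic for a single policy: everything is
// denied unless a matching Allow exists, and a matching Deny always wins.
// ${aws:username} is substituted with the caller's user name before matching.
func IsAllowed(p Policy, username, action, resource string) bool {
	allowed := false
	for _, st := range p.Statement {
		pattern := strings.ReplaceAll(st.Resource, "${aws:username}", username)
		if !wildcardMatch(pattern, resource) {
			continue
		}
		for _, a := range st.Action {
			if !wildcardMatch(a, action) {
				continue
			}
			if st.Effect == "Deny" {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

func main() {
	p, err := LoadPolicy(perUserPolicy)
	if err != nil {
		panic(err)
	}
	checks := []struct{ user, action, resource string }{
		{"alice", "s3:PutObject", "arn:aws:s3:::examplebucket/alice/ep01.mov"},
		{"alice", "s3:GetObject", "arn:aws:s3:::examplebucket/bob/ep01.mov"},
		{"alice", "s3:ListAllMyBuckets", "arn:aws:s3:::*"},
		{"alice", "s3:ListBucket", "arn:aws:s3:::examplebucket"},
	}
	for _, c := range checks {
		fmt.Printf("%s %s %s -> allowed=%v\n", c.user, c.action, c.resource,
			IsAllowed(p, c.user, c.action, c.resource))
	}
}
```

The fourth check is the one people miss: the per-user policy grants object operations under the user's prefix but never `s3:ListBucket`, so listing the bucket still fails until a separate statement (like the second one on the previous slide, ideally with a prefix condition) grants it.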

Page 29: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Amazon CloudFront Security

• CloudFront's private content feature: only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• CloudFront origin access identity
• Signed URL verification: policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• Trusted signers
• Access logs

Diagram labels: End User (HTTP, Signed Request), Amazon CloudFront, Amazon S3 (Media Storage), Delivery EC2 Instances in a Security Group, Amazon S3 (Logs Storage)
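"Signed URL verification" and "trusted signers" are the mechanism behind private content: the URL carries an expiry and a signature made with a key pair that the distribution trusts, and the edge rejects anything expired, altered, or signed by someone else. The Go program below is an added example of that check, modelled on the canned-policy signed URL format (`Expires`, `Signature`, `Key-Pair-Id`; RSA-SHA1 over a small JSON policy; CloudFront's URL-safe base64 variant). It is not CloudFront's code, nor an AWS SDK helper; the distribution domain, key pair id and signer key are constructed placeholders. SHA-1 appears because that is what this URL format uses, not as a general recommendation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// cannedPolicy is the document that is actually signed: the exact resource
// URL plus the expiry. Changing either invalidates the signature.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// URL-safe base64 variant: '+', '=' and '/' become '-', '_' and '~'.
var toSafe = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var fromSafe = strings.NewReplacer("-", "+", "_", "=", "~", "/")

// GenerateSignerKey makes a constructed trusted-signer key pair for the demo.
func GenerateSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignURL produces <resource>?Expires=...&Signature=...&Key-Pair-Id=...
func SignURL(priv *rsa.PrivateKey, keyPairID, resource string, expires int64) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%s?Expires=%d&Signature=%s&Key-Pair-Id=%s",
		resource, expires, toSafe.Replace(base64.StdEncoding.EncodeToString(sig)), keyPairID), nil
}

// VerifyURL is the edge's job: rebuild the policy from the URL, check the
// signature against the trusted signer's public key, then enforce the expiry.
func VerifyURL(pub *rsa.PublicKey, signedURL string, now int64) error {
	u, err := url.Parse(signedURL)
	if err != nil {
		return err
	}
	q := u.Query()
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil {
		return errors.New("missing or malformed Expires")
	}
	sig, err := base64.StdEncoding.DecodeString(fromSafe.Replace(q.Get("Signature")))
	if err != nil {
		return errors.New("malformed Signature")
	}
	resource := u.Scheme + "://" + u.Host + u.Path
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return errors.New("signature does not match resource and expiry")
	}
	if now >= expires {
		return errors.New("URL expired")
	}
	return nil
}

func main() {
	priv, err := GenerateSignerKey()
	if err != nil {
		panic(err)
	}
	const resource = "https://d111111abcdef8.cloudfront.net/dailies/ep01.mp4" // placeholder domain
	signed, _ := SignURL(priv, "APKAEXAMPLEKEYPAIRID", resource, 1384473600)
	fmt.Println(signed)
	fmt.Println("fresh:     ", VerifyURL(&priv.PublicKey, signed, 1384470000))
	fmt.Println("expired:   ", VerifyURL(&priv.PublicKey, signed, 1384480000))
	fmt.Println("other file:", VerifyURL(&priv.PublicKey, strings.Replace(signed, "ep01", "ep02", 1), 1384470000))
}
```

The signature is checked before the expiry so that a URL whose `Expires` was edited forward is rejected as a bad signature, not accepted as "not yet expired": the expiry is inside the signed policy, so it cannot be changed independently of the signature.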

Page 30: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

CloudFront Origin Access Identity

{
  "Statement": [
    {
      "Sid": "Grant a CloudFront Origin Identity access",
      "Effect": "Allow",
      "Principal": { "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Page 31: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

A Word on Content Location..

Map of edge locations, availability zones and regions. Edge locations shown: Dallas (2), St. Louis, Miami, Jacksonville, Los Angeles (2), Seattle, Ashburn (3), Newark, New York (3), Dublin, London (2), Amsterdam (2), Stockholm, Frankfurt (2), Paris (2), Singapore (2), Hong Kong (2), Tokyo (2), Sao Paulo, South Bend, San Jose, Palo Alto, Hayward, Osaka, Milan, Sydney, Madrid, Seoul, Mumbai, Chennai

Page 32: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Introducing AWS CloudTrail

You are making API calls... on a growing set of services around the world... CloudTrail is continuously recording API calls... and delivering log files to you...

Page 33: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS CloudTrail

• Conduct audits for compliance
  • Review API call activity within your account
  • User activity logs to demonstrate compliance with government and industry regulatory standards
• Monitor user activity for suspicious behavior
  • Monitor user activity for specific known undesired behavior(s) and raise alarms using their (SIEM) solutions
• Conduct security analytics to identify potential security issues
  • Identify suspicious behavior and latent patterns that don't trigger immediate alarms but that may represent a security issue

Page 34: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

AWS CloudTrail Usage

1. Create an S3 bucket on the customer's account (default name generated or customer specified)
   • Permissions added to the bucket to allow AWS CloudTrail to write to it
   • User-specified bucket expiration policy applied
2. Optionally, create an Amazon SNS topic in the same manner as the bucket above
3. Call CreateTrail to provide the bucket, topic, and S3 object prefix
4. Call StartLogging to start event processing for the account

Steps 1 and 2 are called directly as the user to Amazon S3/SNS.
Steps 3 and 4 are the only AWS CloudTrail calls.
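Once the trail is delivering files, the "monitor for suspicious behavior" bullets on the previous slide become a matter of reading the JSON. The Go program below is an added example (not CloudTrail's own tooling, nor a SIEM rule set) that reviews one delivered log file with three rules a media operator would want first: API calls rejected with AccessDenied, bucket-permission changes from outside the corporate network, and calls that stop or delete the trail itself. The sample file, the user names, the IP addresses and the 10.0.0.0/8 "trusted" range are all constructed; the record fields (`eventName`, `sourceIPAddress`, `errorCode`, `userIdentity`) are the real CloudTrail field names, and real records carry many more fields that the parser simply ignores.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Record holds the CloudTrail fields this review uses.
type Record struct {
	EventTime       string `json:"eventTime"`
	EventSource     string `json:"eventSource"`
	EventName       string `json:"eventName"`
	SourceIPAddress string `json:"sourceIPAddress"`
	ErrorCode       string `json:"errorCode"`
	UserIdentity    struct {
		Type     string `json:"type"`
		UserName string `json:"userName"`
	} `json:"userIdentity"`
}

// TrailFile is the shape of one delivered log file: {"Records":[...]}.
type TrailFile struct {
	Records []Record `json:"Records"`
}

type Finding struct {
	Rule, User, Event, Source, Time string
}

// sampleTrail is a constructed log file; users, IPs and times are made up.
const sampleTrail = `{"Records":[
 {"eventTime":"2013-11-14T09:00:01Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",
  "sourceIPAddress":"10.1.2.3","userIdentity":{"type":"IAMUser","userName":"alice"}},
 {"eventTime":"2013-11-14T09:05:10Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy",
  "sourceIPAddress":"203.0.113.9","userIdentity":{"type":"IAMUser","userName":"bob"}},
 {"eventTime":"2013-11-14T09:06:44Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject",
  "sourceIPAddress":"10.1.2.4","errorCode":"AccessDenied","userIdentity":{"type":"IAMUser","userName":"bob"}},
 {"eventTime":"2013-11-14T09:30:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "sourceIPAddress":"10.1.2.5","userIdentity":{"type":"IAMUser","userName":"alice"}}
]}`

// Actions that change who can reach content, and actions that blind the audit trail.
var sensitiveActions = map[string]bool{"PutBucketPolicy": true, "PutBucketAcl": true, "DeleteBucket": true}
var trailTampering = map[string]bool{"StopLogging": true, "DeleteTrail": true}

func fromTrusted(ip string, nets []*net.IPNet) bool {
	addr := net.ParseIP(ip) // AWS service principals appear as DNS names here and parse to nil
	if addr == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(addr) {
			return true
		}
	}
	return false
}

// Review applies the three rules to one log file and returns what an analyst
// or SIEM rule would alarm on, in record order.
func Review(raw []byte, trustedCIDRs []string) ([]Finding, error) {
	var tf TrailFile
	if err := json.Unmarshal(raw, &tf); err != nil {
		return nil, err
	}
	var nets []*net.IPNet
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		nets = append(nets, n)
	}
	var out []Finding
	for _, r := range tf.Records {
		f := Finding{User: r.UserIdentity.UserName, Event: r.EventName, Source: r.SourceIPAddress, Time: r.EventTime}
		if r.ErrorCode == "AccessDenied" {
			f.Rule = "access-denied"
			out = append(out, f)
		}
		if sensitiveActions[r.EventName] && !fromTrusted(r.SourceIPAddress, nets) {
			f.Rule = "sensitive-action-from-untrusted-network"
			out = append(out, f)
		}
		if trailTampering[r.EventName] {
			f.Rule = "cloudtrail-tampering"
			out = append(out, f)
		}
	}
	return out, nil
}

func main() {
	findings, err := Review([]byte(sampleTrail), []string{"10.0.0.0/8"}) // constructed corporate range
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-40s user=%s event=%s source=%s at %s\n", f.Rule, f.User, f.Event, f.Source, f.Time)
	}
}
```

On the sample file this produces three findings; the routine GetObject from inside the trusted range produces none. The trail-tampering rule deliberately ignores the source address, since a StopLogging from the corporate network is exactly the event an MPAA auditor will ask about.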

Page 35: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Path to MPAA Best Practices Alignment

AWS layers (SOC 1/2, ISO 27001): Virtualization infrastructure, Network infrastructure, Physical infrastructure, Physical security, Facilities

Customer layers: Application, Security groups, Operating system, Access management, Network configuration

Third-Party Auditor

Page 36: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MPAA Alignment for Sony MCS

(Powered by AWS)

Page 37: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Sony Media Cloud Services

Who? On-demand cloud-based solutions designed to empower media professionals to create and securely manage high-value, high-resolution content.

Why? EXPONENTIAL GROWTH; SECURELY ORGANIZE, MANAGE & ARCHIVE

Page 38: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

PUTTING THE CLOUD TO WORK.

• TELEVISION EDITORIAL & LEGAL REVIEW
• MAJOR MOTION PICTURE DAILIES PREVIEWING
• SMALL BUDGET PRODUCTIONS & ORIGINAL CONTENT
• EMERGENCY CONTENT BACKUP
• ARCHIVED CONTENT
• MARKETING & STOCK FOOTAGE OPERATIONS

Page 39: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Sony MCS Alignment to MPAA

• Ensure security becomes part of tech team DNA

• Leverage internal + MPAA best practices

• Leverage AWS security features (IAM, VPC…)

• ISO 27001 certification preparation

• Vulnerability assessments – penetration testing

• Ongoing security program

• MCS alignment to MPAA Security Best Practices reviewed March 2013

Page 40: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

MCS – MPAA Content Security Best Practices Alignment

Infrastructure Security
• Facilities
• Physical security
• Network infrastructure
• Virtualization infrastructure

Logical Security
• Operating system
• Applications
• Security groups / VPCs
• Network config
• Account management

AWS Accelerators
• IAM
• VPCs
• S3 security features
• EC2 security features
• CloudFront security features

Diagram labels: Applications deployed on the AWS Cloud; Applications deployed on-premises

Page 41: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

WORKFLOWS AND CLOUD CHALLENGES

Workflow stages: UPLOAD/INGEST, LOG/REVIEW, ROUGH CUT, PREVIEW, VFX, ARCHIVE, STREAM/INTERACT, SEARCH/MANAGE, SHARE/DOWNLOAD

Roles: CREATIVE DIRECTOR, EDITOR, PRODUCER, LEGAL, MARKETING

Cloud challenges: Store/Process, Access Control, Stream/W-Mark, Integrity, Availability

Page 42: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Sony MCS AWS Security Considerations

Architecture diagram components: API Auto Scaling Group, UI Auto Scaling Group, Content Processing Auto Scaling Group, Transfer Cluster, RDS, NoSQL, S3, ElastiCache, SWF, Logging, Glacier, SES, CloudFront, STS (not shown: SQS)

Security considerations shown against the components:
• VPC isolation
• Security groups
• Other
• Signed URL / SSE / checksum
• Access control
• Monitoring
• Auth
• File check
• Virus scan
• Encrypted transfer
• W-mark / https
• Signed URL verification

Page 43: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Partner with AWS to Innovate on Security

AWS Controls

AWS IAM

Agile trust zones

(Security groups + VPC)

Standardized environments

AWS solution architects

AWS professional services

AWS premium support

AWS Trusted Advisor

AWS Partner Network

Page 44: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

More Information – Where to Go Next ..

• AWS Security Center (aws.amazon.com/security)

• AWS security white paper

• AWS security procedures

• AWS Compliance website (aws.amazon.com/compliance)

• AWS compliance white paper

• Third-party attestations, reports, and certifications

• AWS assurance programs

• Contact us

• Contact your sales team

• AWS help and support center

Page 45: Securing Media Content and Applications in the Cloud (MED401) | AWS re:Invent 2013

Please give us your feedback on this presentation

As a thank you, we will select prize winners daily for completed surveys!

MED 401