The Sponsors Perspective: Trust No One

There are many philosophies out there about who and when to trust. When it comes to securing high value assets, you really can’t be too careful.


This article was first published as part of Essential Guide: Making Cloud Systems Secure.

SaaS processing and storage offers great benefits to media companies:

  • Remote production workflows become easier and more affordable.
  • Collaborative work among geographically separated teams is simplified.
  • Resources scale to match the immediate demand.
  • Multi-stage processes are automated and consolidated.
  • Production costs are easily matched to asset revenue.
  • The list goes on…

But any member of the digital community has heard worrisome stories about distributed denial-of-service (DDoS) attacks, data breaches, and other digital security issues.

And while malicious actors make the headlines, researchers from Stanford University and the security firm Tessian found that approximately 88% of all data breaches are actually caused by an employee error [1]. So how do we ensure that valuable data remains secure?

The answer is Zero Trust. Zero Trust is not a manifestation of extreme paranoia. Rather, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating the assumption that any user that is inside the network firewall should have free access. A Zero Trust strategy continuously validates every stage of a digital interaction.

Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement to other hosts or applications, providing Layer 7 (application layer) threat prevention, and simplifying granular, “least access” policies.

Because Grass Valley’s AMPP is a SaaS solution that runs on any infrastructure, it can offer URLs to the public internet. Here’s what we’ve learned about keeping the production platform secure.

Require Every User To Sign On With Their Own Credentials

For small installations, user credentials can be configured inside the AMPP Identity service, where users have their passwords secured in a salted one-way hash. AMPP Identity can also be connected to a customer’s Identity Provider, to securely delegate authentication and authorization. An external Identity Provider can perform multifactor authentication if required.

Encrypt All Traffic

Following AMWA security recommendations for NMOS, AMPP only supports HTTPS encrypted traffic. This ensures that no man-in-the-middle attacks are possible while communicating with edge devices or user interfaces.

Secure Every Call To Every URL

A typical monolithic “lift and shift” deployment relies on a single password. Once that password is compromised, the entire system is vulnerable. AMPP keeps the simplicity of Single Sign On with assignable roles and responsibilities for each user – often through an external Active Directory – but takes security a step further with a modern microservice architecture.

Each microservice has its own URL. These URLs are assigned to specific units that perform specific tasks. Authorization checks are required when exchanging information between each of these units, so even if one unit is compromised there is no simple means of spreading out to other units.

All traffic inside the platform requires calls to carry an “OAuth2 OpenID Connect (OIDC) JSON Web Token.” That dense phrase strings together three related standards from different bodies into layered security. It means:

  • OAuth2: The tokens prove the source of the request is from an authorized user without providing the user’s password.
  • OpenID Connect (OIDC): The identity of the user making the request can be authenticated against an external source.
  • JSON Web Token (JWT): The token used for the request is digitally signed by a cryptographically secure signature to ensure nothing has been tampered with.

All this exchanging and validating of information takes place at speeds that never impact the real-time performance of the system.

Limit Duration Of Credentials

Each time AMPP users log in, their identity is issued a timeboxed JWT which is no longer valid after expiration. The software the users interact with must present this JWT to each RESTful endpoint it calls. Because these JWTs are time constrained, the window of opportunity for access to the system is narrow.

Because JWTs are constantly refreshed by all client-side libraries, if an admin changes the access rights for an individual, the next JWT issued will reflect the new access status.
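As an added illustration (not Grass Valley code) of the checks a microservice applies to the bearer token on every call described above, the block below mints a short-lived JWT and then verifies signature, issuer, audience, expiry and role before serving a request. It assumes an HS256 shared key and placeholder issuer/audience values; an IdP-backed deployment would verify against the provider's published public keys instead.

```python
import base64, hmac, hashlib, json

# Constructed demo key and placeholder issuer/audience (assumptions, not AMPP values).
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example/"
AUDIENCE = "media-api"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(subject: str, roles: list, ttl: int, now: int) -> str:
    """Issue a timeboxed HS256 JWT: valid from `now`, expires at now + ttl seconds."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "roles": roles, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: int, required_role: str) -> tuple:
    """Per-request check a service runs before acting. Returns (ok, subject-or-reason)."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed"
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust the token's choice
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return False, "bad signature"         # payload edited or token forged
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return False, "wrong issuer/audience" # token minted for another system
    if now >= claims.get("exp", 0):
        return False, "expired"               # timeboxed credential is no longer valid
    if required_role not in claims.get("roles", []):
        return False, "insufficient role"     # least-access check at this service
    return True, claims["sub"]
```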

Encrypt All Data Stores

Whether your data is stored on-prem or in the cloud, it needs to be protected while at rest as much as when it is being transported. Hence, all data stores in AMPP encrypt their data before storing, so that even if the content of these stores is compromised, the data is useless to the attacker, who has no ability to decrypt the content.

Secure Workloads

It’s not just humans that need authentication. All AMPP Workloads are issued with Client Credential Keys that limit their access to all APIs. In the same way that a human user needs to provide credentials to be authenticated and authorized, so do all software components. Client Credential Keys can be managed from within the AMPP Identity user interface.

Chris Merrill.

Audit, Audit, Audit

Just as malicious actors never stop trying to enter the system, AMPP never stops looking for weaknesses to strengthen. This constant process is part of the SOC 2 certification. Grass Valley has gone through a rigorous evaluation by a trusted third party to be accredited with SOC 2 compliance.

By implementing the latest in technology, AMPP conforms to the best practices of the IT industry. AMPP provides a reliable, secure work environment for creating valuable content. We’re not asking you to trust us. We’re asking you to put it to the test.
