The Sponsors Perspective: Trust No One

There are many philosophies out there about who and when to trust. When it comes to securing high value assets, you really can’t be too careful.

This article was first published as part of Essential Guide: Making Cloud Systems Secure.

SaaS processing and storage offers great benefits to media companies:

  • Remote production workflows become easier and more affordable.
  • Collaborative work among geographically separated teams is simplified.
  • Resources scale to match the immediate demand.
  • Multi-stage processes are automated and consolidated.
  • Production costs are easily matched to asset revenue.
  • The list goes on…

But any member of the digital community has heard worrisome stories about distributed denial-of-service (DDoS) attacks, data breaches, and other digital security issues.

And while malicious actors make the headlines, researchers from Stanford University and the security firm Tessian found that approximately 88% of all data breaches are actually caused by an employee error. So how do we ensure that valuable data remains secure?

The answer is Zero Trust. Zero Trust is not a manifestation of extreme paranoia. Rather, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating the assumption that any user that is inside the network firewall should have free access. A Zero Trust strategy continuously validates every stage of a digital interaction.

Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement to other hosts or applications, providing Layer 7 (application layer) threat prevention, and simplifying granular, “least access” policies.

Because Grass Valley’s AMPP is a SaaS solution that runs on any infrastructure, it can offer URLs to the public internet. Here’s what we’ve learned about keeping the production platform secure.

Require Every User To Sign On With Their Own Credentials

For small installations, user credentials can be configured inside the AMPP Identity service, where users have their passwords secured in a salted one-way hash. AMPP Identity can also be connected to a customer’s Identity Provider, to securely delegate authentication and authorization. An external Identity Provider can perform multifactor authentication if required.

Encrypt All Traffic

Following AMWA security recommendations for NMOS, AMPP only supports HTTPS encrypted traffic. This ensures that no man-in-the-middle attacks are possible while communicating with edge devices or user interfaces.

Secure Every Call To Every URL

A typical monolithic “lift and shift” development uses a single, simple password. Once that password is compromised, the entire system is vulnerable. AMPP keeps the simplicity of a Single Sign On with assignable roles and responsibilities for each user – often through an external Active Directory – but takes security a step further with a modern microservice architecture.

Each microservice has its own URL. These URLs are assigned to specific units that perform specific tasks. Authorization checks are required when exchanging information between each of these units, so even if one unit is compromised there is no simple means of spreading out to other units.

All traffic inside the platform requires URLs to carry an “OAuth2 OpenID Connect (OIDC) JSON Web Token.” That complex statement strings together three different security schemes from different providers into a multilayered defence. It means:

  • OAuth2: The tokens prove the source of the request is from an authorized user without providing the user’s password.
  • OpenID Connect (OIDC): The identity of the user making the request can be authenticated against an external source.
  • JSON Web Token (JWT): The token used for the request is digitally signed by a cryptographically secure signature to ensure nothing has been tampered with.

All this exchanging and validating of information takes place at speeds that never impact the real-time performance of the system.

Limit Duration Of Credentials

Each time AMPP users log in, their identity is issued a timeboxed JWT which is no longer valid on expiration. The software the users interact with must provide their secure JWT to each RESTful endpoint they call. Because these JWTs are time constrained, they narrow the window of opportunity for access to the system.

Because JWTs are constantly refreshed by all client-side libraries, if an admin changes the access rights for an individual, the new JWT issued will reflect the new access status.

Encrypt All Data Stores

Whether your data is stored on-prem or in the cloud, it needs to be protected while at rest as much as when it is being transported. Hence, all data stores in AMPP encrypt their data before storing, so that even if the content of these stores is compromised, the data is useless to the attacker, who has no ability to decrypt the content.

Secure Workloads

It’s not just humans that need authentication. All AMPP Workloads are issued with Client Credential Keys that scope their access to the APIs. In the same way that a human user needs to provide credentials to be authenticated and authorized, so do all software components. Client Credential Keys can be managed from within the AMPP Identity user interface.
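The three preceding sections (the signed JWT carried on every call, the time-boxed token that is reissued when access rights change, and the client-credential keys that workloads present) can be shown end to end in one small model. The code below is an added example, not AMPP's own implementation: a constructed issuer mints HS256 JWTs for either a human login or an OAuth2 client-credentials grant, and a `verify_token` function plays the part that every endpoint performs before serving a request. The issuer URL, audience name, user directory and workload registry are all placeholders invented for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, List, Optional

# Constructed values for this example; a real deployment takes them from the
# identity service's configuration. The key is known only to the token issuer
# and the services that verify tokens.
ISSUER = "https://identity.example.invalid"   # placeholder issuer URL
AUDIENCE = "platform-api"                     # placeholder audience name
SIGNING_KEY = os.urandom(32)                  # HMAC-SHA256 key (HS256)

# Constructed directory of human users and their current roles; stands in for
# the external Identity Provider / Active Directory the article mentions.
USER_ROLES: Dict[str, List[str]] = {"alice": ["media.read", "jobs.write"]}

# Constructed workload registry. A client secret is a long random value, so a
# plain SHA-256 with a constant-time compare is enough to avoid storing it in
# clear; user passwords would instead need a salted, slow hash.
WORKLOAD_CLIENTS = {
    "transcoder-01": {
        "secret_sha256": hashlib.sha256(b"constructed-secret").hexdigest(),
        "roles": ["media.read", "jobs.write"],
    }
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles: List[str], ttl_seconds: int,
                now: Optional[int] = None, token_type: str = "user") -> str:
    """Mint a signed, time-boxed HS256 JWT carrying the subject's roles."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "iat": now,
              "exp": now + ttl_seconds, "roles": roles, "token_type": token_type}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def login(subject: str, now: Optional[int] = None) -> str:
    """Interactive login: the token reflects the roles held at issue time."""
    return issue_token(subject, USER_ROLES[subject], ttl_seconds=900, now=now)


def client_credentials_grant(client_id: str, client_secret: str,
                             now: Optional[int] = None) -> Optional[str]:
    """OAuth2 client-credentials flow for a workload: secret in, short-lived JWT out."""
    record = WORKLOAD_CLIENTS.get(client_id)
    if record is None:
        return None
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["secret_sha256"]):
        return None
    return issue_token(client_id, record["roles"], ttl_seconds=300, now=now,
                       token_type="workload")


def verify_token(token: str, required_role: str,
                 now: Optional[int] = None) -> Optional[dict]:
    """What an endpoint does before serving a call: return the claims only if
    the signature, issuer, audience, expiry and role all check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the verifier decides it, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None   # any change to header or claims breaks the signature
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None   # expired: the client must obtain a fresh token
    if required_role not in claims.get("roles", []):
        return None
    return claims
```

The model also makes the timing caveat behind "limit duration of credentials" visible: after an administrator removes a role from the directory, the next token issued no longer carries it, but a token issued earlier stays valid until its `exp`. The short lifetime is what bounds that lag, which is why user tokens here live 15 minutes and workload tokens 5.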

Chris Merrill.

Audit, Audit, Audit

Just as malicious actors never stop trying to enter the system, AMPP never stops looking for weaknesses to strengthen. This constant process is part of the SOC 2 certification. Grass Valley has gone through a rigorous evaluation by a trusted third party to be accredited with SOC 2 compliance.

By implementing the latest in technology, AMPP conforms to the best practices of the IT industry. AMPP provides a reliable, secure work environment for creating valuable content. We’re not asking you to trust us. We’re asking you to put it to the test.
