Cloud Broadcasting - Introduction to Security

In the last article on Cloud Broadcasting we looked at reliability and the client-server model in Amazon Web Services high availability zones. In this article, we look more at cloud security, a very emotive word in the IT community.

A bank can take an amount of cash, put it in a safe, weld the doors shut, enclose it in a four-foot-thick reinforced concrete box and bury it two hundred feet underground with no doors or staircase. We could continue for hours about how we improve the security for our cash; put a building over the container so nobody knows it’s there, delete all documentation, then end up with a solution that is so secure the money would probably decay before anybody could get their hands on it.

Draconian Methods

It’s fair to say we could make the storage so secure that the money would never be seen again. And here lies the problem, the solution starts to become insecure when we provide access to the cash. We have a door to the safe, steps to the underground chamber, signposts to the staircase. All potential areas of vulnerability.

Once we provide access we can start to improve security again using increasingly draconian methods; guards could be placed on the entrance to the staircase, electronic retina scanners could be used to open locked doors and all staff would need to be accredited. These seem like good security measures to stop thieves and anybody trying to break into our datacentre. However, any one of them can be easily defeated, not using hi-tech computer hacking methods, but simple old-school criminal behaviour as people are the weakest link in any security system.

Criminal Psychology

To build effective security systems we need to understand the psychology and behaviour of the criminal. What do they want from breaking in? What are they going to achieve? What is their true motivation? In our banking analogy, the answers to these are straightforward; it’s possible that some criminals have broken into banks for the challenge, but it’s more likely they want the cash.

Understanding criminal behaviour in the IT world is a whole different game. Terrorist attacks over the past ten years have demonstrated some people think differently to us, they possess strange ideologies that seem to support terrorist behaviour which is completely alien to most of us.

Analyzing data from network monitoring tools is a full time job and the amount of work needed can easily overwhelm IT departments.  (click to enlarge).

Analyzing data from network monitoring tools is a full time job and the amount of work needed can easily overwhelm IT departments. (click to enlarge).

Criminals still break into computer systems to gain cash, but we also have the added dimension of terrorists breaking into networks to show they can, gaining publicity they demonstrate a superiority which shows their perceived dominance.

Even gaining cash isn’t as simple as it used to be. Criminals lock important business files and send ransom notes to owners to unlock and release the data.

Always Playing Catchup

The biggest problem with IT security is that many of us simply do not think like criminals. If we did, we would be a criminal and wouldn’t bother coming into work each day. Although IT managers do a fantastic job of protecting their datacentres, they’re not in control of the entire system as users need to gain access to the network and data servers. As soon as we provide access the system becomes vulnerable.

Firewalls can stop outside attackers from trying to access the system, and anti-virus software can check for malicious code such as ransom-ware. But it’s always playing catch-up, the vendor of the firewall or anti-virus software must have had an attack on one of their other clients before they can send an update to you to protect your system.

Cannot Compete with AWS

Security is an exercise in risk management, not absolute truths and guarantees. No IT Manager in the world can guarantee a user system to be completely secure. If your private datacentre hasn’t been compromised, then it’s only a matter of time.

Cloud service providers like Amazon Web Services (AWS) do provide a good compromise and hope for the future. They have some of the best security network and infrastructure engineers in the world working on their systems twenty-four hours a day all year round. Few companies could hope to compete with their knowledge and experience, to the point where government agencies have started to use cloud services.

AWS reports on its web site that it has seventeen security certificates including the US Department of Defence Security Requirements Guide (DoD SRG), and a plethora of independent audits are regularly conducted to keep check on security.

Security starts with the users and they must play their part in keeping systems secure

Security starts with the users and they must play their part in keeping systems secure

Locations of datacentres is a closely guarded secret and AWS go to great lengths to restrict human access to the infrastructure. Power backups, fire detection and suppression, and temperature are constantly monitored and maintained where required. Even decommissioning of old hard disk drives is taken seriously, they are degaussed and physically damaged beyond repair, before disposal, all with appropriate audit controls in place.

Advanced Authentication

Network security includes limited points of access with firewalls and advanced monitoring systems at cloud access points. Traffic is constantly monitored for distributed denial of service attacks, man in the middle attacks, IP spoofing, port scanning and IP sniffing by other users. Dedicated teams of engineers are employed to deal with these issues when they occur.

Management access is provided using SSH public-key authentication as well as traditional login credentials to provide audit trails of whose logged in, and advanced levels of security to protect your system from unscrupulous attackers.

Personal Security

Although cloud service providers make their infrastructures and networks as secure as they can possibly be, they do rely on their clients making their software and access to their services secure. Appropriate risk management should be conducted by broadcasters to assess users access to the system.

Even in today’s security aware working environments, it’s not uncommon to see a yellow note stuck to the side of a computer monitor with the word “password” written on it. The best cloud security systems in the world cannot protect valuable data against this and CEO’s must support their IT department in enforcing personal security.

You might also like...

Designing IP Broadcast Systems: Routing

IP networks are wonderfully flexible, but this flexibility can be the cause of much frustration, especially when broadcasters must decide on a network topology.

Audio For Broadcast: Cloud Based Audio

With several industry leading audio vendors demonstrating milestone product releases based on new technology at the 2024 NAB Show, the evolution of cloud-based audio took a significant step forward. In light of these developments the article below replaces previously published content…

Future Technologies: New Hardware Paradigms

As we continue our series of articles considering technologies of the near future and how they might transform how we think about broadcast, we consider the potential processing paradigm shift offered by GPU based processing.

Standards: Part 10 - Embedding And Multiplexing Streams

Audio visual content is constructed with several different media types. Simplest of all would be a single video and audio stream synchronized together. Additional complexity is commonplace. This requires careful synchronization with accurate timing control.

Designing IP Broadcast Systems: Why Can’t We Just Plug And Play?

Plug and play would be an ideal solution for IP broadcast workflows, however, this concept is not as straightforward as it may first seem.