This text was a contribution from Grass Valley, and was part of the Essential Guide: Making Cloud Systems Secure, published by The Broadcast Bridge. This Essential Guide shows how to make cloud systems secure for media companies by using a Zero Trust approach to cybersecurity. Download the complete Essential Guide for free here.

This article was written by:

Chris Merrill, Director of Strategic Marketing

There are many philosophies out there about who and when to trust. When it comes to securing high value assets, you really can’t be too careful. 

SaaS processing and storage offers great benefits to media companies:

• Remote production workflows become easier and more affordable.
• Collaborative work among geographically separated teams is simplified.
• Resources scale to match the immediate demand.
• Multi-stage processes are automated and consolidated.
• Productions costs are easily matched to asset revenue.
• The list goes on…

But any member of the digital community has heard worrisome stories about distributed denial-of-service (DDoS) attacks, data breaches, and other digital security issues.

And while malicious actors make the headlines, researchers from Stanford University and the security firm Tessian found that approximately 88% of all data breaches are actually caused by an employee error. So how do we ensure that valuable data remains secure?

The answer is Zero Trust. Zero Trust is not a manifestation of extreme paranoia. Rather, Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating the assumption that any user that is inside the network firewall should have free access. A Zero Trust strategy continuously validates every stage of a digital interaction.

Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern environments and enable digital transformation by using strong authentication methods, leveraging network segmentation, preventing lateral movement to other hosts or applications, providing Layer 7 (application layer) threat prevention, and simplifying granular, “least access” policies.

Because Grass Valley’s AMPP is a SaaS solution that runs on any infrastructure, it can offer URLs to the public internet. Here’s what we’ve learned about keeping the production platform secure.

Require Every User To Sign On With Their Own Credentials

For small installations, user credentials can be configured inside the AMPP Identity service, where users have their passwords secured in a salted one-way hash. AMPP Identity can also be connected to a customer’s Identity Provider, to securely delegate authentication and authorization. An external Identity Provider can perform multifactor authentication if required.

Encrypt All Traffic

Following AMWA security recommendations for NMOS, AMPP only supports HTTPS encrypted traffic. This ensures that no man-in-the-middle attacks are possible while communicating with edge devices or user interfaces.

Secure Every Call To Every URL

A typical monolithic “lift and shift” development uses a simple password. Once the initial password is compromised then the entire system is vulnerable. AMPP keeps the simplicity of a Single Sign On with assignable roles and responsibilities for each user – often through an external Active Directory – but takes security a step farther with a modern microservice architecture.

Each microservice has its own URL. These URLs are assigned to specific units that form specific tasks. Authorization checks are required when exchanging information between each of these units, so even if one unit is compromised there is no simple means of spreading out to other units.

All traffic inside the platform requires URLs to carry an “OAuth2 OpenID Connect (OIDC) JSON Web Token.” That complex statement strings together three different security schemas from different providers in multilayered security. It means:

• OAuth2: The tokens prove the source of the request is from an authorized user without providing the user’s password.
• OpenID Connect (OIDC): The identity of the user making the request can be authenticated against an external source.
• JSON Web Token (JWT): The token used for the request is digitally signed by a cryptographically secure signature to ensure nothing has been tampered with.

All this exchanging and validating of information takes place at speeds that never impact the real-time performance of the system.

Limit Duration Of Credentials

Each time AMPP users log in, their identity is issued a timeboxed JWT which is no longer valid on expiration. The software the users interact with must provide their secure JWT to each RESTful endpoint they call. Because these JWTs are time constrained, it narrows the window opportunity for access to the system.

Because JWTs are constantly refreshed by all client-side libraries, if an admin changes the access rights for an individual, the new JWT issued will reflect the new access status.

Encrypt All Data Stores

Whether your data is stored on-prem or in the cloud, it needs to be protected while at rest as much as when it is being transported. Hence, all data stores in AMPP encrypt their data before storing, so that even if the content of these stores is compromised, the data is useless to the attacker, who has no ability to decrypt the content.

Secure Workloads

It’s not just humans that need authentication. All AMPP Workloads are issued with Client Credential Keys that limit their access to all APIs. In the same way that a human user needs to provide credentials to be authenticated and authorized, so do all software components. Client Credential Keys can be managed from within the AMPP Identity user interface.

Audit, Audit, Audit

Just as malicious actors never stop trying to enter the system, AMPP never stops looking for weaknesses to strengthen. This constant process is part of the SOC 2 certification. Grass Valley has gone through a rigorous evaluation by a trusted third party to be accredited with SOC 2 compliance.

By implementing the latest in technology, AMPP conforms to the best practices of the IT industry. AMPP provides a reliable, secure work environment for creating valuable content. We’re not asking you to trust us. We’re asking you to put it to the test.