Vendors, large and small, from across the industry, will no doubt be talking about or showing off their new cloud enabled/based/compatible/native product offerings. And for good reason. The cloud has a lot to offer broadcasting and it would almost be negligent of those responsible for technology, product and service selection within a media organisation not to be at least familiar with developments in this area.
However, there are some common reservations and concerns that potential and actual users of today’s cloud services hold. One of the more prominent is security, or perceived lack of it, in shared public cloud environments. There are good and obvious reasons for such concern – moving high value content and data out of the known visible confines of a private facility, into the ethereal virtual world of the cloud, carries a different risk profile. The controls, procedures and systems used to protect our private estates simply don’t transfer, unaltered, into this radically different environment.
But it would be a mistake to suggest that the cloud is not secure, or at least that it cannot be secure. The first thing to understand is how the responsibility for security is shared between your organisation and the public cloud provider. The provider will typically protect the physical security of their facility and the equipment installed within in. This includes the building perimeter, physical location, internal access and everything upto and including the hypervisors that host your virtual machines. And they do this very well. If you have had the unusual opportunity to visit a public cloud datacenter, as I have, it will almost certainly compare favourably to your own private equivalent.
So that’s that then, it’s very secure. Well yes and no. While you inherit some of the best facility security around, you, or your service provider, take responsibility for what is built on top of it. Here are some important points to consider:
Your cloud provider should offer a vast array of identity and access management controls that determine who, what and when a resource can operate or be operated on. Use these wisely and with the appropriate level of granularity to provide only the level of access necessary to perform a given task at a given time. You will also have to replicate this level of control within your own applications and services.
Log everything. Storage is cheap in the cloud, so don’t be afraid to be highly verbose in tracking every action performed across your cloud infrastructure and applications. However, be clear on the security objectives of this data and ensure you fully understand and respect data privacy and all relevant legislation.
This is particularly important. Your media assets are hosted in a shared domain, encrypt every asset with a unique key backed up by a secure key management implementation. If your access controls let you down, make sure your content is still protected. Don’t simply rely on at-rest-encryption provided by your cloud provider. That will protect you against physical attack on a disk storage subsystem but won’t prevent an attacker who presents the appropriate access credentials from open access to your content. Take great care to protect the key management infrastructure and the key material itself – accidental or malicious loss here could spell disaster.
This blog has merely scratched the surface of this topic. Security in public cloud environments is a genuine concern. However, with a well designed implementation that’s takes advantage of what your cloud provider offers on the facility side, with those that protect your applications, assets and data, you can build not just highly secure systems but an overall level of security that might put your private environment to shame.
Steve Plunkett, Chief Technology Officer.