Content Security

Process Your VOD Files with Confidence

We take multiple steps to ensure the highest levels of security throughout the VOD workflow. This emphasis on safeguarding your content is why industry leaders such as NBCUniversal, WarnerMedia and Discovery Networks rely on us for processing their most precious assets.


Highlights

  • Job API calls and notifications sent over 256-bit SSL encryption

  • Ingestion support for encrypted source assets

  • Media processing and temporary storage completed with content never leaving highly secure AWS MPAA-aligned data centers

  • Content encryption and key registration support for a number of DRM technologies, including Widevine, PlayReady and FairPlay

  • Integration with third-party KMS providers, including BuyDRM, iStreamPlanet, Sky and others; CPIX support simplifies new KMS integrations

  • Okta support for proprietary identity providers, permitting single sign-on, centralized identity management, auditing and optional multi-factor authentication

Secure Workflow Option #1:
Encrypted S3 Asset as Source and Destination

AWS S3 integration support includes S3 bucket or user policies and ACL permissions to securely grant access to content with either an AWS Key/Secret or a Canonical ID, as well as pre-signed URLs for the source and destination URLs in your job request. Assumed Role support lets you define the permissions associated with individual API calls, ensuring that the scope of each request is limited to the minimum needed to support workflow operations. AWS Security Token Service can provide you with a set of temporary credentials that are specific to the role you want to assume.

[Figure: security-option01.png]

Secure Workflow Option #2:
Aspera Location as Source and Destination

Aspera FASP technology provides accelerated, encrypted ingestion and delivery.

[Figure: security-option02.png]

Application Architecture and Security

Tiered Application Architecture

The Vantage Gateway web application is multi-tiered into logical segments (front-end, mid-tier and data), each firewalled from the others. This ensures maximum protection while giving developers the flexibility of a multi-layer architecture.

Industry-Standard Programming Techniques

We leverage industry-standard programming techniques, such as documented development and quality-assurance processes, and we also follow guidelines such as those embodied in the OWASP ESAPI library to ensure that all applications meet security standards. In addition, all code is peer reviewed prior to being released to QA, which ensures that the engineering lead of each portion of the platform has approved any requested change to the platform.

Application Testing

All application changes undergo both automated and manual testing, including full functional testing in a QA environment, and full performance testing in a staging environment, before final deployment into production. Automated deployments are blue-green in nature, including a full regression test on the candidate environment before traffic is moved between the old and new commit. This thorough testing process ensures that if anything fails during any step, the production system is not compromised.

Vulnerability Testing

Web application security is evaluated continuously by our Security & Risk Management team in sync with the application release cycle. This vulnerability testing includes the use of commonly known web application security toolkits and scanners to identify application vulnerabilities before they are released into production. We also leverage third parties for periodic vulnerability assessments and penetration testing, ensuring our environment is secure and web transactions can occur with minimal risk from evolving threats.

System and Network Security

Production System Access

Only authorized members of the operations team have access to production systems. This means that no employee, contractor or person outside of this restricted group can physically enter the place where production systems reside.

Authentication Procedure

All our production systems are accessed through bastion hosts, and remote access to the bastion hosts requires multi-factor token-based VPN access.

Password Policies

We maintain strict password policy settings related to password strength, length and expiration time.

Access Logging

Production system access audit logs (success/failure) are stored both locally and in a central log repository. Access to the logs is restricted to appropriate personnel on the operations team.

Production Security Patching

We follow a strict process in which standard security patches are applied within 30 days of release and critical patches are applied as appropriate to the risk.

Software Build Process

All systems employ a standard build configuration defined by the operations team and vetted by Security & Risk Management. Changes to the standard build configuration follow the standard change management procedure.

Vulnerability Scans and Penetration Testing

Vulnerability scans are performed and reviewed weekly, and third parties are engaged periodically to perform both penetration and application vulnerability testing.

Firewalls

We leverage industry-standard enterprise firewalls for filtering traffic between the production environment and other internal corporate networks.

Monitoring

We monitor all production application and underlying infrastructure components 24/7/365 using dedicated NMS (Network Management Systems). Critical alerts are sent to on-call operations staff members and escalated as appropriate to operations management.