Lock it Down: How to Keep Enterprise Video Safe and Secure
The use of video continues to grow across the enterprise—from large-scale, all-hands meetings to customer service to research and analysis—with some estimates showing the market growth of enterprise video products and services at more than 11 percent per year for the next 6 years, for a total anticipated market of almost $37 billion by the year 2020.
Given this uptick in enterprise video, there’s a corresponding and ever-increasing need to analyze which security approaches to implement. Some video content, whether it is intended for consumption inside or outside the firewall, needs to be embargoed to avoid leaking information prior to a product launch. Other content may need to be even more highly protected, such as video that contains competition-sensitive information.
This article explores content security on three levels: encryption (whether for content that’s being transported or stored), rights management, and content management. Along the way, we will also briefly touch on customized enterprise video platforms (EVPs) versus more generic EVPs.
This distinction of generic EVPs, customized EVPs, and even generic media asset management (MAM) solutions is key, since the majority of video solutions used within companies have their origins in online video platforms (OVP).
While OVPs and EVPs are not created equal, the expertise in content encryption tends to fall into the more mature OVP solutions. This isn’t to say that secure EVPs are lacking in encryption options, but the expertise of handling encrypted video content appears to reside within OVP support teams a bit more than EVP support teams.
Brightcove, a large OVP service provider, offers a few tips for encrypting Apple HTTP Live Streaming (HLS) for delivery to a variety of iOS devices. This flavor of HLS, called HLSe (for encrypted), uses the Advanced Encryption Standard (AES) as well as other technologies. Brightcove claims that there is “no detectable difference to video playback” when compared to standard HLS-segmented delivery.
The encryption for HLSe works at the segment level (an HTTP-based video is divided into multiple segments or chunks). At the point of ingestion and packaging for standard HLS segments, often 2–10 seconds in length, each segment file is encrypted.
HTTP-based delivery uses a manifest file (for Apple it’s a file designated with the .m3u8 extension), and this file is key to unlocking encryption of the segment files. The manifest files contain links to the keys for each segment, and the keys are switched out every 10 minutes (although Brightcove says its application programming interface (API) allows specific key rotation periods other than the default 10-minute one).
When content arrives at the HLS-capable device, whether it’s an iPhone or iPad or Mac or even an Android device, the license key approves the decryption of a specific media segment file. This continues until there are no more segment files or until the key is rendered invalid.
As with anything dealing with encryption, there are a few caveats. One of the biggest is that HTML5 playback of an HLSe segment may work, or it may not. As Brightcove notes in its support documents, “HLSe support is completely determined by the underlying OS/device” that uses an HTML 5 player.
Even for iOS devices, there’s a possibility that HLSe can introduce a number of oddities. For instance, Brightcove notes that, when a user has already played an HLSe-based video “on an Apple device and then attempts to replay it after the TTL [time-to-live] has expired, playback will fail to start, and will not provide an alert message to the user.”
When looking at encryption options for an OVP or an EVP, consider the fact that some solutions offer accounts that are either fully encrypted or not encrypted at all.
Brightcove notes that HLS encryption applies across an account, so if customers have “promotional or other videos you want to deliver without encryption, you can upload them to a different Video Cloud account without HLS encryption enabled.” In addition, any HLS content in an account that’s not encrypted will need to be fully re-transcoded prior to delivering as HSLe.
Content that has been encrypted may also be marked in such a way as to have additional security, in the form of rights management. If encryption is the lock, digital rights management (DRM) is one of the keys needed to unlock the content at a local player device.
“Encryption is the first step in a DRM deployment, but it’s not the only step,” said Christopher Levy, founder of BuyDRM in a recent Streaming Media East interview. “The encryption component creates a need then to express and create rights around content.” According to Levy, those rights are expressed in a license key that is sent to a device that is requesting playback.
“That license key then taps into either software- or hardware-based security that’s on the playback platform,” said Levy, “and enforces those rights—things like where content can be played, what happens if the user has a broken device or their computer hasn’t been individualized, what happens if they hit Chromecast or output to HDMI.”
Rights management works with unencrypted content as well as encrypted content. In the early days of Apple’s iTunes music downloads, the content was encrypted and had DRM. But in more recent years, the content itself is not encrypted, but there is a rights-management component to content downloaded from the iTunes store, to keep it from being too widely disseminated.
To properly work, then, DRM may require optional encryption, but must always contain the rights—rights expression language that explains the business rules and rights through the actual license fee—and then the actual license key.
EZDRM, a company that provides DRM as a service, notes the benefits of using a common encryption setup, such as the Common Encryption Scheme that is part of the MPEG-DASH media player standard.
“Having a common framework, with standards [that] we all vote on and agree on .... actually makes the content owners’ lives much simpler,” said David Eisenbacher, CEO and co-founder of EZDRM, in another interview from Streaming Media East. He adds that one of the benefits is that content owners don’t have to have seven different versions of their content: “They can have one, tie that into common encryption, and then the actual endpoint, the actual device, is able to work by its native abilities.”
For content that involves more than just a live stream, there’s a need to secure the assets themselves. From video on demand (VOD), such as recordings of live events intended to later be used for on-demand playback, to pseudo-live streams that have TiVo-like digital video recording (DVR) functionality, there’s a need for tamper-proof storage.
IT departments aren't as resistant to video as they once were, but there's still pushback. Here are five ways to get the conversation started.
Companies are increasing their reliance on live video in-house, and several of the most popular uses involve training workers, finds a Brandlive report.
Microsoft, Kaltura, Brightcove, and others are putting streaming video to use at work, creating cutting-edge features that any viewer would enjoy.
The company's enterprise platform customers can now deliver live streams to viewers while monitoring audience counts in real-time.
The questions companies need to answer: Build vs. buy? Cloud, on-premises, or hybrid? Here's what to decide before staring a search.
In an exciting period of revival, new features and new formats stemming from last year's entertainment solutions bring significant changes to the enterprise. Here are seven areas to watch.
The Haivision Media Platform promises secure low-latency live video from any location, and offers three editions for different needs.
Enterprise video vendors are touting a slew of new features, from enterprise YouTube to HTML5 support, but enterprises themselves—particularly in the financial sector—move slowly and face hurdles to adopting the latest technologies
Companies and Suppliers Mentioned