Lock it Down: How to Keep Enterprise Video Safe and Secure
Many countries, especially in Europe, require personal data to be stored in a secure fashion. Videos can be designated as personal data, which means that an EVP solution should at least offer the option. Most of the time, though, multinational corporations have business-related requirements that specific data should be stored in specific countries, for both compliance and governance reasons.
As such, a secure EVP must cater to these business needs by providing use-case-compliant storage options. As part of the audit process, there will also be a high likelihood that the EVP will be required to present its clients with legal documentation regarding how data processing is done and where a sample subset of files is stored.
Companies that focus on storage as their primary service, such as Box and DropBox, offer cloud-based storage solutions with varying degrees of security. Box, for instance, offers in-country storage as well as an alphabet soup of best practices compliance: ISO 27001, ISO 27018, SOC 1 (SSAE 16), PCI DSS, and FedRAMP, to name just a few.
Since videos can be easily posted and shared from a cloud storage account, it is the responsibility of the corporate IT group to verify that a cloud-based storage solution can curtail video content access in a way that it should only be available to a limited circle of employees—in other words, tight granular access control per user, per video.
While the big push for cloud-based storage is preventing data loss, the need for securing content—and extending security controls into the cloud for authentication, identity, and network—continues to advance. One area where security is becoming more prevalent is controls for security information and event management (SIEM).
The SIEM approach is a holistic approach, combining information management (IM) with event management (EM) as a way to gather relevant data about an enterprise’s security from multiple locations, viewing that information at a single point or with an overall purpose of spotting anomalies and trends for usage patterns that are out of the ordinary.
Another key area is mobile security, especially with the rise in bring-your-own-device- (BYOD) culture—employees using their personal tablets and other mobile devices for work-related functions. The BYOD approach to security essentially looks to protect the company’s data—whether it be apps or documents or videos—from the rest of the data or APIs on an inherently non-secure, consumer-focused device.
In a 2016 survey report by the LinkedIn Information Security Community, the topic of BYOD and mobile security was addressed by over 800 cybersecurity professionals. Even among these professionals, the fear around BYOD security far outweighed other concerns (such as employee privacy) by a factor of more than 3-to-1 (39 percent versus 12 percent, respectively) when it comes to BYOD adoption in the enterprise.
Yet the survey also noted that “half of the globe’s employers require BYOD by 2017,” setting up a huge amount of cognitive dissonance for IT teams and chief information officers. In addition, almost two-thirds of the CIO responses to the LinkedIn survey indicated that BYOD and mobile will have a major impact on their workforce—“as much, or more, than the Internet did in the 1990s.”
Buy Versus Build
While we don’t have space here to get into the weeds of a buy-versus-build decision for EVP solutions—and we covered parts of this in a 2017 Streaming Media Industry Sourcebook buyer’s guide—the fact is that security is often an overlooked factor when deciding between in-house and third-party solutions.
“Purpose-built EVP solutions are designed from the ground up like an enterprise application,” said Oliver Jäger, global vice president of marketing and communications at MovingImage, in another Streaming Media East interview. He adds that enterprise applications “provide granular permission systems, auditing support, and personal API access.”
Audit touchpoints are key, since this is how most secure EVP solutions will be assessed, short of an actual security breach.
According to MovingImage, the focus during security audits is usually authentication and authorization. “Having support for single-sign-on standards like SAML,” said Jäger, “and being able to map user, group, and role information from the corporate ActiveDirectory or LDAP system fulfills such security requirements.”
In addition, besides authorizing a user in a role-based or group-based enterprise environment, authentication of content sits alongside the overarching DRM functionality.
The need for authentication has been most prevalent in live-linear solutions like TV Everywhere, with authentication occurring based on a consumer’s cable service subscription. In the enterprise, though, there’s a bigger need for authentication of content. Internal videos should be kept internal, which means basic authentication is essential to verifying that only intranet clients are allowed to watch certain videos.
Authenticated streaming makes sure that embedded videos are only watchable by those who are allowed to do so. This makes the most sense if the stream is encrypted, offering a trifecta of security options that we’ve covered above: encryption, rights management, and asset management.
Trying to retrofit an OVP solution into an enterprise-specific solution may add an increased burden on the information technology teams—for instance, trying to retrofit even basic “table stakes” functionality for critical enterprise requirements like security. This is oftentimes only possible on a feature level, making it very hard to guarantee things like access control throughout the software.
Rainer Zugehoer, founder and CEO of MovingImage, sums up this concept nicely: “It is not enough to rename an OVP and call it EVP, by simply making some adjustments on the feature level and expecting it to meet enterprise security requirements. A proper EVP has to be built from the ground up for the enterprise, with scalability, security, and application integration in mind.”
[This article appears in the July/August 2017 issue of Streaming Media Magazine as "Lock it Down."]
IT departments aren't as resistant to video as they once were, but there's still pushback. Here are five ways to get the conversation started.
Companies are increasing their reliance on live video in-house, and several of the most popular uses involve training workers, finds a Brandlive report.
Microsoft, Kaltura, Brightcove, and others are putting streaming video to use at work, creating cutting-edge features that any viewer would enjoy.
The company's enterprise platform customers can now deliver live streams to viewers while monitoring audience counts in real-time.
The questions companies need to answer: Build vs. buy? Cloud, on-premises, or hybrid? Here's what to decide before staring a search.
In an exciting period of revival, new features and new formats stemming from last year's entertainment solutions bring significant changes to the enterprise. Here are seven areas to watch.
The Haivision Media Platform promises secure low-latency live video from any location, and offers three editions for different needs.
Enterprise video vendors are touting a slew of new features, from enterprise YouTube to HTML5 support, but enterprises themselves—particularly in the financial sector—move slowly and face hurdles to adopting the latest technologies
Companies and Suppliers Mentioned