Best Practices for Premium Video Streaming, Part 6: Content Protection

Best practices for security in commercial video streaming are becoming increasingly complicated. Distributors must contend with complexities in content protection as well as the need for new levels of defense against operational disruption.

When it comes to content protection, distributors must be able to accommodate many factors that have a direct bearing on which digital rights management (DRM) platforms are used, whether there’s a need for forensic watermarking, and which other advanced protection mechanisms might be required. But the emergence of watermarking and other new requirements introduces additional uncertainty for distributors taking advantage of UHD, early window releases, and VR. At the cybersecurity level, media and entertainment companies have entered a new era in which the risks of disruption, intrusion, and personal identity theft require further protections.

This piece explores the conditions mandating new levels of security and recommendations for best practices in both the content protection and cybersecurity spaces.

Trends and Issues Impacting Content Protection Policies

Many of the procedures content suppliers set for OTT consumption have become fairly routine for distributors. But, in planning business strategies, it’s important for distributors to learn firsthand what a licensor’s protection policy will be for granting them rights to a given category or use of content rather than making assumptions.

Accommodating Protection Requirements in the SD and HD Domains

The lowest level of content protection streams content in the clear and relies on authentication tokens issued to authorized users to prevent link sharing. In some cases, distributors use a basic level of encryption with Advanced Encryption Standard (AES) 128, delivering decryption keys only to token-authorized recipients. This mode of protection is commonly used for older SVOD content without policy terms relating to copying or redistribution.

License holders often require more rigorous protection or geo-restrictions for new or live HD content, such as services that detect user requests coming from VPNs and DNS proxies, as well as DRM systems that set policy restrictions for on-demand distribution. Industry consolidation on specific DRM systems has made providing this level of protection much easier for distributors, but industry standards are still evolving.

Distributors must take policies for different formats into account when setting up DRM. On-demand content typically uses a single key from the DRM server for as long as the session is active. But live streaming now requires key refreshment at regular intervals. Timely provisioning and delivery of protection and authentication mechanisms is also essential for live programs that may spike in viewership, such as sporting or special events. Without backup capacity, user session requests can linger on DRM servers, resulting in delays.
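The token-gated AES-128 key delivery and the live key refreshment described in this section can be sketched together. This is an added example, not code from the article or from any DRM product; the token layout, the HMAC-based key derivation, the 60-second rotation interval and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TOKEN_SECRET = os.urandom(32)   # assumption: shared by token issuer and key server
MASTER_SECRET = os.urandom(32)  # assumption: known only to the key server
ROTATION_SECONDS = 60           # assumption: live keys refresh every 60 seconds


def _sign(payload: str) -> str:
    return hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, content_id: str, expires_at: int) -> str:
    """Bind user, content and expiry so a shared link stops working on expiry."""
    payload = f"{user_id}|{content_id}|{expires_at}"
    return f"{payload}|{_sign(payload)}"


def verify_token(token: str, content_id: str, now: int) -> bool:
    try:
        user_id, tok_content, expires_at, sig = token.split("|")
        expiry = int(expires_at)
    except ValueError:          # wrong field count or non-numeric expiry
        return False
    expected = _sign(f"{user_id}|{tok_content}|{expires_at}")
    # Constant-time comparison avoids leaking how much of the signature matched.
    return (hmac.compare_digest(sig.encode(), expected.encode())
            and tok_content == content_id and now < expiry)


def content_key(content_id: str, now: int, live: bool):
    """Return (key_period, 16-byte key). VOD keeps period 0 for the whole session;
    live content moves to a new period, and so a new key, every ROTATION_SECONDS."""
    period = now // ROTATION_SECONDS if live else 0
    msg = f"{content_id}|{period}".encode()
    return period, hmac.new(MASTER_SECRET, msg, hashlib.sha256).digest()[:16]


def request_key(token: str, content_id: str, now: int, live: bool):
    """Key endpoint: the decryption key goes only to token-authorized callers."""
    if not verify_token(token, content_id, now):
        return None
    return content_key(content_id, now, live)
```

Because the key for a period is derived rather than stored, any key server replica holding the master secret can answer a request, which is one way to add the backup capacity a viewership spike calls for.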

Meeting Protection Requirements for UHD 4K and Other High-End Services

MovieLabs, the research and development joint venture started by the six major motion picture studios, recently issued the Enhanced Content Protection (ECP) recommendations to address online privacy and new video formats. While not yet widely required, they may spell additional operations costs for distributors as new requirements emerge.

Most prominently, these include the insertion of forensic watermarks into content streams, a requirement commonly associated with the emergence of UHD content but which could attach to HD content for early release windows or high-profile live content streaming. Such requirements are also forming as streaming VR content becomes more common.

Beyond watermarking, advanced protection requirements recommended by MovieLabs include:

  • “Factory burned” hardware roots of trust to provide a secure mechanism for locally storing encryption keys
  • Software renewability of DRM supported in hardware
  • Secure media path end-to-end, including the transition from external to in-home networks and other measures that have not been part of the typical streaming licensing paradigm

There is still much to be worked out when it comes to watermarking. By the studios’ standards, watermarks must be injected into the content either by the device at playback or from the server on a session-by-session basis. Either way, distributors need vendors that can provide full support for automating content pre-processing to enable on-the-fly watermarking on live content. Watermarking vendors and CDNs should integrate in a robust manner to do A/B switching on the edge at scale, using the per-session unique watermark ID (A/B pattern).
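The A/B switching described above, and the recovery of the session ID from a captured stream, can be shown in a few lines. This is an added example, not code from the article or from any watermarking vendor; the 16-bit ID length, the segment naming and the function names are assumptions, and the per-segment detector output is constructed input.

```python
from collections import Counter

ID_BITS = 16  # assumption: 16-bit per-session watermark ID, repeated cyclically


def variant_for_segment(watermark_id: int, segment_index: int) -> str:
    """Edge decision: serve the pre-processed A copy for bit 0, the B copy for bit 1."""
    bit = (watermark_id >> (segment_index % ID_BITS)) & 1
    return "B" if bit else "A"


def manifest_for_session(watermark_id: int, first_segment: int, count: int) -> list:
    """Segment list one session receives; every session gets a different A/B mix."""
    return [f"seg{n:05d}_{variant_for_segment(watermark_id, n)}.ts"
            for n in range(first_segment, first_segment + count)]


def recover_id(observations):
    """Rebuild the session ID from (segment_index, 'A' | 'B' | None) pairs produced
    by a watermark detector run on a captured stream (None = segment unreadable).

    Each bit position is decided by majority vote across the repetitions seen.
    Returns None when a position was never observed or its votes are tied, so a
    capture that is too short never yields a wrong session.
    """
    votes = [Counter() for _ in range(ID_BITS)]
    for index, variant in observations:
        if variant in ("A", "B"):
            votes[index % ID_BITS][variant] += 1
    recovered = 0
    for position, tally in enumerate(votes):
        if tally["A"] == tally["B"]:   # covers "no data" as well as ties
            return None
        if tally["B"] > tally["A"]:
            recovered |= 1 << position
    return recovered
```

Refusing to answer on incomplete or tied evidence matters operationally, since a misattributed ID would point enforcement at a legitimate session.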

Moreover, to be effective, watermarking must be backed by broad cooperation on the use of these invisible codes to track and shut down illicit operators. CDN services should leverage relationships with forensic watermarking solutions and enforcement services to help distributors by shutting down illicit live broadcast streams or unauthorized sessions in real-time. Such relationships require a commitment by CDN operators to validate the trustworthiness of alerts to avoid shutdown of legitimate streams. CDN services can also help facilitate server-side watermarking, enabling providers to interact directly with individual session streams to insert streaming segments with the watermarks.

Addressing Soaring Cybersecurity Threats

The need for cybersecurity protection has become more urgent as the global surge in attacks such as credential stuffing, distributed denial of service (DDoS), automated bots, hacking intrusions, and others signals that the threat to providers of video streaming services can no longer be ignored.

Credential Stuffing Attacks

One area of rapidly increasing malicious activity that demands the attention of streaming providers is the rise of “credential stuffing attacks,” which are automated trial-and-error attacks on login fields to discover usable combinations of usernames and passwords. A variation of this attack involves the attackers creating a large number of trial accounts.

According to an Akamai report, more than 40% of global login attempts are attributable to malicious bot-driven credential stuffing attacks. Akamai saw almost 400 million such attacks against media and entertainment customers in a single month in Q4 2017.

By compromising multiple accounts to a streaming service, attackers are able to evade DRM by pivoting between user accounts as they are blocked by the streaming service, download the entirety of a service’s VOD assets, and set up their own for-profit pirated live streaming service that still functions when one stream token is disabled. They then steal users’ payment and other personal data and generate spam reviews and ratings. A similar “switch between user accounts” attack can be used to download all of a service’s video-on-demand content.
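On the detection side, the automated trial-and-error logins described in this section leave a recognizable pattern in authentication logs: one source trying many different usernames, almost all of them failing. The following is an added example, not code from the article or from Akamai; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, one event per line: "epoch_seconds source_ip username result"
SAMPLE_LOG = (
    [f"{1000 + 5 * i} 198.51.100.9 user{i}@example.com {'OK' if i == 7 else 'FAIL'}"
     for i in range(12)]                                    # one source, many accounts
    + [f"{1000 + 20 * i} 203.0.113.7 alice@example.com FAIL" for i in range(4)]
    + ["1100 203.0.113.7 alice@example.com OK",             # forgetful real user
       "1200 192.0.2.10 bob@example.com OK",                # household behind one IP
       "1260 192.0.2.10 carol@example.com OK",
       "garbage line"]                                      # malformed, must be skipped
)


def parse(line):
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result == "OK"


def detect_stuffing(lines, window=300, min_users=10, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window` seconds, try at least `min_users`
    distinct usernames with a failure ratio of at least `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for line in lines:
        try:
            ts, ip, user, ok = parse(line)
        except ValueError:
            continue
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(win), "failures": fails}
                break
    return flagged
```

Counting distinct usernames rather than raw failures keeps a user who mistypes a password several times from being flagged. A per-source rule like this one misses attempts spread thinly across many addresses, so it complements bot detection rather than replacing it.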

Defacement and Watering Hole Attacks

Sometimes, the websites hosting streaming content are attacked simply because they have a large viewership. In a defacement, the attacker alters the site content to display their message, usually around geopolitical issues associated with a live streaming event location. In the case of a watering hole attack, the site is compromised and used to distribute malware to the end user.

Distributed Denial of Service

In 2017, DDoS attacks worldwide as registered by Akamai’s analysis of traffic on its CDN rose by 14% in Q4 compared to the previous year. Akamai’s and others’ research shows that DDoS and website attacks are more costly to enterprises using the internet than any other modes of attack instigated by outsiders, measuring on par with cybercrimes committed by insiders.

Internal Data Breach

Most enterprises have a large variety of internal data that is targeted by attackers: finance and payments, internal IT, contracts, and human resources. In the case of streaming services, they also have high-quality versions of content (mezzanine files), viewer data, and content licenses. This allows traditional enterprise attacks such as phishing, malware, ransomware, and more to impact the streaming service in the form of lost assets, investigation costs, and loss of service.

A related class of attacks has to do with weak defenses against misuse of authorized, or over-privileged, network access by outside contractors and other third parties. Once access credentials have been compromised, attackers are free to roam through the victim’s network until target data is identified.

Protection against such threats is especially challenging in video distribution. Content producers regularly outsource preparation functions, including mezzanine-level encoding and transcoding for OTT streaming. Simply granting network-level access through traditional approaches like VPNs to all these parties, and trusting that they are not coming into the internal environment with infected devices, poses an unacceptable risk.

There is no question that the risks OTT providers face from security breaches and content protection will continue to grow. Each company assessing what precautions to take should consider the likelihood they will need additional layers of protection as time passes. As they take their initial steps in cybersecurity and content protection, it’s essential that their measures have the reach, analytic intelligence, and solutions sufficient to meet future needs.

[This is a vendor-contributed article from Akamai. Streaming Media accepts articles from vendors based solely on their value to our readers.]
