Enterprise Rushes to the Cloud, Yet Significant Hurdles Remain
The concept of the cloud -- whether for encoding, transcoding, distribution, or all three -- holds promise for the enterprise. There’s enough promise that a panelist on one recent Streaming Media West panel said that, if he had to start from scratch, he’d move his enterprise video platform (EVP) to the cloud.
It’s not hard to see why. Cloud-based EVPs offer the chance to shift the heavy lifting of dozens of servers away from capital-expense (CAPEX)-heavy server farm purchases -- hardware that may see significant use only once per quarter, during the CEO’s all-hands meeting -- and toward an on-demand, per-instance model that also removes the operating expense (OPEX) of maintaining those oft-idle servers.
Still, as the media and entertainment industry has found out, the cloud is not perfect. Several major hurdles remain before it offers a better overall solution.
Security and the Cloud
One major issue upon which vendors and enterprise video managers agree is the need for strict security policies, especially as bring-your-own-device (BYOD) programs within the enterprise are on a path to outpace employer-provided devices.
Many of these devices are now being used to consume internal-facing video communications, which requires -- at a minimum -- sandboxing of corporate content on the employee’s device. In addition, there are three primary security factors to consider when using the cloud for streaming content: user authentication, asset security, and streaming security.
Tom Wilde, CEO at RAMP, says security around user authentication starts at home.
“Be certain that the platform you select can integrate with your existing user authentication approach, such as Active Directory or LDAP,” says Wilde. “Approach this either by selecting a vendor that can integrate into your existing intranet or content management platform (i.e., SharePoint) or via Single Sign On.”
On the consumer web, single sign-on (SSO) lets a user who already holds an account with one provider -- say Twitter, Facebook, or Gmail -- reuse those credentials to log in to another site instead of creating yet another password. According to Wilde, in the enterprise video streaming world this means that “the video platform should pass through the user’s login info they already use for their network.”
A further option for user authentication is to require employees to view content over a virtual private network (VPN), which addresses user authentication and asset security at the same time.
Denis Khoo, CTO of MediaPlatform, says that the VPN approach is often the first solution enterprises deploy.
“They originate the mobile stream (generally HLS) from inside the firewall,” says Khoo, “and require external mobile devices to VPN in and pull the stream over the VPN.”
Khoo says the success of the VPN-based streaming approach leads to an additional problem.
“This works for a limited number of external mobile viewers, and can quickly consume the VPN concentrator,” he says. “This is when an enterprise then decides to move to the second approach.”
The second approach Khoo sees companies embracing is to use the cloud to deliver playback directly to BYOD devices, which requires security beyond the user authentication and asset protection that a VPN-based solution provides.
“In the second approach, where the external mobile device pulls directly from the internet,” says Khoo, “we strongly advise securing the mobile stream above and beyond application-level authorization.”
Khoo’s point is well-taken: some enterprise IT departments will build a company-only application for one or several mobile device types and then try to limit its distribution to employees. Khoo calls this “security through obscurity.”
MediaPlatform advises its customers to secure mobile video viewing on employee devices via methods such as CDN token authentication, CDN player verification, and HLS stream encryption.
“Application-level authorization sometimes relies on security through obscurity,” says Khoo, “rather than securing the actual stream. As a best practice, we advise a few additional security measures: CDN token authentication, CDN player verification, and HLS stream encryption.”
Akamai supports both the token authentication and player verification models. With token authentication, the application performs all the authentication and authorization, then generates a token in concert with Akamai that grants the end user access to the video stream; the edge validates that token on each request before serving the content.
HLS stream encryption may be overkill for most enterprises, but it is worth knowing about. The playlist for an encrypted HLS stream carries an EXT-X-KEY tag whose URI tells the player which authorization (key) server to fetch the decryption key from. It is that server’s job to decide whether the user requesting the decryption key should receive it; without the key, segments that are intercepted or forwarded are useless.
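The token model described above, as an added example that is not code from the original article or from Akamai or MediaPlatform. The token layout (`exp`, `acl`, `ip`, `hmac` fields joined by `~`), the shared secret and the addresses are assumptions chosen for illustration; Akamai’s real token format differs in detail, but the mechanics are the same: the application signs a short-lived grant after it has authenticated the user, and the edge verifies the signature, expiry, path scope and client binding on every request without calling back to the application.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Illustrative token layout (an assumption for this example, not Akamai's
// actual token format):
//
//	exp=<unix seconds>~acl=<path prefix>~ip=<client ip>~hmac=<hex sha256>
//
// The HMAC covers everything before "~hmac=", so no field can be altered
// without the shared secret that only the application and the edge hold.

var (
	ErrMalformed = errors.New("malformed token")
	ErrBadMAC    = errors.New("signature does not verify")
	ErrExpired   = errors.New("token expired")
	ErrACL       = errors.New("requested path not covered by token")
	ErrIP        = errors.New("client address does not match token")
)

// IssueToken runs in the application after it has authenticated and authorized
// the user against the corporate directory. acl is the path prefix the user may
// fetch; ip may be "" to skip address binding (e.g. mobile users behind NAT).
func IssueToken(secret []byte, exp int64, acl, ip string) string {
	input := fmt.Sprintf("exp=%d~acl=%s~ip=%s", exp, acl, ip)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "~hmac=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifyToken runs at the edge on every request. It needs only the shared
// secret, so it never calls back to the application.
func VerifyToken(secret []byte, token, reqPath, clientIP string, now int64) error {
	idx := strings.LastIndex(token, "~hmac=")
	if idx < 0 {
		return ErrMalformed
	}
	input, tagHex := token[:idx], token[idx+len("~hmac="):]
	tag, err := hex.DecodeString(tagHex)
	if err != nil {
		return ErrMalformed
	}
	// Check the signature before trusting any field, with a constant-time compare.
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return ErrBadMAC
	}
	fields := map[string]string{}
	for _, kv := range strings.Split(input, "~") {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ErrMalformed
		}
		fields[k] = v
	}
	exp, err := strconv.ParseInt(fields["exp"], 10, 64)
	if err != nil {
		return ErrMalformed
	}
	if now >= exp {
		return ErrExpired
	}
	if fields["acl"] == "" || !strings.HasPrefix(reqPath, fields["acl"]) {
		return ErrACL
	}
	if fields["ip"] != "" && fields["ip"] != clientIP {
		return ErrIP
	}
	return nil
}

func main() {
	secret := []byte("shared-secret-provisioned-to-the-edge") // constructed
	now := time.Now().Unix()
	// Constructed scenario: a user the app has cleared for the all-hands stream.
	tok := IssueToken(secret, now+300, "/live/allhands/", "203.0.113.7")
	fmt.Println("token:", tok)
	checks := []struct {
		name, path, ip string
		at             int64
	}{
		{"valid request", "/live/allhands/index.m3u8", "203.0.113.7", now},
		{"forwarded to another device", "/live/allhands/index.m3u8", "198.51.100.9", now},
		{"different asset", "/vod/board-meeting/index.m3u8", "203.0.113.7", now},
		{"after expiry", "/live/allhands/index.m3u8", "203.0.113.7", now + 600},
	}
	for _, c := range checks {
		fmt.Printf("%-28s -> %v\n", c.name, VerifyToken(secret, tok, c.path, c.ip, c.at))
	}
}
```

The signature is checked before any field is parsed, so a tampered expiry or path fails as a bad signature rather than being acted on. Note what this stateless check cannot do: a token is valid for every request until it expires, so a strictly one-time-use URL of the kind Wilde describes below needs the edge or the application to record consumed nonces as well.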
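The HLS encryption flow in the paragraph above, as an added example rather than code from the article or any vendor named in it. It follows the AES-128 method from RFC 8216 (AES-128-CBC with PKCS#7 padding and the media sequence number as IV) for the packager and player sides, and stands in a constructed session table for the authorization server; the key, the key URI, the session identifiers and the segment payload are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// HLS AES-128 (RFC 8216): each segment is AES-128-CBC with PKCS#7 padding.
// With no IV attribute on EXT-X-KEY, the IV is the segment's media sequence
// number as a 128-bit big-endian integer.
func segmentIV(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], seq)
	return iv
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// EncryptSegment is the packager's side for segment number seq.
func EncryptSegment(key []byte, seq uint64, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, segmentIV(seq)).CryptBlocks(out, padded)
	return out, nil
}

// DecryptSegment is the player's side once it holds the key.
func DecryptSegment(key []byte, seq uint64, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, segmentIV(seq)).CryptBlocks(out, ct)
	return pkcs7Unpad(out)
}

// Playlist emits the media playlist; EXT-X-KEY tells the player where the key lives.
func Playlist(keyURI string, firstSeq uint64, segments int) string {
	var b strings.Builder
	fmt.Fprintf(&b, "#EXTM3U\n#EXT-X-VERSION:3\n#EXT-X-TARGETDURATION:6\n#EXT-X-MEDIA-SEQUENCE:%d\n", firstSeq)
	fmt.Fprintf(&b, "#EXT-X-KEY:METHOD=AES-128,URI=\"%s\"\n", keyURI)
	for i := 0; i < segments; i++ {
		fmt.Fprintf(&b, "#EXTINF:6.0,\nseg%d.ts\n", firstSeq+uint64(i))
	}
	b.WriteString("#EXT-X-ENDLIST\n")
	return b.String()
}

// KeyServer stands in for the authorization server named in the playlist. The
// session table is a constructed stand-in for a directory-backed authorization check.
type KeyServer struct {
	key        []byte
	authorized map[string]bool // session id -> may view this asset
}

func (k *KeyServer) GetKey(sessionID string) ([]byte, error) {
	if !k.authorized[sessionID] {
		return nil, errors.New("403: session not authorized for this asset")
	}
	return k.key, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte key; use crypto/rand in practice
	ks := &KeyServer{key: key, authorized: map[string]bool{"sess-alice": true}}
	fmt.Print(Playlist("https://video.example.internal/keys/allhands", 12, 2))
	seg := []byte("constructed stand-in for MPEG-TS segment 12 bytes")
	ct, _ := EncryptSegment(key, 12, seg)
	fmt.Printf("segment 12: %d plaintext bytes -> %d ciphertext bytes\n", len(seg), len(ct))
	_, err := ks.GetKey("sess-forwarded-link") // someone who received a forwarded playlist URL
	fmt.Println("forwarded link:", err)
	k, _ := ks.GetKey("sess-alice")
	pt, _ := DecryptSegment(k, 12, ct)
	fmt.Printf("authorized viewer decrypts: %q\n", pt)
}
```

The encryption itself is only as strong as the key gate: AES-128 in HLS provides confidentiality with no authentication of the segments, and anyone who can obtain the key from the authorization server can decrypt every segment it covers. That is why the key server, not the CDN, has to apply the same user authorization the application does.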
RAMP’s Wilde agrees with Khoo: “Be sure the video stream is encrypted from the CDN,” says Wilde. “Our company generates a unique one-time use URL for every stream request so the URL cannot be forwarded to anyone else.”
Secure streaming matters whether the stream originates from an enterprise’s internal server, from a CDN, or from any SaaS platform; in every case the delivery path needs to be properly configured.
A third security area is secure storage and provisioning. Alper Turgut, president and CEO of Anvato, notes that proper provisioning rests on a core premise of cloud security: keeping each customer’s data isolated from every other tenant’s.
“When customers choose a cloud encoding service, they should be sure the SaaS provider is properly partitioning data,” says Turgut. “A proper multi-tenant solution, like Anvato’s, is able to serve multiple customers and yet ensure content, applications and data remain distinct between each SaaS customer. ... In addition, user authentication and robust encryption must be used during digital delivery and while on storage.”
Wilde says “at rest” storage security covers both encryption and control over how content is shared.
“Be sure that your video content is encrypted at rest in the cloud,” says Wilde. “Also, be sure your video content management system allows you to have detailed control over video-sharing rules.”
To do this, Wilde says enterprise customers should be able to set global rules as well as edit the sharing rules for each individual video.
MediaPlatform’s Khoo says the company has approached multitenant security very carefully, but also with some flexibility.
“We generally support multi-tenant cloud (traditional SaaS), on-premise, and single tenant cloud,” says Khoo, adding that a hybrid approach is also growing.
“We also have single tenant cloud with Amazon Web Services’ VPC,” says Khoo, referring to Amazon Virtual Private Cloud (aws.amazon.com/vpc), an isolated network inside AWS that is reached from the corporate network over a VPN rather than from the public internet. “The general idea is to have a cloud environment that is not publicly accessible, and is tied to the corporate network via some type of VPN type connection.”
What’s the overall benefit? Khoo says it is security.
“This approach provides most of the benefits of being on-premise, and allows us to leverage the AWS infrastructure and maintain the deployment on behalf of the customer,” says Khoo. “We get the best of SaaS while still meeting the security needs (through VPC) of most customers.”
Trade Secrets in the Cloud
This topic is a bit more “legalese” than we have time to cover in a general cloud-based article, but an excerpt from FindLaw sums up a primary issue around trade secrets -- from documents to videos -- being stored in and delivered from the cloud.
“Trade secrets can be a particularly tricky issue when it comes to cloud storage,” the FindLaw posting states. “Generally, trade secrets must be kept confidential to be entitled to protection. But if you voluntarily share your trade secrets with a cloud storage company, are those trade secrets no longer ‘secret,’ legally speaking?”