Systems security, whether in the cloud or on-premises, has been a critical issue facing systems integrators for as long as we’ve had buildings, facilities, and networks. On-prem, we’ve traditionally managed security largely by limiting physical access, whether it was a badge required to get into the facility or certificates on devices limiting physical network access to those with authorization. Or we’ve air gapped the system, isolating it from the public internet or other unsecured networks.
But when you move some or all of your operation and infrastructure from on-prem to the public cloud—where there are potentially millions of users—the only way to create security is through software tools and methodologies that restrict access and systems to your assets in the cloud.
[Cloud Power: Cloud or On-Prem?]
Tiered access, also called hierarchical access, is typical for any networked facility. Administrators or engineers may have access to control everything within the environment, while end users like editors or graphic artists will have access and visibility only to the tools and assets required to do their job.
It has become the job of systems integrators to evaluate all available security technologies and recommend the solutions that address their clients’ immediate and future needs.
In the public cloud, access to tools like virtual editing, virtual video switching, or a storage pool is commonly accomplished through authentication management with profiles defining classes of users, with each user having an individual password. Passwords, however, are the biggest vulnerability for businesses. Whether bad actors get the password from phishing, stripping emails, or using key loggers, it can take a long time for them to be discovered because they’re using a legitimate password.
Layers of Protection
We add a second layer of security called two-factor authentication. Whether you’re accessing a network that is local, in the cloud, or a hybrid of the two, you need a unique, one-time authorization code that could only be issued to the user via text, phone, or physical token. This security tool is familiar to anyone who’s accessed their bank account via the cloud.
[NAB 2022: LiveU Moves to the Cloud]
In a high traffic network environment like a real-time production infrastructure, we add a third layer of security with a virtual private network. The VPN is typically encrypted and extends the private network across the public internet, emulating the concept of an on-prem closed network where you must have authorization to access anything on it. Still, you’ll want to limit the targets for bad actors.
For example, you might have a laptop allowing you to set up a lighting console from home. But if that laptop happens to be sitting on the VPN that also contains the organization’s entire accounting system, is the risk of having your bank account hacked worth the benefit of being able to work remotely? Every benefit brings with it an inherent risk that you need to consider carefully.
The security layers of tiered access, two-factor authentication, and a VPN also give you the option to create single sign-on (SSO), which is all about not making users type their passwords over and over to access the correct IP address, internet traffic routing, assets they’re entitled to use—while still making it harder for anyone to hack into the system.
[Viewpoint: It’s Time to Reintroduce Accountability to Pro AV]
Another strategy that’s rapidly being implemented in cloud networks is the concept of zero trust, which focuses less on your password and more on biometrics or the device you’re using to access the cloud, not unlike Face ID on your smartphone. As time goes on, other forms of zero trust like trust certificates—explicitly installed on your web browser and required to log onto certain assets—will become more prevalent in enterprise applications.
Mobile phones are actually a great place to use trust certificates because they’re hardware-based and come with numerous ways of communicating. Whether you use them on your laptop or your phone, apps are much safer than browsers for accessing content, because they’re inherently designed with zero trust already built in.
Most Vulnerable Player
The organizations that are most vulnerable to security breaches generally aren’t the hyperscalers who provide your cloud, networking, and internet services via IaaS models, such as AWS, Google, Microsoft, Facebook, or Alibaba. They have large, sophisticated security teams working on these challenges every day, can easily implement Zero Trust and one-time passwords, and can even use AI to detect a breach very quickly.
Instead, the greater challenges are for the creative production houses, corporate facilities, houses of worship, and other mid-size organizations who don’t have the skills or the resources to implement that level of security. That’s why the hyperscalers are increasingly offering these tools as a service, providing users with a system where the security is already baked in.
Just as they must be able to evaluate the audio and video technologies they recommend to their clients, it has become the job of systems integrators to evaluate all available security technologies and recommend the solutions that address their clients’ immediate and future needs. For a mid-size organization, using trust certificates and a VPN is the foundation of security that’s going to make them roughly 90% safe from the casual hacker. But this is just the beginning of an overall security strategy.
[ASG Provides Virtual Control Rooms, Cloud-Native Production for Summit]
When we created our Virtual Production Control Room—designed with best-in-class components from multiple vendors—we considered security so important that we hired DoD-level experts to help us architect the security environment, ensuring that it’s secure in every way possible. The result is a single system inside a secure VPN to control routing of the audio, video, and metadata traffic over IP.
Tiered access lets us restrict users to only the parts of the system required to do their jobs, delivering secure control of the devices. SSO streamlines the process for users. Two-factor authentication provides additional security. And it’s created as a zero trust environment, with the ability to bind into the client’s existing security environment, so users don’t have to go through double authentication. Combined, these many layers of security tools have resulted in a VPCR that is consistent, portable, and implementable in the environments of many different types of organizations, without the need to re-engineer the system from scratch for each client.
If you're working in the public cloud, it's already implied that you're taking some risks. So, educate yourself on security tools, solutions, best practices, and tradeoffs. You’ll take a big step toward minimizing those risks, while delivering the incredible flexibility and ease of use that working in the cloud offers.
