What Every CIO Needs to Know About Video Security

About a month ago, a leaked video of an all-hands meeting at Google revealed that the tech giant was struggling to deal with controversial topics that have been plaguing its internal company culture. Of course, this is not the first time an organization’s sensitive information has been made public–it almost feels like we hear about a new instance every single day. From business secrets to company culture, and beyond, the non-verbal cues able to be seen in video often go beyond what is spoken. 

As a CIO, you’re likely responsible for the overall information technology at your business. Whether you’re looking to protect company relations and trade secrets, or just looking to make the information at your meetings more secure (or something else!), content made available should always only be accessible by the intended audience. This is why enterprise-level video security protocols and encryption need to be a part of every piece of tech that touches your company. 

And, when it comes to video content, here’s a guide to what you need to know to improve the privacy of internal content so you can better protect videos from prying eyes.

How (and Why) Videos Are Created


We all know what a video is, but do you know the key components of these complex files? All videos contain a series of pictures (or frames), glued together to create motion (Fun fact: that’s why they were originally referred to as “motion pictures”). Audio track(s) are then synced with these continuous optical tracks to give them life. Depending on how the audio is packaged, and its containers, these tracks may stay bundled in one single file or made available as a separate file.

Almost 5 billion videos are watched on YouTube every single day. Further, though, video is arguably the most engaging medium for everything from learning a new skill, to sales training and overall business communication and beyond. Giving your employees the chance to make their own video content is also a great opportunity for your business. Not only is it convenient, saving time and money for your organization, but it also gives you a library of materials to use as needed. 

Once upon a time, you couldn’t create videos without fancy equipment and a sophisticated setup. But those days are long gone. Thanks to the advancements in mobile technologies and modern browsers, capturing screens and webcams has never been easier. Now, videos are being used everywhere in business, from marketing to training, onboarding to sales enablement–the list goes on. 

This widespread adoption is why making content available to the right audience remains an important job. While some videos are appropriate for the general public, oftentimes, you’ll need to secure them internally or for prospects.

Protecting Internal Videos


Any CIO knows that a combination of technologies is ideal when it comes to protecting trade secrets and content. Any of the single options listed below can be ineffective for video security when deployed alone. For best results, it’s recommended you implement more than one mechanism to secure content as dictated by its business classification.

Firewall

This mechanism is widely deployed in enterprises with any kind of content security. Firewalls restrict content availability within a boundary: It may be a physical device such as a network or a logical perimeter as we see with IP restriction. While it’s effective, it prevents employees from accessing content on the go. Since an increasing amount of employees are working remotely these days, firewalls can create barriers when accessing important videos like all-hands meetings unless deployed in conjunction with secure remote access technologies such as VPN.

Cloud technologies/software as a service (SaaS) is typically accessible from everywhere. This creates opportunities for remote employees to get connected and consume company resources in the same manner as in-house employees while bringing them together virtually.

Authentication

Limiting access to employees or partners via authentication should be the first defense mechanism implemented, as authentication plays an important factor in restricting content only to those you trust. Username/password combinations may be an easy way to start, but that becomes another password management overhead for personnel and makes the overall user experience less than desirable.

Almost all enterprises use some sort of a directory management service which stores users in a database:

  • Single sign-on provides a bridge between user experience and security while helping you achieve compliance.
  • Cloud applications need an extra bit of security, so a single factor authentication may not be enough and in this case, implementing a second-factor authentication such as smart card or TOPT devices is a good idea.

Cloud Identity management services like Okta, OneLogin or Ping improve the user experience while providing the security for cloud applications enterprises need.

Authorization

Authorization refers to limiting access to a defined user set like a department or a group but it does not work without authentication. Cloud video platforms like CircleHD enable you to restrict your videos to specific audiences with very little effort. You can even utilize segments your company already uses, such as cost center or department.

Encryption

Encryption has been utilized since 600 BC when the ancient Spartans used it to send messages during a battle, but it’s more modern form has been in use since World War I. The technology works by altering bits of content with a secret key. Then letting someone access that original content again with a complimenting key. 

There are four types of commonly used algorithms:

  • Symmetric encryption – algorithms use the same key to encrypt and decrypt the content. Its usage is considered less secure when used alone over the internet since the sender and receiver share the same key. Symmetric encryption is faster and often used to encrypt large blocks of data such as video.

  • Asymmetric encryption – This uses a public key to encrypt and a private key to decrypt the video. It can also be used to verify the authenticity of a video if a MITM attack is a risk. This algorithm is slower and requires a higher computation power, making it an unsuitable option for video security, as videos are often played on low-powered devices such as mobile phones and tablets.

  • Encryption at rest – Essentially, this can be described as converting your sensitive data into another form, which generally happens through an algorithm that cannot be understood by a user who doesn’t have the encryption key to decode it It’s particularly useful in rendering data useless to hackers, should your information be compromised.

    This is the recommended approach if you’re on a public data center or public-facing object store like AWS S3. We do that CircleHD. All your content is encrypted by KMS (key management service) where the content can only be decrypted by a key that is periodically rotated to reduce the surface of an attack vector.

  • Encryption on transit – This describes how data is transmitted. TLS (or SSL) is a secure transport channel. When used, it reduces the man in the middle (MITM) attack. The content is encrypted using a negotiated symmetric key algorithm.

AES ( Advanced Encryption Standard) is a symmetric encryption algorithm widely used for video encryption for the above-mentioned reasons. This algorithm supports various lengths of key bits, such as 128, 256, 512 or a higher multitude of 128. The downside of AES is that, once the video encryption key is shared, the keyholder can continue to decrypt the video as long as it is available. 

Intranet videos are often played on web browsers, but HTML5 player is not capable of playing an encrypted video by itself. That means you can’t just encrypt an mp4 video file and have the browser stream to play it.

Thankfully, most modern browsers (89%) support Media Source Extension (MSE). Therefore, it allows javascript to download encrypted videos, decrypt them and feed them to the media player programmatically. This process is complicated, and implementation was left up to various video vendors, however, they like to support it.

Over the years, the advancement of internet video streaming has led to 2 popular protocols for standardization: HLS (HTTP Live Streaming) by Apple & DASH (Dynamic Adaptive Streaming over HTTP) by MPEG. If your users are on the Apple ecosystem, you are out of luck and have to stick with HLS.

Why do we need HLS or DASH but not just encrypt the mp4 file?


The old mp4 file format (or container) wasn’t designed to support encryption. Your HTML5 player needs the meta-data, which is often at the end of the file. To play an encrypted video, such as a regular mp4, your browser has to download a large file before playing it. This gives your end-users a large buffering period, high CPU usage, and bad user experience. 

Solution: 

Chunking – A file splitting mechanism that allows your large video file to split into smaller blocks and encrypt each block individually. Your device or browser can then download only the necessary parts to start playing. And then download other parts as needed. Another advantage is that each block can be encrypted with a different encryption key. 

Sticking with a standard protocol such as HLS or DASH has the following benefits:

  • Portability across browsers and devices
  • Standardization of encoders and encoding algorithms
  • Adaptive bitrate streaming 
  • Standardization of encryption algorithms
  • Support for content delivery networks

While encryption of video improves the security of the content, it’s not bulletproof. Once the key is stolen, attackers can decrypt the video.

DRM – Digital Rights Management


DRM is a stronger encryption protection mechanism. It can work on an existing protocol such as HLS or DASH. It’s widely used by Hollywood and streaming services, such as Netflix and Amazon, for compliance requirements. This method, however, depends on cryptographic module support from hardware and operating system vendors. 

Most DRM solutions are fragmented and available today are proprietary and may require licensing and royalty payment. Google’s Widevine DRM is a popular solution currently made popular due to out of the box support in Chrome and Firefox browsers. Other technologies include: 

  • PlayReady from Microsoft
  • FairPlay by Apple
  • ClearKey by MPEG

(Note: CircleHD has plans to support DRM in Q2 2020 for our enterprise plans and enterprises that require higher grade video security. Please contact our sales team if you are looking for a DRM solution for your enterprise video.)

At CircleHD, we believe the ease of access to videos should be every employee’s right. It’s worth noting that over-guarding content can create a barrier to consumption across your organization. Be sure to strike a balance between your enterprise video security needs and user experience to encourage adoption across your teams. 

—–

We’d love to speak further with you about how to effectively implement a secure content management platform at your company. Please contact us to learn more about how CircleHD can meet your video security needs while encouraging employee engagement and collaboration at your enterprise.