The move to IP in live content production is well documented but a major trend within that shift is the increasing prevalence of software-based systems, moving away from hardware-only solutions for a growing number of applications. Video and audio processing can now be carried out by software, either on optimized hardware platforms, on COTS server hardware, or in the cloud. Network orchestration and broadcast control are also typically handled in software.
Olivier Suard, VP Marketing at Nevion, believes that while software brings greater versatility and durability to products, it also presents new security issues that threaten broadcasters’ content or their ability to produce it. Adopting the appropriate media network security strategies will be critical for broadcasters to thrive in a software-dominated world.
Management and Orchestration
The security concerns related to software are mainly about how devices are managed and controlled. In many cases, a variety of systems might be responsible for these tasks – from the device’s own management system to broader network and resource orchestration systems – and nowadays most are entirely software-based.
“Simply put, whoever or whatever has control over the management and orchestration has control over the flows and infrastructure,” Olivier said. “This can potentially lead to content being diverted to other locations (such as for theft) or a ‘denial of service’ situation. Securing the orchestration, as well as the media network and the devices within that network, is therefore absolutely critical.
“In the first instance, all communication between the control layer (management and orchestration) and media network elements should be made secure, for example by using encryption. This may seem obvious, nevertheless, the broadcast industry is still using many protocols and interfaces that are not entirely secure.
Olivier described user security is another important consideration and potential risk. Modern access control functionality allows users to be assigned one or more roles, defining exactly what they are allowed to do, and the resulting access rights are the superset of all roles. Jurisdiction over access control can be facilitated via a security screen that clearly lays out user’s roles and access rights. He said, “Classification in terms of create, read, update and delete (CRUD) capabilities can be applied to various entities, including devices (the system’s nodes), apps and dashboards.
“Across the media network, further risk can be introduced by failing to segment sections of the network into key areas of responsibility. Bringing in multi-tenanting security can benefit both telecom operators and broadcasters. Telecom operators can allow broadcasters to control parts of their WAN network, while broadcasters can assign responsibility for segments of their network.
“By segmenting different LANs to assign control to different people, one location could be under the control of one team, or the production network and playout could be under the control of different teams in a single location. Security is ensured as organisations are only able to see and control the network area assigned to them.”
Alongside users, equal focus should be placed on security of systems connecting to the production network in some way. Part of an effective software deployment is authentication of users. Login credentials can be checked against a database, which is validated with LDAP (Lightweight Directory Access Protocol), a software protocol used to locate data about the resources in a network, including organizations, individuals, files and devices.
During this process, XSRF tokens are applied to protect against CSS (cross-site scripting) attacks, which attempt to trick users into performing actions on a website that they did not intend to do. “For occasions when access is attempted via external systems, one-shot authentication can help avoid repeated attempts,” Olivier said. “Session time-outs can also provide an extra layer of security. Security protocols such as REST (HTTPS), SSH and Linux firewalls can be applied to user interfaces and other systems to enable secure communication.
“A variety of secondary security measures can play a part in media network security. This includes validation of data inputs to avoid SQL and other injections, protection against cross-site script attacks and the hardening of the underlying OS.”
SQL injection is used to attack data-driven applications by inserting malicious SQL statements into an entry field for execution. Software developed with Open Web Application Security Project (OWASP) risks as a priority, including injection, broken authentication, and sensitive data exposure, adds another secure layer.
Software Development Standards
According to Olivier, software needs to be developed to the highest possible standards in terms of security. He said, “This applies to the actual coding itself obviously, but also to the processes involved in their development. In particular, attention needs to be paid to the use of third-party and open-source components that are embedded in vendor software.
“These components are not under the direct control of the vendor and may be prone to security flaws. It is essential, therefore, for the vendor to maintain precise records of what third-party software is used in their products (including release details), apply regular updates and patches, and promptly implement fixes to any concerns.
“Surprisingly, this commonsense requirement is ignored by many vendors, who focus instead on getting products and capabilities out to customers as fast as possible.”
The Human Factor – Training and Processes
Underpinning these key software considerations is the need to make sure that the human factor is accounted for. Olivier noted that even an act as simple as sharing passwords can compromise a network, and that every organisation needs to factor in the relevant training and processes that keep software deployments protected. Product software should also be regularly updated to ensure the latest patches are added.
“Software is opening up a number of new opportunities in the broadcast sector, but broadcasters must be aware of the inherent risks. By encompassing all aspects of user and system security in their media networks, with a key focus on protection of the orchestration layer, broadcasters can be well prepared to secure their growing number of software deployments as hardware moves aside,” said Olivier.
“At the same time, broadcasters can demand from their vendors compliance to standards like ISO 27001, which set out the specification for an effective Information Security Management System, to demonstrate that they are managing risk in a structured and appropriate manner. Independent accredited certification to the Standard is recognised worldwide.” www.nevion.com