When using Amazon Elastic Transcoder for AES-128 encryption on HTTP Live Streaming content, data keys can be created by us, or generated by Elastic Transcoder. What are the security implications of each offer, and which option would be best in an enterprise?
This question is an instance of the broader issue of how to manage encryption keys. Let's start with some definitions:
Amazon Elastic Transcoder is a service for transforming media content from one format to another. It is used to map media files into a format appropriate for a particular device, such as a mobile phone.
HTTP Live Streaming or HLS is a protocol for optimizing media playback. HLS sends segments of media files from servers to devices as needed to render content.
As with any other message or content sent over the network, there are reasons to encrypt HLS data. Amazon Elastic Transcoder services support AES-128 encryption; that is, segments of media are encrypted before leaving the server and decrypted by the client device. The server will need access to the encryption key and the client will need access to the decryption key. Amazon Elastic Transcoder handles both of those requirements.
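To make the segment encryption concrete, here is an added example (not code from the original article or from AWS) of the HLS AES-128 mechanics in Go: the server encrypts each segment whole with AES-128-CBC and PKCS7 padding, the playlist's EXT-X-KEY tag tells the client where to fetch the key, and the client decrypts. The key used in the test is a constructed sample; in practice it is the value that either Elastic Transcoder generates or your own key service supplies, and the key URI is a placeholder.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
)

// SequenceIV: when the EXT-X-KEY tag has no IV attribute, HLS (RFC 8216) uses the
// segment's media sequence number as a 128-bit big-endian integer for the IV.
func SequenceIV(seq uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	for i := 0; i < 8; i++ {
		iv[aes.BlockSize-1-i] = byte(seq >> (8 * i))
	}
	return iv
}

// EncryptSegment (server side): one whole segment, AES-128-CBC with PKCS7 padding.
// The key must be exactly 16 bytes; a 24- or 32-byte AES key is not HLS AES-128.
func EncryptSegment(key, iv, segment []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 16 {
		return nil, errors.New("HLS AES-128 requires a 16-byte key")
	}
	pad := aes.BlockSize - len(segment)%aes.BlockSize // always 1..16 bytes
	plain := append(append([]byte{}, segment...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plain)
	return out, nil
}

// DecryptSegment (client side): reverses EncryptSegment and rejects bad lengths or padding.
func DecryptSegment(key, iv, enc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 16 || len(enc) == 0 || len(enc)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, enc)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS7 padding")
	}
	return plain[:len(plain)-pad], nil
}
// KeyTag renders the playlist line that tells clients where to fetch the key (explicit IV).
func KeyTag(keyURI string, iv []byte) string {
	return "#EXT-X-KEY:METHOD=AES-128,URI=\"" + keyURI + "\",IV=0x" + hex.EncodeToString(iv)
}
```

Whoever generates the key, the client still needs to fetch it over an authenticated, TLS-protected URI, so the key URI and its access control are part of the key management decision discussed below.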
That leaves one question: where do these keys come from? Amazon gives you a choice: you can use the key generation features of the Amazon Elastic Transcoder service, or you can generate your own.
If you have an existing private key infrastructure that is centrally managed, it makes sense to use that to generate keys. Managing keys is not a trivial task, but you can take advantage of the fact that you already have policies and procedures in place to manage and govern key generation. This is especially the case if you have other applications that make use of the centralized key management service. By using the same key management system for multiple applications, you may be able to streamline and reduce management overhead. For example, when auditing your key management practices, you would only have to reference the centralized key management service instead of multiple, application-specific key management services.
If you do not have a private key infrastructure in place, it may be simpler to use Amazon Elastic Transcoder's encryption service and manage the keys as part of the media management process. If you want more control over key management, consider using AWS Key Management Service (KMS). This service is designed to support key management for both cloud-based and on-premises encryption.
Related Q&A from Dan Sullivan