Introduction

It is no surprise that as much as the world has shifted towards digital globalization with access to information over the internet, cybercrime has taken its toll on enterprises striving to protect access to confidential information. According to a report by Software Alliance, cybercriminals stole around 423 million different identities in the year 2015. In 2018 alone, 5 billion records were exposed in alleged data breaches around the globe.


With proliferation of threats to data security, businesses proactively opt for solutions that allow end-to-end encryption of content. Read further to understand how VIDIZMO allows your content to be encrypted at rest, in transit as well as in use.


To learn how to enable content encryption in your portal, see: How to enable Content Encryption in Portal.


What is Encryption?

Encryption is a mechanism to encode your information such that it is no longer decipherable even if it is compromised. A typical encryption algorithm substitutes alphanumeric characters with other characters to create a cipher. A cipher is a sequence of characters that represent the original data but can not be made sense of if intercepted or gained illegal access of. Only the computer/authorized person who created the cipher possess the key to decode it into readable language again.


Encryption at-rest, in-use and in-transit

Content can be encrypted in one of the three states:

  • Encryption at rest
    This refers to having your data or content encrypted where it is resting (or is stored). This entails that the physical location of your data (on stand-alone hardware disks or storage servers), even if hacked or fallen victim to unlawful custody, will not contain raw data that can be intercepted or perceived by an unauthorized user.
  • Encryption in transit
    This refers to when your data is being transferred from one physical location to another such as being transmitted over the internet - an example of which would be an email being sent or a video being uploaded on cloud.
  • Encryption in use
    This refers to when you consume data in a cloud-based application such as when you view an image, watch a video or annotate an image within VIDIZMO portal. 


Purpose of Encryption

Encryption is a crucial component of a defense-in-depth approach because it can mitigate vulnerabilities in your primary access control mechanism. What if an access control mechanism fails and allows access to the raw data on disk (at rest) or traveling (in transit) along with a network link? If the content is encrypted using strong algorithms, it is computationally infeasible for an attacker to decrypt your content. Encryption ensures your data is safe in various common business scenarios such as:

  • When data is forsaken due to unauthorized access of physical hard disks.
  • When deleted data from the application is attempted to be recovered from storage servers
  • When content is played back, such as in a video streaming solution as VIDIZMO, via browser applications and original content URLs are intercepted between network calls.


Concept

How does VIDIZMO Encryption work

VIDIZMO uses AES-128 encryption algorithm to generate keys for content encryption. An AES-128 bit key is proven to be computationally very difficult to decrypt. In 2016, it was projected that to crack just one AES-128 bit key would take 500,000,000,0002 years. Cracking a new, different AES-128 bit key would likely take the same amount of time.


Meanwhile, VIDIZMO uses a double encryption mechanism where it uses another AES-128 Encryption key to encrypt the key that was originally used to encrypt the content. This magnifies the complexity of the key by multifold. Both of these keys are saved securely in the database.


When a media is uploaded in an encryption-enabled VIDIZMO portal then during transcoding, the media and its corresponding renditions (HLS) will be encrypted and uploaded on content storage. Similarly, all meta-data files associated with a media will be encrypted afterwards such as Closed Caption files or Geo-Spatial (KLV) files.


When encrypted content is played back, then HLS content will be decrypted chunk by chunk. Encrypted content would be served from all browsers and devices on the playback page, media info, studio space and clipping screen, and thumbnail capture.


What Media types and files does VIDIZMO encrypt

VIDIZMO provides support for end-to-end content encryption using VIDIZMO On-Premise Encoder which can be configured with all available storage providers


VIDIZMO encrypts all supported media types that can be ingested in the platform:

  • Videos & Audios: They are decrypted by VIDIZMO player on-the-fly, and will otherwise be unintelligible to anyone who does not have the authority to access it.
  • Images & Documents: They are encrypted similarly by a key that renders them as password-protected for unauthorized users.


The following is a list of files that are encrypted at-rest for all above media types when using VIDIZMO portal:

  • Rendition files produced after transcoding, wherever applicable
  • Preview Thumbnails (Sprite Images)
  • Closed Caption Files
  • KLV Files for Geo-Spatial Data


If content encryption is enabled, VIDIZMO encoder automatically encrypts every chunk produced as a result of transcoding activity. These encrypted HLS chunks are then stored into your configured Storage Provider


Note: For videos, only HLS rendition files are produced by default which are then encrypted and stored in the content provider. If a Manager+ user opts to enable other available encoding profiles for media, then those additional renditions will not be encrypted at-rest.


How to Download Encrypted Content

In case a user requests for downloading encrypted content, they will be able to receive two options:

  • Original file
  • mp4 file for ease of playback

Once they choose their preferred format, they will receive a time-limited link to download the decrypted content. Users will also be alerted about the expiry of the download link- which will be configurable by Manager+ users via the Download Policy in Portal Settings.


Considerations & Limitations

There are a few limitations that you should keep in mind while availing the feature for Content Encryption:

  1. It is highly unlikely that your portal (with encrypted content) is hosted on a domain without a secure SSL/TLS protocol, but if it is, then encrypted content shall only be playable in Internet Explorer browser. Our player is intelligent enough to highlight this incase you are using any other browser for playback.
  2. Information generated as video insights using Indexing apps available in VIDIZMO will not be encrypted at-rest.
  3. Currently, offline video playback will not work with encrypted content.
  4. When using VIDIZMO Encoder for Content Encryption, the mechanism for downloading physical files will only work with Azure Storage Provider for now.
  5. Once you upload CC files when encryption is enabled in your portal - we send your file for encryption which in turn changes its name. This entails that if you hit Save again on Media Settings without refreshing the page, we will mistake your originally uploaded CC file as a new CC file and submit it again for processing eventually overriding the first file.
  6. Please note that if you choose to disable encryption after enabling it in the portal, the content that has once been encrypted will remain encrypted throughout its life in VIDIZMO portal. Changing the portal's encryption setting will determine whether or not to encrypt newly uploaded files only.


Note: VIDIZMO does not alter the original uploaded media file in order to maintain the integrity of the uploaded content. This helps VIDIZMO Digital Evidence Management (DEMS) users ensure the credibility of the digital evidence by verifying the checksum of the raw file before and after upload.


Impact of Content Encryption

Below are a few workflows that will be impacted after enabling content encryption in the portal. Read further to understand the various scenarios and their outcomes.


Data Migration Workflows

If you turn on data migration during setup wizard, then irrespective of the current encryption workflow - your data will be migrated from previous content provider to the new content provider with its encryption settings prevailed.

Here is a flowchart to aid understanding: 




Copy Workflows

When you copy media from one portal to the other, irrespective of the current encryption state of the media - the encryption setting in the destination portal determines whether the copied media will be saved as encrypted or unencrypted. Here, destination portal refers to the portal in which the media is being copied to.

Here is a flowchart to aid understanding:




Clipping Workflows

When you clip media in an encryption-enabled portal, there are two scenarios applicable:

  1. When you clip original media and save it as-is, that is when we preserve the encryption state of the media such that it remains encrypted/unencrypted irrespective of the current encryption setting in the portal
  2. When you create a new clip from original media, that is when we save media as encrypted only if your portal is currently encryption-enabled.

Here is a flowchart to aid understanding:




Reupload Workflows

When you clip media in an encryption-enabled portal, there are two scenarios applicable:

  1. When you clip original media and save it as-is, that is when we preserve the encryption state of the media such that it remains encrypted/unencrypted irrespective of the current encryption setting in the portal
  2. When you create a new clip from original media, that is when we save media as encrypted only if your portal is currently encryption-enabled.

Here is a flowchart to aid understanding:




Note: Similarly, whenever any metadata files such as Closed Caption files will be uploaded or re-uploaded within a media - they will be saved as encrypted if the media is encrypted.