Looking for security consideration strategies related to enterprise video delivery? Curious about how to approach user roles inside an organization around managing video delivery?
Technology exists that can effectively scale video delivery from a global perspective through CDNs. In addition, solutions exist that can be deployed on location to reduce the network footprint of video content, mitigating strain that might be placed on the WAN (wide area network) from consumption. However, this technology, which includes monitoring and other capabilities, requires some form of management. With security being paramount for internal video content and for maintaining network integrity, the question arises of how to approach access to that management layer.
This article will cover a few best practices for managing security across an enterprise video delivery infrastructure. It also details some of the recent updates to the IBM ECDN (Enterprise Content Delivery Network) solution. This includes important updates to how users interface with the portal, in particular the addition of user roles.
What is ECDN?
Briefly, ECDN is a virtualized edge server that reduces network strain through caching video assets at a specific location. These assets can be either live or on-demand content.
For example, say that 120 people inside an office each consume around 3 Mbps for a 1080p high-definition stream. This would create a total WAN usage of around 360 Mbps. With ECDN at that location, usage would be reduced to around 3-6 Mbps; the range reflects that ECDN also caches the various resolution options available for that video. The reduction occurs because all the viewers at that location access the cached version.
ECDN also has built-in load balancing, making it ideal to have two instances per location to double the capacity and handle increased viewership at that location.
Portal and network monitoring
IBM ECDN is a managed SaaS (Software as a Service) delivered solution. It has two components: an on-premise server that caches video streams, and a cloud-based web portal that provides a centralized way to manage all your ECDN server instances deployed globally within your network.
Once inside the web-based portal, an array of analytics and monitoring capabilities is available. This includes metrics like current use of the system, CPU usage, memory usage and more. To assist in troubleshooting, data is available in virtually real time through the portal and can be drilled down to specific locations and instances of ECDN.
User roles and managing access
In enterprises, supporting separation of responsibilities requires a role-based solution. IBM ECDN provides three roles within the portal: Reader, Admin and Super Admin.
Reader
This role provides read-only access to see a wealth of information from the portal. This includes the ability to see traffic in near real time on the ECDN servers across the various locations associated with your portal. It can also be used for monitoring, seeing how much buffering might be occurring for viewers.
Users marked in this role are not allowed to make any changes to the ECDN location and server definitions. It’s intended for team members who need to monitor, help with troubleshooting or get historical usage reports.
Admin
Users in the Admin role have additional privileges to make changes to ECDN location and ECDN server configuration definitions. Admins can also add or delete any SSH keys registered in the account, which control access to the ECDN server instances.
This role will be suitable for team members who are responsible for the enterprise video delivery infrastructure within the company.
Super Admin
This role includes all the privileges of the Admin role and then some. Super Admins have the ability to view and manage other logins to the ECDN portal. This is provided in a details page that houses historical log data of all successful logins to the portal. They can change the roles assigned to each team member login. For auditing, Super Admins can also view a historical log of access by a given team member. This log includes the login timestamp and the public IP address from where the access was made.
Note, though, that Super Admins cannot completely delete a user login. In fact, due to logs and keeping a comprehensive view of historical access, it’s recommended not to delete users but rather leave them suspended. That said, if permanently revoking access is required, a Super Admin needs to open a support ticket and the personnel at IBM will manage the deletion. This process will include deleting or anonymizing all mentions of that user login as well, being mindful of any privacy regulations that might mandate their deletion.
Super Admins can also manage user roles. For example, a Super Admin can promote a “Reader” to an “Admin”. This can include designating other Super Admins as well. As a result, the Super Admin should be seen as more of a leadership role as it relates to maintaining the enterprise video delivery infrastructure.
Note: Admins and Super Admins, via SSH (Secure Shell) key management in the portal, can granularly control access to the ECDN server instances, without having to share privileged access to the portal. This can enable workflows like running a security scan on the ECDN servers by someone who doesn’t need to access the actual portal interface. Admins and Super Admins can do this by simply adding that person’s SSH key in the portal to grant them remote SSH access. Similarly, they can revoke access by deleting that temporary key afterwards.
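The login history described for the Super Admin role (login timestamp plus public IP address) lends itself to a periodic review. The sketch below is an added example, not IBM code: the CSV layout, the column names, the role column joined in from the user list, and the trusted network range are all assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample: the portal's real export format is not documented on this
# page, so the CSV layout and column names below are assumptions.
SAMPLE_LOG = """user,role,login_time,public_ip
alice@example.com,Super Admin,2024-03-04T08:55:10Z,198.51.100.14
bob@example.com,Admin,2024-03-04T09:02:41Z,198.51.100.20
carol@example.com,Reader,2024-03-04T09:30:00Z,203.0.113.77
bob@example.com,Admin,2024-03-05T02:13:09Z,192.0.2.45
alice@example.com,Super Admin,2024-03-05T08:57:32Z,198.51.100.14
"""

# Assumed corporate egress range (documentation-only address space).
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
PRIVILEGED = {"Admin", "Super Admin"}


def review_logins(log_text, trusted_nets=TRUSTED_NETS):
    """Return findings for logins from outside the trusted ranges.

    Each finding is (severity, user, login_time, public_ip). Logins by Admin
    and Super Admin accounts are rated "high" because those roles can change
    server definitions and SSH keys; Reader logins are rated "low".
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            ip = ipaddress.ip_address(row["public_ip"].strip())
        except ValueError:
            # A malformed address is itself worth a look; never skip silently.
            findings.append(("high", row["user"], row["login_time"], row["public_ip"]))
            continue
        if any(ip in net for net in trusted_nets):
            continue
        severity = "high" if row["role"] in PRIVILEGED else "low"
        findings.append((severity, row["user"], row["login_time"], str(ip)))
    # High-severity findings first, then by timestamp.
    return sorted(findings, key=lambda f: (f[0] != "high", f[2]))


if __name__ == "__main__":
    for severity, user, when, ip in review_logins(SAMPLE_LOG):
        print(f"[{severity}] {user} logged in from {ip} at {when}")
```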
Summary
An interface where users can log in and not just monitor an enterprise video delivery infrastructure but also manage it is powerful. However, how the interface is accessed, and by whom, needs to be considered in a logical way. Not only that, but logs and records of access are important for the long-term security of the solution as well.
This recent update introduces more of these considerations into the IBM ECDN solution. When joined with the global delivery infrastructure in place, this presents a flexible solution that can be used across a variety of different organizations.