Pinnacle Systems Avid User Manual

Avid® MediaCentral Platform Services
Security Architecture and Analysis
Purpose of This Document
This document provides the MediaCentral administrator with an overview of the security architecture for the MediaCentral environment and recommended best practices for a secure operation. The document also provides an analysis of the MediaCentral UX application against the most common security flaws for Web-based applications.
Intended Audience
This document is intended for anyone responsible for system security, including MediaCentral administrators, Chief Security Officers, and IT administrators.
Product Version
MediaCentral version 2.3 and version 2.4.
Beginning with version 2.0, the product name “MediaCentral” replaces “Interplay Central.” Specific product names are Avid MediaCentral Platform (bus infrastructure) and Avid MediaCentral | UX (Web and mobile applications).
Revision History
Date Revised | Changes Made
November 23, 2015 | Added multiple-zone port information. See “MediaCentral Security Architecture” on page 6. Updated version to MediaCentral version 2.4.
July 13, 2015 | First publication of version 2.3. Added information about strong password validation. See “User Authentication” on page 8. Added information for Media Index. See “Media Index Security” on page 16.
June 27, 2014 | Version 2.0 published.

Contents

Overview of MediaCentral (page 3)
Overview of MediaCentral Security (page 3)
MediaCentral Security Architecture (page 6)
Strategies and Best Practices (page 14)
Media Index Security (page 16)
Security Risk Assessment (page 19)
Where to Find More Information (page 22)

Overview of MediaCentral

MediaCentral Platform Services deliver workflow tools for media professionals through both Web and mobile applications. The MediaCentral UX application allows individuals in different media production roles to access the tools they need to complete tasks with greater access to assets, team collaboration, and workflow agility. Through MediaCentral UX, users can access existing Interplay Production assets and iNEWS story/rundown information.

Overview of MediaCentral Security

This section describes some common Web application concerns and how they are addressed by the MediaCentral architecture.
Internet Security and Availability
The MediaCentral client accesses the MediaCentral server functionality through a Web-based client. As with any Web-based application, information is passed over the Internet for the user to log in and operate the application. MediaCentral utilizes standard HTTPS Internet transfer protocols for secure information transfers, such as user login credentials. MediaCentral relies on consistent Internet access for successful operation. If the application is disconnected due to faulty Internet access, the user session closes and users are required to re-enter their credentials when access is restored.
MediaCentral version 2.0 and later uses Red Hat Enterprise Linux (RHEL) v6.5 as the server operating system. For the latest information on approved security updates for RHEL 6.5 see the Avid MediaCentral Platform Services ReadMe. You can download the ReadMe for version 2.3 from the following Knowledge Base page:
http://avid.force.com/pkb/articles/en_US/ReadMe/Avid-MediaCentral-Version-2-3-x-Documentation
Data Privacy
MediaCentral provides the client with access to existing Interplay Production assets and iNEWS story/rundown information. As part of the login to MediaCentral, the user is also logged into associated Interplay Production and iNEWS sessions using their existing Interplay Production and iNEWS credentials. Access to these assets is controlled by the underlying applications themselves, based on the user’s existing account privileges. The MediaCentral client does not provide users access to any assets for which they do not have existing privileges.
In order to provide for a single login experience, MediaCentral stores user login credentials (MediaCentral, iNEWS, Interplay Production, and other customer user account information) in a central user management database. All data is stored in this central database and all passwords are maintained in an encrypted form. Note that MediaCentral leverages the existing iNEWS and Interplay Production credentials (no modifications are made to existing accounts).
Control of Data
MediaCentral stores system configuration information, some of which includes login credentials to other applications (such as iNEWS, Interplay Production). MediaCentral also stores user configuration information (roles) and login credentials. A MediaCentral administrator does not have access to any user private information. Access to user and system settings is limited as described below.
There are three categories of settings:
Home > User Settings (Basic, Video, Logging layouts), which are accessed only through a user login. A MediaCentral administrator cannot access these settings.
System Settings (System Settings layout), which are accessed only through an administrator login. These settings define the overall MediaCentral environment.
User Management settings (Users layout), which are accessed only through an administrator login. These settings include settings for individual users, groups, and roles.
Specific information about the settings is available in the MediaCentral UX documentation. See “Where to Find More Information” on page 22.
Security Incident Tracking
MediaCentral does not have the ability to track specific security incidents related to the application.
Through the MediaCentral UI, the administrator has access to user session information (who is logged in and at what time) and has the ability to manually terminate a specific user session if required. The administrator also can review information contained in /var/log/audit/audit.log and /var/log/secure, which contain a history of remote logins, authentication and authorization privileges.
Example:
Jan 7 14:39:59 localhost sshd[3781]: Accepted password for root from 172.24.41.133 port 43239 ssh2
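One way to review /var/log/secure for entries like the one above, as an added example that is not part of the Avid documentation: it parses sshd Accepted/Failed lines and flags direct root password logins and sources with repeated failures. Every sample line except the first is constructed, and the function names and the failure threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in /var/log/secure format (Python 3). The first line is
# the example from the text; the remaining lines are made up for illustration.
SAMPLE = """\
Jan 7 14:39:59 localhost sshd[3781]: Accepted password for root from 172.24.41.133 port 43239 ssh2
Jan 7 14:41:02 localhost sshd[3790]: Failed password for root from 192.0.2.15 port 51022 ssh2
Jan 7 14:41:05 localhost sshd[3790]: Failed password for root from 192.0.2.15 port 51022 ssh2
Jan 7 14:41:09 localhost sshd[3792]: Failed password for invalid user admin from 192.0.2.15 port 51030 ssh2
Jan 7 14:45:30 localhost sshd[3801]: Accepted publickey for maint from 172.24.41.20 port 40112 ssh2
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s"
    r"(?P<invalid>invalid user\s)?(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s\d+"
)

def parse_secure(text):
    """Return one dict per sshd Accepted/Failed authentication line."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = bool(ev["invalid"])  # True for unknown accounts
            events.append(ev)
    return events

def review(events, fail_threshold=3):
    """Flag direct root password logins and sources with repeated failures."""
    root_pw = [e for e in events
               if e["result"] == "Accepted" and e["user"] == "root"
               and e["method"] == "password"]
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    noisy = {src: n for src, n in failures.items() if n >= fail_threshold}
    return root_pw, noisy

if __name__ == "__main__":
    root_pw, noisy = review(parse_secure(SAMPLE))
    for e in root_pw:
        print("root password login:", e["ts"], "from", e["src"])
    for src, n in noisy.items():
        print("repeated failures:", src, n)
```

To run it against a live server, pass the contents of /var/log/secure to parse_secure() in place of SAMPLE; reading that file requires root.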
Disaster Recovery and Business Continuity
The MediaCentral application can operate within a clustered server configuration, providing Active/Passive failover for continuity of services.
The MediaCentral Playback Services (MCPS), which supports the player functionality in the MediaCentral UI, is also load balanced, providing performance and failover support for video streaming.
The underlying MediaCentral database, which stores the user settings and system configuration data, can be configured for data replication and failover. Continuous database replication is performed by LINBIT® DRBD® (www.drbd.org).
Additional details are provided in the Avid MediaCentral Platform Services Installation and Configuration Guide.
The MediaCentral Messaging Broker can operate in an active/active configuration with load balancing. Other MediaCentral services (such as Attributes) are highly available using Active/Passive failover and are not load balanced. All services are managed as a single combined resource and will fail over as a group.
Regulatory Compliance
Due to the nature of the application and the information that is accessed and stored, the MediaCentral application is not currently validated against any existing security compliance standards (such as HIPAA, DSS, ISO 19779/27001).

MediaCentral Security Architecture

The diagram below provides an overview of the MediaCentral architecture with specific references to application and data security. This diagram shows a clustered MediaCentral server configuration.
[Figure: MediaCentral Security Architecture. Components shown: MediaCentral Server (Node 1), MediaCentral Server (Node 2), Interplay Production Workgroup, ISIS 7000, ISIS 5000, ISIS 2000, Edge Switch, VPN Router / Firewall, Internet, MediaCentral Client (External), MediaCentral Client (WAN/LAN). Link labels: HTTPS, 1 Gb Network, 10 Gb Network, 10 GigE, 10Gb port, To House Network. Data in transit: user credentials, JPEG images, machine instructions, user settings, system attributes, session creation and termination logs.]
A MediaCentral client requires user login credentials in order to gain access to the underlying functionality. All data transferred to and from the MediaCentral client (user credentials, session information, user configuration settings, media images and files, text, and machine instructions) is transported securely to the MediaCentral server using the HTTPS protocol.
MediaCentral clients that connect through the public Internet require VPN access into the server network. All connections pass through the VPN router/firewall through identified ports. Once the data has passed into the “house network” it is secured using the customer’s existing network security infrastructure.
Users connected within the corporate LAN/WAN would not typically use VPN access but would likely need to pass through firewalls and other network security devices with ACLs before accessing the Avid Interplay network.
The following table lists the ports used by MediaCentral server that should be allowed through the VPN firewall.
Table 1: VPN Firewall Port Settings
Component | Port | Protocol and Direction | Usage
MediaCentral Web application | 80 | TCP Inbound | MediaCentral Playback Services (MCPS) HTTP calls. File streaming from MCPS.
MediaCentral Web application | 443 | Secure TCP Inbound | MediaCentral HTTPS calls. Communication with MediaCentral server.
MediaCentral Web application | 843 | TCP Inbound | Serving Flash Player socket policy files.
MediaCentral Web application | 5000 | TCP Inbound | Playback service (loading assets, serving JPEG images and audio, etc.). Outbound flow to client serving inbound request.
MediaCentral mobile applications | 80 | TCP Inbound | MediaCentral Playback Services (MCPS) HTTP calls. File streaming from MCPS.
MediaCentral mobile applications | 443 | Secure TCP Inbound | MediaCentral HTTPS calls. Communication with MediaCentral server.