Managing streaming access

20 July 2021

Managing streaming security

Many people think of video and audio streaming as publicly accessible content. In reality, almost any professional content publisher needs to protect their media.

Two examples of why media protection is important:

  1. If you offer or monetise free to air videos, you don’t want third parties to deep-link to your media from their websites. You have to pay for the traffic, while they get the audience, and perhaps even the revenues.
  2. If you broadcast an exclusive event, you don’t want uninvited people to attend the show. Your audience may have paid for access.

There are so many more examples. Actually, most of our customers have a use case where they need to prevent unauthorised access to their media and live streams. Think of job interview videos, closed court hearings, pay per view, subscriptions, internal presentations: this is content that needs protection.

Video platform security is weak
You can’t put content that needs protection on regular video platforms. Security on most video platforms is flawed: they rely on obscurity, so anyone who knows the link can still access your private media.

DRM can be overkill
The heaviest possible security technology is Digital Rights Management. Your media is encrypted. A license server is required to grant each user access to your content. DRM, however, is expensive and complicated, and is a serious threshold for you and your audience. DRM is therefore typically used for licensed and paid content such as video subscription and pay per view services with enough revenues to cover the costs and headaches of DRM.

Remember that no security technology is 100% safe: even with DRM, your media can be screen recorded. The challenge is to make it as hard as possible, without spending too much time and money.

Filling in the Security Gap
So there is a wide security gap between the not-so-secure private links of video platforms, and the – for many use cases – overly secure, complex and expensive DRM.

At Jet-Stream we’ve designed our platform from the ground up to fill this gap:

Secure streaming
By design, the Jet-Stream platform uses secure streaming. All communication between you, our platform, our CDNs and the viewers is encrypted. Our European cloud is a highly redundant, secure environment where your media is stored and streamed. In contrast to other CDNs, you don’t have to manage SSL certificates or worry about certificate renewals: we’ve already taken care of this for you, for free. It’s automated, even in Multi-CDN mode.

Internal tokens
By design, our servers and integrated Multi-CDN partners deny access to any direct request. They require a token to be in the URL. These tokens are dynamically generated by our active load balancers, per individual request. When a valid token is presented, the servers and CDNs generate a unique session ID for each individual user. The user can only access the media file, playlist and segments that are granted for that request. We don’t use cookies or profiles, and the sessions are automatically deleted to protect the viewers’ privacy. If this user shares their session link with anyone else, their requests are denied. You can only access media if our load balancers allowed you to get there in the first place.

Add security rules
Our customers can add enhanced security rules in realtime to our load balancers. Each individual title and live stream can be locked, geo fenced and password protected, via our web interface or API.

Geo fencing
Customers can create and manage Geo Groups that contain a list of countries. Each title and stream can be Geo Fenced to one or multiple groups. The load balancers check the user’s IP address against our Geo database. If the IP address matches, the request is processed. Otherwise, the user gets to see a (customisable) video that explains that access was denied.

Locking
Customers can lock individual titles and streams. If a requested title or stream is locked, the request routers require a valid token in the URL. If that token is valid, the request is processed. Otherwise, the user gets to see a (customisable) video that explains that access was denied. Your portal generates a token, which is validated by our load balancers, which in turn instantly generate a new token, which is validated by our servers and our selected third party CDNs too, so that your locking is enforced, even in a Multi-CDN scenario. Tokens automatically expire, so sharing URLs is pointless.

Your own access rules
Tokens are a great way to prevent deep-linking, since third party portals have no way to generate a valid token. You can add all kinds of additional logic to your portal. For example, you can validate whether a user is logged in, and has the rights to access the media, before generating a valid token. Or you can check if the user has paid for the media. You can do your own geo-fencing. Any rule can be applied, and there is no need to share (potentially privacy invasive) information about users with Jet-Stream: simply generate the token, or not, and we will grant or forcefully deny access.

Implement tokens in minutes, years of joy
Secure tokens may sound complicated, but you can implement them in your portals in minutes. We’ve created sample code in JavaScript, Python and PHP here: https://docs.jet-stream.com/docs/vdo-x/tokens/. You can find your private key in your account, under the API menu.

New: Password protection
Recently we’ve added a new security feature: password protection. Simply set a password for any individual title or live stream. Privacy Player Pro will ask your viewers to enter this password before they can watch your media. Password protection is built upon the same secure foundations as secure tokens.

Use case 1: password
Enter a password. The password is set and the object is automatically locked. The Jet-Stream platform will deny anyone access to your media unless they provide the password in Privacy Player Pro.
You don’t need to implement tokens. Passwords are encrypted.

Use case 2: token access
Lock an object and the Jet-Stream platform will deny anyone access to your media unless you add a valid secure token to the URL. This way you can manage secure single-sign-on access from your websites and apps: you decide who’s allowed to watch. There’s no risk of passwords being shared.

Use case 3: token and password
Enter a password. The password is set and the object is automatically locked. The Jet-Stream platform will deny anyone access to your media unless they provide the password in Privacy Player Pro. If you decide to add a valid secure token to the URL, a password is not required. Protect your media. Let selected people test and access your media with a password, bypassing your token implementation.

Security features are free and unlimited
Secure streaming, internal tokens, geo fencing and secure tokens are integrated features of the Jet-Stream platform, bundled for free, with unlimited use. Our web interfaces offer easy access to these advanced security features and our APIs let you automate and scale your security workflow. These features work regardless of the player being used: Privacy Player or third party players.

Note: password protection is available to customers with Privacy Player Pro. It offers advertisement support, unlimited views, dynamic branding, 4K, 360°VR and much more for a low fixed price per month.

Combine tokens and passwords with geo-fencing
Password protection and token access control work together with the built-in geo fencing security feature. If a user is outside your specified geo region, they will not be able to access the media, even if they have a valid password, or if you provide a valid token.
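The rule order described above (geo fence first, then locking, then a token or a password), combined with the expiring portal tokens from the locking section, as an added example that is not Jet-Stream's code or token format. The HMAC-SHA256 token layout, the binding of the token to a path, PBKDF2 password storage, the key, the object fields and the path are all assumptions made for illustration.

```python
import hashlib
import hmac

# Assumption: constructed demo key standing in for the private key from the API menu.
KEY = b"constructed-demo-key"
SALT = b"constructed-salt"


def issue_token(path, expires_at, key=KEY):
    """Portal side: call only after your own login/payment checks pass."""
    sig = hmac.new(key, f"{path}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{expires_at}.{sig}"


def token_valid(path, token, now, key=KEY):
    """Validator side: recompute the MAC, compare in constant time, enforce expiry."""
    try:
        expires_str, sig = token.split(".", 1)
        expires_at = int(expires_str)
    except (AttributeError, ValueError):
        return False
    good = issue_token(path, expires_at, key).split(".", 1)[1]
    return hmac.compare_digest(sig.encode(), good.encode()) and now < expires_at


def hash_password(password, salt=SALT):
    # Assumption: PBKDF2 storage; the page only says passwords are encrypted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def decide(obj, path, country, now, token=None, password=None):
    """Rule order described on the page: geo fence, then lock, then token or password."""
    if obj.get("geo") and country not in obj["geo"]:
        return "deny: geo"  # a valid token or password does not override the fence
    if not obj.get("locked"):
        return "allow"
    if token is not None and token_valid(path, token, now):
        return "allow"  # a valid token makes the password unnecessary
    stored = obj.get("password_hash")
    if stored and password is not None:
        if hmac.compare_digest(hash_password(password), stored):
            return "allow"
    return "deny: locked"


# Constructed sample object: locked, fenced to NL/BE, with a preview password.
TITLE = {"locked": True, "geo": {"NL", "BE"}, "password_hash": hash_password("preview-pass")}
PATH = "/vod/title.m3u8"  # hypothetical media path
```

Because the expiry and the path are both covered by the MAC, editing the expiry in a shared URL or reusing the token on another title fails validation.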

Finest granularity, realtime control
Locking, passwords and geo fencing can be managed per individual video, per live stream, via the API and the web interface. Settings are effective immediately. So instantly after uploading new videos, you can protect them. Instantly turn locking on and off, change a password immediately, and add and remove countries instantly from your Geo Groups.

DRM support
By default, CDNs don’t allow you to use custom DRM headers. If you upload or stream DRM encrypted content to Jet-Stream, or configure a Remote Origin server that stores your DRM encrypted VOD and live streams, our platform transparently respects your DRM headers. This way, you can fully operate your own secure encryption, licensing and storage environment combined with the Jet-Stream platform to deliver your media to your audiences, in the most secure way. All Jet-Stream security features can be used in conjunction with DRM encrypted media and streams as well. (Note that some third party CDNs in a Multi-CDN configuration block DRM headers. Contact us for advice.)

Hundreds of streaming professionals rely on Jet-Stream for their core streaming services. For them, uptime, performance, security and privacy are key foundations for their mission critical operation.

Would you like to test drive our services? Request a free trial here.