Secure Video Streaming Tactics: Video DRM, Geo-blocking, and More (Update)
Successfully delivering live and on-demand video content starts with choosing a secure video streaming platform. Unauthorized access can compromise the revenue-boosting strategies of subscription and pay-per-view services. If a streaming implementation involves sensitive or private data, then protection is key. Learn more about the various tools and features secure video streaming platforms use to protect your content.
Table of contents
Video Streaming Security Features
Before we explore these security features in detail, note that there is no one-size-fits-all approach, nor are you limited to using only one of the following to secure your streams. Many of these features can and should be paired with others for added protection.
We’ll start (and end) with digital rights management (DRM). This is a method for securing and managing the rights of digital content. It prevents unauthorized use and copying of your content. It may also dictate where your content can be viewed from. We address some of the most common questions and concerns in the next section.
Chosen by the US government to protect classified information, Advanced Encryption Standards (AES) is an extremely effective method for securing data. It functions by generating a special key that grants users access to the protected data. In the case of video streaming, only viewers with the key can watch the protected video. That means any hackers that manage to intercept the stream won’t be able to view it. This simple and easy-to-implement solution is a very strong option that can still be used in concert with other security features.
This is exactly what it sounds like; users must know the password to access your video. This solution is simple and effective for most video streaming purposes. However, it’s not the most secure, as passwords can be leaked or hacked. When exploring this option, think about the level of risk that you’re willing to incur. Consider using passwords with other security measures to enhance protection.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are security protocols that encrypt data being exchanged between a server and a user. While you may still hear SSL used to describe this type of technology, it is technically the predecessor to the more secure TLS protocol. In any case, these security features can be used to protect private data that users might enter into a website, like payment information in a video paywall. But more broadly speaking, they protect any communications being sent over the internet. They do this using what’s called the SSL/TLS “handshake” between client machines and servers.
Also referred to as geographic or IP restrictions, this method blocks certain geographic regions from accessing your content. Keep in mind that doing so could limit certain legitimate viewers from viewing your video. However, there are valid reasons for why you might want to do this. Some geographic regions are at a higher risk for piracy than others. In fact, the US Office of the Trade Representative maintains a list of some 36 countries considered high risk.
IP Whitelisting is similar to geo-blocking. But instead of refusing access to specific regions, you allow access to specific IP addresses. This may or may not be useful depending on your target audience. If you are looking to cast a wide net, then this method may be too restrictive.
Also sometimes referred to as domain blocking for embedded players, this allows you to restrict access to your content by domain. Enabling this feature allows a system of digital security tokens to check your server regularly and detect if your video has been embedded on an unauthorized site. If so, then the video is immediately blocked from playback.
A Closer Look at DRM Video Streaming
Imagine purchasing a movie from Amazon Prime. In order to access the movie, you need to use their streaming platform or proprietary app. You can’t download it to an unapproved device, and you definitely can’t burn it onto a DVD. Did you really purchase the movie, or did you just purchase the right to access the movie in specific ways? Whatever your personal take on this scenario, one thing is clear: DRM is an effective method for preventing unauthorized access to digital content by controlling how and where that content can be accessed.
DRM can apply to more than just your movie purchases. All digital media is subject to copyright. Your favorite Kindle eBook, for example, is likely subject to DRM protections. However, DRM in video streaming refers specifically to any video files locked behind paywalls or otherwise subject to copyright protections. Most video streaming platforms now require it.
How does DRM protect your video files? For starters, don’t confuse DRM with video encryption. DRM does not encrypt your video files, but it can provide an added layer of protection. Many common types of video encryption have weak key exchanges, making them prone to hacking. DRM comes in and protects the encryption key, a process known as black-boxing. DRMs are afforded this level of control because Google, Apple, and Microsoft —makers of the three most common DRMs (Widevine, Fairplay, and PlayReady respectively) — have additional control over your browser, OS, and hardware.
When you restrict video using DRM, you may be restricting what devices the content can be viewed on or how long a viewer has access to it. Users can stream DRM protected content by going through the standard channels and using the approved devices. In some cases, they may need to enable their browser or device to stream DRM content. When considering DRM secure video streaming protections for your content, consider closely your audience, how they would want or need to access your content, and how DRM protections may affect that.
Wowza Streaming Engine: Security Step-by-Step
Wowza offers secure video streaming features at every step of the workflow. We make it easy to layer security features and provide a more holistic defense against piracy.
Step One: Protect the Source
Wowza Streaming Engine protects your data integrity from the very start with password-based source protection. This allows you to place restrictions on RTMP and RTSP-based encoder connections. In other words, no one can use your server to upload and stream video without your permission.
By restricting access to only those with a username and password, source authentication thwarts unauthorized users from streaming to your server. Broadcasters can configure credentials at an application level in the Wowza Streaming Engine Manager.
Step Two: Control Playback
Wowza’s security token module restricts playback to specific IP addresses through a challenge and response security system on all viewing fronts. The security mechanism uses a handshake between Wowza Streaming Engine and the client to secure content. A random single-use key and a password (shared secret) protect each connection. A secure hashing algorithm and customizable security parameters help validate each client attempting to access a stream. This helps prevent spoofing threats.
Step Three: Consider StreamLock for Increased Playback Protection
The Wowza StreamLock AddOn is a network encryption option that provides near instant provisioning of free 2048-bit Secure Sockets Layer (SSL) certificates for RTMP and secure HTTP streaming. This global standard for security technology protects streams by scrambling the data being transmitted across the internet.
- HTTPS: Use SSL in conjunction with token-based authentication to secure your HTTP streaming via Apple HLS, Adobe HDS, and Microsoft Smooth Streaming.
- RTMPS: RTMPS is a secure form of RTMP – with the ‘S’ standing for ‘secure’. By streaming encrypted data via a secure connection, RTMPS prevents third parties from intercepting your live streams.
Step Four: On-The-Fly DRM as You Stream
For premium content, studio-approved DRM offers yet another level of protection. Wowza DRM provides integration with various DRM platforms, delivering real-time Apple FairPlay, Microsoft PlayReady, or Google Widevine encryption of live and video-on-demand content to any screen. It enables three third-party DRM key-management service providers to deliver encryption keys to Wowza Streaming Engine during encryption and license keys to viewers’ devices during playback.
Wowza Video: Security Step-by-Step
Wowza Video enables many of the same secure video streaming methods with some added features. These work together to prevent unwanted publishing, encrypt HTTP-based streaming data, and restrict access to controls.
Step One: Protect the Source
Just as with our media server, you’ll want to prevent unauthorized access to your cloud system. Wowza Video uses CDN token authorization to provide a secure connection into the ingest origin server by requiring the source encoder to use username and password credentials to connect.
Step Two: Establish Access Permissions
Wowza Video has geographic targeting and restriction capabilities, which involves blocking specific countries where your video shouldn’t be streamed. This automatically blocks unauthorized viewers from accessing your content. You can also be even more targeted and restrictive by using IP whitelisting to allow playback access to only approved addresses within these restricted regions.
Step Three: Control and Expand Playback
Wowza Video uses Secure Sockets Layer (SSL) certificates to provide encrypted HTTPS connections as streams move through the network. This not only prevents stream interception by unauthorized sources, but also inspires confidence in users who now often see warnings in their browsers when accessing content that does not utilize these sorts of protections. Establishing yourself as a trusted streaming source could enhance viewership.
Step Four: Further Restrict Playback with Token Authorization
Token-based authentication ensures that only authorized users – like those who’ve paid or registered – have access to content. This prevents link sharing by only providing tokens to approved users. We accomplish this by generating unique URLs for each playback request that expire after an allotted period, preventing all users from seeing the true stream URL.
Step Five: DRM Option for Added Control
To protect premium content from piracy or illegal redistribution, we offer digital rights management (DRM) technology that supports all studio-approved DRM providers, including Apple FairPlay, Google Widevine, and Microsoft PlayReady.
Secure Video Streaming Tips
Use multiple lines of defense. Layer your streaming security solutions to bolster your defenses. Not all of the listed solutions accomplish the same tasks and not all of them may be right for your purposes. Choose wisely.
Regularly monitor your systems for suspicious activity. No solution is 100% failproof. Keep an eye out for unauthorized access to your streaming platform. Make sure that everyone with access is aware of security best practices. You can also go so far as to search your video title and password on the internet to spot any websites that may be leaking your login credentials.
Enable multi-factor authentication for any accounts used for broadcasting. Sometimes passwords just aren’t enough. It may seem tedious having to go that extra mile to access the streaming platform, but the added security will protect you against leaked or hacked passwords.
Consider a watermark for your content if appropriate: This may or may not work for you depending on what you’re streaming and to whom. But if you are putting video content out there that could be at risk of reproduction and reposting, then let viewers know who it really belongs to.
Consider your audience. Many of these security measures are far more restrictive than others. Know that you don’t have to implement every option available to you, especially if that option could severely limit legitimate viewers from accessing your content.
Find a SOC-2 certified streaming solution. When you choose a streaming partner, you are placing a lot of trust in them to handle your data responsibly. SOC-2 certification is an auditing procedure that ensures service providers securely and responsibly manage data. Companies that obtain this certification must meet certain compliance standards centered around access controls, change management, system operations, and mitigating risk.
Wowza Can Help
As a SOC-2 certified company, Wowza promotes data integrity and confidentiality. Our streaming solutions, the security features of which are outlined above, are reliable, secure, and easy to use. Let us help you figure out what security features best suite your needs.
Search Wowza Resources
About Sydney Roy (Whalen)
Sydney works for Wowza as a content writer and Marketing Communications Specialist, leveraging roughly a decade of experience in copywriting, technical writing, and content development. When observed in the wild, she can be found gaming, reading, hiking, parenting, overspending at the Renaissance Festival, and leaving coffee cups around the house.