Secure Video Streaming Tactics: Video DRM, Geo-blocking, and More
Successfully delivering live and on-demand video content starts with choosing a secure video streaming platform. Unauthorized access can compromise the revenue-boosting strategies of subscription and pay-per-view services. If a streaming implementation involves sensitive or private data, then protection is key. Learn more about the various tools and features secure video streaming platforms use to protect your content.
Table of contents
Video Streaming Security Features
Before we explore these security features in detail, note that there is no one-size-fits-all approach, nor are you limited to using only one of the following to secure your streams. Many of these features can and should be paired with others for added protection.
DRM
We’ll start with digital rights management (DRM). This is a method for securing and managing the rights of digital content. It prevents unauthorized use and copying of your content. It may also dictate where your content can be viewed from.
AES Encryption
Chosen by the US government to protect classified information, Advanced Encryption Standards (AES) is an extremely effective method for securing data. It functions by generating a special key that grants users access to the protected data. In the case of video streaming, only viewers with the key can watch the protected video. That means any hackers that manage to intercept the stream won’t be able to view it. This simple and easy-to-implement solution is a very strong option that can still be used in concert with other security features.
Password Protection
This is exactly what it sounds like; users must know the password to access your video. This solution is simple and effective for most video streaming purposes. However, it’s not the most secure, as passwords can be leaked or hacked. When exploring this option, think about the level of risk that you’re willing to incur. Consider using passwords with other security measures to enhance protection.
SSL/TLS
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are security protocols that encrypt data being exchanged between a server and a user. While you may still hear SSL used to describe this type of technology, it is technically the predecessor to the more secure TLS protocol. In any case, these security features can be used to protect private data that users might enter into a website, like payment information in a video paywall. But more broadly speaking, they protect any communications being sent over the internet. They do this using what’s called the SSL/TLS “handshake” between client machines and servers.
Geo-blocking
Also referred to as geographic or IP restrictions, this method blocks certain geographic regions from accessing your content. Keep in mind that doing so could limit certain legitimate viewers from viewing your video. However, there are valid reasons why you might want to do this. Some geographic regions are at a higher risk for piracy than others. In fact, the US Office of the Trade Representative maintains a list of some 36 countries considered high risk.
IP Whitelisting
IP Whitelisting is similar to geo-blocking. But instead of refusing access to specific regions, you allow access to specific IP addresses. This may or may not be useful depending on your target audience. If you are looking to cast a wide net, then this method may be too restrictive.
Referrer Restrictions
Also sometimes referred to as domain blocking for embedded players, this allows you to restrict access to your content by domain. Enabling this feature allows a system of digital security tokens to check your server regularly and detect if your video has been embedded on an unauthorized site. If so, then the video is immediately blocked from playback.
Tokenized URLs
These are also called Signed URLs. This is a method to secure the delivery of video content by controlling who can access the streams and for how long. They prevent unauthorized sharing by only providing access to certain viewers for certain periods of time. Without them, anyone could easily fetch the stream’s manifest URL and republish it elsewhere, granting access to anyone indefinitely.
| Security Feature | What It Does | Level of Protection |
| Digital Rights Management (DRM) | Prevents unauthorized use or reuse of video | Asset-based or Viewer-based |
| AES Encryption | Encrypts video data unless the viewer has the decryption key | Asset-based or Viewer-based |
| Password Protection | Prevents access unless the viewer has the designated password | Asset-based or Domain-based |
| Secure Socket Layer/Transport Layer Security (SSL/TLS) | Encrypts and protects sensitive data in transit | Domain-based |
| Geo-blocking | Prevent access based on where the viewer loads the video from | Location-based |
| IP Whitelisting | Prevent access based on the viewer’s specific IP address | Device-based |
| Referrer Restrictions | Prevents video from being embedded elsewhere | Domain-based |
| Tokenized URLs (or Signed URLs) | Provides specific access to content via a unique, temporary link | Asset-based |
A Closer Look at DRM for Video Streaming
Imagine purchasing a movie from Amazon Prime. In order to access the movie, you need to use their streaming platform or proprietary app. You can’t download it to an unapproved device, and you definitely can’t burn it onto a DVD. Did you really purchase the movie, or did you just purchase the right to access the movie in specific ways? Whatever your personal take on this scenario, one thing is clear: DRM is an effective method for preventing unauthorized access to digital content by controlling how and where that content can be accessed.
DRM can apply to more than just your movie purchases. All digital media is subject to copyright. Your favorite Kindle eBook, for example, is likely subject to DRM protections. However, DRM in video streaming refers specifically to any video files locked behind paywalls or otherwise subject to copyright protections. Most video streaming platforms now require it.
How does DRM protect your video files? For starters, don’t confuse DRM with video encryption. DRM does not encrypt your video files, but rather it manages access to the decryption keys to provide an added layer of protection. Many common types of video encryption have weak key exchanges, making them prone to hacking. DRM comes in and protects the encryption key, a process known as black-boxing. DRMs are afforded this level of control because the three most common DRM providers (Google Widevine, Apple Fairplay, and Microsoft PlayReady) have additional control over your browser, OS, and hardware.
When you restrict video using DRM, you may be restricting what devices the content can be viewed on or how long a viewer has access to it. Users can stream DRM-protected content by going through the standard channels and using the approved devices. In some cases, they may need to enable their browser or device to stream DRM content. When considering DRM-secure video streaming protections for your content, consider your audience closely. How would they want or need to access your content, and how could DRM protections affect that?
Why Secure Video Streaming Matters
There are many applications for secure video streaming, especially as cameras and capture devices become more widely adopted and implemented. Current use cases can include businesses looking to stream internal Town Halls, law enforcement agencies looking to monitor remote security and surveillance feeds, or Departments of Transportation managing and optimizing traffic flow across a network of traffic cameras. In these scenarios, information security, low latency, and intelligent automation become critical requirements.
A secure, reliable media streaming server like Wowza Streaming Engine supports these use cases with robust, compliant, developer-friendly infrastructure. Public sector agencies, remote field operations teams, and law enforcement groups have already seen noticeable value.
Wowza Streaming Engine: Security Step-by-Step
Wowza offers secure video streaming features at every step of the workflow. Easily layer advanced stream security features for a more holistic defense against piracy.
Step One: Protect the Source
Wowza Streaming Engine protects your data integrity from the very start with password-based source protection. This allows you to place restrictions on RTMP and RTSP-based encoder connections. In other words, no one can use your server to upload and stream video without your permission.
By restricting access to only those with a username and password, source authentication thwarts unauthorized users from streaming to your server. Broadcasters can configure credentials at an application level in the Wowza Streaming Engine Manager. Surveillance teams can ensure that only designated security personnel can view CCTV feeds.
Step Two: Control Playback
Wowza’s secure token module restricts playback to specific IP addresses through a challenge and response security system on all viewing fronts. The security mechanism uses a handshake between Wowza Streaming Engine and the client to secure content. A random single-use key and a password (shared secret) protect each connection. A secure hashing algorithm and customizable security parameters help validate each client attempting to access a stream. This helps prevent spoofing threats.
Step Three: Consider StreamLock for Increased Playback Protection
The Wowza StreamLock integration is a network encryption option that provides near instant provisioning of free 2048-bit Secure Sockets Layer (SSL) certificates for RTMP and secure HTTP streaming. This global standard for security technology protects streams by scrambling the data being transmitted across the internet.
- HTTPS: Use SSL in conjunction with token-based authentication to secure your HTTP streaming via Apple HLS and DASH.
- RTMPS: RTMPS is a secure form of RTMP. By streaming encrypted data via a secure connection, RTMPS prevents third parties from intercepting your live streams.
Step Four: On-The-Fly DRM as You Stream
For premium content, a studio-approved DRM offers yet another level of protection. Wowza enables flexible integrations with DRM platforms, delivering real-time live and on-demand video content to any screen, securely, via Apple FairPlay, Microsoft PlayReady, or Google Widevine. It enables three third-party DRM key-management service providers to deliver encryption keys to Wowza Streaming Engine during encryption and license keys to viewers’ devices during playback.
Secure Video Streaming Tips
Use multiple lines of defense. Layer your streaming security solutions to bolster your defenses. Not all of the listed solutions accomplish the same tasks, and not all of them may be right for your purposes. Choose wisely.
Regularly monitor your systems for suspicious activity. No solution is 100% failproof. Keep an eye out for unauthorized access to your streaming platform. Make sure that everyone with access is aware of security best practices. You can also go so far as to search your video title and password on the internet to spot any websites that may be leaking your login credentials.
Enable multi-factor authentication for any accounts used for broadcasting. Sometimes passwords just aren’t enough. It may seem tedious to go that extra mile to access the streaming platform, but the added security will protect you against leaked or hacked passwords.
Consider a watermark for your content if appropriate: This may or may not work for you, depending on what you’re streaming and to whom. But if you are putting video content out there that could be at risk of reproduction and reposting, then let viewers know who it really belongs to.
Consider your audience. Many of these security measures are far more restrictive than others. Know that you don’t have to implement every option available to you, especially if that option could severely limit legitimate viewers from accessing your content.
Find a SOC-2 certified streaming solution. When you choose a streaming partner, you are placing a lot of trust in them to handle your data responsibly. SOC-2 certification is an auditing procedure that ensures service providers securely and responsibly manage data. Companies that obtain this certification must meet certain compliance standards centered around access controls, change management, system operations, and mitigating risk.
Frequently Asked Questions:
Secure video streaming is just like normal live or on-demand video streaming, but with a focus on safeguarding and preventing unauthorized access to video content. This could be because the video contains sensitive or proprietary information, or it could be to preserve revenues by preventing unauthorized duplication of monetized content.
There are many ways to protect live streaming video content from being pirated. The level of protection depends on the degree of granular control needed for that specific use case. For example, for highly sensitive streams that can not be leaked externally, a group could impose SSL/TLS encryption and referrer restrictions to encrypt and protect the video data in transit, and prevent that content from being embedded elsewhere. Conversely, if a group wants to provide widespread access to live streams for those who have purchased a ticket or other special key that grants permission to view, that group could impose password restrictions and AES encryption.
DRM, or Digital Rights Management, is a way to prevent unauthorized viewing, use, or reuse of proprietary content. This is usually a granular control that is configured per video or per live-stream on the asset level. Encryption is a method of obscuring the underlying video data, either at rest or in transit. To outside viewers, this makes the video unintelligible. Only designated viewers with the decryption key can view the original video content, unencrypted and unmodified. This level of control is typically managed on the asset or the viewer level.
Wowza Can Help
As a SOC-2 certified company, Wowza promotes data integrity and confidentiality. Our streaming solutions, the security features of which are outlined above, are reliable, secure, and easy to use. Let us help you figure out what security features best suite your needs.