6

We have many hours of video training courses that we want to deliver on-site to clients with encryption or something to control access.

Currently, we offer via website (e.g. like Udacity), but some large companies want it on-site due to internet bandwidth. We don't want to just hand them a hard drive with the mp4 files, but we also don't need military-grade encryption (since in the end, they could record it with a video camera).

I'm thinking we can give them a media server with the videos, and have our local web app running on their network and talking to our (web) server for tracking/getting tokens, and talking locally with the media server for the videos.

I'm told "other providers are offering this" but I don't know "how". I'm guessing they use an Adobe Media Server or something.

How can I "cache locally" the videos on-site with the client, yet still have some control over the access to the videos?

AwokeKnowing

1 Answer

4

Interesting problem. You want to give your Intellectual Property to a third party, in a way that they can display it (through your Portal), behind their firewall, but in a way that they can't actually get at the source files.

  1. You'll need to provide an appliance (either as a big-ass OVA, so they can run it on VMware/Hyper-V/etc., or as a hardware thing they can stick in a rack and connect to their network). Given the amount of multimedia involved, I suspect the latter is easier. Dell R530 with a stack of 4TB disks in it. Done.

  2. You'll need a 'secure' Operating System. Something you can lock down, and install things like Tripwire (so you can tell if the system's been poked by your customer). You could also do with fail2ban (so you can detect and prevent ssh brute-forcing), and a strict IPTables lockdown, so that only the webservice is accessible from the customer IP address range.

  3. You might find that your customer's IT security policy prevents your system calling home (either for analytics, or for "tracking/getting tokens"), so I'd be tempted to build the appliance to have the token generation/authorization built in, rather than having it rely on a webservice which might not be accessible. If you can get the customer to agree to it, you could have your box call home to an API endpoint you host, so that you can have it pull settings down if they need to be updated. You probably don't want to be seen to be pushing data to it, or having a constant ssh connection, as that'll ring alarm bells for a bunch of IT security folks at the customer site.

  4. You will need a media server of some kind. Adobe Media Server probably offers most in regard to out-of-the-box functionality, and DRM, but Wowza Media Server is also an option. Red5 is open-source, but there's a professional version that allows high-availability clustering too.

  5. Finally, you'll probably want to offer some level of integration between their existing systems and yours, so that'll probably be via LDAP integration with their Active Directory (typical enterprise integration method).

You should also try to get your appliance accredited by some third-party security consultants, so that you can have it verified to your customers that you're not stealing their data, or exposing them to new threats.

Tom O'Connor
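Point 3 of the answer above suggests building token generation/authorization into the appliance so playback does not depend on a call home. The sketch below is an added example, not code from the answer or from any media server product: it issues and verifies short-lived HMAC-signed playback tokens locally. The function names, token layout, key value and video IDs are assumptions, and the user name is assumed to come from an upstream login such as the LDAP integration in point 5.

```python
import base64, hashlib, hmac, json, time

# Assumption: a per-appliance secret provisioned at build time (constructed value).
APPLIANCE_KEY = b"constructed-demo-key-replace-per-appliance"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(body: str, key: bytes) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def issue_token(user, video_id, ttl=300, now=None, key=APPLIANCE_KEY):
    """Issue a short-lived token binding one authenticated user to one video."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user, "vid": video_id, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_mac(body, key)}"

def verify_token(token, video_id, now=None, key=APPLIANCE_KEY):
    """Return the user name if the token is valid for video_id, else None."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
        # Check the MAC before parsing anything the client controls.
        if not hmac.compare_digest(sig.encode(), _mac(body, key).encode()):
            return None
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None  # malformed token: wrong part count, bad base64 or JSON
    if claims.get("vid") != video_id:
        return None  # token was issued for a different video
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims.get("sub")

if __name__ == "__main__":
    tok = issue_token("alice", "course-101/lesson-03")
    print("token:", tok)
    print("valid for lesson-03:", verify_token(tok, "course-101/lesson-03"))
    print("valid for lesson-04:", verify_token(tok, "course-101/lesson-04"))
```

The web front end in front of the media server would call `verify_token` on every stream or segment request, and logging the returned user name per request gives an on-box access record that still works when the call home is blocked.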