About Television Broadcasts Limited (TVB) and Big Big Channel
TVB New Media Group Limited (TVBNMG) is a fully-owned subsidiary of TVB, one of the few broadcasters in the world that operates a vertically integrated business in production, broadcasting and distribution, supplemented by a strong artiste pool. TVBNMG is responsible for supporting all the technology and engineering of Big Big Channel. Big Big Channel is an all-in-one multimedia site combining the functions of a traditional TV channel, a mobile app and a social platform. It brings the audience an all-new experience through live streaming and video recording by TVB artistes and online celebrities from China, Japan, Korea and Taiwan. Viewers can watch the videos for free after they have registered as members. They are able to interact with artistes and KOLs during live streaming, and even purchase emoji and virtual gifts for the artistes they wish to support.
- Multiple AWS IAM users are created for various members across the enterprise.
- Staff role and permission updates in the corporate IAM are not reflected in AWS access permissions.
- Many manual operations are involved, which affects the security of AWS resources.
- Each member with an assigned IAM user authenticates to the AWS console with a separate password and authentication method, which is not ideal when it could be consolidated.
- MFA for administrator access is enforced as company policy, but self-enrollment of MFA with AWS IAM is not supported.
Solutions provided by eCloudvalley
- eCloudvalley provided an SSO setup for the multi-account environment on AWS.
- User authentication is through the client's on-premises VPN connection to an AD FS server on AWS. OTP MFA authentication is required for certain power admins. This allows single sign-on to the AWS console through Microsoft AD, with OTP authorised by privacyIDEA.
- Utilizing Infrastructure as Code (IaC) such as CloudFormation to easily deploy the same infrastructure for performance testing, UAT, staging and other regions.
- Building continuous monitoring and compliance with automated infrastructure provisioning.
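The SSO design above hinges on an IAM role that AD FS users assume through SAML federation; the CloudFormation fragment below is an added example, not eCloudvalley's or TVB's template. The role name is hypothetical, and the SAML provider ARN is a placeholder parameter created separately from the AD FS federation metadata; OTP enforcement happens at AD FS (privacyIDEA), so AWS only ever sees a signed assertion.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - IAM role assumed by AD FS users via SAML federation (not the project's own template)
Parameters:
  SamlProviderArn:
    Type: String
    Description: Placeholder - ARN of the IAM SAML identity provider created from the AD FS federation metadata
Resources:
  AdfsReadOnlyRole:                       # hypothetical role name
    Type: AWS::IAM::Role
    Properties:
      RoleName: ADFS-ReadOnly
      MaxSessionDuration: 3600            # federated console sessions expire after one hour
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Ref SamlProviderArn     # only assertions signed by this IdP are trusted
            Action: sts:AssumeRoleWithSAML
            Condition:
              StringEquals:
                # the assertion must be addressed to the AWS sign-in endpoint
                SAML:aud: https://signin.aws.amazon.com/saml
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/ReadOnlyAccess   # permissions granted to members of the mapped AD group
Outputs:
  RoleArn:
    Description: Value that the AD FS claim rule emits as "RoleArn,ProviderArn" for the mapped AD group
    Value: !GetAtt AdfsReadOnlyRole.Arn
```

Because the AD group to role mapping lives in the AD FS claim rules, removing a user from the AD group revokes console access without touching any IAM user in any account.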
Proposed Solution & Architecture
Amazon EC2: Allows customers to define security group and network access control rules, to change default vendor configurations, security controls and vendor default passwords, and to maintain a secure and compliant configuration for all customer-configurable items. This may include OS configuration for Amazon EC2 instances, logging and log retention for database services, or permissions for AWS management functions.
AWS KMS: Allows customers to create, use, and manage encryption keys in accordance with
Amazon S3: Allows customers to configure bucket logging and to monitor logs.
Amazon GuardDuty: Continuous monitoring of VPC Flow Logs and CloudTrail logs.
Amazon RDS: Allows customers to configure database access logging and to monitor logs.
AWS CloudFormation: AWS CloudFormation templates deploy the architecture within stacks that align with AWS best practices and the security compliance framework as below:
- IAM stack: Creates a basic IAM configuration with custom policies, groups, and roles.
- Logging stack: Sets up baseline AWS Config rules for monitoring. Enables AWS CloudTrail, S3 buckets, and bucket policies for logging and archiving data. Creates standard Amazon CloudWatch alarms for security-related CloudTrail events.
- VPC stack: Configures a secure Amazon VPC for an application, including subnets, NAT instances or NAT gateways, route tables, security groups and custom network access control list (network ACL) rules.
- Config rules stack: Sets up baseline AWS Config rules for monitoring.
- Application stack: Sets up EC2 instances for the web application, an Amazon RDS database, HTTPS Elastic Load Balancing, and Amazon CloudWatch alarms.
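One of the "standard CloudWatch alarms for security-related CloudTrail events" that the Logging stack describes, written out as an added CloudFormation example (not the project's own template): a metric filter and alarm for a successful console sign-in by an IAM user without MFA. It assumes the trail already delivers to the CloudWatch Logs group named by the placeholder parameter; the filter is restricted to IAM users because SAML-federated sign-ins (where privacyIDEA enforces OTP at AD FS) legitimately report MFAUsed as "No" to AWS.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - alarm on IAM-user console sign-in without MFA (not the project's own template)
Parameters:
  CloudTrailLogGroupName:
    Type: String
    Description: Placeholder - CloudWatch Logs group the CloudTrail trail already delivers to
  AlarmEmail:
    Type: String
    Description: Placeholder - address that receives alarm notifications
Resources:
  SecurityAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlarmEmail
  ConsoleSignInWithoutMfaFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref CloudTrailLogGroupName
      # Successful ConsoleLogin by an IAM user where the MFA flag is not "Yes".
      # Federated (AssumedRole) sign-ins are excluded: their MFA is enforced at the IdP.
      FilterPattern: '{ ($.eventName = "ConsoleLogin") && ($.userIdentity.type = "IAMUser") && ($.additionalEventData.MFAUsed != "Yes") && ($.responseElements.ConsoleLogin = "Success") }'
      MetricTransformations:
        - MetricNamespace: CloudTrailMetrics
          MetricName: ConsoleSignInWithoutMfaCount
          MetricValue: '1'
  ConsoleSignInWithoutMfaAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: CloudTrail-ConsoleSignInWithoutMFA
      AlarmDescription: An IAM user signed in to the console without MFA, bypassing the SSO path
      Namespace: CloudTrailMetrics
      MetricName: ConsoleSignInWithoutMfaCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching      # a quiet period (no sign-ins) is not an alarm
      AlarmActions:
        - !Ref SecurityAlarmTopic
```

Deploying the same template in every linked account keeps the alarm definitions identical, which is what makes the centrally collected security events comparable across accounts.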
- TVB realized centralized access control. With single sign-on to the AWS console through Microsoft AD, with OTP authorised by privacyIDEA, access controls are deployed on only one AWS account instead of numerous accounts. This mechanism largely reduces the complexity of account management and dramatically reduces the time needed to update the user list. Before this deployment, TVB needed 2 to 3 days to complete the process of removing a resigned person from an account. Now HR and IT staff can remove a resigned person from a linked account by modifying Microsoft AD within 2 hours, without spending time on cross-department coordination. This method dramatically increases the convenience, security and efficiency of account management.
- Combined with master and linked accounts, TVB realized centralized logging and metrics visualization. All logs from each account are transmitted to an Amazon Elasticsearch cluster in the master account. Log formats are unified into one, which eases processing and analysis. Cross-department logs are stored centrally for large-scale analysis and comparison to find underlying patterns. Furthermore, metrics are centrally processed and visualized on dashboards, which lets IT staff monitor resources in different accounts more efficiently. Both resource performance and account security events can be observed with minimal latency. IT staff can now respond quickly to incidents without logging in to each account. This mechanism significantly improves IT management efficiency.
- Cross-region redundancy gives TVB a better ability to handle incidents. With traditional on-premises website hosting, TVB was unable to restore the website in a short time after physical equipment failures. Spare servers had to be kept on hand to cover hardware outages, the service restoration process could take up to 12 hours, and human error might further delay the whole schedule. Now a single service failure can be covered through high-availability design such as multi-AZ deployments or Auto Scaling groups. Even during a regional outage, the website can be restored in another region, and the whole restoration process with the CloudFormation template provided by ECV can be completed in less than 1 hour. Besides, when news content is found to have been tampered with by attackers, TVB can use the backup restored in the other region to keep providing correct news to readers. Meanwhile, the IT team can work on correcting the content on the primary website and investigate the issue. After the original website is restored, the IT team can simply fail back to it. This design not only enables high availability but also improves security and incident response capability.