1. Introduction
Protecting your personal information and content is critical, this is why the MediaSilo platform was
built with security being a core focus. The MediaSilo platform is SOC 2 Type II certified and we
follow a Secure SDLC (Software Development Life Cycle) to ensure that every feature and
component is built securely. The application also offers many features and tools that you can use
to further protect your data. This document will outline those tools and features so that you can
understand their purpose and implement them effectively, ensuring your data is secure and
protected at all times.
2. Account Settings
There are several account level settings that can be implemented to increase and enforce
better security across your workspace. In this section we will discuss these settings and how
best to use them, all of these settings are optional and left up to the administrators of the
workspace to enable.
If you are an administrator, once you log into MediaSilo you will see a gear icon in the left
navigation bar. Select the gear icon and then select the ‘Settings’ tab at the top to find the
options discussed in this section.
2.1 Security > Multi-Factor Authentication (MFA)
Security Impact: High / Recommended: Yes
Under the ‘Security’ section to the left you will see the option to enable Multi-Factor
Authentication (MFA) for your workspace. When this is disabled individual users are still
able to enable MFA for their user, but it is not required. When you enable this feature it
requires all users in your workspace to set up and use MFA when accessing the account.
This feature is overridden if you have SSO (Single Sign On) enabled on your account. More
information about MFA can be found here.
2.2 Links
Security Impact: Low / Recommended: Yes
This section allows you to set default settings when creating shareable links within
MediaSilo. These settings are not enforced and a user can override them, however the
majority of users create links without changing the settings. They often do not understand
what settings to use or do not bother changing the defaults. Because of this setting the
defaults to something more secure increases the likelihood that a user will create more
secure links when using the platform.
2.2.1 Access
The drop down labeled ‘Access’ controls the default selection for who can access the link
being created. Below are the three options and what they mean:
Public: This creates a link that can be viewed by anyone with the URL, this provides no
security and allows users to share the content outside of who initially received it. It also
limits our ability to report analytics on usage of the link as anonymous users may access
the link.
Password Protected: This creates a link that has a password that is entered at the time of
creation. The password is required to access the content but there is nothing that prevents
a user from sharing the password with whomever they like. It also limits our ability to
report analytics on usage of the link as anonymous users may access the link.
Workspace Users: This requires the user creating the link to enter named users who
already have access to the current workspace, however the named users do not need
access to the content in the workspace to access the link. This provides the most security
and the best analytics as all users will be named and granted access and prevents sharing
with other users or externally.
The ‘Workspace Users’ provides the best security and tracking and is what we suggest, but
may not be right for your workflows and use cases.
2.2.2 Expires (Days)
This settings controls the default number of days before the link being created expires and
is no longer available. In general we do not recommend leaving links available for long
periods of time because this increases the risk of exposure and that you may forget about
the content. Setting a short period of time will help you manage shared links and prevent
exposure, but you should set this based on your needs and workflows.
2.2.3 Select Default Template
This determines the default watermark template for links, this requires that you have
watermarking enabled for your account and that the user selects watermarking when
creating the link. Watermarking is one of the most effective methods of adding security
when sharing content, but it's only as good as your template. Many users will use
templates that provide limited data or do not obscure the content properly to be effective.
Selecting a good well thought out template as the default will greatly increase the usage
of proper watermarks on links.
2.3 Users
The users section has some global settings that impact existing and new users. These can
improve overall security but must be managed carefully to ensure users are not locked out
and are able to access what they need to perform their day to day operations.
2.3.1 Global User Settings > Deactivate Inactive Users
Security Impact: Medium / Recommended: Yes
When this setting is enabled you can enter the number of days of inactivity before a user is
locked out of their account and unable to access the workspace. Inactivity is measured by
logging in, meaning a user must login to the workspace at least once in the number of days
entered. Users are not automatically locked out after the time period, they will still show up
as active until they attempt to login, when they attempt to login it will fail and the user will
be marked as inactive.
This feature can help manage contractors and outside collaborators as administrators can
often forget to deactivate or remove their access. It can also help prevent old or unused
credentials from falling into the wrong hands.
Make sure to set this appropriately as administrators tend to not login as frequently and
will get locked out if they fail to login within the entered number of days.
2.3.2 Global User Settings > Allow Access to All Users in This Account
Security Impact: Medium / Recommended: No
When a user shares a link internally or accesses their contacts within the MediaSilo
platform they will only see the users that they share projects with, and not all users who
have access to the workspace. When this feature is enabled, users will see all users in the
workspace regardless of shared access when performing those actions. This may show
them emails to users they should not have access to or grant them ability to share with
users that were not intended to receive content.
There are workflows and use cases where this feature is needed and you should determine
what fits your needs best, but unless you have a specific need for this we do not
recommend turning it on.
2.3.3 New User Settings > Enable Spotlight Access
Security Impact: High / Recommended: No
The Spotlight feature allows sharing content and customizing the user experience. While
Spotlight is a powerful and useful tool it does risk exposing content publicly when not
managed correctly. We do not recommend that all users have access to Spotlight, but
rather specific users whose job and responsibility is to manage your Spotlights and sharing
your content externally.
3. User Management
Managing users of any system can be a challenge, even more so when you have more than one
account or thousands of users. The MediaSilo platform provides tools and settings to help with
this task and alleviate work and risk involved.
The most important best practice when it comes to creating and managing users, is to make
sure that every person that will access your workspace has their own unique user. Credentials
and emails should never be shared, using generic emails or sharing access increases your risk
of exposure and reduces our ability to report analytics of activity within your workspace.
3.1 User Type
When creating or editing users you must select a type, there are three types to select from.
Below is more detailed information about each type, however the administrator type has
total control over the workspace and should only be assigned to people whose job and
responsibility is to manage the workspace.
Administrator: This role grants full control over the workspace, they can create users,
manage account settings, change security settings and have authority to make account and
billing changes.
Manager: These users can create and manage their own projects, but they do not have
access to the administration section of the workspace nor are they able to change account
level settings. They are able to invite new users to their projects, but they must select from
existing roles and are unable to create their own roles with custom permissions and they
can not create administrators.
User: The user role does not grant any special permissions or access. These users are only
able to access projects they have been assigned to and can only do what their roles within
these projects allow.
3.2 Roles
Roles are groups of permissions that can be assigned to users at the project level. The
MediaSilo platform comes with default roles but also supports custom roles allowing you
to have granular control over permissions based on your specific needs.
3.2.1 Permissions
Below are the permissions available on the MediaSilo platform and what actions they
allow a user to perform.
Asset Permissions:
View: This permission allows a user to view assets in the given project, without this
permission a user can view the project but will be unable to interact with the content in the
project. This can be helpful when you need a user to upload or perform other actions but do
not want them interacting with content.
Delete: Allows the deletion of content in the given project.
Download: Enables the user to download the source file, or the original file uploaded to the
MediaSilo platform, for the given project.
Edit: This allows a user to make changes to content within the given project. This includes
changing the title, poster frame, metadata, versions, moving content within the same project,
etc.
Upload: Having this permission for a given project allows a user to upload new content and
create new assets.
Sharing Permissions:
External: Having this permission allows a user to share content in the given project
externally. This should be used with caution as it permits a user to make content in your
project public or share with people outside of your workspace.
Internal: This permission allows a user to share content with other users of the workspace.
Who it's being shared with must be a member of your workspace, but may not have access
to the content or the project being shared from.
3.2.2 Default Roles
Your workspace will come with four default roles to help get your started. These defaults
should cover many common workflows and use cases. Below are the default roles and
what they are intended for.
Uploader: This role is intended for users or contractors who only need to ingest content into the
MediaSilo platform. They are able to upload and view contents in the project, nothing else.
Asset Manager: Users with this role are able to perform most asset management tasks,, which
include uploading new content, editing and deleting existing assets, and the ability to share
internally with other users in the workspace.
Internal Collaborator: This role allows users to share and work with other users in the workspace.
They can not remove content but can make basic changes and share with other users already in the
workspace.
Public Collaborator: This role gives elevated permissions to the user and should be used with
caution. These users can perform all actions on content except deletion, and are able to share
content outside of the workspace.
3.2.3 Custom Roles
We strongly recommend the use of custom roles, because this allows you to create
granular permission sets for your users. This ensures that users get the permissions they
need and nothing more. Using proper names and descriptions makes it easy to assign the
proper roles to your users during the creation process. This helps prevent excessive
permissions and improves the overall security of your workspace.
3.3 Multi-Factor Authentication (MFA)
Security Impact: High / Recommended: Yes
One of the easiest and most effective ways to secure your user is MFA or multi-factor
authentication. This requires a user to authenticate in two different ways before being
granted access to the MediaSilo platform. This protects the user because they have two
sets of credentials that need to be compromised which can be very challenging for any
hacker or malicious actor.
MediaSilo offers a workspace setting found in section 2.1 that requires all users on your
workspace to set up MFA. When this setting is disabled individual users can opt to set up
MFA for themselves by opening their profile found in the lower left of the MediaSilo
application, and going to the security section. We advise all users to enable MFA either
individually or via the workspace setting.
The platform currently support TOTP MFA, more information can be found here.
3.4 Single Sign On (SSO)
Security Impact: High / Recommended: Yes
Managing user access can be a difficult task, especially when you have many users
on-boarding and off-boarding. SSO or single sign on is an industry best practice for making
this task easier and more secure.
MediaSilo offers the SSO integration at the enterprise level, and allows the platform to use
your SSO provider to authenticate users attempting to access MediaSilo. This gives you
centralized control over granting and removing user access.
The MediaSilo platform can integrate with almost all forms of SSO and is configured at the
email domain level.
4. Watermarking (SafeStream)
Security Impact: High / Recommended: Yes
Watermarking is by far the best form of security you can use to protect your content. DRM
must be decrypted for playback which allows bad actors to obtain decrypted copies, and
there are many tools for extracting DRM content available online. Watermarking remains
with the content regardless of user action, download, etc, and any attempt to remove it
would make the content unwatchable, when implemented properly.
This is a premium feature on the MediaSilo platform, talk to your account manager to
determine what is right for you and cost.
4.1 Visual / Destructive
This form of watermarking allows you to put user information visually into the video in real
time. This is NOT an overlay or browser based implementation, we are actually modifying
the video stream in transit before playback, which means it is not possible to remove or
extract. The user’s only option to block this data is to blur the video before distribution, and
with proper watermark usage this would make the video unwatchable.
We allow you to make your own templates for what data is burned in and where. We
support burning the name, email and custom text into playback of your content. This
ensures that if content is leaked you can trace it back to the user, this is often a deterrent for
malicious use of sensitive content and will frequently prevent leaks.
4.2 Forensic
Similar to visual watermarking, forensic also modifies the video stream in transit prior to
playback. However unlike visual watermarking, forensic hides user data in the video that is
invisible to the user watching the content. While forensic does not act as much of a
deterrent as visual, it does allow tracking a leak back to the original user. This can be
helpful when the viewing experience does not allow for visual changes to the content.
To protect your content we recommend the use of visual and forensic watermarking on
all video content.
4.3 Template Best Practices
How you use watermarking is as important as using it. Placing a small watermark in the
corner of your content does not adequately protect your content and may not deter a user
from sharing or attempting to blur it out.
- We suggest that all watermarks contain both the user’s email and name.
- Text should be big, the bigger the better, but we recommend no smaller than 25 px.
- Text should not be too transparent, when setting opacity we recommend no less
than 50%, the higher the better. - Alignment of the text is important, it is tempting to stick in a corner or off to the
side, but this may not properly protect your content. We recommend the text be
centered in the middle of the content for maximum protection, but at least centered
at the top or bottom
4.4 Account Watermark Settings
The MediaSilo application has several settings at the account level that can help enforce
best practices with watermarking throughout your workspace. These settings can be found
in the administration section of the application, go to the ‘SafeStream’ tab and select
‘Watermark Settings’ on the left menu.
4.4.1 Only Allow Templates
Security Impact: High / Recommended: Yes
When this is enabled a non-admin user will be unable to create their own watermarks and
will be forced to use a template already created in the administration section of the
MediaSilo application. An administrator can create secure templates and restrict other
users to these templates.
4.4.2 Require SafeStream on New Projects
Security Impact: Medium / Recommended: Yes
This setting forces all new projects to have watermarking automatically enabled, it also
allows you to determine what template is used. Users will be unable to disable
watermarking on projects once this is enabled. You have to determine what is best for your
workflows but this guarantees that users are creating properly protected and secure
projects
Comments
0 comments
Please sign in to leave a comment.