Azure media services encryption in transit and at rest - encryption

I want to enable encryption in transit and encryption at rest for all the content stored in media storage.
As I read here:
"No encryption is used. This is the default value. When using this option your content is not protected in transit or at rest in storage."
But since all my data resides in storage itself, won't it be encrypted by default at rest because of the SSE in Azure Storage? Am I missing something here? Also, how is the metadata (Asset information, Locator information etc.) about the content stored?

With Media Services v2, you can use the AssetCreationOptions.StorageEncrypted option, as shown here: https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-dotnet-upload-files#upload-files-using-net-sdk-extensions.
See the "Storage side encryption" table for more information: https://learn.microsoft.com/en-us/azure/media-services/previous/media-services-rest-storage-encryption#considerations
Please let us know if you have other questions.

Related

Do I need to store personal details encrypted in Firebase

I’m looking for some advice with regard to GDPR and Firebase. I’ve looked online and apparently Firebase is GDPR compliant as it stores data securely during transit and the Firebase servers themselves are encrypted. So if that’s the case, would I even need to encrypt personal data locally before sending it to Firebase?
Currently I’m encrypting all personal data, but the issue is that I want to have an autocomplete function that searches for customers as the user types. Now this wouldn’t work currently, as a search for ‘sha’ would not find ‘shaun’ because shaun is currently encrypted. So I’m wondering whether I even need to encrypt customer details at all, as Firebase is encrypted itself. The only issue is that I, as a database admin, can see everyone’s details in the database, but surely that’s the case with all database admins in most apps, as you can query the data in there to your heart's content and see everything about everyone?
As long as you are not sharing this data for any purposes outside of the app's terms and conditions this should be OK, shouldn't it?
So a few things first: when you encrypt data at the DB level, any usage of that data at the application layer has to go through a level of decryption.
So in the example that you outline, the autocomplete feature ideally will be served by an API, and the API at the back-end will take the encrypted data through the decryption process to keep it in memory and return it to the client appropriately.
Also, it is not OK to assume that an admin cannot go rogue; most of the data breaches and leaks happen from internal sources. So it is better to keep the PII encrypted in the DB.
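The flow this answer describes (ciphertext in the database, decryption only in the API's memory, matches returned to the client) can be sketched as follows. This is an added example, not code from the original posts; the field layout, the AES-256-GCM choice, the two-character minimum and the names `encryptField`, `decryptField` and `autocomplete` are assumptions made for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Constructed demo key. Assumption: in a deployment the key comes from a
// secret manager available to the API only, never from the database itself.
const KEY = randomBytes(32);

// AES-256-GCM with a fresh 12-byte IV per value; stored as base64(iv | tag | ciphertext).
function encryptField(plaintext, key = KEY) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the value was modified or the key is wrong (GCM tag mismatch).
function decryptField(stored, key = KEY) {
  const raw = Buffer.from(stored, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Constructed sample rows, as a database admin would see them: ciphertext only.
const customers = ['Shaun Price', 'Sharon Okafor', 'Maria Lind']
  .map((name, i) => ({ id: i + 1, name: encryptField(name) }));

// Backend autocomplete: decrypt in memory, match the prefix, return only the hits.
function autocomplete(prefix, rows = customers, key = KEY) {
  const needle = String(prefix).trim().toLowerCase();
  if (needle.length < 2) return []; // refuse one-letter dumps of the whole table
  const hits = [];
  for (const row of rows) {
    let name;
    try {
      name = decryptField(row.name, key);
    } catch (err) {
      continue; // tampered or undecryptable row: skip it, do not leak an error
    }
    if (name.toLowerCase().startsWith(needle)) hits.push({ id: row.id, name });
  }
  return hits;
}

console.log(autocomplete('sha').map((hit) => hit.name));
```

Every query decrypts every row, so cost grows linearly with the customer table; the protection against a curious admin holds only while the key stays outside the database.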

Firebase Cloud Functions Secure HTTPS Endpoints with API key

I've looked at a few places, including this post and the Firebase panel.
Is there no way to use these APIs to secure these endpoints using an API key you create per client who uses your cloud functions?
I'm able to block everyone by putting a restriction on the Browser key, but I would like to create a new API key, and use that as a way to authenticate my endpoint for various clients.
Creating a new API key, and using that as a parameter in my query doesn't work (don't know if I'm doing anything wrong).
Is there a way to do this?
Option 1: handle authentication within the function
https://github.com/firebase/functions-samples/tree/master/authorized-https-endpoint
Adapt above to use clients/keys stored in firestore
Option 2: Use an API Gateway
Google Cloud Endpoints (no direct support for functions yet, need to implement a proxy)
Apigee (higher cost, perhaps more than you need)
Azure API Management (lower entry cost + easy to implement as a facade for services hosted outside Azure)
There are more...
The above gateways are probably best for your use case in that the first two would let you keep everything within Google, albeit with more complexity/cost -- hopefully Endpoints will get support for functions soon. Azure would mean having part of your architecture outside Google, but looks like an easy way to achieve what you're after (API key per client for your Google Cloud / Firebase functions).
Here's a good walkthrough of implementing Azure API Management:
https://koukia.ca/a-microservices-implementation-journey-part-4-9c19a16385e9
Not to achieve what you are after; as far as Firebase and GCP are concerned, your clients are your specific business problem.
One way you could tackle this (with the little information that is provided):
You need somewhere to store a list of clients + their API key (I would use firestore)
For the endpoints you want to secure with a client-specific API key you can include a check to confirm the header exists and also exists in your firestore client record.
Considerations:
Depending on your expected traffic loads and the number of Firestore reads you'll be adding, you might want to double check this kind of solution will work for your budget.
Is the API-key type solution the only option you must go for? You could probably get pretty far using https://github.com/firebase/firebaseui-web and doing user checks in your function with no extra DB read required. If you go down this path, most of the user signup / emails / account creation logic is ready to go.
https://firebase.google.com/docs/auth/web/password-auth#before_you_begin
Curious to see what some other firebase users suggest.
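The per-client key check that both answers describe (a key sent in a header, looked up in a client record, with an eye on the number of reads) can be sketched as follows. This is an added example, not code from the original posts or from Firebase; the `x-api-key` header, the record layout keyed by the SHA-256 of the key, the 60-second cache and the `Map` standing in for a Firestore collection are all assumptions, and in a Cloud Function the lookup would be an awaited Firestore read.

```javascript
const { createHash } = require('crypto');

// Only the SHA-256 of each key is stored, so a leaked client list exposes no usable keys.
const hashKey = (apiKey) => createHash('sha256').update(apiKey, 'utf8').digest('hex');

// Stand-in for a Firestore "clients" collection (hypothetical layout:
// document id = hex SHA-256 of the key). All records are constructed samples.
const clientStore = new Map([
  [hashKey('constructed-key-for-acme'), { client: 'acme', enabled: true }],
  [hashKey('constructed-key-for-globex'), { client: 'globex', enabled: false }],
]);
let storeReads = 0; // counts billable reads, the budget concern raised above
function fetchClient(keyHash) {
  storeReads += 1;
  return clientStore.get(keyHash) || null;
}

// Short-lived cache of found records only: unknown keys are never cached, so
// random guesses cannot grow memory. Trade-off: a revoked key keeps working
// for up to CACHE_TTL_MS.
const CACHE_TTL_MS = 60000;
const cache = new Map(); // keyHash -> { record, expires }

function authenticate(headers, now = Date.now()) {
  const apiKey = headers['x-api-key']; // Node lower-cases incoming header names
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    return { status: 401, error: 'missing API key' };
  }
  const keyHash = hashKey(apiKey);
  let entry = cache.get(keyHash);
  if (!entry || entry.expires <= now) {
    const record = fetchClient(keyHash);
    entry = record ? { record, expires: now + CACHE_TTL_MS } : null;
    if (entry) cache.set(keyHash, entry);
    else cache.delete(keyHash);
  }
  if (!entry || !entry.record.enabled) {
    return { status: 403, error: 'unknown or disabled API key' };
  }
  return { status: 200, client: entry.record.client };
}

console.log(authenticate({})); // no header: rejected before any store read
```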

Widevine to encrypt all type of content and how to implement

Can Google Widevine be used to protect content of any type or it is just for videos? I can't find any implementation guide lines to utilize it
From what I saw so far, it is supposed to be for audio and video. Widevine web does not talk about anything else.
In theory, Widevine should work for any type of content because it is just a key management and some cryptographic operations on buffer of encrypted data. In practice you are limited by the API exposed by the platform - they will not give you low level access to decryption functionality to pass in custom data. For example EME in browser or MediaDrm on Android, are expected to be used with audio and video content.

IBM Softlayer Object Storage: Is encryption at rest (as a service) an option?

I am currently using IBM Softlayer Object Storage. I'm wondering whether there is some encryption at rest (as a service) option? For example, does Softlayer manage encryption keys in some way (the way AWS does for instance with IAM), or does it provide an easy way to automatically encrypt what is uploaded through the Object Storage API?
As far as I know, there is no such way to automatically encrypt the uploaded data; you need to encrypt your data prior to uploading it.
Just in case you can look for documentation which could help you here: http://sldn.softlayer.com/reference/objectstorageapi
Regards
Not a good question for SO, but for education's sake there is a new public cloud IBM Object Storage that is based on Cleversafe, and all data is encrypted at rest by default.

Google Maps V3 APIs terms of service

I'm developing a Web Application (based on Google Maps API V3).
Whenever a user clicks on a map, a marker is placed on that point and
a "human readable" address is resolved (by the geocoding service). In
this way I can put in an infowindow, attached to that marker, the
corresponding address.
The question is: Can I resolve just one time that address and store it
on an external DB? Is this practice compliant with your terms of
service?
Regards
The relevant section of the TOS is
10.1.3 Restrictions against Data Export or Copying.
(b) No Pre-Fetching, Caching, or Storage of Content. You must not pre-fetch, cache, or store any Content, except that you may store: (i) limited amounts of Content for the purpose of improving the performance of your Maps API Implementation if you do so temporarily, securely, and in a manner that does not permit use of the Content outside of the Service; and (ii) any content identifier or key that the Maps APIs Documentation specifically permits you to store. For example, you must not use the Content to create an independent database of “places.”
This precludes the use of reverse geocoding.
No, this is forbidden by the terms of use by Google.
We would have done it your way in another project, but we had to change because of the terms of use.
