MediaPlatform SaaS and Hybrid SaaS

Deployment Options

MediaPlatform Solutions

MediaPlatform consists of three primary applications: The PrimeTime video portal provides video asset management, VOD transcoding, user management, content security and governance. WebCaster which enables live video streaming, live and on-demand rich media webcasting, presentation creation, event registration, event management and scheduling, webcast editing and archiving. And, MediaPlatform SmartPath which is software that manages distribution profiles for optimizing live streaming, failover, and redundancy.

Pure SaaS Peer Assist Multicasting for Live Video Streaming

MediaPlatform is the only leading enterprise video platform that can deliver a pure SaaS solution for peer assist multicast streaming of live video, that requires no client installs. This breakthrough technology makes it possible to securely reach thousands of employees with high quality video without installing anything behind the firewall.

Peer Assist Multicasting, or P2P Multicasting, is 100% browser based. It requires no client installs, and in many scenarios requires no media server behind the firewall. (We will discuss options for leveraging a media server behind the firewall to peer assist, and/or IP multicast streaming video in the Hybrid SaaS section of this technical brief.)

Peer assist multicasting delivers the media in a dynamically generated peer network topology. Optimal peering performance is accomplished by providing the recommended bandwidth overhead (approximately four times the encoded video stream). With less than this recommended overhead, the time to optimize peering may take longer. Peer assisted multicasting shares video across multiple peer connections creating a dynamic network mesh, so that there is no single point of failure. In this way P2P multicasting is self-healing, and highly resilient.

Pure SaaS Peer Assist Multicasting for Live Video Streaming

P2P multicasting also allows for the configuration of local, logical peer groups to intelligently manage how peers are formed. For example, in this way you can ensure that someone in New York isn’t attempting to peer with someone in Los Angeles.

The benefits of leveraging peer assist multicasting from the cloud include all of the benefits of a SaaS solution in that there is nothing to install or manage, a very low total cost of ownership (TCO), and a very rapid return on investment (ROI). Additional benefits include moving the video streaming traffic off of the wide area network (WAN) and onto the cloud which minimizes network impact, and eliminates the need for additional media servers or network infrastructure to support streaming.

Hybrid SaaS for Live Video Streaming

Hybrid SaaS has all of the benefits of a SaaS solution, in addition to allowing enterprises to leverage a variety of solutions for delivering video across internal networks, and multiple network locations, as well as to external and mobile viewers. In the Hybrid SaaS solution model MediaPlatform provides a live video streaming solution called Multicast Fusion, which combines IP Multicast, Peer Assist Multicast and Unicast from Cloud based CDN’s into a single powerful distribution architecture that can leapfrog network barriers that used to limit the reach of video streaming in the enterprise.

Hybrid SaaS for Live Video Streaming

In the Hybrid SaaS model, one or more media servers are place at one or more network locations within the enterprise. Video streams can initiate from inside the network, or from the cloud, or both. Additionally video streams can reach viewers inside and outside the network via IP Multicast, Peer Assist Multicast, or Unicast from media servers behind the firewall, as well as in the cloud. Finally cloud based CDN’s like Akamai can be leveraged to reach global remote viewer audiences, and mobile devices. This means that live video streams can be initiated from any location, to viewers anywhere. It is massively scalable, and highly secure. A variety of network and security architectures, and technologies can be supported with this model. WAN Optimization, MPLS, VPN, IP Multicast, etc.

Security Considerations

While many enterprises have embraced the cloud, there are still organizations that for a variety of reasons have security concerns that need to be addressed before a cloud solution can be seriously considered. For this reason MediaPlatform offers several types of cloud deployment options, integration with various enterprise single sign on protocols, secure and encrypted video streaming, and support for split tunnel VPN architectures.

Single Tenant SaaS

Single-tenant systems give a user its own database and its own instance of the software application. Placed on its own individual server, or segregated via extensive security controls to create its own virtual server, users of single-tenant systems enjoy the benefits of significant configurability of software, robust functionality, and enhanced security. An on-demand model, single-tenant SaaS is best seen as a “custom fit” solution that many companies should use because their industry, geography or security requirements give them the need for configurability and customization.

It goes without saying that a single-tenant system will have a higher degree of inherent security. Having said that, multi-tenant systems are still secure and the level of security offered by these systems may be adequate for a particular company’s needs.

However, there are industries in which security protocols must not only satisfy the company’s needs, but must satisfy industry, governmental and country protocols. Financial services, an industry under strict observance by regulatory agencies, might be one such industry. Pharmaceuticals might be another. Aerospace, defense, technology and other industries each have their own internal and external security requirements. So the degree of required security will vary based on company, philosophy, geography, and other factors.

In addition to specific industries, different countries have different security protocols that must be met. The EU Safe Harbor Directive on the protection of personal data was designed to prevent accidental information disclosure or loss. Requiring re-certification every 12 months, single-tenant systems often can best satisfy the requirements because of their ability to ensure segregation of personal data.

Virtual Private Cloud

Virtual Private Cloud (VPC) lets you provision a logically isolated section of the Cloud where you can launch resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

You can easily customize the network configuration for your VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to instances in each subnet.

Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the cloud as an extension of your corporate datacenter.

Split Tunnel VPN

Many of the benefits of a Hybrid SaaS architecture derive from the ability to leverage a distributed cloud architecture to stream video to various remote viewers or network locations, which alleviates the load on the WAN and avoids bottle necks at VPN concentrators. One of the ways to do this is to allow remote network locations to split tunnel, and pull a video stream from a cloud based media server. MediaPlatform supports this architecture, and allows the implementation of Peer Assist multicasting, often without the need to install on-site media servers at these remote locations.

Split tunneling is a computer networking concept which allows a VPN user to access a public network (e.g., the Internet) and a local LAN or WAN at the same time, using the same physical network connection. This connection service is usually facilitated through a program such as a VPN client software application.

The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to MediaPlatform in the cloud to stream video, the connection request goes directly out the gateway provided by the network.

One advantage of using split tunneling is that it alleviates bottlenecks and conserves bandwidth as video traffic does not have to pass through the VPN server.

Another advantage is in the case where a user works at a supplier or partner site and needs access to network resources on both networks throughout the day. Split tunneling prevents the user from having to continually connect and disconnect.

A disadvantage is that when split tunneling is enabled, users bypass gateway level security that might be in place within the company infrastructure. For example, if web or content filtering is in place, this is something usually controlled at a gateway level, not the client PC.

There are many variants of split tunneling that attempt to address this fundamental trust issue. Often when plain split tunneling is enabled, datagrams by default will go out the local network interface’s default gateway. Only datagrams that are destined for IP networks behind the VPN terminator will go through the tunnel. This violates the principle of least privilege if a user does not absolutely require access to the entire Internet.

One variant to consider for solving this problem is Inverse Split Tunneling. By default all datagrams enter the tunnel except those destination IPs explicitly allowed by VPN gateway. The criteria for allowing datagrams to exit the local network interface (outside the tunnel) may vary from vendor to vendor (i.e. port, service, etc.) This keeps control of network gateways to a centralized policy device such as the VPN terminator. This can be augmented by endpoint policy enforcement technologies such as an interface firewall on the endpoint device’s network interface driver, group policy object or anti-malware agent. This is related in many ways to network access control (NAC).

Start improving communications and training at your organization. Contact Us