
Media Security on the Web

Sharing visual media is essential to the success of your business. With the rise of digital content consumption, ensuring that your media is secure, optimized, and properly managed can protect your brand’s reputation and financial stability. Cloudinary, a comprehensive media management solution, offers features to address these security concerns.

This blog post addresses three main concerns regarding media security – billing, reputation and IP security, and confidentiality and data privacy – and how Cloudinary can help mitigate these issues.

Cloudinary developed metrics to measure the value of its service, and these metrics translate into your monthly bill. We want to ensure that it is your business that reaps this value, so that the bill is appropriate.

Cloudinary Delivery Report helps you identify suspected bandwidth abuse. You can then go ahead and protect your bandwidth consumption using Cloudinary Access Control List (ACL) to set a flexible mix of deny and allow rules for clients’ User-Agents, IP addresses, Referrers, and Countries. This feature is available through Cloudinary Support.

Another avenue for bandwidth abuse is Cloudinary’s remote asset fetching feature, which allows you to enjoy optimization and delivery of files hosted outside of Cloudinary. Make sure you enable it for trusted domains only so it can’t be abused.

User-generated content (UGC) is great for increasing user engagement, but to keep it from being abused, you should carefully define an upload preset:

By default, you must sign all media files delivered with add-on transformations. If you allow unsigned add-on transformations, then users can use them as they wish.

Similar to add-ons, transformations can be consumed when delivering. Transformations are much cheaper than add-ons and aren’t restricted by default. Cloudinary has a feature that allows restricting transformations by signature, like add-ons. However, it’s mostly used for reputation management (see below); it’s uncommon to see cost-related abuse of transformations.

Once you publish an asset on the web, it can be used by anyone in any proper and improper way. However, there are measures you can take to protect your digital assets even after they’re available globally.

C2PA is an emerging standard to combat fake visuals. You can now prove to your audience (and yourself) the exact processing of a given image from photoshoot through editing and post-production to delivery. When using compliant cameras and software, the image will contain a cryptographic log of actions that can be verified.

Watermarking is a traditional way to prove the authenticity and ownership of documents. It is being used in e-commerce, art, news media, and more. Here are several options:

  • Tiled watermark. Tile (fl_tiled) your watermark with transparency (o_10) all over the protected image.
cloudinary watermark tiled on an image of a man sitting on bench

https://cloudinary-marketing-res.cloudinary.com/f_auto,fl_tiled,l_blog-Media_Security_Waterstamp,o_10,q_auto,w_100/samples/man-on-a-street.jpg

  • Tainted watermark. Use the anti-removal effect to randomly distort the overlay, making it difficult to remove your watermark.
large cloudinary watermark on an image of a man sitting on bench

https://cloudinary-marketing-res.cloudinary.com/e_anti_removal:111,f_auto,l_blog-Media_Security_Waterstamp,o_40,q_auto,w_600/samples/man-on-a-street.jpg

  • Hidden watermark. Blend in an (almost) transparent blue overlay.
hidden cloudinary watermark tiled on an image of a man sitting on bench

https://cloudinary-marketing-res.cloudinary.com/e_screen,f_auto,fl_tiled,l_blog-Media_Security_Waterstamp,o_8,q_auto,w_100/samples/man-on-a-street.jpg

You can reveal it by removing the green and red, and desaturating the remaining pixels.

saturated image of a man sitting on bench

https://cloudinary-marketing-res.cloudinary.com/e_screen,f_auto,fl_tiled,l_blog-Media_Security_Waterstamp,o_8,q_auto,w_100/e_green:-100/e_red:-100/e_saturation:-1000/samples/man-on-a-street.jpg

The above techniques must be accompanied by a measure to protect the original image, so one would not be able to simply delete the watermarks by removing the transformations from the URL.

To achieve this, we need to:

  1. Upload assets as private so the original asset can’t be requested (unless using the API secret to sign the request).
  2. Prevent unapproved transformations using Cloudinary’s strict transformations mode. Note that this is an environment-level flag and limits the way you can use on-the-fly transformations for all assets in your environment.

To learn more about this method to protect your watermarks, read our blog post.
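
An added example (not Cloudinary's code or part of the original post): a small audit over delivery URLs shaped like the ones above, flagging successful requests that reached a protected asset without the watermark overlay, which is what private uploads and strict transformations are meant to make impossible. The parameter-key heuristic, the choice of `samples/` as the protected folder, and the request records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Heuristic (assumption): a path segment is a transformation component when every
# comma-separated token looks like "<1-3 letter key>_<value>", e.g. "o_10", "fl_tiled".
PARAM = re.compile(r"^[a-z]{1,3}_.+$")
WATERMARK_LAYER = "l_blog-Media_Security_Waterstamp"  # overlay parameter from the page's URLs


def split_delivery_path(url):
    """Return (transformation_components, public_id) for a URL shaped like the page's."""
    segments = [s for s in urlsplit(url).path.split("/") if s]
    components = []
    # Chained transformations come first, one per path segment; the rest is the public ID.
    while segments and all(PARAM.match(tok) for tok in segments[0].split(",")):
        components.append(segments.pop(0).split(","))
    return components, "/".join(segments)


def has_watermark(components):
    """True when any chained component applies the watermark overlay layer."""
    return any(WATERMARK_LAYER in comp for comp in components)


def audit(requests, protected_prefix="samples/"):
    """Return (public_id, url) for successful deliveries of protected assets lacking the overlay."""
    findings = []
    for status, url in requests:
        components, public_id = split_delivery_path(url)
        if status == 200 and public_id.startswith(protected_prefix) and not has_watermark(components):
            findings.append((public_id, url))
    return findings


HOST = "https://cloudinary-marketing-res.cloudinary.com"
# Constructed (status, URL) pairs standing in for parsed CDN access-log lines.
SAMPLE_REQUESTS = [
    (200, HOST + "/f_auto,fl_tiled,l_blog-Media_Security_Waterstamp,o_10,q_auto,w_100/samples/man-on-a-street.jpg"),
    (200, HOST + "/e_screen,f_auto,fl_tiled,l_blog-Media_Security_Waterstamp,o_8,q_auto,w_100"
            "/e_green:-100/e_red:-100/e_saturation:-1000/samples/man-on-a-street.jpg"),
    (200, HOST + "/f_auto,q_auto/samples/man-on-a-street.jpg"),  # overlay missing, still served
    (200, HOST + "/samples/man-on-a-street.jpg"),                # original served as-is
    (401, HOST + "/samples/man-on-a-street.jpg"),                # constructed: request rejected
]

if __name__ == "__main__":
    for public_id, url in audit(SAMPLE_REQUESTS):
        print("unwatermarked delivery:", public_id, url)
```

Any finding means the environment still serves the original or an unapproved derivative, so the two steps above are not fully in effect for that asset.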

User-generated content is essential to building engagement, but you should ensure all uploaded media is legitimate. Leverage Cloudinary’s state-of-the-art AI moderation to make sure you comply with state laws and corporate guidelines for suitable content delivered from your company’s account. 

  • The OCR text extraction add-on can validate proper language and/or blur text for privacy purposes.
  • Google and Amazon AI add-ons detect improper visual content in uploaded images and videos, according to specific categories (e.g., alcohol, weapons, etc.).

Cloudinary’s Access Control List (ACL) was already mentioned as a way to prevent bandwidth abuse. It can also be useful when certain countries or bots repeatedly violate your brand guidelines or IP.

Whether it’s your future plans or your users’ private data, you want to control what you share and with whom.

Images and videos can be uploaded as private to restrict access to the original unoptimized asset and its full metadata (EXIF), which can include PII or your business’s internal metadata. You can create a signature (time-limited or permanent) and share the original with a signed URL. 

To protect derivatives of a private asset, enable strict transformations on your environment. See the previous section Prevent Requests for Unwatermarked Assets.

Some assets can be shared only with the intended audience, or under embargo/expiry limitations. This use case is supported with restricted assets, where the assets can be served only with a token or cookie (premium feature) that was generated by your application according to the required criteria of time, folder, transformation, and more.

In this blog post, we covered the common security risks that Cloudinary’s customers are facing and how Cloudinary’s features can mitigate those risks while ensuring your visual media is delivered flawlessly. Whether it’s ensuring content authenticity or moderating UGC, Cloudinary can help you practice better media security on the web. Contact us today.
