
What is the Isolation Feature Set

The isolation feature set combines our Cloud Hosted Platform with client-managed AWS resources to provide a solution that satisfies the most stringent security and privacy requirements. Clients retain control of their sensitive content without having to host Flow Production Tracking on their infrastructure.

Leveraging the isolation feature set has the following advantages over the Standard offering:

  • Media Isolation by hosting assets and attachments in a client-owned S3 bucket
  • Media Traffic Isolation from the public internet
  • Media Replication allowing you to replicate media in one additional AWS Region
  • Access to fully managed Flow Production Tracking Cloud Services
  • Automatic and continuous version upgrades
  • Ephemeral compute and in-memory segregation between clients

In a nutshell, this means that with the isolation features, your Flow Production Tracking site and the data related to it cannot be reached by anyone outside of your studio network.

The isolation feature set is a solution that requires less upkeep, as well as less IT/System Administrator knowledge and skills, than hosting Flow Production Tracking on-premise. The list of advantages compared to on-premise includes, but is not limited to:

  • No Flow Production Tracking specific knowledge required
  • No manual Flow Production Tracking updates required
  • Very low level of maintenance required for the AWS components

Content

Media isolation feature

Media Isolation allows your studio to keep ownership and control of the media and attachments that you upload to Flow Production Tracking. With Media Isolation, all the content that you upload to Flow Production Tracking can be stored in your studio's private S3 bucket. Access to the media is granted to the Flow Production Tracking service only, using keyless AWS AssumeRole through the Security Token Service (STS). Your studio remains in control of the assets and of access to them, and that access can be revoked at will.
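Because the vendor reaches the bucket only through a role your studio owns, the two documents that define that access are the role's trust policy and its permission policy. The following checker, added here as an example and not Autodesk's own tooling, flags the mistakes that would widen that access (a wildcard principal, an unexpected account, no ExternalId binding, or S3 permissions that reach outside the media bucket). The vendor account, external ID and bucket name are constructed placeholders, and the use of an ExternalId is an assumption, not something the page states.

```python
# Least-privilege check for the role a studio hands to the media service.
# Added example; the vendor principal, external ID and bucket are placeholders.
VENDOR_PRINCIPAL = "arn:aws:iam::111111111111:root"   # PLACEHOLDER vendor account
BUCKET_ARN = "arn:aws:s3:::example-studio-media"      # constructed bucket name

# Constructed trust policy: only the vendor account may assume the role,
# and only when it presents the agreed ExternalId (confused-deputy guard).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": VENDOR_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "PLACEHOLDER-EXTERNAL-ID"}},
    }],
}

# Constructed permission policy: object access scoped to the media bucket only.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_findings(policy, vendor_principal):
    """Return a list of problems with who may assume the role (empty = clean)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append("trust policy allows any AWS principal")
        findings += [f"unexpected principal {p}" for p in principals
                     if p not in ("*", vendor_principal)]
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("sts:AssumeRole not bound to an ExternalId")
    return findings

def permission_policy_findings(policy, bucket_arn):
    """Return a list of grants that reach beyond the media bucket (empty = clean)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        findings += [f"resource outside media bucket: {r}" for r in _as_list(st.get("Resource", []))
                     if r not in (bucket_arn, f"{bucket_arn}/*")]
        findings += [f"overly broad action: {a}" for a in _as_list(st.get("Action", []))
                     if not a.startswith("s3:") or "*" in a]
    return findings
```

Revoking access, as the text describes, is then a matter of removing the vendor statement from the trust policy; rerunning the checker afterwards with the old principal shows it as unexpected.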

Traffic isolation feature

The Media Traffic Isolation feature can be enabled to prevent your media traffic from being routed over the public internet, limiting it to the AWS backbone and your studio network. The traffic between Flow Production Tracking services and your studio stays in a closed network, never leaving AWS or your studio network.

With the Media Traffic Isolation feature activated, the media will only leave your studio infrastructure once to get transcoded.

Media Replication

Flow Production Tracking is compatible with the S3 Cross-Region Replication feature, allowing users located in different regions to read from the region closest to them in order to reduce latency and increase throughput. Replication to one additional region is currently supported.

Eligibility

The Isolation feature set is available to clients with an active Flow Production Tracking subscription. See Getting Started for more details about how to activate the different features. Activation of the isolation feature set is not instantaneous; it requires a manual setup involving your AWS account.

What the Isolation Feature Set is not

The isolation feature set is not a completely isolated solution. Both the compute services and the database services are shared amongst clients and managed by Flow Production Tracking. From a hardware standpoint, the isolation features do not guarantee complete physical isolation. However, Flow Production Tracking services guarantee isolation at the memory level: a process is never reused to answer requests from different clients during its lifetime. Client metadata is stored in separate databases, and each client's media is stored individually on S3.

High Level Architecture

[Figure: tier1-arch, high-level architecture diagram]

The Flow Production Tracking cloud service can be broken down at a high level into 3 parts:

Compute Stack: The part of the Flow Production Tracking Service that handles client requests and serves data to the client.

Data Stack: Metadata storage (databases).

Media Storage: Where the client's attachments, media, and assets are stored. Flow Production Tracking uses AWS S3 to store client content.

Please read Securing Studio IP in AWS: Cloud-based VFX Project Management with Autodesk Flow Production Tracking for more details about the architecture.

Ephemeral compute and memory isolation

Even though clients share the same infrastructure, Flow Production Tracking guarantees complete memory isolation of client data, both in transit and at rest. This makes Flow Production Tracking less prone to data leaks caused by architecture flaws or by software vulnerabilities that exploit memory, such as buffer overflows.

Ephemeral transcoding

[Figure: tier1-transcoding, ephemeral transcoding flow]

Every time media is uploaded to Flow Production Tracking, the transcoding service is invoked to create web-friendly versions of your assets. That process happens only once, after the initial upload. The media is uploaded directly from the client to S3, from where it is fetched by the Flow Production Tracking Transcoding Service. Each transcoding job is handled by a single container, which is killed after that one job. The only place the media temporarily lives is in the container's memory; the Flow Production Tracking Transcoding Service never permanently stores a copy of your media.
