Establishing Clear Cloud Security Postures

Now that cloud-based content creation and delivery have become nearly ubiquitous across the media landscape, it’s crucial for media companies to understand that the development of a proper security posture is central to enabling successful cloud-based workflows. In a very general sense, the news is largely good on this front as “the cloud is typically more secure than on premises systems,” emphasizes Simon Eldridge, Chief Product Officer at SDVI Corp., a Bay Area-headquartered company that specializes in helping media companies transition their operations into the cloud.

“If you remember the high-profile media hack of 2014, those were on-premises systems that were hacked and had their data exfiltrated,” Eldridge explains. “That no doubt accelerated the industry’s move to the cloud because you start to realize that there is much greater leeway for hackers in terms of finding back doors that you might have in your on-premises network. People realized there is a better way to do security than try to build it [security systems] by yourself when you are a media company. It became clear that the cloud is more secure in that sense.”

Eldridge elaborates, however, that these days it is quite normal for media companies to “take ownership” over making sure that cloud-based networks are secure and to be “increasingly comfortable” with the protocols and procedures necessary to maintain secure networks—most of which generally have come to the media world directly out of the IT universe. They will generally, for example, maintain a so-called InfoSec team focused exclusively on security concerns for any cloud platforms, software tools, vendors, and any other elements they need to weave into their networks, or at least have a Chief Security Officer (CSO) in command of the security process.

Indeed, the proper vetting and evaluation of potential vendors to make sure their technologies are built with proper security considerations in mind and will fit seamlessly into a media company’s security requirements is a crucial step, Eldridge suggests.

“The people who buy our company’s platform or others are generally a company’s engineers and the operations department, but once they make a choice, they hand everything over to their InfoSec team,” he relates. “The InfoSec team will do a security review to make sure the tools are up to their standards. Most big media organizations these days have an InfoSec team that is extremely cloud savvy. What they ask for varies dramatically depending on how complex your needs are. Some will have extensive questionnaires that vendors have to fill out to make sure their technology meets their specific standards. Many will require that a vendor undergo independent accreditation, like a SOC 2/Type 2 audit, for example. SOC 2 is essentially an audit of all operational practices, including your security posture, in particular. If your organization is SOC-2 audited, you can generally then provide that report to most customers you do business with and say, ‘here is a description of our security posture.’ That generally answers about 99 percent of their questions, and it is perfect for SAAS [third-party software] companies.

“The industry has long pursued security validation in the absence of any kind of generic security standard, and for the most part, customers will accept a SOC-2 report as a proper summary of your security posture. That has become more common as part of the procurement process when dealing with vendors. This is now a security best-practices type of thing for almost all major media companies that move their businesses to the cloud.”

The issue of vendor security is so important that in 2018 the Motion Picture Association (MPA) created its Trusted Partner Network (TPN) program—essentially an initiative dedicated to cloud security for the entertainment industry. The TPN project is focused on establishing best practices and minimum benchmarks that should be required of any vendors doing business with major studios and is also building a global registry of so-called “trusted partner” vendors to help content creators make more informed decisions about the security capabilities of the vendors they are considering partnering with.

“TPN was originally conceived as a how-do-I-manage-the-security-of-content in an on-premises environment project,” Eldridge states. “Who can have keycard access and all those kinds of things. But they are now developing an auditing program for cloud-based tools used for media work. The idea—and don’t forget this is backed by the major studios—is that if a vendor goes through the TPN process and becomes an approved TPN vendor, then users can use that as a reference to figure out if the platform they select is safe or not.”

Other initiatives are out there, as well, most notably the EBU’s cyber-security recommendation for media vendors known as EBU R143. Other organizations, such as the World Broadcasting Unions (WBU) have recently been offering their own recommendations for dealing with media vendors, software, and services, largely built on the aforementioned work done by the EBU, Digital Production Partnership (DPP), and others.

However, technically speaking, none of these initiatives rise to the level of an “official” cybersecurity standard for the media industry, but then again, Eldridge does not feel there is a pressing need for such an official standard beyond evolving the ongoing work on best practices. That’s because, to a large degree, he feels that “security for the media and entertainment industry is not that much different than security needs in the cloud for any other major industry,” and thus, mature solutions and strategies already exist—people just need to learn about them and how best to implement them for their particular needs. 

“Yes, we are dealing with valuable content [in the entertainment industry] and so we need best practices, of course, but you can argue that many other industries are also dealing with valuable content, like the medical industry, for instance,” he explains. “In my view, the core tenants of security in the cloud are generic regardless of industry. All of them need to deal with how users and passwords are authenticated on a network and all those kinds of things. There are already very good user management tools out there like [Microsoft’s] Active Directory, OKTA, PING, and others, for instance. If you use those properly, you have complete control over who has access to what. That is important to the media industry but is not specific to the media industry.

“The same is true regarding encryption. Are you going to encrypt your content when it is at rest or when it is in transit? Are you going to make sure that all API [Application Programming Interface] traffic or UI [User Interface] traffic is HTTPS [Hypertext Transfer Protocol Secure] or SSL [Secure Sockets Layer] secured? All of that is generic for how the rest of the world does it, even down to how organizations store content and provide access to it. These are all best practices for doing business in the cloud, and we have strong options available to us.”

Still, the issue of media-specific security has become an increasingly important topic in the entertainment industry. At the recently completed NAB New York show, for instance, a two-day Cybersecurity for Broadcasters Retreat was held for engineers, IT and security executives, and broadcast technology vendors to debate and discuss various security challenges. Key topics included how to audit security practices, best practices for securing networks, how to protect asset repositories and pipelines, how best to collaborate with IT security professionals, how to respond to security breaches, and much more. Eldridge points out such an event, and others like it happening across the industry, are indicative of the need to “have these conversations” in the media world for the purpose of properly educating everyone.

In fact, Eldridge feels that the areas of communication and education about existing options and solutions for cloud security are the specific areas where the media industry needs to ramp up its game moving forward.

“The big issue is improving the ability to communicate what your security posture is and improving the end user’s ability to know who is well architected from a security perspective and who isn’t,” Eldridge explains. “Improving in this area would help the entire community. After all, we are still sort of in a hybrid world where you have both cloud-native solutions and legacy solutions that people are trying to ‘cloudify.’ That does create confusion from an end user’s perspective. For instance, they might not understand whether an application was a Windows application that was eventually ported to the cloud or whether it was specifically designed around security best practices. A bit more clarity there would help everybody.”

To that end, Eldridge argues that organizations like MPA, EBU, SMPTE, and others “do not necessarily need to define what a standard is for cybersecurity as much as they need to help teach the industry about how we can leverage existing standards and best practices and make sure the people we deal with have the proper accreditations. The idea of a growing knowledge base of what are the security postures for various organizations and companies would be really useful, and it would also streamline things by preventing vendors from having to verify their posture for every end user—they could just do it once.”