Media Supply Chain and Security
In our previous blog post, we looked at remote work within media production and the media supply chain. In this blog post, we are looking at security within the media supply chain. We discuss learnings from previous security breaches within the industry and how we can minimize risk when it comes to human interaction with the systems.
Back in 2014, the hacking of Sony Pictures re-focused the minds of many media professionals and prompted media organizations to re-evaluate their security protocols. As well as huge amounts of personal data, the hackers made copies of unreleased productions and future projects – even now it’s still unclear exactly how long the hackers had access to Sony’s systems, or how much data was stolen.
At the time, a lot of organizations were citing security as a reason for their reluctance to move any part of their operations to the cloud, but this event highlighted the vulnerability of “on-premises” systems.
The Sony event shook the industry, and in 2017, the reportedly even bigger hacking of HBO made news headlines. At the time, however, this was somewhat overshadowed by the leak, two days ahead of its first official airing, of an episode of the hit show “Game of Thrones”.
The leak was actually unrelated to the HBO hack. Instead, four employees of Prime Focus Technologies, a media management company and partner of Star India, who had the local distribution rights for Game of Thrones, were arrested and charged in relation to the leak.
From this series of events, there were a number of learnings:
It shifted the perception of how secure public cloud might be vs. our own on-premises infrastructure. Prior to these events, surveys often showed that security was a top reason why organizations were not utilizing cloud infrastructure. However, it is only logical that any vendor that generates revenue from selling CPU and storage to many large customers is going to invest heavily in the security of their clients’ data – probably more so than any of the clients could or would do individually. While many organizations were already moving towards cloud infrastructure or using managed services, there was a notable acceleration in this trend around that time.
Security isn’t just about preventing theft of data or assets. In the Sony Pictures example, the hackers also disabled access to data that they had not actually stolen and held the organization for a ransom. As such, security is as much about ensuring continued access to data and assets.
The choice of a vendor and technology partner has a significant impact on the security element. Vendors are given legitimate access to systems, therefore any potential weakness in terms of security on their end is now a potential weakness to the organization. In complex multi-vendor environments, auditing the security of vendors (especially retrospectively) can be extremely challenging. This is why ensuring that an auditing step is part of any future vendor selection process has become essential.
No matter how secure you are technologically, humans are nearly always the weakest link in any security system, be that accidentally or with malice.
Beyond essential training, in terms of specifying and designing our media supply chain and the technology that supports it, there are some things we can do to mitigate or minimise risk when it comes to human interaction with the systems.
User Access Control (UAC) is an obvious component – ensuring that staff and suppliers only have access to the media and systems that are required to complete their tasks. How we implement such systems can also be important. For example, most media supply chains have multiple systems, and the more user credentials required, the more likely users are to use or repeat simple or easily guessed passwords (or worse, write them down) – something that can be overcome by implementing SSO (Single Sign On) across the system. Finely categorized and access-controlled media will also ensure that users don’t accidentally share content they shouldn’t or indeed fall into temptation.
Protecting against malicious internal attacks, such as the Game of Thrones leak, can be much harder – though it’s worth noting that, at the time, Prime Focus, having quickly acknowledged blame, were actually praised for both their rapid response following the leak, and having sufficient audit trails in their systems and processes that they were able to immediately identify the guilty parties.
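The two points above (category-based access for staff and suppliers, and an audit trail that can name who handled an asset) can be shown together in a short sketch. This is an added example, not code from the original post or any vendor's product; the asset names, user names, categories and the `authorize` / `who_touched` helpers are all hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample data; all asset and user names are hypothetical.
ASSET_CATEGORY = {
    "ep7_master.mxf": "unreleased",
    "ep7_subtitle_proxy.mp4": "localization",
    "s1_trailer.mp4": "public",
}
GRANTS = {
    "editor_a": {"unreleased", "localization", "public"},
    "vendor_sub_1": {"localization", "public"},  # supplier: subtitling work only
    "marketing_b": {"public"},
}

def utc(day, hour):
    return datetime(2024, 1, day, hour, tzinfo=timezone.utc)

def authorize(trail, user, asset, action, when):
    """Deny by default, and record every decision (allowed or not) in the trail."""
    category = ASSET_CATEGORY.get(asset)  # unknown asset -> None -> denied
    allowed = category is not None and category in GRANTS.get(user, set())
    trail.append({"when": when, "user": user, "asset": asset,
                  "action": action, "allowed": allowed})
    return allowed

def who_touched(trail, asset, before):
    """Split users into those who obtained `asset` before `before` and those refused."""
    hits = [e for e in trail if e["asset"] == asset and e["when"] < before]
    obtained = sorted({e["user"] for e in hits if e["allowed"]})
    refused = sorted({e["user"] for e in hits if not e["allowed"]})
    return obtained, refused

def demo():
    trail = []
    authorize(trail, "editor_a", "ep7_master.mxf", "download", utc(10, 9))
    authorize(trail, "vendor_sub_1", "ep7_subtitle_proxy.mp4", "download", utc(10, 11))
    authorize(trail, "vendor_sub_1", "ep7_master.mxf", "download", utc(11, 2))
    authorize(trail, "marketing_b", "ep7_master.mxf", "stream", utc(11, 3))
    authorize(trail, "editor_a", "ep7_master.mxf", "download", utc(13, 8))  # after cutoff
    authorize(trail, "contractor_x", "s1_trailer.mp4", "stream", utc(11, 4))  # no grants
    # Review question after a leak: who held the master before 12 January?
    return trail, who_touched(trail, "ep7_master.mxf", before=utc(12, 0))

if __name__ == "__main__":
    trail, (obtained, refused) = demo()
    print("obtained:", obtained, "refused:", refused)
```

Recording refused attempts alongside successful ones matters here: the refusals show which accounts reached for content outside their task before any leak occurred.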
Keeping employees happy, and preventing malicious acts, is not exactly related to the media supply chain, but corporate responsibility has a connection to both, which is what we’ll look at in our next and final blog post in our series. Stay tuned for blog post six, about corporate responsibility.