Published on June 10th, 2020 📆 | 3589 Views ⚑
0The Blurring Line Between Content Security and Information Security
Protecting content is a constantly evolving challenge as the entire media and entertainment ecosystem quickly shifts to cloud infrastructure. Although content security and information security have intersected for many years, the line between them has become increasingly blurred as more of the sector shifts to digital content and the cloud, according to industry experts.
Content security and information security are âconverging together and better cooperation between those two teams needs to occur,â said Christopher Taylor, director of the Media and Entertainment Information Sharing and Analysis Center (ME-ISAC), speaking May 12 at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience.Â
âIâve always feltâ that information security (infosec) âteams are there to protect the companyâs intellectual property, and the content is the most important of all the intellectual property the company has,â he noted during the CDSA/Trusted Partner Network (TPN) Update session âA Cultural Revolution: Content Security v. Information Security,â which he moderated. ME-ISAC operates as an initiative within the Content Delivery & Security Association (CDSA).
Therefore, âthis is an important conversation the infosec and the content security teams need to have,â Taylor said.
What Abdul Hakim, DPP program delivery manager, said heâs seeing is that âclearly things are mergingâ now, noting that, âhistorically, content security and information security were considered separate things.â
However, âfundamentally content is data information, so they should be seen in that context,â he said, adding: âThat realization is starting to seep into how ⌠vendors producing products and systems are starting to develop their product⌠As they move to cloud, the controls are emerging and the security features are emerging, addressing that difference in how people treat content and data separately.â
âIn the past,â there has essentially been a âcultural clashâ between content security and information security teams, according to Ben Schofield, CDSA project manager and Trusted Partner Network (TPN) product manager. âThere were the people making the content and there were people supplying the backend systems and the two were totally distinct â it was two different sets of personalities,â he said.
âBut as we move into VFX and CGI, some of those things going on, itâs such a technical field that one would hope that thereâs common ground there,â he noted, adding: âI think that especially with the pressures that are on productions to be more efficient, theyâre highly reliant onâŚthat data.â
When you had film stock and security specialists were protecting DVD masters âthat was completely distinct from information security,â Schofield pointed out. However, âwhen your content is bits and bytes, itâs largely consumed on the cloud, then there shouldnât be any distinction,â he said.â¨
According to media and entertainment security veteran Marc Zorn, when it comes to âeverybody that touches content â every company that touches content, it used to be that we would build our networks and our data centers as âhey we have a corporate side and we have the production sideâ and there was this hard line between them, and we always had to figure out how do we make firewall rules that kind of keep the cold side cold and the hot side hot.â
However, now, with everything moving more toward the virtual space and everybody having a âkind of a blurred role to play,â there is a question about where that perimeter is, Zorn said. âWe donât know anymore. Now we have to kind of build in the way that we look at the whole enterprise as being intellectual property in one form or another,â he added.
The supply chain is, meanwhile, increasingly âwhat weâre reliant upon,â according to Hakim. âSo, not only are we concerned with enterprise and the security of the enterprise, but increasingly we need to be worried about the security of our suppliers as well,â he pointed out, noting the domain that a media organization has to think about now is much broader than it was in years past. As a result, he said, it âbecomes more complex and worrying as well because now how can you be confident that your suppliers are thinking about security in the same way that you are?â
Schofield provided a suggestion: âWe need to do something that makes the production creatives understand the power that they can get if they embrace that infosec approach because I think itâs going to be much more importantâ in the future. After all, âthe world is changing very fast, so some of the old disciplines are going to go away,â he predicted.
âThe interesting discussion isnât about what the futureâs going to be,â Schofield told viewers, adding: âI think we can all make a prediction on that. But itâs how we get that transition â how we aid the reduction of that clashâŚ. They shouldnât be two separate worlds.â
It is important to âdemand that the people that are creating the tools build in the security so that itâs not a separate line item,â Zorn said, adding: âWe donât have to do a tradeoff between the best creative tool and the most secure tool because the folks on a production, theyâre going to fall in line with the best creative tool every timeâŚ. We need to raise the bar on our supply chain to make sure that security is not an afterthought where they develop a tool and then apply security to it. Security has got to be part of their development process as well.â
Zornâs concern, however, is that creatives often want to use the easiest tools, and those are typically the ones that donât have any built-in security, he noted.
âFundamentally, good security needs to be there by default and not something you have to pay extra to get or buy separately,â according to Hakim.
However, if you make the security solution âtoo hard, the creatives will work around itâ and maybe just use a different companyâs solution, Schofield warned. It is kind of like when people are forced to change their passwords all the time, so they just write them all down somewhere, he pointed out.
The key takeaway for Schofield is âitâs an organizational challenge,â he said, adding: âI think, structurally, youâve got to remove the distinction between infosec and the creative technology and youâve got to smash those teams together. And then you donât have that cultural barrier.â
Zorn suggested that security be made one of the things that the tool vendors are competing with each other on âto get the upper hand.â He offered the analogy that ânobody buys a car because they have really cool locks, but if there are two equal cars and one has really good, easy-to-use remote entry, you might actually tip it over in that direction.â
Also, âthe earlier we can build in the security in that whole process, the easier itâs going to be in the long run,â Zorn said. His advice for the industry: âPartner as closely with the people that are creating the content to make their jobs as easy as possible. Build in the security to their world rather than trying to impose security into it.â
Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.
Produced under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this yearâs Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.
To view video of the presentation, click here.
Gloss