TPN’s Schofield Explores Evolution of Content, Information Security
UNIVERSAL CITY, Calif. — Protecting content is an evolving challenge as the entire media ecosystem is quickly migrating to cloud infrastructure, according to Ben Schofield, project manager of the Content Delivery & Security Association (CDSA) and product manager of the Trusted Partner Network (TPN).
Content security and information security have intersected for several years, mostly depending upon how much of an organization’s business and creative workflow or infrastructure is enterprise or cloud-based.
“People are rushing towards cloud” and how they approach the process supply chain is “really important,” Schofield said Dec. 4 during “The Evolution of Content and Information Security,” a session that was part of the CDSA Workshop held in conjunction with the Content Protection Summit.
Companies including Discovery and Turner are among those “racing towards the cloud” and there are “some economic advantages that drive people towards it,” he said, noting it’s all “about scale.” However, “during that headlong rush to cloud, you lose some of the established procedures — some of that well-understood perimeter security” in the process, he said.
Looking across the ecosystem, he said, “I think what we’re moving towards — what’s happening in Hollywood at the moment” — is that “all the different silos” — for movies, television, etc. — are “collapsing into a single digital workflow” that’s being used for distribution.
“We’re not a regulated industry today” and “when you get to some of these regulated industries, if you get it wrong you go to prison, and so there’s a big incentive for compliance,” he said.
However, “it’s highly unlikely” that you’re going to be on the set of a Steven Spielberg movie and be able to threaten to shut his set down so he can’t make the movie if there’s a compliance issue, he noted.
For many years, content has been coming through a “controlled environment” at media and entertainment companies’ facilities, he went on to point out. On the digital side, there are similar structures that include a firewall, back office networks and other components, he noted.
“When you move to cloud, there isn’t really much that’s different,” although various functions are no longer on-premise, but somewhere else, he said, adding that “what’s different with cloud … is how sensitive it is to small anomalies.”
Cloud platforms tend to be “physically secure,” he said, noting that at cloud data centers, there tend not to be many signs and they’re “very difficult to get to them.” And then, when you get to the front door, “you’re in an air lock with bulletproof glass and guys with guns,” he said.
“From a physical security [standpoint], there’s no way that any of your own in-house server rooms are anywhere close to that level of security,” he pointed out. “So, you can kind of trust the cloud platform, but it’s not as simple as that,” he said. For one thing, “you’re going to have multiple applications, so you’ve got to make sure that each one of those applications [have] similar level of controls,” he told attendees.
“The real Achilles heel for me — and what you’ve got to watch out for — is the integration code,” he said, adding that “when you get these applications talking to each other, there’s a whole bunch of codes.”
In supply chains, “businesses will make sure they pass the test” when their security systems are audited, he said. But what’s important is “how embedded that is within the culture because that is the weak link in the chain,” he said.
With some organizations, “they try to game” the audit — “they get through the audit and then that’s it [until] next year,” he pointed out, adding: “You’ve got to make sure that the people are drinking the Kool-Aid – that they actually are not just taking this as a check-list exercise, but actually are embedding it in their culture.”
After all, he said, while “controls are great…. it’s more about the capabilities, it’s more about the people in the organization.”
During the Q&A, he told attendees: “I’m not saying” that everybody “can do” quantitative risk analysis for assessments, but rather, “I’m saying they should be thinking about it” at the very least when it comes to the media and entertainment sector.