CDSA

CPS 2021: Zero Trust Can Help Safeguard Your Most Vital Assets, archTIS Says

Applying a zero trust intellectual property (IP) protection methodology to data access and sharing can help safeguard a media and entertainment company’s most vital assets and ensure they don’t accidentally or deliberately walk out the door, according to Dave Matthews, technical solutions manager at archTIS, an Australia-based provider of information security software solutions.

A leaked script, clip or game design could be disastrous to the success of any M&E project.

Although today’s collaboration tools have made it easier than ever to exchange ideas and information, they have also made it all too easy for deliberate and accidental data leakage to happen.

NC Protect, archTIS’ solution, is an advanced information protection platform that “applies zero trust data access and dynamic security collaboration,” Matthews said Dec. 16 at the Content Protection Summit (CPS) event, during the IP Protection breakout session “Using Zero Trust to Protect Intellectual Property in M&E.”

A Breach’s High Potential Cost

“According to multiple sources, globally, IP theft costs organizations in excess of a trillion U.S. dollars per year,” Matthews said. “And that’s just the monetary loss. We could also be talking about trust, reputation, jobs, future contract opportunities. These often take a hit” also, he added.

As an example of a major security incident, he pointed to the 2014 Sony Pictures breach, which included corporate login info for social media accounts, internal emails, executive earnings data, personal earnings info of employees, and aliases that actors including Natalie Portman and Tom Hanks used to stay at hotels.

“That hack itself, on its own, cost Sony over $170 million U.S. dollars,” he said. Another incident around the same time as that breach involved the BBC TV show Doctor Who and the script for the first full episode starring Peter Capaldi as the title character, he noted.

More recently, there was a breach of the trailer for Spider-Man: No Way Home that revealed movie plot twists and showed unfinished special effects, he said, adding that other sectors have been impacted by breaches also.

COVID’s Impact

Pointing to the findings of a report conducted a few months ago, Matthews said: “We found that before the pandemic, 57 percent of respondents reported that less than a quarter of their employees worked remotely. But, today, 57 percent of respondents say that three quarters of their staff are now working from home.”

Currently, “benefits of working from home do clearly outweigh the risk for most organizations,” he said.

But he said: “We’re still dealing with these ever-present COVID variants. They’re changing the way we work from season to season, and globally we’re seeing the vaccine rollout is moving very slowly.”

“Despite the transition to remote working, 79 percent of those that were surveyed responded that they are concerned or very concerned about the risks of working from home,” he pointed out. Yet 90% of the organizations that took part in the study “responded that they’re likely or very likely to maintain a remote workforce post-pandemic,” he said.

Applications of the most concern to respondents were file sharing (68% of respondents), web applications (47%), video conferencing software (45%) and messaging apps (35%), which he said were all “keeping them up at night.”

However, without those applications, working from home just wouldn’t be possible, he said.

Top security challenges that respondents identified were: user awareness and training, Wi-Fi security, sets of data leaving the perimeter, the use of personal devices and an increased security risk overall, he noted.

Many people, after all, are still not aware of the importance of securing their own Wi-Fi, he said.

“We’re also dealing with human error, [which] may be negligence and accidental data loss or it could be intentional – not the data leak itself but the data breach,” he pointed out.

Some people have stated they circumvented security controls because it was easier to get their work done that way, he noted.

Some examples of accidental data loss are: wrong recipients receiving an email, unintended disclosure, a forgotten document being left on a train and the unauthorized disclosure of sensitive data.

Zero Trust

Many organizations are “still relying on user training, reactive event monitoring and perimeter-based security” to combat the new “threat factor: trusted employees with a legitimate access to applications and systems,” Matthews went on to say.

Although “all of these technologies serve an important purpose, they don’t protect against many of the concerns identified in the survey, specifically sensitive data security, data handling and simple human error,” he told attendees and those viewing virtually online.

“To effectively protect against these risks, a new approach is going to be needed,” he said.

“Zero trust does provide an interesting solution” and is based on the strategy that nothing should be trusted inside or outside an organization’s security perimeter, he noted. You have to “verify everyone and everything trying to connect to [an organization’s] systems at the point of consumption before granting access,” he added.

The “traditional approach to zero trust has been through role based access control” (RBAC), where you restrict a person’s access based on that person’s role within an organization, he noted.

The newest method is attribute-based access control (ABAC) and is built around the combination of user, environmental and resource attributes, he said.

The Benefits of NC Protect

When using his company’s NC Protect solution, Matthews said, only two questions need to be answered: Who should have access to data? And what should users be able to do with it once they have access?

Key NC Protect capabilities include:

  • It provides dynamic, real-time data-centric protection.
  • It limits access based on both user and file context.
  • It controls file usage and sharing rights.
  • It uses existing MIP sensitivity labels.
  • It adds personalized security watermarks.
  • It forces secure read-only viewing.
  • It time-limits access to data.
  • It builds smart information barriers between workgroups, contractors, etc.

Matthews went on to explain how NC Protect enforces zero trust, adding that his company’s solution is quick to deploy, simple to use and scalable. It will also “integrate with existing systems” so previous security system investments aren’t wasted, he added.

The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.