HPA Tech Retreat: Evolving Security for Media & Entertainment

Growing concern over content security was the subject of “Why Traditional Information Security Doesn’t Fit in Most of Media & Entertainment,” a talk by HBO/WarnerMedia productions and content security head Marc Zorn. “Film security was based on physical controls,” he said. “Post production began after photography, and threats were primarily from post onwards.” Once the workflow became digital, he added, threats to digital media looked like IT security, “from an IT security professional’s perspective.”

The MPAA adopted international standards for information security management — ISO 17799/27000 domains — but, “it was more about compliance and didn’t address our problems in production,” said Zorn. “ISO 27000 was adopted to a set of best practices and they began a security audit program at the studios,” he recounted. “We had a compliance regime focused on post production that the big studios imposed on their vendors.”

But the MPAA audit had drawbacks, continued Zorn. “It was primarily physical and based on infrastructure and not really the intellectual property,” he explained. “There was an unreasonable focus on surveillance and obstructive controls and a preoccupation with screeners and Internet piracy. It was based on compliance to a framework, not real risk, which is constantly changing.”

Zorn noted how the film/TV production culture is different from banking or other industries based on creating and fortifying an infrastructure. “We have a dynamic environment with unique technologies and workflows,” he said. “In this world of contiguous workflows and polymedia — it’s no longer multimedia — workflows are digital from development to distribution. IP is created throughout the entire arc, blurring the distinctions between phases. Collaboration begins at development, and technologies are popping up to support contiguous and bi-directional workflows.”

In the old studio model, content creators owned the infrastructure and had local control but weak identity credentials. “As we move towards the cloud, we need strong identity credentials, federated ID control for where and who we collaborate with, and — the most important two words — strong encryption for the Internet. The data has to be protected wherever it is.”

The rise of metadata, he added, “will help us get there.” “Metadata is no longer incidental,” he said. “It’s now intellectual property. It will be an integrated part of what we do, part of every workflow, for documentation to authorization, instructions, logistics, credits, trivia, marketing, copyrights, contract terms, royalties, codecs, photo data, and so on. It will be the glue that holds collaboration in the cloud together.”

Moving forward, Zorn encouraged attendees to “demand security built into all tools, networks, storage and collaboration spaces.” “Don’t use any tool that is not proven to be secure,” he said. “Don’t rely on someone else to manage security for your data — especially cloud. Cloud tools don’t equate to safety. Demand encryption of all data at rest and in transit.”

“Current information security policies and best practices are obsolete,” he concluded. “We are now in collaborative space. Storage location of encoded data will be irrelevant because data must protect itself. Security is enabling innovation and no longer somebody else’s problem.”