HPA Tech Retreat: Security Threats, Strategies for Film and TV

Motion Picture Solutions CTO Laurence Claydon addressed security during the HPA Tech Retreat, a topic that is not always the most interesting to a crowd of film and TV technologists. Claydon’s experience comes from more than 20 years of content localization and of working in digital cinema for Technicolor, Deluxe and others. “This is based on those workflows,” he said, “but some of it is those principles can be applied to any workflow.” Advances in technology have increased the risks of piracy, even before the advent of videotape, he noted.

Most industry security standards are based on access, said Claydon, adding that 2011 was a turning point when the tsunami in Japan put HDCAM SR tape out of commission, pushing TV/film productions into file-based workflows. “There was a rapid uptake of electronic file transfer toolsets,” he said. “File-based delivery overtook physical delivery. Bandwidth cost and speed also improved, making the switch easier.”


Electronic file delivery is efficient, but there are security risks. “Content may be copied and sent out one-to-many,” he said. “All it takes is a few clicks to make that happen. Also security based passwords are regularly shared, and this is probably one of the biggest security holes.”

Claydon discussed the difference between environmental security and content security. Environmental security assumes content is protected in a non-hostile environment, meaning that if the environment is secured, the content will be secure. Measures include everything from CCTV and guard dogs to staff training and staff background checks. Content security assumes the environment is hostile, and protection is therefore provided for the content itself.

There is also a balance of speed versus security: day-and-date theatrical release is in itself an anti-piracy measure. But tight deadlines lead to cutting corners, increasing risk. Both late delivery and content theft equal loss of box office and revenue, so both need to be respected equally.

Content owners need to define risk. “If it’s a 4GB QuickTime, it’s high risk, but if I’m talking about a 12TB 4K DCDM, it’s lower risk,” Claydon said. Piracy risks are associated with localization, since versioning might require 50+ different languages, which means there are 100+ pre-release copies floating around. “Subtitle files are still commonly sent via email and that’s another enormous risk factor,” he added.

Claydon also identified content data transfer as especially risky, mainly because people share credentials. “The notifications contain the URL, username, password and are cc’ed and forwarded and replied to many,” he said. “Email usage policies prohibit the sharing of passwords but no one reads the policy or follows it.”

His company handles that by immediately escalating any sharing of passwords. “We treat it like a hack and contact all parties,” he said. “We request a password change and that it is communicated out-of-band (i.e., via Privnote). Then it’s back to business.”

In a 9-month period, dealing with studios, post houses and companies, reports Claydon, they “almost obliterated the practice of people sending passwords by email.” Further mitigation is encryption-at-rest, which he believes is “necessary for an extra measure of security.” Requirements for an efficient workflow are 128-bit minimum/256-bit preferable AES encryption, he said, adding that it be media agnostic, operating system agnostic and application agnostic, with secure key management.

“Toolsets for this now exist and are in development,” he concluded.