CDSA

Fortium, HGST at CPS: Selecting a Security Solution is Crucial Amid Piracy, Hacking Proliferation

Securing media and entertainment companies’ content — whether it’s a new movie or any of a company’s confidential stored data — remains important, but challenging, as piracy and hacking continue to proliferate, according to executives at Fortium Technologies and Independent Security Evaluators.

Speaking Dec. 7 during a presentation at the eighth annual CDSA Content Protection Summit (CPS), Fortium CEO Mathew Gilliat-Smith pointed out that the post-production stage of a movie or TV show, when editing is being done, continues to be an “extremely vulnerable” point for such content. It’s there, after all, that content is often stolen or accidentally leaked, he said.

Although the movie or show may be unfinished, the video content is often in final form and any leaks can have serious consequences for both the content owner and any supply chain partners involved.

“High-profile leaks” don’t happen a lot, but when leaks of big movies and TV show premieres do happen, they often lead to huge headlines and can be expensive, Gilliat-Smith said. Accidental sharing of content is typically where the leaks happen, he said, pointing out that Fortium provides security solutions that include anti-ripping for Oscar movie screeners and digital file protection for films in post-production.

Content companies’ concerns about putting security software like Fortium’s MediaSeal in place typically include how much time, extra work and cost will be involved, he said. But he said MediaSeal can be set up easily in just a couple of hours at relatively little cost. Another concern is that implementing security software could be “very disruptive,” but he said that’s just not true: it basically comes down to adding the step of entering a password for the authorized people who need access to the content.

Gilliat-Smith also highlighted the benefits of file or folder encryption schemes like MediaSeal over full-disk encryption: “Full disk encryption doesn’t lend itself well to individualised DRM and control on a per application/user basis; it’s not much use in busy, collaborative post-production workflows. Security-wise, if the disk encryption key is unlocked, all files can be opened in all applications, lending itself to remote siphoning of content in the case of a remote hack.” There are many different methods available to keep data secure, and the right choice ultimately depends on the situation and workflows.

In an earlier presentation, Erik Weaver, global director of M&E market development at Western Digital’s HGST subsidiary, asked Independent Security Evaluators CEO Stephen Bono what the most important thing is when considering a security solution.

Bono replied that it’s “context,” adding that one must truly understand “the context or the threat model” involving a particular device that’s being used for storage. “So, if we’re talking about physical storage, you want to know who has access to that storage, where it is, what’s on it, [and] who are you afraid of getting access to it,” he said. “Context is so important because if you don’t really understand why you’re doing a particular security measure, you could be wasting resources big time on that.”

Bono went on to say: “The differences between cloud storage and physical storage are enormous. There are so many different attack scenarios and use cases that by just assuming encryption is the way to go, you may pigeonhole yourself and wind up working on security for a solution that doesn’t actually help you out in the long run against your particular adversary.”

But Bono said encryption is “one of the few things that is effective 100 percent of the time – or 99.999% of the time – in the appropriate use case.” It will work if used correctly, he said, noting that, in comparison, other types of security tend to have more vulnerabilities. If data is stored on physical devices that people are carrying around, “encryption is a must,” he said.

However, he warned that if a company focuses on encryption only, it “might only be effective in 10 percent of the cases that you care about.” For example, in the case of physical storage, encryption is good if you expect to lose a drive or think somebody might physically steal something — “but it’s not going to prevent malware from reading that disc,” he said. When it comes to the cloud, meanwhile, encryption doesn’t always make a whole lot of sense, unless the user doesn’t trust the data center being used and its employees, he told the Summit.

Not all encryption is the same either. “When you encrypt your laptop or your cellphone you might find that there’s very different quality in the encryption that’s used,” Bono said, adding that “full-disc encryption is what you want” because it “takes everything – every bit on that device or on that drive is encrypted.” On the other hand, file-level and folder-level encryption schemes just don’t work as well, he said.

All security generally entails confidentiality, integrity and availability (making sure data remains accessible to authorized parties as they need it), he also said. “Confidentiality is what you’re most familiar with,” he said, pointing to the need for encryption to prevent unauthorized people from accessing data.

But integrity is “often overlooked,” he said, noting how important it is for authorized parties to verify that the content on a storage device is indeed what it’s supposed to be and has not been modified in some way – be it “accidentally or maliciously.”

At the end of the day, companies and individuals who want to protect their content need to select some form of security. “It’s not very difficult these days to launch attacks,” Bono said. It’s probably not hard for an attacker to find someone’s devices containing sensitive data and steal that information, and those attacks are happening more and more now, he said.

Bono went on: “Getting access to your home computer is as easy as sometimes purchasing malware online and coercing or tricking you into downloading it and running it somehow. So, you don’t have to be an experienced hacker to do a lot of the things to get access.”

In a recent test, his company looked at 13 wireless routers to gauge the state of the industry. Citing the results, he said: “Out of 13, all 13 of them were easily smashed to pieces security-wise. It was horrific. There were built-in back doors to these things that I don’t think the companies knew about, where in the code it would say ‘this is the back door.’” That drew laughs from the audience.

“Most consumer products are just riddled with vulnerabilities and a lot of enterprise products too, but the consumer-grade ones have a different level of carelessness,” he warned.