The many benefits of the Trusted Partner Network (TPN) industrywide content security initiative were highlighted May 23 by Richey May Technology Solutions, New Wave Entertainment and TPN/Content Delivery & Security Association (CDSA) executives in two separate breakout sessions at the annual HITS Spring event.
TPN, created by the CDSA and Motion Picture Association of America (MPAA), establishes a benchmark of minimum-security preparedness for all vendors, by providing assessments of production, post and distribution operations.
During the session “Maturing your Content Protection Strategy: Lessons Learned from New Wave Entertainment,” Rick Nowak, chief operations officer of that Burbank, Calif.-based company, described New Wave’s journey in content protection and the challenges it’s faced with security assessment especially.
Kicking off the session, JT Gaietto, executive director for the Cybersecurity Practice at Richey May, said “one of the things that stuck out to me” in a recent Verizon report on security breaches was that media and entertainment/information organizations were the “second-largest impacted” companies in 2018, behind public sector/government organizations.
New Wave was one of the first organizations to go through the MPAA’s security assessment audit, Nowak noted. “It was a big deal because we had never had anybody kind of look at our security” before that, he recalled, pointing out the auditor that handled New Wave’s first audit was a company more experienced with assessing larger companies in the banking industry. The assessment was “jarring” and “difficult” for his company, he said, noting it didn’t meet compliance in certain areas. After all, “we’re not Fort Knox [and] we’re not going to be Fort Knox,” he conceded.
The security auditing process was refined over time, he recalled, but noted there was still a challenge companies like his faced. “You can’t put us all in the same crate,” he said, adding: There are certain things … we have to adhere to. But to sit there and make us all into one shape fits all, that didn’t work, and that’s kind of been the hardest problem through all these years.” In other words, a small media company like New Wave shouldn’t be assessed as if it’s Fort Knox.
Of TPN, Nowak said: “I applaud the fact that they’re trying to centralize it and that they’re trying to look at different companies. That’s actually a positive step in the right direction … .” Nowak had “heard rumblings of a centralized system for a while,” he pointed out.
TPN assessment is good for business, according to Nowak. Such an assessment “works as a barometer for you” and your organization, and what you do well and what you need to do better, he noted.
Back when he did the first MPAA audit, most of New Wave’s security was “much more physical-based” than it is now, he said, noting his company at the time still had tape machines and a big vault with lots of tapes. “It was definitely much more physical,” he told attendees. Flash forward, however, and “I have not seen a video tape in five years – maybe longer,” he said. Once upon a time, it was all about a media organization keeping its content safe from other people in the same building, but “that has transformed completely – 180 – to a complete digital” strategy now, he said.
And New Wave’s content security initiatives are not just about content, but also its financial infrastructure, human resources and other parts of its business global footprint, he noted, adding: “Any breach is a breach and you don’t want that.”
New Wave has been investing heavily in its digital infrastructure, including its firewall and machine detection, he went on to say. But he added: “The biggest investment we’re making now is in network configuration and trying to change our content network configuration to meet new demands.”
Keeping content secure among creatives across all the devices they’re working on represents a major challenge, he explained, adding the “biggest problem” is often that “our creative clients do not talk to their content security people, nor do they care” …. until there’s an issue.
During the “Trusted Partner Network: App & Cloud Roadmap” session at the event, the importance of TPN’s centralization was underscored by Ben Stanbury, content security officer at Amazon Studios, TPN CTO and CDSA chairman.
“This is intended to be one central industry content security assessment program,” he said, noting joint venture partners CDSA and MPAA retired their own individual assessment programs to focus on TPN’s.
He also provided a one-year update on how TPN’s site security program has progressed and what’s in store for the next phase, app and cloud security, that addresses core technologies for the future of motion picture/television creation and distribution.
It’s been “operational for eight months now,” according to Stanbury. So far, the TPN initiative has been supported by nearly 30 media and entertainment companies and it’s about to “roll into” the app phase, he said, pointing to a slide showing TPN’s projected timeline. Phase 1, site security, was completed last year, followed by Phase 1.1, vendor training, in March this year, and Phase 1.2, Content Guardians, in April. Phase 1.3, information sharing and the analysis center, is expected to be completed in October, followed by Phase 2.0, app security assessments, and Phase 2.1, cloud security assessments, in December.
One other major “benefits” of TPN, from a data security perspective, is that all assessment data and other important info that organizations want to remain private is protected, Stanbury said, noting “they never leave the platform.”
In addition to centralizing data, the other main goals of TPN were to reduce redundancy and reduce costs, according to Guy Finley, CDSA executive director and CEO of TPN. There had been many duplicate assessments before, with CDSA, MPAA and the studios each using their own assessment programs. Some facilities were being assessed in excess of 10 times a year in the past, he noted.
In another session at the event, “Addressing Content Security for Film and Television Productions,” Lulu Zezza, CDSA co-chair of the Production Security Working Group, provided details on the first Film & Television Production Security Guidelines for protecting film and television productions against cyber and physical theft, which were recently released by CDSA.
The guidelines contain everything every producer and crew member needs to know to secure their intellectual property on-set or on-location. The guidelines were written by a working group of executives from Amazon Studios, Amblin Entertainment, AMC, Bad Robot, BBC, Fox, Paramount, Marvel, Netflix, NBCUniversal, Turner, Walt Disney and Warner Bros., in cooperation with contributing members of the Producers Guild of America (PGA).
The goal was to come up with a “unified set of guidelines that everyone can live with,” Zezza told attendees, noting they include four documents, including the main one that’s about 100 pages long.
An example of one major challenge that’s addressed in the guidelines is the relatively new issue of smartphones and other mobile devices coming onto sets, she noted. As a result of this problem, “you really need to train security to be aware of” phones being brought on sets and to take a more active role, she said.
HITS Spring was presented by Entertainment Partners, with sponsorship by LiveTiles, 5th Kind, Amazon Web Services, Birlasoft, Exactuals, Expert System, MarkLogic, Microsoft Azure, Richey May Technology Solutions, SoftServe, Spark Digital, Avanade, CDSA, Cinelytic, EIDR, MicroStrategy, Signiant, the Trusted Partner Network, human-I-T, and Zaszou IT Consulting.
The event was produced by the Media & Entertainment Services Alliance (MESA) and the Hollywood IT Society (HITS), in association with Women in Technology: Hollywood (WiTH); CDSA; and the Smart Content Council.