CDSA

M&E Day: Convergent Risks Stresses Need for End-to-End Security

It’s important that media and entertainment organisations’ security initiatives keep pace with the needs of today’s distributed workforce and collaborative workflows, according to Convergent Risks.

As we emerge from the 2020 pandemic lockdown, the M&E supply chain is adapting to a distributed workforce through the use of collaborative workflows, software-as-a-service (SaaS)-based applications and the cloud. And what was a temporary solution may now become permanent. Therefore, security needs to keep pace with this dynamic environment where continuous monitoring is key to maintaining ongoing assurance preventing businesses being exposed.

“Over the last four months, it has been all about remote working, with a bit of an uncertain future — and everybody’s adjusted to the new working practices,” Mathew Gilliat-Smith, EVP at Convergent Risks, said July 2 during the security breakout session “End to End Security for a Distributed Workforce at the Global Media & Entertainment Day event presented live, virtually, from London.

“After an initial rush to figure out how to do this, I think people have been pleasantly surprised by how well everyone’s adapted,” he told viewers, adding: “For some, they don’t want to change and others are definitely getting cabin fever and they want to get back into the mix.”

“Normally, we would be flying our assessors to every corner of the globe. But, since lockdown, we’ve been doing a lot of screen time and doing a lot of remote” Trusted Partner Network (TPN) assessments,” he pointed out, noting his company conducts a large number of TPN assessments around the world.

He went on to analyse how working practices are changing. For one thing, there is the increased use of Virtual Private Networks (VPNs), which presents its own unique set of challenges. As an example, he said, “handling high-res content is not advisable over VPN because it takes up so much bandwidth.” There’s also been “horror stories about large bills coming in” as a result of VPNs and, “also, you have latency” issues, he noted, adding: “VPN doesn’t really facilitate effective collaboration” either.

One takeaway is that “temporary fixes do need more permanent solutions,” he told viewers.

There is also the need to consider next-generation tools to better enable a distributed workforce, he noted, adding “some of the collaborative applications that are out there [are] helping us to transition to a distributed workforce.” There are three that Convergent Risks has been working on: a collaborative scripting tool, cloud-based synchronization and dubbing apps for remote editing, he said.

Dave Loveland, cloud security architect at Convergent Risks, went on to explain how organizations can embrace SaaS solutions securely. First, an organisation should try to establish if the service is secure by default – for example, by seeing if it is certified by the Cloud Security Alliance (CSA) and follows the Motion Picture Association (MPA) best practices assessment also, he said.

Also check to see if the service offers Continuous Security Monitoring and alerting, independent security testing, good security incident management and remote visualization solutions on-prem or via the hybrid cloud, he suggested, adding you can also check to see if there are measures in place to prevent data leakage.

Key security considerations organisations should make include: Permitting authorized devices only, making sure you subscribe to the vendor’s security advisory service “so if they have any vulnerabilities you get notified,” change the default password for the management console, add multi-factor authentication, and disable access to local devices including USB, he noted.

When relying on remote workstation solutions leveraging the cloud, organisations should be aware of the Desktop-as-a-Service (DaaS) shared responsibility model because you will be responsible for security of the cloud environment and security of the virtual workstation, he said, adding: “It’s not secure out of the box.”

In summary, he said: (1) “Next-generation tools offer real benefits to vendors. (2) “Security is not necessarily there by default.” (3) “It’s important to get assurance that you’ve configured it correctly to avoid common security problems.” (4) “Remember to decommission any temporary solutions that you had in place.” (5) Make sure your team is aware of its obligation for distributed working.

The fourth annual M&E Day event, presented by the Media & Entertainment Services Alliance (MESA), featured mainstage panels and more than 15 breakout sessions, covering the latest it data, cloud, IT and security across the media and entertainment technology ecosystem.

The event was presented by Caringo, with sponsorship by Convergent Risks, Cyberhaven, Richey May Technology Solutions, RSG Media, Signiant, Whip Media Group, Zendesk, Tape Ark, Sony New Media Solutions, 5th Kind, ATMECS, Eluvio, Tamr, the Audio Business Continuity Alliance (ABCA), the Entertainment Identifier Registry (EIDR) and The Trusted Partner Network (TPN).