Security (Awareness)

In modern workflows it is often unfeasible or uneconomic to completely operate in private network environments or within the perimeter of a single organization.

Today, people are using their own devices (e.g. smartphones, laptops) for communication, external freelancers and 3rd party post-production facilities need copies of content, cloud-based project management platforms are used to discuss and review editorial content.

Security Requirements

Media productions have special requirements on the **security** and **reliability** of their infrastructure which need to be addressed when operating on general purpose IT systems and over public computer networks.

Security considers the protection of **secrecy**, **integrity** and **availability** of content (scripts, work schedules, budgets, media files, edit lists, etc) and communication (emails, messages, etc). Reliability on the other hand is concerned with the design, assessment and monitoring of your IT infrastructure (networks, computers, storage volumes, etc.) in order to guarantee uninterrupted operation of your business.

It's important to understand that security is not absolute. In fact it is a state of your data that evolves over time with actions you perform (changing access permissions, copying data between volumes, connecting your laptop with an unknown wireless network), and also external events (vendors release software updates, new attacks on your software are disclosed). A system that is secure today may become insecure next month. Hence, retaining security requires a regular process including of software updates, user training and strategic reviews.

What can possibly go wrong?

Your data security is only as good as the weakest part of your infrastructure, which to the greates extend is the human factor. Top reasons for security breaches are (1) human ignorance & lazyness, (2) operator errors, (3) software bugs and (4) equipment failure.

A good loss-prevention strategy is to follow the 3-2-1 rule: always keep three copies of your data on two different storage media and make sure one copy is off-site.

Loss: Loss makes data unavailable. Data can get lost when equipment fails, software crashes, human operators inadvertedly delete files or when malware on your computer deletes files. To combat loss you can build a layer of resilience (have pre-configured stand-by hardware), replicate data (mirror data between multiple storages and databases) and keep backups (copy data to cold storage, but make sure you can read back that data anytime you need it).

Theft: Theft may make data unavailable when you're not protected against data loss, but what's more important is that your data's secrecy is at risk. You cannot easily prevent theft of equipment shipped or used in the field, but you can make extracting data from stolen equipment and remotely stealing data from networked computers harder. The key is to make it either unattractive or expensive to steal data. One way is to visibly taint or watermark data or otherwise decrease its quality (e.g. partitioning metadata and content or downscaling media files). Another way is encrypting the vast amount of data so you would only have to protect the much smaller decryption keys. Encryption is tricky because it's value is only as good as the way in which you keep the keys secret. That's why keys should never be sent over the same channel as the encrypted data or stored on the same volume.

Disclosure: Theft alone may only put a copy of your data under other people's control, but it may leave their intentions unclear. A related yet distinct threat is that your data is disclosed, either publicly (media content, embarrassing communications), to authorities (tax-related and financial documents) or competitors to your business (strategic business documents). Disclosure is negative for your business' public image and it may become very expensive, especially when your business is legally bound by contracts. Disclosure often happens through insiders, so a useful strategy overlaps and extends the strategy suggested for preventing theft. Key point here is to make it hard, even for insiders, to access data at full quality and to exfiltrate sensitive data. It's important to compartmentalize access, so, for example, an accountant's computer cannot access the media production department's data. All professional software allows to define and enforce strict security policies, but it's up to you to use such features in your workflows.

Disruption: Equipment failures, theft or other malicious activities may lead to situations where your business is not operational because you cannot access data or communication. This may just loose you time while you still need to pay for expenses, but it may also let you miss deadlines for delivering results to a client or sending business documents to authorities. To prevent disruption it's necessary to have backups of your data, but also of all the configurations, settings, credentials (e.g. passwords and license keys) and software packages you need to access the data. You can limit your downtime when you keep an already installed and configured computer around, but still then you need to account for the time it takes to restore data from a backup. To get a reasonable expecation of your recovery time you need to regularly test your recovery procedure. Doing this for the first time, you may realise that essential data or information is missing from the backup or the restore does not work as expected. Clearly document your recovery procedure and keep a printout in a safe place.

Author: Alexander Eichhorn