CDSA

M&E Journal: Keeping Production Data Safe

Jeff Impey, SyncOnSet

The complex, fast-paced workflow and sensitive nature of film production present unique security challenges never faced by many traditional organizations. Film production requires hiring hundreds of freelance crew (who may or may not have a history of working together) and an entire ecosystem of vendors incredibly quickly.

As the backbone, scripts need to be efficiently distributed to crew members to allow them to begin their creative process and orchestrate all logistics. Notes, photos, and video are constantly shared in this highly collaborative production environment. To do this effectively, crews use a myriad of disparate (approved and unapproved) solutions: personal cameras and smartphones, file storage apps, email, digital-dailies systems, spreadsheets, shared documents, homegrown database programs, production software, consumer/social apps–and the list goes on. Without these tools, managing the complexity would be impossible. But it can be challenging to efficiently assess the risks and benefits these many different tools pose to the production and studio.

SyncOnSet, as the industry-standard continuity and inventory software for production design departments, has undergone separate security assessments by all major film studios. Since SyncOnSet is the first cloud-based software for the specific workflow it solves, with the only alternative being a three-ring binder, studios have had to assess the benefits of “cloud vs. on-premise,” “digital vs. analog,” and evaluate the alternatives for an unfamiliar workflow.

While most SyncOnSet end-users are crew (costume supervisors, make-up artists, set decorators and the like), we view our relationship with studios as a partnership to bring the best of both worlds: efficient and secure solutions. Together we continue to develop new content protection and data security procedures that make production data significantly safer than previous alternatives.

Stereotypically, we think of cyber security as protection against criminal hackers hoping to make huge profits from your data. But keeping data safe and reducing business risks is an important combination of (1) data security (protection from external attacks), (2) content protection (governance and control over privileged access), and (3) data retention (redundant data, data re-entry, and business risks without backups). All three are essential to the overall safety of your data. For instance, keeping data 100 percent safe from external hackers may not eliminate business risks if the only copy of the data was stored on a failed hard-drive. So we’ll look at all three elements of keeping data safe, highlighting real examples of each within the context of physical production.

Data security (The devil you know…)

Crew come from a wide range of previous projects with different relationships, tools, and procedures. At the start of production, it’s important to have a clear protocol and a point of contact responsible for security approval that all crew are made aware of. Too often, we’ve seen confusion among crew about whom to ask for approval, and confusion between a budget approval and a security approval. We’ve even experienced crew members fearful of asking for approval—a dangerous behavior that can lead to a lack of transparency from the start. Better the devil you know than the devil you don’t.

Productions are bound to discover new tools that have yet to be evaluated. When evaluating, the first step is understanding the business purpose of the application. Studios may become aware of a software tool after it is already in use by crew, or the review process may not be fully completed by the time a production expects to start using the application.

So if the tool were to fail the evaluation, what are the implications of immediately preventing its use? Is the crew left with no option but to continue to use the application? Is the crew left with even worse options, security-wise? Or, if there are good alternatives, how do you transition the crew onto the preferred tool? To answer these important questions, it is essential to fully understand why, when, and by whom the application is used.

Once the business purpose is identified, clear compliance requirements can streamline the review process and give software vendors guidelines on how to remediate any issues quickly. Initial reviews are often conducted in high-pressure situations, with crew usage put on hold until completion. The most successful implementations begin as a partnership between the studio and vendor and include a designated point person to coordinate between the vendor, the crew, relevant business units, and the security teams tasked with evaluating the software. This point person can take a holistic view while evaluating the software to understand its likelihood to increase or decrease business risks. By having a complete view, they can also determine whether larger partnerships and integrations can be helpful to effectively manage user access control and prevent data duplication to disparate systems.

Content protection (Advanced three-ring binder?)

There is a cognitive dissonance when it comes to thinking about keeping content stored in physical form safe, versus keeping digital records safe. Little thought is given to the content protection of a production binder (three-ring binders that crew use to store photos and production notes). Crew-written notes in a notebook don’t usually fall under the purview of a studio technology group.

While a three-ring binder may not be accessed by an external hacker in a different country, there are huge limitations to physical pen and paper in terms of content protection. You can’t set a three-ring binder to be read-only, you can’t see a log of every person who has seen that three-ring binder, and you can’t set permissions on which individuals can see certain pages. An advanced three-ring binder content protection system would be a sticky note that says “KEEP OUT.”

Let’s take a look at several examples that highlight the true risks and limitations of content stored in physical form. On shoot days involving extra cast and background characters, additional “day players” will be hired for the day. In the costume department, “day players” are required to take hundreds of continuity photos and notes. Without a digital solution, these notes will be written in binders and the photos often taken on personal mobile devices. Not only can this become a logistical nightmare to compile all the notes and photos, but at the end of the day there is no way to revoke access. Production is left with little control over those photos. How do you know if they’re shared with unauthorized outsiders?

We’ve also witnessed more alarming procedures by crew members who do not have a digital alternative. For projects that have not adopted SyncOnSet, it has been surprisingly common practice for crew members to print sensitive costume fitting photos or continuity photos at a local print shop. For major tentpole feature films ($100M+ budget), this is a significant gap in content protection.

In another extreme example, a crew member was fired in the middle of production. This person, upset with losing their job, stole the entire production binder, leaving the remaining crew with no roadmap for continuity or record of work already complete. With a digital, cloud-based system, a crew member can’t simply walk off with the only copy of critical production data.

As new technologies are implemented to digitize what was once on paper, novel security innovations are leading to greater protection of studio content. For one major studio’s highest budget tentpole film ever, there were concerns over crew and day-player access to pre-release costume and set photos. SyncOnSet and the studio partnered to develop watermarking on all continuity and set photos taken by crew members, a new level of content protection that could never be possible in a three-ring binder.

Data retention (The dog ate my homework!)

The importance of data redundancy is unfortunately often overlooked until a tragic loss is experienced first-hand. On several occasions, productions have adopted SyncOnSet only after such catastrophic occasions. One particularly significant loss involved the crash of a FileMaker-based program used to track purchases within the costume department. This desktop-based software was responsible for managing over $3 million in purchases for the costume department. When it crashed, it set the team back days and much of the information simply could never be recovered or recreated. With so much at stake, productions should not allow the dog to eat their homework.

The benefit of cloud solutions is the ability to protect against hardware failure by utilizing multiple physically separate data centers in parallel. For example, using a provider like Amazon Web Services, data can easily be backed up to multiple secure data centers in each region as well as distributed across geographically separate regions. In addition, large enterprise cloud providers offer high availability, redundancy, business continuity, disaster recovery, and incident management far greater than single industry-specific providers.

The Holy Grail: Perfect security

While perfect security will never be fully realized, significant improvements can be (and are being) made with the collaboration of studios, software vendors, and production teams. At the end of the day, everyone has the same goal of making a successful film and mitigating risks along the way. So when evaluating systems and determining how to keep data safe, it’s important to take a holistic approach.

Click here to download the entire Spring 2016 M&E Journal