NAB 2017: ISE Talks Threatscaping; Box Looks at Cloud Security


LAS VEGAS — Ted Harrington, executive partner for Independent Security Evaluators, used his time at the Content Delivery and Security Association (CDSA) Cybersecurity and Content Protection Pavilion April 24, during the NAB Show, to talk “threatscaping,” a term that got a few chuckles from those in attendance.

But it’s no laughing matter: many media and entertainment companies are applying a uniform security model to their business today, without making any distinctions between different content creation functions. In short, they’re not threatscaping their various workflows.

“It centers around the idea that uniform security models are not effective when you consider the unique characteristics of different workflows,” Harrington said of the term. He said media and entertainment companies should examine their workflows, not as to how they will result in the best business outcome, but rather looking at it from the perspective of an attacker: how can it be exploited, what weaknesses exist?

The different lifecycles of a piece of content — from previz to home entertainment distribution — present different challenges when it comes to workflow threats, and you can’t approach the threats associated with the distribution of dailies the same way you would the threats associated with theatrical distribution, said Eli Mezei, senior consultant with Independent Security Evaluators.

Part of what content companies must be cognizant of is the vendors they’re working with, the quality control steps associated with the various workflows, and the various needs associated with pay TV vs. theatrical vs. physical disc distribution.

“Every single one of those boxes has their own independent workflows, independent approval process, independent QC process,” Mezei said. Replicators need different workflow threat assessments than a theatrical distributor, he stressed.

Both Harrington and Mezei suggested that part of what can be improved on in better securing content workflows is better communication between content owners and vendors.

Meanwhile, also at the Cybersecurity and Content Protection Pavilion, Crispen Maung, VP of compliance for Box, shared his thoughts on how advances in cloud computing have helped increase efficiency and elasticity — creating new business models — while also forcing security professionals to confront new cybersecurity risks that didn’t exist before.

“When cloud computing first came about, there was no forethought about security at that time, it was all about the features involved,” he said.

That obviously has changed today, and data protection has become more complex, with Box approIMG_1647aching data protection in two main ways: data security, fundamentally protecting the data involved, and making sure organizations have the right protections in place to deter threats; and data privacy, addressing that when content and its associated metadata is uploaded into a cloud environment, it’s treated with the upmost care.

“How is an organization using the metadata associated with the content uploaded into the cloud? Cloud providers must have the right protections in place to ensure data privacy and data security,” Maung said. “The right controls must be in place to make sure nothing inappropriate is done with that data.”