It’s important for media and entertainment companies to take a multi-pronged approach to data security, according to Martin Mazor, chief information security officer (CISO) at Entertainment Partners (EP). Taking that approach across an organization’s internal and cloud systems, to ensure IT administrators are governed and protected, requires leveraging a variety of methodologies.
“One of the things I’ve learned over the years is, particularly in the security world, there’s tons of things going on: all kinds of threats and risks and attacks and everything else,” he said May 17, speaking during a breakout session at HITS Spring: The Hollywood Innovation & Technology Summit.
“But what’s really important?” he asked rhetorically during the session, called “Mission Critical: CISOs’ Endless Quest for Data Security.” The technical session was designed to be a primer on developing and executing an application testing strategy and integrating it into the development lifecycle, according to EP.
Mazor said at the summit: “The number one most important thing is the foundational model …. You’ve got to get the basics right. There’s advanced capabilities, advanced threat dynamics and everything else that goes on in the world of security. But if you don’t have the basics done, you’re not doing it right. So, when we think about security, we want to think about it in a very smart, thoughtful way.”
There are three core areas involved in protecting data, each of which is a key area of focus for EP’s security program, Mazor said, noting he has more than 20 years of experience as a CISO at multiple companies.
The first of those core areas of focus is encryption, he said, adding: “Everybody knows what encryption means and what it does. But how do you do it at an enterprise, in a big volume way? How do you do it from a policy perspective? How do you do it from an integration perspective? It is not simple. Anybody who says you just [plug in] a tool and you’ve got encryption is wrong.”
Meanwhile, “one of the key concerns in the IT world is protecting administrative privileges,” he said, pointing out that companies typically “give the keys to the kingdom to our IT folks.” He added: “Maybe sometimes it’s outsourced or it’s internal.” But companies are granting access to these IT people, so they can do their jobs, and that’s something that must be monitored, he said.
The third key component of EP’s security program is “integrating and testing security in the development lifecycle,” he went on to say.
Volume file-level encryption provides a “much broader” degree of protection, according to EP, which stresses the importance of protecting all kinds of data, whether structured or unstructured. “Log files are a huge risk” because many of them have “all kinds of data in them,” including passwords, according to the company.
One significant issue that must be considered is that hackers can be in a network for “a couple of months before they do anything” and before security can detect it, Steven Lam, senior information assurance architect at EP, told the summit. Therefore, it’s important to manage abnormal behaviors that can be unseen for such long periods of time, he pointed out.
HITS Spring was produced by the Media & Entertainment Services Alliance (MESA) and the Hollywood IT Society (HITS), in association with Women in Technology: Hollywood (WiTH); the Content Delivery & Security Association (CDSA) and the Smart Content Council. The event was presented by Entertainment Partners, with sponsorship by Expert System, LiveTiles, Microsoft Azure, Ooyala, Veritone, Amazon Web Services, Avanade, Avid, IBM Security, MarkLogic, Aspera, Light Point Security, MicroStrategy, SAS, Scaeva Technologies, Western Digital, Brainstorm, Zaszou IT Consulting and Bob Gold & Associates.