The Blurring Line Between Content Security and Information Security


Protecting content is a constantly evolving challenge as the entire media and entertainment ecosystem quickly shifts to cloud infrastructure. Although content security and information security have intersected for many years, the line between them has become increasingly blurred as more of the sector shifts to digital content and the cloud, according to industry experts.

Content security and information security are “converging together and better cooperation between those two teams needs to occur,” said Christopher Taylor, director of the Media and Entertainment Information Sharing and Analysis Center (ME-ISAC), speaking May 12 at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience. 

“I’ve always felt” that information security (infosec) “teams are there to protect the company’s intellectual property, and the content is the most important of all the intellectual property the company has,” he noted during the CDSA/Trusted Partner Network (TPN) Update session “A Cultural Revolution: Content Security v. Information Security,” which he moderated. ME-ISAC operates as an initiative within the Content Delivery & Security Association (CDSA).

Therefore, “this is an important conversation the infosec and the content security teams need to have,” Taylor said.

What Abdul Hakim, DPP program delivery manager, said he’s seeing is that “clearly things are merging” now, noting that, “historically, content security and information security were considered separate things.”

However, “fundamentally content is data information, so they should be seen in that context,” he said, adding: “That realization is starting to seep into how … vendors producing products and systems are starting to develop their product… As they move to cloud, the controls are emerging and the security features are emerging, addressing that difference in how people treat content and data separately.”

“In the past,” there has essentially been a “cultural clash” between content security and information security teams, according to Ben Schofield, CDSA project manager and Trusted Partner Network (TPN) product manager. “There were the people making the content and there were people supplying the backend systems and the two were totally distinct — it was two different sets of personalities,” he said.

“But as we move into VFX and CGI, some of those things going on, it’s such a technical field that one would hope that there’s common ground there,” he noted, adding: “I think that especially with the pressures that are on productions to be more efficient, they’re highly reliant on…that data.”

When you had film stock and security specialists were protecting DVD masters “that was completely distinct from information security,” Schofield pointed out. However, “when your content is bits and bytes, it’s largely consumed on the cloud, then there shouldn’t be any distinction,” he said.

According to media and entertainment security veteran Marc Zorn, when it comes to “everybody that touches content – every company that touches content, it used to be that we would build our networks and our data centers as ‘hey we have a corporate side and we have the production side’ and there was this hard line between them, and we always had to figure out how do we make firewall rules that kind of keep the cold side cold and the hot side hot.”

However, now, with everything moving more toward the virtual space and everybody having a “kind of a blurred role to play,” there is a question about where that perimeter is, Zorn said. “We don’t know anymore. Now we have to kind of build in the way that we look at the whole enterprise as being intellectual property in one form or another,” he added.

The supply chain is, meanwhile, increasingly “what we’re reliant upon,” according to Hakim. “So, not only are we concerned with enterprise and the security of the enterprise, but increasingly we need to be worried about the security of our suppliers as well,” he pointed out, noting the domain that a media organization has to think about now is much broader than it was in years past. As a result, he said, it “becomes more complex and worrying as well because now how can you be confident that your suppliers are thinking about security in the same way that you are?”

Schofield provided a suggestion: “We need to do something that makes the production creatives understand the power that they can get if they embrace that infosec approach because I think it’s going to be much more important” in the future. After all, “the world is changing very fast, so some of the old disciplines are going to go away,” he predicted.

“The interesting discussion isn’t about what the future’s going to be,” Schofield told viewers, adding: “I think we can all make a prediction on that. But it’s how we get that transition – how we aid the reduction of that clash…. They shouldn’t be two separate worlds.”

It is important to “demand that the people that are creating the tools build in the security so that it’s not a separate line item,” Zorn said, adding: “We don’t have to do a tradeoff between the best creative tool and the most secure tool because the folks on a production, they’re going to fall in line with the best creative tool every time…. We need to raise the bar on our supply chain to make sure that security is not an afterthought where they develop a tool and then apply security to it. Security has got to be part of their development process as well.”

Zorn’s concern, however, is that creatives often want to use the easiest tools, and those are typically the ones that don’t have any built-in security, he noted.

“Fundamentally, good security needs to be there by default and not something you have to pay extra to get or buy separately,” according to Hakim.

However, if you make the security solution “too hard, the creatives will work around it” and maybe just use a different company’s solution, Schofield warned. It is kind of like when people are forced to change their passwords all the time, so they just write them all down somewhere, he pointed out.

The key takeaway for Schofield is “it’s an organizational challenge,” he said, adding: “I think, structurally, you’ve got to remove the distinction between infosec and the creative technology and you’ve got to smash those teams together. And then you don’t have that cultural barrier.”

Zorn suggested that security be made one of the things that the tool vendors are competing with each other on “to get the upper hand.” He offered the analogy that “nobody buys a car because they have really cool locks, but if there are two equal cars and one has really good, easy-to-use remote entry, you might actually tip it over in that direction.”

Also, “the earlier we can build in the security in that whole process, the easier it’s going to be in the long run,” Zorn said. His advice for the industry: “Partner as closely with the people that are creating the content to make their jobs as easy as possible. Build in the security to their world rather than trying to impose security into it.”

Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.

Produced under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this year’s Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.

To view video of the presentation, click here.