APCPS: Convergent Panel Explores Challenges of Cloud, App Security
Operating in a hybrid or cloud-native environment with third-party components involves many moving parts, and achieving the best security posture can be challenging – especially if your organization is providing a web application as part of the service, according to Convergent Risks.
“There’s been many more cloud” and Software-as-a-Service (SaaS) applications that have “come on the market in the last couple of years, and each has their own unique setup,” Mathew Gilliat-Smith, EVP of security consultancy Convergent Risks, said April 23 at the Anti-Piracy and Content Protection Summit in Las Vegas, during the panel session “Cloud and Application Security for the Studios.”
“There’s lots of different configurations … and security can be quite challenging,” Gilliat-Smith said during the session, which featured various industry representatives who are living the journey.
“I think that the real reason” why it’s so challenging is “because you have to kind of configure for each scenario,” he said.
“Once you’ve built an application, security falls into two parts,” he noted. “The first part is following the best practice. And the second part is testing. And you can’t really do one without the other because there’ll be unknown vulnerabilities that occur.”
He used a seatbelt analogy to help explain it: “So you can drive from L.A. to New York without a seatbelt and you’ll get there and be fine, no issues. [But] best practice says wear a seatbelt and, to the manufacturer, set an alarm so if the seatbelt isn’t worn, it buzzes so that if you do have an issue, then you’re going to survive more likely.”
Shifting to cloud and application, he said: “The sorts of things that typically don’t work very well [are] sometimes that people don’t have vulnerability and management tools in place.”
Additionally, there’s “no formal training so the people who are actually running these applications aren’t formally trained,” he pointed out.
Convergent Risks has been doing security assessments for several years, along with site assessments with the studios, and then the Trusted Partner Network (TPN) came along and started doing those assessments, he noted.
Meanwhile, “obviously, there has been a drive to migrate to cloud, and therefore we’ve been doing the application and cloud assessments for the last couple of years,” he said, noting TPN announced an extension of its program to include cloud applications.
Members of the panel session “have been through assessments with us,” he said, and he asked them to discuss their experiences and the kinds of trends they’ve been seeing.
Tridib Chakravarty, CEO and president of unstructured data management specialist StorageDNA, noted that his company offers data management solutions which cover backup, archive, multi-site and data sharing collaboration, and is now “integrating cloud into all of that.”
Rick Soto, SVP, global IT and security at media services company Pixelogic, noted that his company handles localization, dubbing, mastering and digital cinema services, adding he oversees a lot of the content protection within the organization, both in-house as well as with its partners.
Vlado Struhar, product manager of QTAKE advanced video assist software at developer IN2CORE, pointed out that QTAKE is a special application for filmmakers, noting his original profession was film director.
“QTAKE was born out of my necessity to have some kind of a tool to use on set as a decoder playback but also for many other aspects of on-set control,” he told viewers.
The software is helping to “transform [the] regular video village into the remote video village,” he said, explaining: “With our application, you can stream the video from set to remote locations or even access clips and metadata [and] collaborate on clips.”
Gilliat-Smith asked Struhar how his company makes sure that people are not pretending to be someone else by sharing passwords.
Struhar responded that his company requires ID and requires the user to be authenticated, adding: “Filmmakers are not used to it, so of course there’s a pushback. But there’s no other way to ensure that you’re streaming to [the] correct target.” At the same time, his company tries to make the platform as friendly as possible.
Once the user logs in on a mobile device, they get a “key” for authorization and “we allow you to watch content on that device,” Struhar said. Then, “if you want to authorize a second device, you can do that as well but … login is required,” he explained.
While big Hollywood studios require these steps, QTAKE is also used by “many independent productions where this security level is not required,” Struhar said, adding: “We have the whole security built on layers. So every production gets to choose their level and they can say, ‘okay, we are mandating two-factor authentication because this is a huge blockbuster movie,’” for example.
Even if such security is not mandated, the user can opt to be “security conscious” and make it more secure by, for example, turning on “two-factor authentication,” he said.
Also on the panel was Jason Deadrich, CTO of media fulfillment services provider Vision Media.
The 2022 Anti-Piracy and Content Protection Summit was presented by Richey May Technology Solutions, with sponsorship by Convergent Risks, NAGRA, Verimatix, BuyDRM, EZDRM and Vision Media. The event was produced by MESA, in association with the Content Delivery and Security Association (CDSA); the media partner for the show was Piracy Monitor.
To learn more about CDSA visit: https://CDSAonline.org