The pandemic has seen a shift to remote working for many production and post-production companies and visual effects facilities. What does this mean for cybersecurity? In the second article in this series, Groundwire Security CEO James Bourne explains how to minimise risk in remote working and distributed workflows.
During the initial stages of the pandemic in 2020 and during the various lockdowns of 2021, I polled several facilities that I had previously worked with regarding how they had responded to COVID-19. It was abundantly clear that most facilities were underprepared.
The critical area of deficiency from a cybersecurity standpoint was that facilities did not have workable business continuity plans that catered for a pandemic. Facilities fell into three categories:
- Business as Usual. These facilities already had a virtual workforce and/or remote working technologies in place, plus a mature cybersecurity response allowing the business to continue to operate normally.
- Underprepared. These facilities took a few months to adapt to new remote working. This typically involved a steep investment in infrastructure and systems to “pay their way out”.
- Vulnerable. These facilities had operating environments and/or budgets that didn’t allow remote working in the short term. Many of these facilities shut down or ceased operating temporarily. Some literally told employees to take equipment home to continue working and then devised distributed/remote workflows.
The intervening 18-months have seen the following:
- There has been a reduced reliance on the physical, centralised facility model and corresponding workflows
- Remote working has become normalised
- There has been an acceleration in the adoption of B2B and B2C SaaS and cloud-based solutions to assist in filling workflow gaps
- We have seen the migration of workflows to infrastructure deployed in the data centre or on cloud services such as AWS and Azure
- There has been rapid adoption of content owner sanctioned distributed workflows that include the use of remote reviews and SaaS-based project and asset tracking.
These new workflows create new cybersecurity risks and challenges that need to be addressed, understood, and treated.
Secure remote working
So how do you secure remote work environments? Content owners have provided remote working guidelines and the Motion Picture Association (MPA) is preparing an update to the Content Security Best Practices (CSBP). As a facility owner or production manager, you need to be fully aware of the risks associated with remote working and develop an approach to safeguard content. Here’s what you should consider doing:
- Clearly define what remote working is permitted and how that work occurs. Seek guidance from your clients as they will help you define those requirements
- Ensure the business has the necessary cybersecurity and production completion insurances in place
- Appoint a security team to oversee remote working. This team will be responsible for defining policy and procedure, and rolling out infrastructure and systems to meet those remote working needs. This team will need to develop an education program and agreements between the facility and the employees working remotely. Your business is going to have to develop an incident response plan to respond to content theft or loss and have procedures in place to ensure those events are reported promptly to your clients
- Define precisely where content is permitted to reside and how long it can reside at a remote location. Content should never be stored in anything other than fully sanctioned storage repositories that are owned, secured, controlled, and operated by your facility
- Consider and define the physical remote working security requirements. What are the minimum remote working standard /expectations that your business is willing to accept? Some facilities use work hubs in preference to permitting work from home (WfH). This allows smaller groups of employees to work together in a collaborative environment that ensures consistent physical and digital security. Alternately, your facility may require the WfH area to be fully segregated from the rest of the employee’s residence. This is to ensure on-screen content cannot be easily viewed and audio cannot be overheard
- Determine how the WfH device (e.g. laptop or workstation) is to be managed. Carefully consider whether personally owned devices are appropriate. Devices should be locked and with minimal administrative privileges to avoid unauthorised software installation. Consider digital watermarking software. If VPN is in use, ensure multifactor authentication (MFA) is used. Alternately, consider the use of virtual desktop environment (VDI) to avoid having content stored on the local WfH device. Ultimately, your facility will need to have complete control of and visibility into the work being carried out on the WfH device.
Pipeline security
You need to examine how your pipeline is constructed and secured. Tools and techniques designed for traditional monolithic pipeline operations may not work or scale well in a remote working environment. Specifically:
- Consider carefully where production content and assets reside. Choose production and asset management platforms such as ShotGrid and ftrack Studio that support “isolation feature sets”. This will minimise the possibility of unauthorised content access and content leak or loss
- Define precisely who has access to systems and under what circumstances. Ensure you have auditable authentication systems and/or identify and access management (IAM) systems in place. These systems should enforce encryption and strong credentials including MFA
- Ensure you have mechanisms in place to verify the identity of your remote workers –who is really using the keyboard, tablet, and mouse? For example, newer laptops offer logins via built-in facial recognition or consider other verification techniques such as Windows Hello, which utilise PIN codes and biometrics instead of traditional usernames and passwords
- Carefully control the SaaS sprawl. It’s easy to sign up for a myriad of Internet-based services and then lose track of who has access and why the service was set up in the first place. Work towards a standardised and managed usage model that incorporates granular employee access rights
- Ensure you fully disclose to your clients where their content will reside. Disclose all SaaS and cloud systems that your facility uses to store, process and handle content. Ensure those platforms have been audited/approved by the content owner or other industry bodies such as the CDSA and TPN. Seek permission from your clients to use those systems at the outset of your project rather than being forced to retrofit a client preferred pipeline / toolset / workflow late in the piece
- Understand your obligations regarding data sovereignty. Whilel that offshore remote render platform might tick all the right boxes – will your client allow their intellectual property (IP) to be stored in a region with weak/non-existent IP protections?
- Ensure your environments are performant, dependable and reliable. Your on-premises storage system will have a known performance quotient. There’s no guarantee that the same performance can be replicated in a cloud environment. Further, performance is irrelevant if the service cannot be reached due to poor communication options and lacklustre uptime
- Be fully aware of your data breach escalation obligations who to inform from a regulatory and contractual perspective. Many facilities in Australia don’t realise that they must report data breaches that involve personally identifiable information to the Office of the Australian Information Commissioner (OIAC). Further, SaaS and cloud-based services are not immune to data breach and data loss. Ensure you complete your due diligence before committing to any platform or service and that you have a robust data backup and recovery plan
Be aware of the risks
You need to be hyper-vigilant regarding assessing risk when utilising remote working and SaaS/cloud services. Specifically:
- Cost Control. The regulation and control of cost in cloud environments is challenging. It’s easy to scale, but that comes at a cost, whether additional per-seat licensing or CPU hours. Further, these costs can persist well beyond the production lifecycle. Ensure you fully understand the cost model in advance. You may also need to factor in the possible loss of creativity and innovation because of cost containment in pay as you go environments
- Content Access. The controlled access to content and ensuring a chain of custody on disparate work at home environments, cloud and SaaS platforms is paramount
- Disaster Recovery. Ensure you have workable disaster recovery plans in place to accommodate the loss of access to systems during critical delivery points in your project. For example, you might be delivering today, but AWS, and implicitly, ShotGrid is offline – what is your “Plan B”?
- Technical Resources. Cloud and SaaS platforms may require you to hire employees with specialised technical skills. These skills are in demand and may be difficult to procure. Don’t assume you will be able to hire DevOps and SecOps staff in a timely manner to build, manage and operate your platform
Managing risk
To help our customers reduce risk, Dell Technologies constantly references industry best practice architectures and initiatives. As individuals we manage risk daily. For example, when we drive a car or flying in a plane. When it comes to your business, understanding and mitigating risk may take a backseat to relentless production demand, compressed schedules, and tight budgets. Many of these challenges have become more pronounced due to the stressors induced by the pandemic. Risk has expanded from the confines of your facility or studio to the home environment of each remote worker.
The use of SaaS and public cloud services present more risk. Production hubs or remote shoots come with their own associated hazards due to transient and impermanent systems and configurations. Short term thinking may lead to poor technology and governance decisions that may result in a broader attack surface.
So how do you best identify and plan for potentially risky business activities or events? The best way forward is to first define your workflows, including any geo-distributed elements. Then assess risk based on scenarios with negative outcomes and incorporating the type, likelihood and impact of a specific event occurring. Your environment may limit your options, but there are steps you can take to understand and treat risk:
- Understand the amount of risk that your organisation is willing to accept in the pursuit of its strategic objectives
- Ensure you have risk frameworks and standards that focus equally on human, policy, and procedural components as well as IT systems
- Confirm that any vendor, supplier, or individual working for you adheres to your security requirements
- Understand the minimum viable data set people or systems should be able to access to complete your production
- Determine whether VDI should be used to avoid storing data locally
- Incorporate necessary insurances into your overall strategy as a method of risk transference
- Consider solutions that incorporate flexible consumption models if your project demands are uncertain or hard to define. Dell Technologies APEX is one example of a fully managed service that scales based on your project needs and is designed to minimise project overcapitalisation and cybersecurity risks
Alex Timbs, Dell Technologies Business Development and Alliances Manager – Media and Entertainment
Read the first article in our cybersecurity series, ‘GRC: Cybersecurity governance, risk and compliance’, here.