In the world of media, the cloud is opening new possibilities to support remote work and connect distributed teams. But with security a major consideration for all productions, what are the best strategies to employ to ensure your content stays safe?
In this episode, we debunk some of the myths about cloud security and challenge the premise that on-premises security is always a better option.
Listen to Hear:
- The issues to consider when deploying media workflows in the cloud
- The importance of shared responsibility between the cloud provider and the customer when it comes to security
- Strategies to consider when faced with a security breach
Our Guests This Episode
Alexandra Borchardt, Lead Author, EBU News Report
For the last 25 years, Joel has been on the razor’s edge of enterprise IT and security. He originally joined Microsoft in 1997 after having served as a Technical Editor for Windows NT Magazine, where he authored more than 100 articles and product reviews, contributed to several books, and annoyed many hardware and software vendors. While at Microsoft, Joel has managed product lines ranging from BackOffice to ISA Server, mobile services, and—more recently—security & compliance initiatives in the Azure engineering team. Also during this time, Joel wrote numerous white papers on topics such as data protection, network security, secure management, architecture fundamentals, and policies and processes. His focus now is on the Digital Media & Entertainment industry, its compliance objectives (such as security certifications), and privacy needs in the public cloud. Joel has been on the CDSA Board of Directors since 2016, was the [cloud] Technical Advisor for “Bobbleheads: The Movie” (2020, Universal Pictures), and is a frequent presenter at industry conferences.
Strategies like assumed breach, penetration testing, regular logging, and threat detection—those become your best allies in an ongoing security strategy. -Joel Sloss, Microsoft Azure
Mentioned in This Episode
Making the Media S1E15: Do You Trust Me?
Find out how Project Origin is working to authenticate content
Craig Wilson: Hi, and welcome once more to the Making the Media podcast. I'm Craig Wilson, and I'm delighted you've joined me for the latest episode.
If you work in the media, you'd need to have been hiding under the most enormous rock in the world not to have noticed the incredible expansion in interest in the use of the cloud. From over-the-top distribution, to archiving, to full-on solutions for editing and storage such as Avid | Edit On Demand, to remote working, to disaster recovery and business continuity, transferring workflows from on-premises to the cloud is an ongoing hot topic in the industry. But one thing is clear: While the cloud as a workflow enabler has the potential to be transformative, security remains paramount. It was always the case with workflows in your building, but is even more contentious when considering the cloud.
To tackle these issues, I spoke with Joel Sloss, Senior Program Manager with one of the world's largest cloud platforms, Microsoft Azure. Joel has spent more than 25 years on the cusp of enterprise IT and security and is now focused on the digital media and entertainment industry, its compliance objectives, and privacy needs in the public cloud. I began by asking him when he meets with customers interested in deploying in the cloud, what were their biggest concerns around security?
Joel Sloss: I would say that there are a couple of different vectors that people are concerned about. One is obviously protection of content while it's in the cloud and while it's being worked on, and the other is a bit more of a mechanical issue of how they get their content; whether it's just dailies or live streaming to production staff or, you know, how to handle content once it’s in the cloud. You know, those tend to be the major worries.
Since we're talking about security here, then obviously, what happens to that data as it's being manipulated? Because, you know, the pre-production leaks are probably among the most damaging. And so that's where you really need to focus on locking down your environment, having access controls, having encryption…
CW: So, there's a list of things, clearly, that people are concerned about. How do you then go about working with them to allay those kinds of concerns? What are the kinds of steps that Microsoft can take to say to a customer: “Look. Yes, there are challenges here, but everything you want to do is achievable and can be done.”
JS: Yeah, probably one of the first things I hear is “can I trust it.” Trust tends to be the biggest thing that people are concerned about. When content stays within their four walls—for instance on a local storage array like an Avid NEXIS—people feel a lot more comfortable because they feel that there is this crunchy perimeter around it that's going to prevent unauthorized access or theft or damage.
But moving to the cloud, suddenly it's in an environment that the studio or the production no longer controls. So, you know, where we start from within Azure is building trust from the platform up, and then, you know, that trust comes in not just how people feel about a cloud deployment, but what is visible and what's tangible to show that their security requirements are being met. And then we do that through fundamental ways that Azure itself has been built; layering on top of that, security services like Azure Defender or encryption. You know, even with software storage solutions like Avid NEXIS in Azure—giving you visibility into how that's managed, how it gets accessed, what levels of protection are on it, whether it's ACLs, or identity controls, or basic encryption.
And then, we show the guidance. We show the automation and the tools that a production can use that’ll protect their content end to end. Whether it's showing, through the tools, how you can have a VPN, or an ExpressRoute link that's going to protect content as it's in transit to the isolated subscription environment that you configure and that you deploy your tools in, so that the user, whether that's in a studio environment or production or an individual artist, always has the visibility into how data is being used and what's going on as far as what that isolation is and how it is being protected end to end.
CW: You raise a couple of interesting points there, Joel, that I think would be good to explore a little bit. The first one is: It's clear from what you've said there that this is something which is a shared responsibility. It's something for which the customer has to have a responsibility, and obviously the cloud provider has to have a responsibility as well.
So where do those kinds of boundaries lie? Because I guess you have to be pretty clear about where those boundaries actually sit.
JS: Yeah, shared responsibility is probably one of the hardest things for customers to come to grips with. You know, 'cause again, let's go back to where film production came from. It's a camera, it's a memory card, it’s a storage array that's sitting in your office sometimes. And it’s easier when you can wrap your arms around it, and then you know you can feel responsibility and accountability, and you know who you hand that content off to.
So, there's this confusion in, you know, when I'm putting data into somebody else’s facility that, “Oh! Azure's got all these certifications? That's great. I don't have to do anything.” And that's really not the case.
Shared responsibility means that the same kinds of things that you do for your own local data and the protection of your environment, you still have to do in the cloud. Your subscription, your tenant definitely has a lot built into it, ranging from the physical security of a data center, through data handling mechanisms that exist within individual servers and storage arrays, so those are the kinds of things that you don't have to worry about because that responsibility is ours. But when it comes to your tenant, your private storage space, these are things where you still have to do the same things that you would in your own IT stack. You've got to set controls on it; you have to deal with encryption; you have to deal with monitoring and logging and alerting to know who's doing what, when, how, where. And I think that that tends to be forgotten because it's complex.
In a lot of cases on a smaller production, they don't have somebody who has that expertise. So, understanding that crossover is really, really, important, and it's not a set it and forget it type of model.
CW: Yeah, and I think the other thing to pick up on is, again, something that you said, where, I've spoken to a lot of customers as well. They raised the kind of concerns that you've kind of outlined there, and there is something that they feel that if something is on-premises, you know, as you say, you can wrap your arms around it, you've got a degree of control around it. But in reality, someone could walk into a server room with a thumb drive, plug it into a machine, export media out of it, walk out the door. And also, in terms of the pandemic, people have been using the sneakernet to shift drives around to get stuff around, as well.
So, I think, to an extent, and if you would agree with this, that there's perhaps a false sense of security about how secure things are in an on-premises environment. And perhaps they’re overly concerned about what can happen in the cloud. Because, to my mind, if the cloud providers don't have security, they don't have a business, because it's so fundamental to what goes on. So, I'm interested in your views on that.
JS: Yeah, there are so many opposing viewpoints and belief systems in place. It's a little bit like the old battles between Windows and Linux about what's actually more secure and how much control is there over the code, and people thinking that because Linux is open source and you can do whatever you want with it, you know, there's more people working on the security. And, you know, certainly in those days, it couldn't be further from the truth. So, you know, what we see happening is that assumption of protection again when you have physical possession of that asset—whether it's physical or data. But, if anything, this pandemic has set people back a few years because you had the physical control over machines and cameras and cards and drives and, you know, I think the industry was coming to terms with making those security mechanisms stronger—as simple as encrypting a drive.
But now, with everybody working from home, like you said, people are just going back to driving it over to their colleague’s house and handing something off OneDrive rather than putting it into a secure storage volume that is sitting at the studio. And now we're having to drive this forward in a more considered way of having that architecture in mind and understanding going into it, what role security plays.
The mentality of having something on a physical device… it doesn't really apply in the cloud and the assumption that you have a physical device being secure was never true in the first place, because, like you said, somebody can just walk out with your drive. Somebody could pick up a whole one of those LaCie stacks, or they could grab a laptop at an airport and have your entire project. But using secure storage with that secure enterprise mentality… it brings that control back.
CW: Is it about threat reduction or elimination? And I guess also it’s like a moving field all the time.
JS: Yeah, it definitely starts with defense and mitigation because there’s the threats that you understand of somebody picking up your drive and walking away from it. But, you know, there’s only so much even that defense can do. You know, you have a lock on the door, but the moment you open that door, what if somebody runs in and… you don't actually have a lock on the door on a physical set, and so somebody can walk in and take it.
The analog of that still exists in the cloud, so if we go back to your previous question about “Is something trustworthy? Is something safe once you put it into somebody else’s storage environment?” The defense becomes part of a strategy that does include mitigation, and something that probably gets overlooked and demolished, and that's your assume breach profile. Because even in your IT environment, you can't be guaranteed that there is nobody else listening in. We see that with all the ransomware attacks and breaches and content leaks even from trusted individuals within a company—whether it's purposeful or accidental.
So you can't take any one of these concepts in isolation and assume that it's really going to, you know, give you what you need. Defense in depth dictates that there is reduction defense, there is identification of threats… there's a whole life cycle that takes you from understanding to defending, to mitigating, to dealing with a breach and recovering from it. And it's those later stages that are going to protect your business.
You look at the big ransomware attacks right now—when you get hit, you feel like totally game over. But if you have good strategies in place before then so that if you have detection, you have policies and systems in place that kick into gear when something happens, and some of those systems and those mechanisms come way before a breach. Do you have backups? Same thing applies in a media environment as in a bank or utilities company. If you've got daily backups and you test those backups so you understand that the date has good data that's going to your offsite storage, whether that's the cloud or physical facility, then, when you get hit, at most, you might lose a day's work. If you're doing multiple incremental backups during the day and you’re only having to wind back to images or to data that had been recorded 12 hours ago, 24 hours ago, and so your mitigation strategy then goes into a recovery strategy.
“Minimize the blast radius,” as you know, is what they call it, so that you can get back up and running quickly. You haven't lost a lot of work. And that certainly helps with things like ransomware. But theft of data is obviously a little bit more difficult to deal with, because if you've got a persistent threat, somebody is slowly leaking all of your content out the door and you don't really notice that it's happening, that's where strategies like assume breach, penetration testing, regular logging, and threat detection—those become your best allies in an ongoing security strategy.
CW: Yeah, I mean, trust is such an important aspect of this, and actually something we've spoken to a number of different people about on the podcast. One thing I wanted to ask about is, is cloud security for media any different to cloud security for other industries, or is it essentially the same?
JS: You know, everybody feels like they're special, and that “My content is more important than anybody else’s… There's more money riding on it,” you know. And certainly in M&E, there's billions of dollars at stake. I remember there were studies being quoted a few years back, but on a tentpole release, a pre-production leak—especially of the whole title—you know, could be $60-70 million hits to the box office. Now, with streaming, I don't know how much that's accurate anymore. I'm not an expert on market analysis when it comes to theatrical release, but there is an assumption, I think, that one industry has more valuable data or better protection than another.
I think the challenge really that M&E suffers from is maturity, relative to things like government or finance or health care, where, because lives are on the line, they have to be on the cutting edge of security, strategy, and innovation. M&E tends to, you know, take a slightly longer view. It takes longer to adopt technologies, particularly at the enterprise level, and then the microcosm of spinning productions up very quickly and then spinning them back down six months later… it does make it more complex to maintain security because environments aren't stable.
So I would say that yes, you know, M&E has challenges that some other industries don't. But the way that you protect yourself—that's the same. It doesn't matter what kind of data you're dealing with. And media can learn a lot from the way these other industries do things and can use automation and tailor it to the kind of workflow that's being used, whether it's editorial or visual FX or more common post-production processes. Your security is going to come from how you understand your data, and its importance, and what you are doing to protect it. Rather than having this global view of “Am I more special than anybody else?”
CW: When it comes to working with, say, multinational organizations—because clearly there are very large organizations that are deployed globally and probably want to take advantage of the cloud because of some of the benefits that it can bring to those kind of organizations—do people often raise concerns as well, though, about actually where the material is in terms of the different data centers and how it's being shared around? How do you deal with things like that?
JS: Well, it's interesting in data handling today, in ways that really weren't there five and certainly ten years ago. Privacy standards that exist internationally do throw some roadblocks because a production doesn't deal with just camera data. You've got all of your HR materials and billing, and day-to-day operational data that a small or large company has to deal with that… if you're dealing with PII for crew and then for talent, and you're in another country, that data is going to have residency requirements. It's going to have privacy requirements. So, now you've got the sensitivity of, if there's something that's identifiable to an individual, it has to stay in country. So, do you have a data center there that you can use? In a lot of cases, especially with Azure, we do have data centers in all the right places. But if you then transfer that content to somewhere else in the world, it may be stuff that you're not even allowed to put on the wire, and code exfiltrated from its resident location.
CW: So, one thing, obviously, over the course of the last couple of years, I know within Avid, we've seen it get a huge explosion of people wanting to explore the use of the cloud. For lots of reasons—people working from home, distributed teams, and all of those kinds of things. So I'm interested in your own view, Joel, of what you've seen over the course of the last 18 months or so from Microsoft about people looking to try to get into these kind of cloud environments. Have you seen a big explosion of interest in it?
JS: Absolutely, and it's almost hard to keep up with. Take an example of Teams—as soon as everybody was stuck at home, the requirements and the capacity need just exploded and it took a little while. For M&E, I think to deal with that may be longer than some other industries because enterprise environments… they tend to already have that infrastructure and that capability in place. They just didn't have a scale. Because people could work from the road, people could dial in from home if they were sick, something like that. But you didn't have everybody now dialing in and trying to do this at the same time.
Media did not have the infrastructure to do that. So, there was this mad scramble of figuring out how to get access to physical facilities. If your edit bay was at the studio location, now you can't go in there and use that. How do you set a VPN from somebody's home into the corporate or the studio environment in order to get that data? How do you start transferring back and forth if now, you've got to install Media Composer on your local workstation at home, but all of your stuff is on an Avid NEXIS sitting at the production office?
Initially, people weren't concerned about cloud, they were just like “Oh my God. How do I keep doing my job?” Then, as things started to calm down and they started learning about it: “OK, there are some other tools that we can use.” Then the interest in cloud started to change from “Well, can I store my stuff there? Can I trust it? Well, I have to trust it, because this is the only way I'm going to be able to get my job done.” To “How can we be efficient and productive doing this? Can everybody get access to it?” And so the conversation started the shift of “Can I do actual production in the cloud? Do I have the color depth and the integrity and fidelity of the data—is my workstation experience going to be sufficient?” And just like with video calling, the consumption of that capability exploded almost overnight with the need of being able to do remote desktop, not now to a physical workstation at the studio, but to a virtual workstation being hosted in the cloud. And we went from people just not even thinking about doing that, to now, this is their lifeblood of being able to exist is having access to the computer power and storage that they can share, because now people really are scattered around the world.
I worked on a project over the last couple of years with a studio called Threshold Entertainment on a movie called Bobbleheads where it really was global contribution. Artists were in Nepal, they were in LA, they were sharing data through an Azure data center, they were doing their rendering in Azure, sharing editorial files back and forth within Azure storage, instead of trying to mail drives or some things through email or on a consumer share. And because that technology already existed, it was just a matter of adapting to it to give now capabilities to remote artists that just didn't exist before, and certainly people weren't really thinking of before. So your basic question of did interest and uptake suddenly change? Absolutely. It was a motion that existed before that then just got kicked into hyperdrive.
CW: There's a lot of things to think about and consider, there's no doubt about that. So, as you know, there's one question I ask everyone in the podcast, so I will ask it to you. What is it when you look at the landscape, if anything, that keeps you up at night?
JS: Maybe convincing people to do the right thing. You can lead a horse to water, but you can't make it drink. And we can provide all the security tools and guidance and we can provide the platform and we can even sit down and show somebody how to do it, but maintaining it, that's the hardest part.
It's hard for us, as advisors, and it's certainly hard for you as a vendor or as a partner or as an artist. What I hear over and over again is “Your production budget is constrained? What's the first thing that gets cut from the bottom line? Security.” Because it's complex, people don't understand it. So, yeah, if every user doesn't consider it and take it seriously—even if it's just a strong password—then everything falls apart because that's your weak link. And if your users aren't trustworthy (and I'm not going to say that they're not), then the production needs to take advantage of the tools that will do it for you. If people can't remember their passwords and they’re writing them down on sticky notes, get rid of the password. Implement multifactor authentication so that they can put their thumb on their iPhone and log in that way. It's things like that, that the technology can enable now, that are going to be your best friend in this new remote production world.
CW: Thanks to Joel for joining me, but what do you think? Let me know. You can always get in touch on social on both Twitter and Instagram. My username is @CraigAW1969, or email us, the address is Makingthemedia@avid.com.
Check out the show notes for more information about how France TV moved some of their workflows to the cloud with Avid | Edit On Demand, and some of the aspects to consider when looking at the balance between on-prem and cloud deployments.
That's all for this episode. Thanks to our producer, Matt Diggs, shout-out to our social producer Wim Van den Broeck, but most of all, thanks to you for taking the time to listen. And if you like what you heard, why not post a review, and share the podcast with your own networks? I'm Craig Wilson. Join me next time for more Making the Media.