NOVEMBER 16, 2023

Cybersecurity for broadcasters is a key focus for Avid

Security-9 1862x1040

Cybersecurity for broadcasters, especially those creating news content, faces a double whammy. The rise in remote and cloud workflows means that security must now be applied on-premises, in the field, and at home. Then there’s the increase in cyber breaches, ransomware, and other attacks, making security even more complex and critical. Avid places a paramount focus on security to protect its customers and employees, and community. To shed light on industry trends, and Avid’s vital work in this area, Shailendra Mathur, Vice President of Architecture and Technology, and Yuriy Litvak, Director of Information Security, share their expertise.

“The rapid growth of the content creator community and the growing decentralization of the workforce presents an escalating challenge encountered by all security teams, particularly in light of the pandemic,” Litvak says. “The ability to provide secure channels for organizations to collaborate is critical to supporting timely delivery of content to consumers.”

Security for news content vs. other media forms

Basic security mechanisms must be in place regardless of whether an organization is a post house, a news group, or other media company. But the needs of news organizations differ from others. News, by definition, is distributed, collaborative, happens fast, in real-time, making remote cybersecurity for broadcasters even more critical than in other media segments.

“There cannot be too many constraints on the workflow, so the security constraints have to adapt to the workflow,” Mathur explains. “You can’t ask a journalist to work only inside a facility. You have to have mechanisms where they can securely bring content in from wherever they are.”

Also unique to news is the ability to authenticate news and detect fake news. According to Mathur, it’s an accepted paradigm that it’s now easier to authenticate a reliable news source than to verify whether or not it is fake.

“There have been methods of establishing provenance using invisible watermarking in our products and workflows that are available through some of our technology partners,” Mathur says. There is a need to establish provenance and authenticity of content other than video and audio, e.g. text-based stories and scripts.”

To that end media industry vendors established the Coalition for Content Provenance and Authenticity (C2PA), to create a mechanism to validate content.  Avid is in the process of joining this coalition.

“The impact of news on the everyday choices of individuals, institutions, and governments is profound. With the proliferation of content by an increasing array of influencers, ensuring the authenticity, validity, and fact-checking of the news we consume has become a challenge,” Litvak says. “Elevating the security of content to preserve its confidentiality, integrity, and availability stands as a crucial priority for news organizations. Upholding these aspects is not only about protection and reinforcing relationships with advertisers, and maintaining a strong foothold in the market, but also about fostering trust with the public.”

Increasing threat of cyberattacks

Leading global news organizations continue to pay close attention to information on emerging cyber security threats. They are incorporating standards published by government organizations like NIST (National Institute of Standards and Technology) and CISA (Cybersecurity and Infrastructure Security Agency) and NGOs like CSA (Cloud Security Alliance) and MPAA. Additional regulations from SEC and FTC are also bringing new scrutiny to cyber security programs of public companies, making the focus sharper.

"Cyberattacks are a worry for everybody, not just news organizations, although they are a bit more vulnerable than post- production facilities because of their remote workflows,” Mathur comments. “The top one has been ransomware. We have unfortunately seen post and news broadcast enterprises affected. Apart from prevention tools, these enterprises are also putting in recovery mechanisms using our products such as MediaCentral | Sync to back up their asset and content for disaster recovery purposes.”

Approaches to security

Several distinct security approaches help media companies protect their assets.

“Different companies have taken different approaches,” Mathur says. “Some security compliance standards we and our customers like to use, follow the maturity-based model using checklists and best practices. While we must make every part of our operations and products mature when it comes to cyber-security threats, the risk-based approach allows us to prioritize the efforts.”

A maturity-based model refers to a framework or system that assesses the level of maturity or advancement of an organization's security practices. It helps organizations evaluate their current security posture and identify areas for improvement, set goals, track progress in all of their operations.

A risk-based approach implements security measures based on an assessment of potential risks and vulnerabilities. It involves identifying and analyzing potential threats, evaluating the likelihood and impact of those threats, and then implementing security measures that are proportionate to the level of risk. It helps media organizations prioritize security efforts and allocate resources effectively to protect assets and information.

The risk-based approach uses threat modeling to identify and assess potential threats and vulnerabilities that could impact the security of media content. It involves analyzing assets, systems, and processes and identifying potential threats and their impact. This helps in developing appropriate security measures and strategies to mitigate threats and protect media content.

Avid security by design measures

Avid employs a security by design concept involving Secure Software Development Life Cycle (SSDLC) which means that security measures are incorporated into the design and development of new media workflows, systems, and processes from the start. This allows for the application of industry best practices throughout the entire process and proactive detection and remediation of security issues. Security is also embedded into Avid’s Product Life Cycle Management (PLCM) process, establishing check gates in each phase to keep security in focus.

Avid utilizes industry-leading tools to continuously test products for possible vulnerabilities throughout development. If vulnerabilities are discovered, Avid has several mechanisms in place.

“Security is baked into our program management with responsibility for performing threat modeling and before shipping validation,” Mathur says. “They are standard tools used during development for vetting security vulnerabilities in code, but also for configuration management, and for open-source vulnerabilities.”

Operating system security updates for Windows and Mac OS are monitored with different levels of urgent responses for updating software. If it’s a high security vulnerability, then the response is quick. If the risk can be tolerated, then an update happens with the next software release.

When customers detect vulnerabilities in their environment, Avid takes action.  Avid posts a regular security bulletin informing customers of any changes due to new vulnerabilities that may have been discovered in its products or independent operating systems. In some urgent cases when a worldwide security event happens, Avid customer support (CS) teams actively communicate the impact of the vulnerabilities to customers. The security bulletin is maintained on Avid’s website and can be accessed here: https://avid.secure.force.com/pkb/articles/en_US/troubleshooting/en239659

“Being one of the leading vendors in their segment, Avid has a responsibility to ensure that our products are built with security embedded and by design,” Litvak says. “The same goes for our organization, which in the last four years has grown its cyber security posture and maturity as part of an established information security program covering both enterprise and product security.”

Protecting content today

Media organizations are implementing a variety of security tools and processes with new options being introduced.  

  • The use of traditional network security like VPNs rose in popularity during COVID as more people went remote and continues today
  • Encryption converts data into a coded form that can only be accessed with a decryption key
  • Well controlled identity management and access controls provide granular access to systems and content.
  • Multi-factor authentication goes beyond traditional password control to increase verification of identities. Single-Sign-On makes it convenient to reuse authentication across multiple systems and applications.
  • Watermarking embeds unique identifiers into media files to identify unauthorized distribution or piracy sources
  • Zero trust architecture assumes no user or device should be trusted by default, regardless of location or network connection. It requires strict identity verification and continuous monitoring of all users and devices accessing a network or system, to prevent unauthorized access and reduce data breach risk
  • Secure storage and backup using secure servers or cloud storage solutions. Regular backups are also performed to prevent data loss
  • Network security measures, such as firewalls, intrusion detection systems, and secure VPN connections
  • Employee training and awareness to educate employees about security best practices and potential threats, and create a security-conscious company culture

Sharing responsibility 

Cybersecurity for broadcasters is a shared responsibility because it involves multiple stakeholders, including media organizations, content creators, and technology providers. Each one has a role in ensuring media workflow and content security.

The cloud offers significant advantages for solving long standing information security challenges. In an on-premises environment, organizations likely have unmet responsibilities and limited resources available to invest in security, which creates an environment where attackers can exploit vulnerabilities at all layers.

Security imagery 1

Attribution: https://learn.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility

The diagram above is from a Microsoft Azure article. This diagram shows the contrast between a traditional situation where the customer owns the infrastructure compared with infrastructure provided by a cloud provider. In the traditional approach many security responsibilities are unmet due to limited resources. In the cloud-enabled approach, you are able to shift day-to-day security responsibilities to your cloud provider and reallocate your resources.

In the cloud-enabled approach, you can also leverage cloud-based security capabilities for more effectiveness and use cloud intelligence to improve threat detection and response time. By shifting responsibilities to the cloud provider, organizations can increase security coverage, allowing reallocation of security resources and budget to other business priorities.

“Back to the team game concept,” Litvak says. “You are only as strong as your weakest link. Working along a set of common standards, like NIST, MPAA, EBU, etc., allows broadcasters and vendors to speak the same language when it comes to security.”

In a white paper on Shared Responsibility for Cloud Computing authored by Microsoft, similar to many other cloud providers, the shared responsibility model shown below illustrates what aspects of security are owned by customers, and which by cloud providers.

Security imagery 2

Attribution: https://azure.microsoft.com/en-gb/resources/shared-responsibility-for-cloud-computing/

“What such a model leaves out is the role of independent software vendors (ISVs) like Avid who provide SaaS products or Managed Services to the end customer,” Mathur explains.

The diagram, below, created by Mathur and presented at media security events, now includes the security responsibility of the SaaS product provider and contrasts their responsibility with that of the infrastructure provider and end customer.

Security imagery 3

“In an on-premises datacenter, you own almost the whole stack. The broadcaster is responsible for the security of equipment used on site. As you move to the cloud some responsibilities transfer to the SaaS, or managed services provider like Avid. Avid in turn leases the infrastructure from the cloud vendor. Security now becomes a a three-way responsibility,” Mathur explains. “In addition to cloud adoption, adopting SaaS-based products provides further advantage to end-customers in reducing responsibility, but also the risk burden,” Mathur explains. “This is due to the ISV SaaS providers taking on several aspects of security risk mitigation responsibility of the application layer, with the backing of cloud providers.”

Security imagery 4

News Production Solutions

Discover More

MediaCentral – the backbone of our news and media solutions

Find out more
  • © 2024