Remote workflows ensure business continuity, but they can also introduce new vulnerabilities for post-production security, a critical line of defense protecting valuable proprietary media, networked resources, and fragile industry reputations. Existing security practices are, for the most part, designed for on-premises work environments and maintained and monitored by a few trained IT professionals. However, those standards aren't always enough to keep up with rapidly evolving remote workflows.
New ways of working expose new vulnerabilities through the multitude of interconnected networks, devices, locations, applications, and cloud services they require to function. This also puts the responsibility for post-production security onto every single untrained end user working from their potentially unsecured home network.
How can teams keep valuable networks and proprietary media secure? It boils down to deeper post-production security education and an attentive approach to how cybersecurity looks different in remote access environments.
On-Prem vs. Remote Post-Production Workflows
On-premises security relies largely on physical security protocols, not all of which can automatically be replicated in a remote workflow.
Traditionally, post facilities maintained tight security by air-gapping systems from the outside world and restricting direct access to devices with locked doors and secure user logins. This physical legacy means that for most facilities, whatever remote access security measures they had in place were not a priority. As Jack Edney, the director of operations for the independent post house The Farm, noted in a 2020 interview with IBC, "The Farm can control everything within its physical perimeter, but once content ventures outside of that it is, by nature, insecure."
Basic precautions, such as multifactor authentication, are easily accessible. Most virtual private networks (VPNs)—widely relied on to connect remote collaborators to on-premises networks—function like a simple perimeter fence around the facility's existing network, allowing remote access to anyone with the right username and password. But even with these tools, a bad actor may steal genuine credentials through an email phishing attack, or the VPN could be misconfigured, unpatched, or vulnerable to an exploit; given the opportunity, an attacker can log in and waltz through the entire network unchecked.
According to the Motion Picture Association's (MPA) security best practices documentation, "all point-to-point (e.g., VPN, private fiber, etc.) connections within the organization through which content travels should be documented and reviewed for usage and business validity at least every six months, three months recommended."
Action: Any post facility operating an existing VPN in its remote access workflow should regularly ensure that:
- The VPN's security credentials and encryption meet industry standards (the MPA recommends AES-256).
- The VPN is configured correctly and disables all unnecessary ports and protocols.
- All connected users are running the latest software updates and patches.
- Multifactor authentication is deployed to all user accounts, each of which should be limited to a single authorized user rather than shared by everyone in a certain role.
But with the industry shifting toward more and more remote collaboration, are VPNs really the more secure way forward? A better model, known as zero trust, takes a far more cautious and considered approach to user access and authentication.
Shift to a Zero Trust Security Paradigm
A zero trust security paradigm essentially reverses the VPN's perimeter-based methodology: rather than trusting users with everything once they're inside, the system only gives users access to what they need. Every remote user's account authority is limited to just the systems and media resources they require to perform their job. This ensures that they, or someone hijacking their login, cannot access other critical media or networked resources.
Zero trust security protocols also deepen insight into what proves a user's identity. Rather than asking for just a correct username and password, they may include elements such as:
- Device identification
- Network address
- Port ranges
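As an added illustration (not part of the original article or of any vendor's product), the sketch below evaluates each request against a per-user grant that checks the three elements listed above alongside multifactor authentication, and denies by default. The policy entries, device IDs, addresses and resource names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One least-privilege grant: who, from which device and network, to what."""
    user: str
    device_id: str   # enrolled device identifier
    network: str     # CIDR block the request must originate from
    resource: str    # the single system or media share this user needs
    ports: range     # destination ports allowed on that resource

# Constructed sample policy; every name and address here is illustrative.
POLICY = [
    Grant("editor01", "WS-7F3A", "10.20.0.0/24", "project-a-media", range(443, 444)),
    Grant("colorist02", "WS-91BC", "10.20.1.0/24", "grade-suite", range(5000, 5011)),
]

def authorize(user, mfa_ok, device_id, src_ip, resource, port, policy=POLICY):
    """Default-deny decision; returns (allowed, reason) so denials can be logged."""
    if not mfa_ok:
        return False, "mfa_failed"
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, "bad_source_address"
    grants = [g for g in policy if g.user == user]
    if not grants:
        return False, "unknown_user"
    reason = "resource_not_granted"
    for g in grants:
        if g.resource != resource:
            continue
        if g.device_id != device_id:
            reason = "unrecognized_device"
        elif addr not in ipaddress.ip_network(g.network):
            reason = "unexpected_network"
        elif port not in g.ports:
            reason = "port_out_of_range"
        else:
            return True, "ok"
    return False, reason
```

The returned reason string is what a monitoring pipeline would alert on: a valid password presented from an unrecognized device or network is denied and leaves a record.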
A zero trust approach also considers network monitoring and response. Automated network monitoring should alert system administrators to any red flags in user logins or network activity, triggering an established procedure for responding and escalating situations to facility managers.
Action: To begin the shift to zero trust security, consider just some of the steps required to move to this paradigm:
- Survey your technical architecture and inventory existing networks, devices, cloud services, media storage, and users.
- Define an identity policy to authenticate authorized users.
- Define "normal network activity" and what it means to monitor for "bad" behavior.
- Systematically and iteratively rearchitect your post-production security as business function allows.
- Proactively monitor and respond to network activity.
If a complete shift to zero trust just isn't feasible, consider going back to some cybersecurity basics: threat assessments and security awareness training will always be critical. They address a notorious cybersecurity issue that flashy tech or methodologies just can't—the imperfect human users behind the screen.
Conduct Regular Threat Assessments (Before the Next Breach)
Regularly assessing the state of your organization isn't just helpful when you go to revamp your entire security approach; it's also great for fine-tuning and finding gaps in your cybersecurity practices. Attackers only need to find those gaps once. If your most valuable media is stolen, how do you discern what happened, who was involved, and how to stop it from happening again?
The benefit of an assessment like this—and, even better, doing so before an attack—is that your cybersecurity and remote access protection will constantly improve, alerting you to your weakest links. Every organization has to make trade-offs between business expense, operational flexibility, and level of security. Threat assessments allow for more strategic choices about where to deploy your resources.
Industry-approved assessors from the Trusted Partner Network allow both post-production facilities and their customers to validate that they meet required security standards. Particularly when securing media, implementing a chain of custody log for file transfers, access, and deletion will help to identify the source of any leaks or inadvertent access.
Subtle measures such as visible watermarking and invisible file fingerprinting also deter screen capturing or theft and provide valuable forensic information if needed. In the mass move to working from home, measures like these are even more critical to safeguarding remote workflows.
Action: Conduct regular threat assessments and vulnerability scans, ensuring that:
- Media is suitably encrypted in local and remote storage locations and during file transfers.
- Chain of custody logs exist for media management and transfers.
- Media is visibly and invisibly watermarked.
- Freelancers and employees understand screen sharing security best practices.
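One way to build the chain of custody log described above so that later edits to it are detectable is to link each transfer, access and deletion record to the hash of the previous one. This is an added example, not code from the article or from any named product; the field names, users, file names and timestamps are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" value used by the first entry

def _digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(log, ts, user, action, asset, asset_sha256, dest=None):
    """Append a transfer/access/delete event linked to the previous entry."""
    if action not in ("transfer", "access", "delete"):
        raise ValueError(f"unknown action: {action}")
    entry = {"seq": len(log), "ts": ts, "user": user, "action": action,
             "asset": asset, "asset_sha256": asset_sha256, "dest": dest,
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the index of the first altered, missing or reordered entry, or None."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        prev = e["hash"]
    return None

def custody_trail(log, asset):
    """Everyone who touched an asset, in order: the starting point of a leak review."""
    return [(e["ts"], e["user"], e["action"], e["dest"])
            for e in log if e["asset"] == asset]

def sample_log():
    """Constructed sample events; users, file names and digests are illustrative."""
    log = []
    h = hashlib.sha256(b"constructed reel contents").hexdigest()
    append(log, "2021-03-01T09:00:00Z", "ingest01", "transfer", "reel_03.mxf", h, "shared-storage")
    append(log, "2021-03-01T10:12:00Z", "editor01", "access", "reel_03.mxf", h)
    append(log, "2021-03-02T18:40:00Z", "editor01", "transfer", "reel_03.mxf", h, "home-workstation")
    append(log, "2021-03-05T08:00:00Z", "admin01", "delete", "reel_03.mxf", h)
    return log
```

A hash chain only detects edits if the most recent hash is also recorded somewhere the log's writers cannot change, such as a separate system or a periodic report to the facility manager.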
Prioritize End User Security Awareness and Education
The IT department within a traditional on-premises post-production facility typically had only one office network to secure and monitor, or maybe two or three at most. Now, the long-term shift to distributed remote workflows means managing, maintaining, and monitoring potentially thousands of unsecured remote networks accessed by dozens of devices. The more deeply end users understand cybersecurity and remote access best practices, the less vulnerable the entire ecosystem is. Cybersecurity education is critical for every staff member and freelancer.
Embracing industry standards, such as those produced by the MPA, can help establish a baseline of post-production security best practices for everyone to adhere to. These hefty documents might seem daunting in their detail and scope, but they provide a road map for rapidly improving cybersecurity and remote access capabilities.
Employees need regular education on fundamental cybersecurity best practices, such as not opening suspicious email attachments, not clicking on malicious links, and not going to untrustworthy websites. Go beyond a simple email from IT: explore ways to gamify security training and keep workshops engaging for remote staff with real-world scenarios.
Action: Conduct regular security awareness training with all end users. Meanwhile, ensure remote workspaces are adequately protected:
- Secure every home router and invest in firewall and antivirus software for remote devices.
- Use a modern, encrypted VPN for remote access.
- Partition home networks to reduce the "threat surface" of unnecessary devices and users tangentially connected to the post-production facility's network. For example, instruct employees to use their work devices on a separate network that connects remotely to on-prem environments; that way, they stay distinct from personal devices, such as Internet of Things (IoT) devices that are vulnerable to cyberattacks.
- Remotely manage software patches and upgrades and third-party software installations on end user machines.
Combine Human and Tech Elements into a Holistic Security Culture
No system is entirely secure from cyberattacks, but each line of defense adds up. Post facilities must make strategic decisions about where to deploy their limited resources to best improve their security, whether it's through a cutting-edge piece of tech or time-tested security practices.
A holistic culture of security brought on by a zero trust approach is a good North Star to work toward. The investment put into the journey will no doubt take time and effort, but improving security is always less costly in the long run than the potential loss of business after a hack.
On this journey, simple tools and foundational security strategies go a long way. Correctly configured VPNs, multifactor authentication, separating home and work networks and devices, and developing logging and monitoring capabilities such as file chain of custody logs can all help make your networks more secure.
As both the first and last line of defense, the end users who move within these remote workflows are still the most impactful element of post-production security. With the right tools and knowledge supporting them, post professionals with an eye toward cybersecurity can protect themselves and others in this new, remote-friendly world.
© 2021 Avid Technology, Inc. All rights reserved. Avid, the Avid logo, Avid Everywhere, iNEWS, Interplay, ISIS, AirSpeed, MediaCentral, Media Composer, Avid NEXIS, Pro Tools, and Sibelius are trademarks or registered trademarks of Avid Technology, Inc. or its subsidiaries in the United States and/or other countries. The Interplay name is used with the permission of the Interplay Entertainment Corp. which bears no responsibility for Avid products. All other trademarks are the property of their respective owners. Product features, specifications, system requirements and availability are subject to change without notice.