Secure remote access to the newsroom has long been possible, but rarely has it been convenient or easy. However, that was before COVID-19.
The pandemic has had a transformative effect on broadcasting. As lockdown announcements first began filtering out, editors, producers, and facilities managers had to make quick decisions about which newsroom production tasks could withstand a transition to the home office.
Talk to senior technicians in the industry, and it becomes clear that some organizations found this transition easier than others. But, almost without exception, they recognized that it was feasible to move newsroom production remote. As Mohamed Fares, Head of Broadcast Technology at Qatar TV, told Avid's Making the Media podcast, "If COVID taught us anything, it's that we can accomplish a lot of the work that we do on-site by being off-site and just giving most of our people remote access."
As the pandemic begins to recede, it's inevitable that broadcasters will review which aspects have worked well and which still need to be improved. In the wake of rising cyberattacks, it's probable that guaranteeing remote access security will be priority number one.
The trade-off between convenience and security has existed for some time. Yet as new working circumstances emerge from the pandemic and more people work remotely while accessing on-prem systems, there's no longer room for one or the other—both security and convenience must be prioritized.
Security Is a Shared Responsibility
Going into an assessment of secure remote access, it's vital to remember that there is no room for complacency at any stage of the workflow. After all, as Microsoft Senior Program Manager Joel Sloss remarked in Avid's Security Best Practices for Cloud News Production webinar, "The moment you say you are impenetrable is the moment you have already been hacked."
Security is never the sole preserve of one department. It's always a shared responsibility. A good first step, then, is to ensure that the lines of communication between IT and production departments are strong and well-defined. Bringing people together to determine an approach where everyone feels comfortable will bring advantages in the long run, although it's still wise to expect one or two bumps in the road.
"There's always this conflict between us as the broadcast technology department and the IT people who have a traditional IT foundation," said Fares. "We're trying to give our users more usability, access to more functionality from home . . . trying to make it more seamless. And then you have the IT folks who are specialized in security saying, 'Listen guys, we need to find a more elegant way to get things done, because there are these security concerns.'"
It's important to note that a secure remote access connection itself does not automatically make everything else secure. The products you are connecting to also need to have built-in security features from the start. Putting in place a collaborative framework makes it easier to implement such security by design principles. With this approach, organizations devise and formalize infrastructural development in such a way that security is embedded into every facet of system design and delivery. With an exponential rise in remote access contributions on the horizon, any infrastructure developed now without these principles may invite problems later on.
Security by design—an approach Avid follows for all of its products—also makes adjusting to changes in production infrastructure more seamless. At present, many newsroom production systems are hosted on-premises—but use of the cloud is on the rise. In the not-too-distant future, it's likely that many organizations will operate a hybrid model, combining the benefits of on-premises and cloud-based platforms. In turn, the need to be clear on where responsibility resides for different aspects of the workflow is only going to become more acute.
With the cloud, for instance, it's essential to be sure where the responsibility of the service provider begins and ends. "[The customer] needs to know what it can count on from the provider perspective, and what they are responsible for [themselves]. There is nothing worse than that gap of, 'We think you've got it,'" remarked Avid Chief Information Security Officer Dmitriy Sokolovskiy during the Security Best Practices webinar.
The Pragmatic Approach
Moving from strictly limited system access to wider accessibility is going to raise concerns for any broadcaster. There is a lot to be said in favor of a gradual, phased rollout like the one undertaken by Qatar TV over the course of 2020.
As Fares recalled during the Making the Media podcast, the first version was "extremely restrictive—users weren't able to do much because there were too many security constraints. Then we started working with our information security department to make sure that the solution was secure, but at the same time was a bit more flexible, [ensuring that] it provided more end-user functionality from home."
Adopting this kind of approach not only ensures that everyone stays onboard with the new methods, it also makes it easier to identify potential problems and guarantee that the necessary safeguards and redundancies are in place. A pragmatic implementation yields capacity to ensure that remote team members are developing good habits, from password behaviors to local security settings and beyond.
Bear in mind that there will always be difficult decisions about what is and isn't an acceptable risk. In an increasingly complex cybersecurity environment, these conversations are bound to become even more challenging. As Sokolovskiy points out, "risk assessments and threat modeling" are critical but are not necessarily about "closing every gap—instead, it's about the gaps that can be closed in the most cost-effective way."
Planning for Recovery
The tremendous flexibility that news teams have experienced over the last 18 or so months means that there will be no going back to regimented on-site working practices. Almost universally, though, there is going to be an impetus to shore up the new approaches and make sure they are resistant against all threats—however simple or complex. As difficult as it might be to think about, every team needs a plan of action in case the worst happens.
As Sloss remarked during the recent webinar, organizations need "layers and layers of not just technology but policies and processes that will protect you when things go sideways. Then, if ultimately something does go wrong, you have to know how you are going to recover and how [a recurrence] can be prevented in the future."