Have the broadcast newsroom norms changed forever? When countries worldwide entered lockdown, broadcast organizations scrambled to build out support for remote broadcasting—and, despite the bumps in the road, the industry has learned that remote work is more than possible.
There's finally a light at the end of the tunnel, but that doesn't mean things are going back to the way they were. With such a big shift happening in work culture itself, now's the time for broadcasters to consider securing their networks for a remote-capable newsroom. That's where the zero trust security model comes in.
Broadcasters Are at a Crossroads
For decades, virtual private networks, or VPNs, have been the standard for giving remote workers access to an organization's network and applications. That's got to change, says the US National Institute of Standards and Technology (NIST), pointing to the expanded ways users need to access their companies' resources and a shift in attack patterns. In August 2020, NIST warned that VPNs aren't sufficient to secure the complex tangle of multiple internal networks, remote devices, and cloud services that enable a modern remote workforce. And broadcast organizations—with their far-flung teams of staff reporters, stringers, producers, and editors as well as post-production facilities and transmission infrastructure—are complex by nature.
Traditionally, broadcasters have preferred to isolate critical assets physically by keeping them in locked facilities accessed by badged personnel; most used or still use company-maintained hardware for storage and workflows. But many of these processes and procedures aren't best suited to this radically changed environment.
Rather than relying on VPNs, NIST recommends a move to the zero trust security model. If you're in the process of making your operations more secure, consider that Gartner estimates that 60 percent of organizations will have adopted a zero trust security posture by 2023.
VPNs or Zero Trust?
VPNs use a model known as perimeter security. They're like a security guard or physical access control system at the entrance to your building. The idea is that everything inside the perimeter is considered safe. Anyone working outside the network uses the VPN to penetrate the perimeter. The assumption with VPN security is that anyone with the proper login credentials is a good actor—which doesn't account for compromised user credentials or other threats from inside the network perimeter.
This is where a zero trust security strategy can help. Unlike VPNs, a zero trust security approach assumes nothing: everything is considered a potential attack. Only by evaluating multiple factors on a per-access basis can you determine that access is both authentic and authorized.
Rather than giving every remote user the potential to access every part of the network, each person can log in to only the applications and services they are authorized to access in order to do their job. Access can be based on roles or context. For example, a freelance editor could access a media asset management system from her home network, but if she logged in from a coffee shop, she'd need an additional layer of authentication, such as a code texted to her phone.
Zero trust architecture protects against insider and external attacks in ways a VPN can't. Once an employee with bad intentions or a hacker gets onto the network via a VPN, they have the potential to steal data and content. These lateral attacks are difficult to mitigate with only a perimeter strategy. Compare that to a finer-grained zero trust architecture, where access is determined based on multiple data points (for example, identity, role, devices, network and port ranges, etc.)—the need to authenticate for every service highlights errant access attempts much more quickly, blocking out that bad actor before they can take harmful actions.
Decision Points for a Distributed Broadcast Workforce
Aside from security, VPNs aren't always sophisticated enough to manage a highly distributed broadcast workforce and all the freelancers, contractors, and partners that need to collaborate. Bandwidth can be an issue with VPNs for remote work. Media asset management and collaboration tools have increased workflow efficiency, but they also create the need for more bandwidth. If you're supporting all that traffic via VPN, your costs could rise. One way to increase the security of a VPN is to only allow company-provided devices access. However, if you're used to a bring-your-own-device policy, supplying laptops and smartphones could prove pricy.
On the other hand, VPNs might be necessary in the short term—particularly if you need a quick means of expanding your existing infrastructure for remote work. The biggest advantage of maintaining security via VPNs is that you probably already use one or more.
The Zero Trust Journey
Implementing zero trust takes time. It's not a technology like VPNs; it's a model that requires architectural changes—a different way of planning your IT infrastructure, assets, and business workflows. Making the shift involves coordinating with all your software, hardware, and SaaS vendors. This doesn't mean you have to throw out your entire infrastructure and workflow to achieve zero trust as remote broadcasting becomes the new norm. Many of the things that help with a zero trust security posture may already be used in your organization. Adopting a zero trust security model is an iterative process, with each step building on the previous one.
1. Survey your technical architecture
The most critical step is the first: take stock of the core business assets that need to be taken into account with a complete survey of users, devices, services, and data assets. In a zero trust model, it's important to know what your assets are and the aspects of security that should be applied to each.
2. Define an identity policy
For these assets, define who has access and how you'll ensure they are who they claim to be. This is more than just usernames and passwords. How do you identify a friendly device? What about freelancers and bring-your-own devices? What about applications and services that make API calls? The goal here is to develop a policy for identity and authentication—what data points do you need to be confident that an access request is legitimate rather than an attack?
3. Create a strategy for defining good behavior
Define what good health looks like across devices, applications, and user behavior. This may include implementing controls for managing and monitoring the network, devices, and applications, so you know you are running known, valid hardware and software. Use a combination of factors you know and have control over to gain confidence that a request originates from a legitimate source. For example, don't just rely on simple credentials or device MAC addresses, which can be spoofed; combine these with additional factors, such as only using encrypted communications backed by verifiable certificates and enhanced authentication frameworks, such as OAuth. Understand what normal user and application behavior looks like, so that any request via a different path stands out as unusual—for example, would a request from a different network segment during out-of-office hours raise a red flag?
4. Systematically and iteratively re-architect
This is where strategy gives way to execution. With each iteration, add more fine-grained levels of security. Imagine your new business infrastructure like layers of an onion: implement authentication and authorization at each level. Use network segmentation and your new access controls to minimize the potential for lateral exploits. Don't trust the network; assume it is already breached and you have to reduce the potential for damage.
5. Proactive monitor activities in your network
The aim is not to realize a breach has happened when it is too late, but to assume a breach is imminent and you have to limit damage. Deploy devices and applications that support zero trust strategies and integrate into your new security infrastructure. Focus attention on those devices and services that tend to be most targeted, and have your security infrastructure use as many of the previously identified data points as is necessary to be confident in the legitimacy of every access attempt.
Adjusting to the New Security Normal
There are two key aspects to this new security normal. First, the perimeter of your network is no longer a valid security gate. The diversity of ways that users need to access company resources and assets means this approach is too simplistic for the way we work now. Second, assume that you have already been breached. The goal of a zero trust strategy is to deny the attacker from further access while simultaneously allowing legitimate access for verified users so they can do their jobs. This change of perspective is necessary to deal with an evolving threat landscape.
A massive change in working patterns in the last year has highlighted the challenges with remote access and security approaches. The good news is that zero trust has been proven for around a decade. For broadcasters still relying on VPN, maybe it's time for a rethink.