Cyber Security - A DAM Issue
After visiting the recent Henry Stewart DAM (Digital Asset Management) conference in New York, Gary Olson asked some very difficult questions of Cloud vendors regarding security. Their responses may surprise you.
The term DAM has become a little ubiquitous, sort of like AI and Blockchain, and is used as a descriptor for a lot of different technologies and services. This event focuses on the asset management needs for the enterprise, a much broader spectrum than the broadcast and production industries. There are a greater number of DAM vendors and products serving the enterprise community than we see at broadcast industry events, and the enterprise community looks at asset management with a different perspective. It was an outgrowth of document management.
As mixed media and multiple types of content (text, spreadsheet, PDF, presentations, images & video) became commonplace and all-digital, there is a need to manage it all with permission and protection. Some of the challenges are similar: tracking and managing digital content or archiving digital content. However, there are considerable differences in the types of content and how it is digitally born, which encompasses creation, acquisition, production and distribution. In enterprise, version control and sharing are at a different level based on the types of content shared and collaboration, i.e. text docs, presentations, spreadsheets, etc. The assets are transported between users, across multiple storage environments, and the content is often embedded in multiple asset types. This is a bit like how b-roll footage is used as elements in post-production!
Cyber Security
Getting back to the conference, one of my primary reasons for attending this event was to see how the enterprise DAM folks were handling cyber security and threat protection. The majority of vendors were claiming either cloud or hybrid offerings. Not so different than the broadcast vendors. It’s getting very cloudy and everyone thinks that solves all the issues – NOT!
I did my own little informal poll on how the vendors were addressing security. The typical first response I received was “it’s not really an issue because we are in the cloud and browser accessed”. This is a misconception. While we all want to believe the cloud providers are doing an excellent job in security, we forget that getting to the cloud or from the cloud from an endpoint (PC, tablet or phone) is typically over an open Internet connection. One of the more interesting aspects of going to the cloud is the breaching of the “walled garden” attitude in managing security.
Vulnerability Questions
Browsers are very vulnerable connections and expose the endpoint to threats and breach. An asset is acquired or created on the endpoint, possibly interacting with removable media or attached storage or, heaven forbid, downloaded from another web service. It’s a good thing the enterprise runs network and endpoint threat protection, and most likely web scanning for any online services or products. So my question was: “If the DAM is browser accessible, does the threat product, that is, the device protecting the browser and assets, need to be disabled or are there exceptions? And does that expose the endpoint to other threats?”
That typically caused a head scratch and a response like “Hmm, hadn’t thought about that”. The next response was also “I need to speak to our team and get back to you”. I found that a little encouraging. There were at least two vendors that had initiatives working to address this.
Cyber threats are not only against file-based content but also against streaming or live content that uses networks. They’re all targets and susceptible, which impacts contribution, distribution and live events. There is an increasing number of “live” cloud services appearing, which adds a new layer of complexity.
Interoperability Questions
I am on a cyber task force for a live sports organization where we are discussing best practices that can be implemented during live events and won’t have any performance impact or introduce latency to the live event. We have been having some interesting discussions with vendors asking how “interoperable” their products are with common threat vendor products, that is, the software products that protect browsers and media assets. The responses have been a little mixed with regard to whether their product will allow threat products to “co-habit” and operate on their products, or if it’s on the roadmap for future versions. All the vendors acknowledge that most, if not all, of their clients are asking the same questions.
One interesting note was during one of the vendor calls. It was revealed that a number of broadcasters insisted that their endpoint threat product be installed on a device that is typically found in live events, and that it should have been implemented and operational for about a year. The vendor’s senior tech was unaware that their product had already been field tested and worked with the threat protection. This was after the task force was being told by the tech that his company had this on their roadmap, but no threat products had been validated. Oops!!
Bring In Cyber Experts
One of the things continuing to baffle me is the apparent unwillingness, or reluctance, by the entire broadcast industry to reach out to the threat protection industry and bring them into the conversation. The enterprise vendors are actually the same. If everyone agrees cyber protection is important, then how about bringing in the experts, explaining the concerns and requirements and giving them a chance to offer solutions?
The performance challenges are not unique to the media industry. The financial industry has many of the same performance and security issues. I would be very surprised if they were not interested in getting involved in the conversation. We had a similar experience with the network and computer vendors and got that worked out reasonably OK.
Getting back to the DAM cyber threat issue. Considering the number of trade organizations and committees focusing on new standards, technologies and services, shouldn’t the same effort be put into protecting the operating environment we work in and the valuable assets we create?
Editor’s Note: Gary Olson has a book on IP technology, “Planning and Designing the IP Broadcast Facility – A New Puzzle to Solve”, which is available at bookstores and online.