By Jérôme Athias, Chief Information Security Officer, Dalet
Media companies are connecting across more platforms, services, and networks all the time and securing content or broadcast/streaming data has never been more important… and more difficult.
Gartner’s report, “7 Top Trends in Cybersecurity for 2022,” predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
That means you don't just need good security practices, but security done better than the most damaging cyberthreat making its way towards you.
We're going to need a whole new approach to security at the corporate network boundary, and at Dalet we embrace the principle of Zero Trust as the best path forward.
Under a Zero Trust framework, nothing is considered safe. Every incoming signal or connection is by default untrustworthy until it's rigorously tested through various security checks to ensure legitimacy or authority to connect.
The assets produced by the media sector have always been highly sensitive, subject to very strict public release dates or IP legislation. But here's what's changed: more of us are working remotely than ever. Gartner states that currently, 60% of knowledge workers are remote, and at least 18% will not return to the office. These changes in the way we work, together with greater use of public cloud, highly connected supply chains and use of cyber-physical systems have exposed new and challenging attack “surfaces.” Simply put, the multiple platforms and devices we use to connect with workplaces only give the bad guys more ways in.
These bad actors have changed too. Cybercrime is about organized data gathering rather than just underground bragging rights. They're coordinated, efficient, and getting harder to stop at the border of your organization.
As an industry, we have to work hard to keep up and need to ensure that every input or connection request complies with internal security policies, that they're running on reputable platforms or that authorized agents are using them. Otherwise, every VPN, smartphone operating system, marketing platform account or video call client is a potential threat vector.
The Zero Trust strategy
Under a Zero Trust security framework, nothing is considered safe. As a new signal or connection comes in from outside your network or organization, it’s initially blocked by default. It's then interrogated based on any possible data point you can program for – identity, location, the operating system or security profile of the device, the workload the input requests and more.
After scrutinizing every resource, any changes in configuration and network or traffic activity are continually logged, monitored, and rigorously questioned for anything suspicious.
There's also a continual standard of access based on least privilege. That means the user is given the minimum resources or access needed to do their job and no more. If they need it, any further access request is subject to the same interrogation.
Both device/access architecture and management have to evolve to adhere to Zero Trust principles, and that will involve training, awareness and the ushering in of a new security culture. Methods like password-less access and physical devices like security keys are going to become more important.
The Zero Trust practice
Imagine an editor receives an email from her production manager or the VFX supervisor asking for access to a sensitive file and happily complies.
What she doesn't know is that a specialized group has done the social engineering – figuring out who she is and a boss or senior company officer she's likely to respond to. Another has done the corporate hacking into the company's email server and sent the request from her boss' email.
Another group has written the malware to install on the network when she emails the link or credentials back, and yet another harvests her networks for sensitive information it can hold to ransom.
In a traditional network – where the editor has sent the link using approved credentials – the server would simply grant access. Under a Zero Trust model, the device used by the hacker, its location and the workload usually performed after such a request aren't known to the network even though the login credentials were cleared, so access is immediately blocked and the attempt logged.
But it's about far more than stealing sensitive files. Imagine you're a broadcaster streaming content that's interrupted or taken down through a distributed denial of service (DDoS) attack by a hacker group with a political or misinformation agenda. When online services combine live betting with real-time sport events, the liability alone could be crippling if your network or stream goes dark.
At Dalet, security has always been a cornerstone of everything we do. We consider it like the brakes of a car. You need to stay on the road and keep up the pace, and security isn't there to block that but help achieve it by spotting dangers and letting you circumnavigate them quickly and efficiently. Thus, security needs a three-pronged approach:
- People - Your own staff, as well as customers, need to have awareness and need to receive security training.
- Processes - To better respond to incidents, you need to improve processes constantly
- Technology - As technology has increasingly shifted from on-premise to cloud and external systems and providers, security must remain the most critical part of the transition.
The media business is truly global with countless different legal jurisdictions. And because data privacy law differs in each territory, different users have different regulatory requirements.
But as well as evolving along with local standards and regulations wherever they are, you need to make a practice of applying the strictest regulatory frameworks you work with (including your own).
Zero Trust is securing your borders no matter what cloud services, internet of things (IoT) or bring your own device (BYOD) policies are used to interact with your organization.
You can't take any risks with valuable media assets, but you have to expand your access rights to more players and collaborators than ever. Zero Trust provides the balance between the two you're going to need in the near future.
- Business Models
- Supply Chain
- Digital Transformation
- Rights & Legal
- Data Privacy & Management
- Security (e.g. Cyber, Encryption, Conditional Access etc)