Content security and the role of a media services provider

This blog was initially published on TVBEurope

Cybersecurity should be a top priority for all media industry players. We’ve seen many cyber attacks that have affected lots of different areas, including professional and personal data, politics and people’s private lives. This is why a lot of governments and major industry players have now built strong cyber command organisations to handle potential threats. This is also critical in terms of content and the media services sector.

Many content owners are grouping themselves by region or activity to coordinate anti-piracy efforts. They are governing the security requirements for any form of content management based on strict standards addressing all aspects of security, organisation and management, physical and digital
security and with increasing reliance on certification.

Whereas in the past headend platforms were isolated, the threat model has evolved with the arrival of internet-based services, with the multiplicity of platform interconnections and widespread use of commonly used software and network tools. Premium content online enforcement programmes and new forms of security service programmes are put in place to combat the increase in content redistribution threats and video piracy.

Globecast, as a major media industry player, has put security at the heart of its global strategy. We’ve broken this down into seven key areas. The first is understanding customer context, usage and key security requirements. Understanding our customers’ security requirements and levels of expectation in terms of security features or solution robustness is the foundation for all other steps. This is usually handled by dedicated workshops/meetings addressing all aspects of security between security
experts. It’s also of primary importance to address at this level the key assets and their intrinsic security requirements.

Next is a systematic approach with continuous improvement. Security is a constantly evolving scenario with no company able to provide absolute guarantees. A risk analysis, based on approved methodologies (NIST, EBIOS-RM), is conducted for any new product or service from the design phase to solution delivery in order to identify all relevant risks and put in place technical security measures and procedures within a security plan.

Of key importance is the detection of any flaw or vulnerability and the establishment of reliable and realistic remediation plans, including regular security reviews and audits, vulnerability scanning and third-party penetration testing.

Then there’s skills and people empowerment. With security comes the necessary training and awareness sessions for our staff, and repetition is key. We need to repeat targeted communications and to have focused, practical sessions. Security is always closely linked with operational excellence.

In terms of accountability, we need to have a clear view of the accountability of actions. Any access to company IT and network resources relies on a unique identification and authentication process in order to ensure the traceability of operations. The use of generic accounts is therefore prohibited, and sensitive equipment is protected by Privileged Access Management techniques, ensuring that only authorised individuals can access IT-sensitive resources based on their profiles.

We very clearly establish security zones. These are secure network areas defined to provide a clear separation between different perimeters of trust inside information systems, thanks to DMZ-controlled zones (data exchange between internal and external networks), VLAN techniques or the use of dedicated appliances.

Robustness, critical component redundancy and business continuity plans (BCP)/disaster recovery plans are also crucial. Working on solution robustness is key to securing a system and its hardware elements, OS and software applications. Clear separation of technical environments (testing/
pre-prod/prod) and removal of unused software or by default parameters is a way to reduce the “attack surface”. Business continuity plans, together with disaster recovery, are established on the basis of risk analysis identifying the critical processes of the different activities from the point of view of security and with business priorities. The Covid-19 crisis has made the topic of BCPs far more of a reality. From the outset, Globecast adapted its continuity and recovery plans to provide service continuity to
all customers without any interruption of service or impact on operations. Several sites can remotely and immediately operate a customer’s services including varying levels of team isolation. Security governance ensures that these plans are regularly tested.

Lastly, it’s vital to challenge and regularly test security plans. People empowerment can include internal and third-party reviews, addressing all potential vulnerabilities and verifying security protocols. In addition to penetration testing or vulnerability scans, a security watch through the various Cyber CERTs (Computer Emergency Response Teams) analyse potential vulnerabilities, addressing the appropriate preventive or corrective security measures with the relevant IT and operations teams.
The different remediation plans are clearly defined and tracked.