Cyber Security - A DAM Issue

After visiting the recent Henry Stewart DAM (Digital Asset Management) conference in New York, Gary Olson asked some very difficult questions of Cloud vendors regarding security. Their responses may surprise you.

The term DAM has become a little ubiquitous, sort of like AI and Blockchain and is used as a descriptor for a lot of different technologies and services. This event focuses on the asset management needs for the enterprise, a much broader spectrum than the broadcast and production industries. There are a greater number of DAM vendors and products serving the enterprise community than we see at broadcast industry events and the enterprise community looks at asset management with a different perspective. There was an outgrowth of document management.

As mixed media and multiple types of content (text, spreadsheet, PDF, presentations, images & video) became commonplace and all-digital, there is a need to manage it all with permission and protection. Some of the challenges are similar, tracking and managing digital content or archiving digital content. However, there are considerable differences in the types of content and how it is digitally born, these encompasses creation, acquisition, production and distribution. In enterprise, version control and sharing are at a different level based on the types of content shared and collaboration, i.e. text docs, presentations, spreadsheets, etc. The assets are transported between users, across multiple storage environments and the content is often embedded in multiple asset types. This is a bit like how b-roll footage is used as elements in post- production!

Cyber Security

Getting back to the conference, one of my primary reasons for attending this event was to see how the enterprise DAM folks were handling cyber security and threat protection. The majority of vendors were claiming either a cloud or hybrid offerings. Not so different than the broadcast vendors. It’s getting very cloudy and everyone thinks that solves all the issues – NOT!

I did my own little informal poll on how the vendors were addressing security. The typical first response I received was “it’s not really an issue because we are in the cloud and browser accessed”. This is a misnomer. While we all want to believe the cloud providers are doing an excellent job in security, we forget that getting to the cloud or from the cloud from an endpoint (PC, Tablet or phone) is typically over an open Internet connection. One of the more interesting aspects of going to the cloud is the breaching of the “walled garden” attitude in managing security.

Vulnerability Questions

Browsers are very vulnerable connections and expose the endpoint to threats and breach. An asset is acquired or created on the endpoint, possibly interacting with removable media or attached storage or heaven forbid – downloaded from another web service. It’s a good thing the enterprise runs network and endpoint threat protection, and most likely web scanning for any online services or products. So my question was “if the DAM is browser accessible” does the threat product, that is the device protecting the browser and assets, need to be disabled or are there exceptions? And does that expose the endpoint to other threats?

That typically caused a head scratch and a response like “ Hmm, hadn’t thought about that”. The next response was also” I need to speak to our team and get back to you”. I found that a little encouraging. There were at least two vendors that had initiatives working to address this.

Cyber threats are not only against file-based content but also against streaming or live content that uses networks. They’re all targets and susceptible which impacts contribution, distribution and live events. There is an increasing number of “live” cloud services appearing, this adds a new layer of complexity.

Interoperability Questions

I am on a cyber task force for a live sports organization where we are discussing best practices that can be implemented during live events and won’t have any performance impact or introduce latency to the live event. We have been having some interesting discussions with vendors asking how “interoperable” their products are with common threat vendor products, that is, the software products that protect browsers and media assets. The responses have been a little mixed with regard to whether their product will allow threat products to “co-habit” and operate on their products, or if it’s on the roadmap for future versions. All the vendors acknowledge that most, if not all of their clients are asking the same questions.

One interesting note was during one of the vendor calls. It was revealed that a number of broadcasters insisted that their endpoint threat product be installed on a device that is typically found in live events, and that it should have been implemented and operational for about a year. The vendors’ senior tech was unaware that their product had already been field tested and worked with the threat protection. This was after the task force was being told by the tech that his company had this on their roadmap, but no threat products had been validated. OOPs!!

Bring In Cyber Experts

One of the things continuing to baffle me is the apparent unwillingness, or reluctance, by the entire broadcast industry to reach out to the threat protection industry and bring them into the conversation. The enterprise vendors are actually the same. If everyone agrees cyber protection is important, then how about bringing in the experts, explain the concerns and requirements and give them a chance to offer solutions.

The performance challenges are not unique to the media industry. The financial industry has many of the same performance and security issues. I would be very surprised if they were not interested in getting involved in the conversation. We had a similar experience with the network and computer vendors and got that worked out reasonably OK.

Getting back to the DAM cyber threat issue. Considering the number of trade organizations and committees focusing on new standards, technologies and services, shouldn’t the same effort be put into protecting the operating environment we work in and the valuable assets we create? 

Editor’s Note: Gary Olson has a book on IP technology, “Planning and Designing the IP Broadcast Facility – A New Puzzle to Solve”, which is available at bookstores and online.

Let us know what you think…

Log-in or Register for free to post comments…

You might also like...

5G And Live Production

This past summer the NBA did a little experimenting using 5G and mobile phones to cover their summer league. This is not User Generated Content (UGC) by any means. It also was not an off the shelf deployment of 5G…

Cyber Security Is An All Industry Issue

Cyber security impacts everyone and every industry. One unifying comment from cyber security experts is the bad guys are mostly winning. The good guys are fighting the good fight and we each need to do our part. One of the…

What Is The Role Of NMOS In ST2110 Adoption?

At the recent IBC conference, vendors were showing ST2110 compatible products. The IP pavilion was there to demonstrate how it all works nicely together, all interoperable, etc. There were sessions to introduce and provide the information and knowledge to implement…

User Generated Content Or Reporting In Real Time

We all understand what it means when someone says a video went viral. It typically means a person used a mobile device to record an event and posted it to any number of social media websites. How does that have…

Nine Pitfalls Of Relying On FTP To Move Large Media Files

Broadcasters are continuing to adopt and take advantage of IT working practices as they transition to file-based workflows. However, some seemingly effective solutions are outdated, have not kept pace with advances in computing power, and are unable to efficiently transfer…