Larry O’Connor, Founder and CEO, Other World Computing
John Tkaczewski, Co-Founder and President, FileCatalyst
Mathew Gilliat-Smith, CEO, Fortium Technologies
Pierson Clair, Senior Director, Cyber Security & Investigations, Kroll
Michael Kammes, Director of Technology, Key Code Media
James DeRuvo, Editor-in-Chief, DoddleNEWS
Male Voiceover: The Digital Production Buzz is brought to you by KeyFlow Pro, media asset management software, designed to meet the needs of work groups at an affordable price.
Larry Jordan: Tonight on the Buzz, we are looking at data security. As more of our business and media assets move online, what can we do to protect them? Tonight, we talk with the experts to learn more.
Larry Jordan: We start with Larry O’Connor, the founder and CEO of OWC. Larry has strong opinions on the cloud and how to keep our files secure. You’ll definitely want to hear his opinion, especially about encryption.
Larry Jordan: John Tkaczewski is the co-founder and CEO of FileCatalyst. They specialize in keeping files secure when they are in transit, moving from one server to the next. He shares his thoughts on making sure your files transfer quickly and safely.
Larry Jordan: Michael Gilliat-Smith is the CEO of Fortium Technology. They make Media Seal, which protects files during production and post, using high speed encryption. Tonight, he explains what their technology does and how it is used.
Larry Jordan: Pierson Clair is the senior director for cyber security and investigations for Kroll. Pierson investigates enterprise level data breaches and tonight shares his ideas on what we can do to keep our computers and media secure.
Larry Jordan: Michael Kammes, director of technology for Key Code Media looks at real world techniques we can use to improve our security. Sometimes common sense is more important than high tech.
Larry Jordan: All this, plus James DeRuvo with this week’s DoddleNEWS update. The Buzz starts now.
Announcer: Since the dawn of digital filmmaking, Authoritative: One show serves a worldwide network of media professionals. Current: Uniting industry experts. Production: Filmmakers. Post-production: And content creators around the planet. Distribution: From the media capital of the world, in Los Angeles, California, the Digital Production Buzz goes live now.
Larry Jordan: Welcome to the Digital Production Buzz; the world’s longest running podcast for the creative content industry, covering media production, post-production and marketing around the world.
Larry Jordan: Hi, my name is Larry Jordan. Last night my wife sent me a text, a co-worker clicked on an email supposedly from DELL informing her that her computer had a problem. The problem wasn’t her computer, but that the email wasn’t from DELL, it was from a hacker who stole her credentials and then stole all her data. These data theft stories are becoming all too common, and for those of us in the media industry, when you combine the need to keep unreleased media secret, while moving more of our business online, all without any kind of dedicated IT staff to help us navigate the minefield of network security, well this creates a perfect storm, resulting in data theft and loss.
Larry Jordan: When it comes to digital media, security looks at files two ways. Files at rest and in motion. Files at rest are stored on a server, or hard disk. Files in motion are in transit from one server to another. The security needs of each of these is different and we’ll talk about both of these tonight. There is hope however as you’ll discover on tonight’s show. Most hacks are not caused by ultra sophisticated tech bad guys, but stupid thinking on our part. Sometimes it’s complacence, sometimes a lack of knowledge, and sometimes just not verifying the link we’re about to click. Tonight, you’ll learn a variety of techniques that you can use to keep your data secure.
Larry Jordan: By the way, before we start, I want to update one of our interviews. I talked with John Tkaczewski two days ago. This morning, FileCatalyst announced that NBC Olympics, a division of the NBC Sports Group, selected FileCatalyst to transfer event footage at accelerated speeds as well as facilitate remote production workflows for their production of the 23rd Olympic Winter Games in South Korea. This is very exciting news, and I congratulate John on their selection.
Larry Jordan: Now it’s time for our DoddleNEWS update with James DeRuvo. Hello James.
James DeRuvo: Happy Thursday Larry.
Larry Jordan: And a wonderful Thursday to you, it is good to hear your voice again.
James DeRuvo: And likewise.
Larry Jordan: What have you got for us?
James DeRuvo: It seems that we can’t go a week without a new camera announcement. Everybody has to put out a camera, and Arri has announced yet another addition to their Alexa line, the Alexa LF. It comes with a full 4.6K sensor that fits somewhere in between the Alexa 65 and the Alexa SXT W. It’s got a native resolution of 4.6K at 2.39:1, or 4K at 16:9 shooting ARRIRAW in Open Gate mode. 14 stops of dynamic range, and it also comes with eight neutral density filters that you can manually insert and it’ll give you frame rates of up to 150 frames per second.
Larry Jordan: Well what do you see as Arri’s strategy with this camera?
James DeRuvo: I just think they’re rounding out the Alexa line, adding a beefier sensor to a smaller camera with a lighter footprint. If I had to guess, I’d say that this is designed for those shooting documentaries out in the field that’ll give them a lighter camera that’ll enable them to shoot better images, so they’ll get more bang for their buck.
Larry Jordan: Alright, that’s the newest camera from Arri. What’s next?
James DeRuvo: Blackmagic updated their hardware and software twice this week.
Larry Jordan: Twice?
James DeRuvo: They’ve got firmware updates with bug fixes and support for the new URSA broadcast camera, plus RAW import from Sony’s CineAlta line and the Panasonic VariCam cameras get better metadata translation. DaVinci Resolve also got improved support for Dolby this week. Multi camera viewer performance has been improved, and there’s faster ProRes encoding, and they have streamlined support for their new Fairlight audio application. It’s a huge amount of updates in these two firmware improvements.
Larry Jordan: Well James, two updates in one week is a pretty fast response.
James DeRuvo: Indeed. And they were planned updates as well. Many of the new features were the result of user feedback. Blackmagic is that kind of company that just loves to listen to their core clientele to make their products better. Hardware or software, it just doesn’t matter. They want a good idea wherever they find it.
Larry Jordan: OK Blackmagic Design got two new updates, both hardware and software. That brings us to our third story, which is?
James DeRuvo: Break out your mobile phone because Moment Lenses is having a short film competition. It’s called the Moment Invitational Film Festival and they’ve invited ten high profile YouTube creatives to showcase a lot of their work but they’re holding a competition to find the 11th filmmaker to be featured in this first annual invitational film festival. Those interested need to submit a three minute short film, shot on your mobile phone, with the theme of suspense, and the winner will get a share of over $75,000 in gear, cash, and prizes and an all expense paid trip to New York to be featured at the film festival.
Larry Jordan: Well James, what do you see as the significance of a film festival that’s geared toward mobile phone users?
James DeRuvo: Mobile filmmaking is really hitting the mainstream with filmmakers these days. Even Steven Soderbergh just wrapped his latest feature that he shot on the iPhone 7, and even the Oscars are taking notice. So with a filmmaking contest like this, it’s pretty clear that nobody has any excuses any more for not going out and making something. As Ansel Adams once said, the best camera is the one you have with you.
Larry Jordan: Ah, those are very true words. Alright, that’s Arri, Blackmagic Design and Moment Lenses. What other stories are you following this week?
James DeRuvo: Other stories we’re following include DJI’s next Mavic drone may have a huge one inch sensor. Facebook sees an opportunity to poach several content creators during YouTube’s Adpocalypse, and the Disney Fox deal may be in a little trouble with the Feds.
Larry Jordan: Where can we go on the web to read these and all the rest of your stories?
James DeRuvo: All these stories and more can be found at doddlenews.com.
Larry Jordan: James DeRuvo is the Editor in Chief of Doddlenews.com and joins us every week with a DoddleNEWS update. Thanks James, talk to you next Thursday.
James DeRuvo: See you next week.
Larry Jordan: When you can’t find your media, you need a media asset management solution, KeyFlow Pro. This simple but powerful software is designed specifically to help you organize, track and find your media. Whether you work alone or as part of a group, its intuitive user interface helps you easily store, sort, search, play, annotate and share your media using team based shared libraries over a network. Its wide range of features is all at a very affordable price, and with the new 1.8.3 update, rescanning is up to ten times faster. Plus, KeyFlow Pro is integrated with Mac OS notifications, enabling you to collaborate faster and smarter all in real time. KeyFlow Pro is available in the Mac app store, or get a 30 day free trial at Keyflowpro.com. KeyFlow Pro, simple, elegant, and surprisingly affordable.
Larry Jordan: Larry O’Connor founded Other World Computing which is also called OWC in 1988. Their website which you may know better, is Macsales.com. OWC is both a reseller and a developer supporting all things Mac for gosh, a long time. Hello Larry, welcome back.
Larry O’Connor: Hey, thanks for having me back Larry.
Larry Jordan: So Larry, tonight we’re talking about security for our media files, both locally and on the web. It seems like every day brings news of yet another data breach or a hack. What are your thoughts about keeping our media secure?
Larry O’Connor: You know, you have encryption of course on your Mac, there are options there and we’re doing a lot on our own side to bring software … little bit later this year to take advantage of Apple’s latest 10.13 encryption of APFS. But in general, quite honestly, I really believe in keeping things near and dear and close. Encryption and anything you do … data that restricts access to it is great for security until years go by and a different scenario emerges where … the person created the … encryption set the password, had a harbor key is no longer to be found, and that media potentially is locked out for all future purposes.
Larry O’Connor: Keeping important things, there are things that can be put on the cloud and things that quite frankly I think should really stay on drives for transport.
Larry Jordan: Well one of the conversations we’re going to have a little bit later in the show is with Michael Gilliat-Smith who works for a company called Fortium Technology, and they’ve developed an encryption technology which can be taken off as well as applied, so we’ll hear more about that in just a minute. But I want to come back to your concept of keep things local. Increasingly we’re seeing both in Avid and in Premiere the idea of collaborative editing where a team of people are working on a project. How can we support team editing if we don’t put our media out for the team to be able to access it?
Larry O’Connor: Not so much putting it out for the team to access it, you certainly have local collaborative editing. Now if you’re talking about people being able to edit around the world, now you’re talking about cloud services, certainly you don’t have the local resources around typically to support that kind of distance. But then going back to the basics, or back to base really, it’s going to come down to how important is that source material? What is the value of that source material? When it’s on the cloud, you just run into all sorts of different risks that you don’t have when it’s locally controlled data. Really going back to the basics, it’s been extremely rare in all the years that media’s been created where you’ve heard of a stolen hard drive or worse, a lost drive that somebody’s recovered and suddenly there’s a new bit of content that wasn’t released yet being circulated online. With data that’s available or stored on the cloud, it’s a little bit different story.
Larry Jordan: Well let’s go into that just a little bit. Do you think we can safely store media in the cloud? Or should we avoid the cloud for media altogether?
Larry O’Connor: Again it depends on what the purpose is. Would I put actual unedited source of anything on the cloud, probably not. Would I put something up that’s for a production release that’s not yet been published, that’s being ready for master? I think sitting on a hard drive is a better way to go. Would I send data over the internet on a secure network to a media house? Oh absolutely positively. But trusting the cloud as a distribution point I think has already proven to be risky, with a couple of high profile thefts just in the last year or so.
Larry Jordan: Well then, if our goal is to have collaborative editing, let’s just pretend that’s the case, and if we’re ruling out the cloud, then how do we share media amongst the team?
Larry O’Connor: Well if you’re talking about collaborative editing, I guess I’ll take a step back. Certainly, I can understand large groups and people spread around the world, you’ve got a different scenario, but how many folks turn to collaborative editing that truly have teams that are not localized?
Larry Jordan: In other words, most editing teams are going to be working out of the same physical space?
Larry O’Connor: Seem to see a lot of that. Not to say that they’re an exception, but the majority of the customers we talk to, those teams are pretty tightly based. Now you may have somebody doing a VR special effects, different kind of post production work that’s honestly not really the other cut side, but how many teams are truly separated by business where they’re not working together in a facility where they can control that data first hand?
Larry Jordan: What are your thoughts on transferring data? Let’s say that the production team is on site somewhere outside the studio, and the editors are back in the home office doing editing. How do we get the files from where they originate to where they’re being edited?
Larry O’Connor: Well once again bandwidth I would argue is still a pretty big factor there, and there are solutions to buy multiple 4G when 5G comes along, multiple 5G together. Now it’s going to come down to expense. How fast and how important is it to transmit that data? I have no problem with transmitting data over the internet from one point to another point. I think that can be done very securely. Putting it in the cloud for download though is a different matter altogether. Of course, going back to it’s always worked historically putting data onto a fast drive that can be shipped, is another pretty well nearly foolproof solution.
Larry Jordan: That’s a very true point. You can move ten terabytes over FedEx a whole lot faster than you can transfer it on the web.
Larry O’Connor: Absolutely and not to plug our new ThunderBlade but the new ThunderBlade which is our … Viper it’s up to eight terabytes, you can transfer roughly one terabyte per ten minutes to this product so eight terabytes in a little bit over an hour. You can duplicate drive to drive and it’s very easy to ship that to a destination for exceptionally fast transfer off, or even use it if the destination is editing it or keeping a backup on site. Or have another one transferred.
Larry Jordan: Well that’s a good point. Before we run out of time, tell me about some of your newest storage products, especially for high speed. What have you got?
Larry O’Connor: Certainly. The ThunderBlade which came out of the Viper project, that’s a highly portable flash array. This has seen data rates of up to 2000 megabytes a second, in realistic sustained write speeds, 24 to 2500 megabytes a second. When you take a look at today’s data needs, we’re talking to people who generate anywhere from 500 gigabytes to a terabyte of data per hour, shooting in 4K or 8K 120 has become apparently a very popular format on demand, Netflix for one. That kind of data generation and a product like the ThunderBlade allows one very quick onsite duplication and then the ability, even on the same day to turn those video shoots around, get them out of the door and to their destination. I can’t imagine how long that would take if you’re depending on uploads. In perfect conditions wherever you are, that’s a heck of a long upload time, transfer time to get that from point A to B.
Larry Jordan: Now this new device is called the ThunderBlade?
Larry O’Connor: Yes sir.
Larry Jordan: It’s got how much capacity to it?
Larry O’Connor: Up to eight terabytes.
Larry Jordan: And it’s shipping now?
Larry O’Connor: It is shipping. The … version just began shipping. The eight terabyte model begins shipping mid next week.
Larry Jordan: Oh, and have you announced a price? Well you have, because it’s shipping. What’s it cost?
Larry O’Connor: The eight terabyte is $4,999 which is honestly an incredible price for that much high speed flash. The … model is $2,999.
Larry Jordan: $2,999 and for people that want more information about these and other OWC products, where can they go on the web?
Larry O’Connor: Always a pleasure Larry.
Larry Jordan: Take care, bye bye.
Larry Jordan: FileCatalyst was founded in 2000 to create ways to improve and secure file transfers. John Tkaczewski is the co-founder and the president, hello John, welcome back.
John Tkaczewski: It’s nice to be back. Hi Larry.
Larry Jordan: Give me a quick description of what FileCatalyst does.
John Tkaczewski: FileCatalyst is a software application that optimizes, simplifies and secures large file delivery over the internet.
Larry Jordan: There’s two types of security, there’s security for files that are being stored, called files at rest, and files that are being transferred from one location to another called files in motion. Where does FileCatalyst fit?
John Tkaczewski: We’re definitely on the files in motion part. Our goal is to make sure that the files that are being delivered are secure as the data is moving from one storage disk to another storage disk over the internet.
Larry Jordan: How do your products help us with security as our files are in motion?
John Tkaczewski: We have built several different ways of securing the delivery. So I think one of the more important ones would be the presence of a reverse proxy.
Larry Jordan: I think of a proxy as being a small version of a large file, it doesn’t have the same resolution, it doesn’t have the same data. But it is a visual representation of what that file looks like. Is that what you’re meaning by a proxy here?
John Tkaczewski: No, it’s not exactly the same thing. Here we’re talking about proxy in terms of internet security and network security. So a proxy in terms of network and internet security means a server in the middle, or in between, the actual servers that contain all the data and the client application that runs on the internet.
Larry Jordan: What value does this proxy server have in securing our files?
John Tkaczewski: First the biggest value here is that you’re not exposing the servers or the server application that contains all your media directly to the internet. Everything goes through a secondary smaller connection that even if someone hacks into that secondary smaller server, they are not really getting anywhere with that because it’s just a proxy server they’re getting into. There’s no real media residing there.
Larry Jordan: Can I think of a proxy server as like a card catalog in a library? Is it the proxy server’s got little pointers in it, but there’s no actual data, the books on the shelf are separate from the card catalog?
John Tkaczewski: Exactly. So if you think of that, and then you lock up your card catalog and if someone let’s say figures how to get into the card catalog, it doesn’t necessarily mean they will have access to the books.
Larry Jordan: To get right to the core of it, what can we do to ensure that our systems are more secure?
John Tkaczewski: I don’t have a statistic here to quote, but I think most of the breaches that happened in the recent years were all instigated by human error. That means that somebody clicked on a link they shouldn’t have clicked in an email, or maybe they lost a laptop at the airport and there was some sensitive information on it. Once potential hackers get what I call the beach head into someone’s network, then they will try to hack deeper and get into those really sensitive materials that you have. So I think the biggest way to secure someone’s network is the human factor. It’s the training, it’s the continually talking about cyber security with your staff and your suppliers and making sure that the human error is minimized. This leaves those hackers a lot less room to start hacking, because a hacker without any kind of information ahead of the game, they will probably not attempt to get into your network. They must have something already to get them going and get them started.
Larry Jordan: John, I listen to you talk and I start to wonder, are there any standards that we can follow for maintaining security?
John Tkaczewski: That’s something that I think media industries are behind on other sectors. You know, there are some standards, for example in the UK there is the DPP standard that came out, but it’s only predominantly used in the UK. There’s nothing really centralized or a globalized body that dictates security standards for media. I can think of another industry, for example, the health sector where you have the HIPAA standards where if you want to exchange any kind of data, you have to adhere to these standards, that there’s a body that presides and keeps everything secure. But nothing like this exists in media and I can’t stress enough the lack of that in the media sector.
Larry Jordan: Who should take the lead on that? Who do you think should be responsible?
John Tkaczewski: I think it has to be the biggest players in the sector, so anybody who generates a lot of content, thinking here of the large media companies probably should be the ones spearheading something like this, because this is ultimately in everyone’s best interests but they will benefit the most.
Larry Jordan: And for people that want more information about the security and other services that FileCatalyst can provide, where can they go on the web?
John Tkaczewski: They can go to our website at filecatalyst.com.
Larry Jordan: That’s all one word, filecatalyst.com and John Tkaczewski is the co-founder and president of FileCatalyst, and John, thanks for joining us today.
John Tkaczewski: Thank you for having me.
Larry Jordan: Mathew Gilliat-Smith is the co-founder and CEO of Fortium Technologies which he started in 1999. Fortium provides digital content protection solutions for the film, entertainment and broadcast industries. Hello Mathew, welcome back.
Mathew Gilliat-Smith: Hello. Good to speak to you.
Larry Jordan: Providing digital content protection solutions sounds really impressive. What does Fortium actually do?
Mathew Gilliat-Smith: We have specialized over the years in providing digital security to the film and TV companies. One product we have is for optical disk security, where we protect Academy Awards and BAFTA screeners and the other side is digital media file protection for encryption at rest on post production workflows before they’ve hit the cinema and after they’ve cut the film.
Larry Jordan: The optical disk protection we’ve talked about in the past so I’m glad that you are still supporting that for those of us that are releasing optical disks. But today I want to focus on protecting our files at rest, which means they’re being stored somewhere as opposed to being transferred. How would you categorize the security threats that we’re facing today?
Mathew Gilliat-Smith: There’s three areas in content security at the moment. One is 30 percent of the most serious breaches are caused by human error still. So people accidentally making content available through a link and not realizing they’ve typed in the wrong name. The second area is the cyber threat which is where someone’s clicked on some email and some malware gets into the system, even if you’re behind a firewall. And what happens is, they get held to ransom, because they’ve got the content and we heard about that last year on a number of occasions. The third area is pure theft where someone from the outside pays someone on the inside to steal content and the person on the inside has got access to that content by nature of the fact that they work together. Whereas with things like MediaSeal, where access is controlled by individual user and file, it prevents exactly that sort of thing happening.
Larry Jordan: What security do you provide here?
Mathew Gilliat-Smith: It’s called MediaSeal, and it’s an encryption at rest product. One of the big challenges in the industry is you have lots of different systems, you have your Avids, your Final Cuts, Adobe software in terms of programs, and then you’ve got multiple different file formats from Quicktime right up to ProRes and MXF etcetera and the challenge is how do you mix encryption and security with all these different workflows and different file formats? We were able to build a file system filter driver which does a very neat handoff between a file which is encrypted, and a program which is viewing back the file. That’s on the one hand, and on the other hand, it means that the encryption can stay with the file while it’s being worked on in all these multiple workflows.
Larry Jordan: Mathew, you know as well as I do that as soon as we encrypt a file, the speed of everything slows to a crawl which prevents me from getting any editing done. How do you fix that problem?
Mathew Gilliat-Smith: Very good point, and we’re very sensitive to that issue. That’s why we built an encryption wrapper. So we don’t have to transcode the file, we simply apply the wrapper to the file. It’s a very light wrapper, it adds no extra size to the file. It is important to note of course that you have to go through that process, but it’s very little overhead, barely noticeable. Security is a balance. The most important thing is not to interfere with the workflow but we’ve seen in the last year some very serious security threats and that is what is worrying people. I think on the one hand you want to have fast efficient workflows, but on the other hand if you have suffered from a leak or a cyber attack, then that’s a whole different ballgame and loss of reputation, loss of content, loss of funds, that’s something that people are really beginning to sit up and listen to.
Larry Jordan: Help me understand. The file is stored encrypted on the hard disk and on the fly it’s decrypted when it comes into a Final Cut or a Premiere for editing, and then as it comes back out again, it’s encrypted again?
Mathew Gilliat-Smith: Actually the encryption stays with it. All we’re doing is access control, so for example I’m receiving a file, maybe I’m at a localization house and I’m doing a French translation of a TV title or a movie. I would receive an encrypted file, I would click on it in the normal way, access it with my credentials, so I put in my password and an iLok key which is identifying me as the user, and it’s pinging the server just checking that I’ve still got the rights to open that file. I’m not going to see any overhead, any latency. I really won’t notice the difference at all. We’ve been able to perfect this over the months and years because we found that editors are very unforgiving. If there’s any delay at all, they are not interested. If you were to ask people who use our content security thing, they would say “Look we would only use it if it didn’t interfere with those workflows.”
Larry Jordan: So what’s involved in installing your software?
Mathew Gilliat-Smith: It’s pretty straightforward actually. If you can imagine you’ve got the people doing the encryption and the people receiving or reading the files, what happens is, when a project starts, generally on behalf of the content owner we are asked to contact their studio or their localization house and we send them an email saying, if you haven’t already used MediaSeal then you just need to click on this link and register yourself, one time, and then click, click, click, one time restart of your system, and you’re good to go forever more. And I think people feel comfortable that they’ve got some layer of security which is protecting them.
Larry Jordan: OK, well help me walk through the workflow. I’ve shot footage, I’ve got my dailies, they’re now sitting on a single hard drive. Let’s say it’s a terabyte or four terabytes, pick any arbitrarily strangely large number. Now I apply MediaSeal. It’s now got to go through and apply this wrapper to all of my files before I can start to edit them. How long does that process take?
Mathew Gilliat-Smith: As I say, it’s really a minimal time. It’s like the time that it takes to copy some content of a file from one folder to the next I guess. It’s like that. So if it’s a small file, it’s ping. If it’s a much larger file, you’ll just see a very small quick progress file going across. It really isn’t like transcoding or anything like that.
Larry Jordan: When the project is complete, let’s say hypothetically we don’t need to have the storage continue, can we take the wrapper off so that we have unwrapped footage that could be archived?
Mathew Gilliat-Smith: Correct. We provide all those features. We designed this in conjunction with one of the major film studios so if you like it was designed by a studio for studios. We’re a technology company and I don’t think we’d ever have been able to know how to get all the GUIs and all the user experience without having that input.
Larry Jordan: Mathew, for people that want to learn more about MediaSeal, where can they go on the web?
Larry Jordan: There’s two websites, the main company is fortiumtech.com and mediaseal.com. Mathew Gilliat-Smith is the co-founder and CEO of Fortium Technologies, and Mathew, thanks for joining us today.
Mathew Gilliat-Smith: Thank you very much.
Larry Jordan: Pierson Clair has spent the last decade conducting digital forensic investigations in support of companies who have suffered a breach or other loss of data. His investigative specialties lie in the realm of Mac and mobile devices, and he’s currently the senior director for cyber security and investigations at Kroll. Pierson, welcome back.
Pierson Clair: Good afternoon Larry, how’s it going?
Larry Jordan: I’m talking to you, and we’re talking security, how much more fun could it possibly be?
Pierson Clair: It is a great life to be in.
Larry Jordan: Before we talk security, give me a description. What’s Kroll?
Pierson Clair: Kroll is a giant global investigations company. We’ve been around for 40 years, we have 2000 dedicated examiners, investigators who work in all facets of investigations, everything from identity theft to due diligence. I’m proud to be on our cyber security and investigations team.
Larry Jordan: In this show today we’re talking security and so far this has been just really depressing. I mean, can we put stuff on the web and have it be secure? Or shall we just give it up?
Pierson Clair: Well when we talk about security, it’s all about risk management and risk mitigation. If something’s on the web, it’s out there. In January alone, or December and January together, every Intel processor made since 1995 with a major vulnerability, is there such a thing as security? That’s tough to say. Being online your data’s out there.
Larry Jordan: If that’s a true statement, if we are moving to the cloud increasingly, business critical information’s being stored on the cloud, what can we do to protect ourselves?
Pierson Clair: So there are so many different steps that we can take to protect ourselves. I like to take the analogy of storing your data in the cloud, as similar to an apartment that you may rent. If you lock the front door, but leave the back window open and your apartment’s broken into, is that the apartment complex’s fault, or is that your fault? So frequently we see a misconfiguration of some type of online storage and you can read these stories in the news week in and week out. And people are so fast to jump to that, “Well it’s Amazon’s fault. It’s someone else’s fault.” Well, the configuration left that back window open. And by leaving that back window open, once somebody walked around the back of the apartment, they figured out they could break in. So security is not just how it’s initially configured, it’s also that ongoing testing, that ongoing verification, that ongoing validation whereby you maintain the best level of security that is known about.
Larry Jordan: For smaller companies, that don’t have a built in IT department, are there places they can go to get advice, or guidance in terms of how to set up security? What kind of national organizations can we refer to?
Pierson Clair: There are many different places that have great security advice. Whether it’s taking a framework, for example, from an organization like NIST, the National Institute of Standards and Technology, or ISO, the International Standards Organization, or even a third party training group like SANS, each of these has a wide range of frameworks that you can adopt that include best practices, that include implementation recommendations. So many different things that can help large and small organizations have a better security posture.
Larry Jordan: Well let’s define a couple of terms. You’ve used security framework, security policy and I’ve heard security protocols. How would you define the differences between them, or are they the same thing, just described in different words?
Pierson Clair: Security framework would be something that would come down from NIST, the National Institute of Standards and Technology or ISO, the International Standards Organization. And those lay out best practices for many different use cases. You might not want your accounting computers being able to talk to your edit bays as an example. Once you have a framework, then you can set policy. Perhaps no social media on accounting computers. Or no bit torrenting on your edit bays. So, from there we map from policy, from a framework, and then we implement that with some technical controls. That together create as secure of a posture as you’ve identified as necessary.
Larry Jordan: One of the challenges that the companies that listen to the Buzz have, is that we all tend to be small, we tend not to have built in IT departments, and we have got plenty of deadlines to meet without having to worry about security. How much time should we spend with security and does it require a dedicated IT staff and what kind of resources do we need to provide for it? With even enterprises having trouble keeping their data secure, what can a small company do to mitigate their risk?
Pierson Clair: Keeping your own computer up to date. There’s a reason that updates are pushed onto computers. They patch a vulnerability. They’re like a Band-Aid, they protect you against problems. So let’s start local. Let’s start with your own computer. Keeping the software up to date. Keeping everything fully patched, and that’s the operating system, and all of your applications. Then let’s talk about those spam emails that you may get, those phishing emails you may get. And phishing is such a prevalent way of getting into people’s data right now. So phishing or social engineering is where you may receive an email that purports to be from maybe your internet service provider, your email provider, saying there was a problem with your email account. It’s about to be locked out, or there’s suspicious activity on your email account, click this link. You click the link, it then takes you to a page that looks like the sign-in page, from the sign-in page you enter your credentials, but you’re not actually at your sign-in page for your email provider. You’re at some third party scam site which now has your email credentials.
Pierson Clair: So frequently we see it’s a user who’s willingly giving away their credentials. Well maybe not willingly, but they’ve clicked and they’ve provided the credentials, therefore all the attacker has to do is then go to their email, go to their Dropbox, go to their fill in the blank, and authenticate as the legitimate user. How do we move to a more secure posture? Be careful where you’re entering your credentials. Turn on two factor authentication. Two factor authentication or multi factor authentication is probably the single easiest way to protect yourself online.
Pierson Clair: There are three different ways that you can authenticate somebody. The first one is something you know, most commonly that’s a password, but Larry, if you were to give me your email password right now, how would your email server know the difference between you and me? And it wouldn’t because I have your password, therefore I’m authenticating as you. But next way you authenticate someone is something you have, and that something you have might be a cell phone that can receive a one time code, a text message. So with so many online service providers now, whether it’s cloud storage, whether it’s email, whether it’s financial institutions, they offer two factor authentication whereby you type in a user name and password, and then it sends you a one time code. That one time code says, “I know that the only person who can receive this is the person who has access to the cell phone, and therefore that authenticates them.”
Pierson Clair: The third way is then some type of biometric, we call it something you are. And for most cases, that’s more used for maybe building authentication. And once you’ve done those, then it comes down to the configuration. If you’re using some type of online storage, and you’ve not locked it down and that’s to say, you’ve left the bucket or the account storage wide open, well anybody can walk in. It’s like leaving the front door unlocked. So the configuration of your online storage is vitally important. It’s also important to note that these companies that you may be paying for the online storage, from time to time they change how their service operates, so going in every three, six, nine, 12 months and doing a security check, a security verification, making sure that everything looks the way it’s supposed to.
Pierson Clair: Going back to your original question of you may not have an IT department, and so many people don’t, it’s about being aware, it’s about slowing down and saying, “This looks strange. Let me go run it down.” So is that a certain number of hours per week? Not necessarily. Might it be more hours one week than next? Certainly. Deadlines are always looming, but security is kind of the underpinning now of the internet, something that is vitally important, so you do need to invest the time when you identify it’s necessary.
Larry Jordan: Well let’s shift gears. We’ve been talking about security in general, but Kroll is a company that specializes in security. For smaller companies, does Kroll have anything that could help us maintain security with our own assets?
Pierson Clair: From a cyber perspective, we work in three different verticals if you will. Before, during and after. With before, it’s trying to help you avoid a breach, trying to help you set up the policy, set up the structures so that when there is a breach, it’s far easier to investigate. The during is when you call us, and you say, “Something very bad has happened. Help me figure out what happened.” And then the after is how do you recover from that? How do you remediate from that? So, we have a couple of really clever products. One of them is what we call a cyber detector, and it’s a cyber detector powered by Red Canary. It’s a very unique product. It sits alongside conventional antivirus and is very low resource. Certainly I know that in the production and media space, resources are everything. You don’t want a memory hog, you don’t want a processor hog, and so this is a little agent that sits on your computer and it’s a next generation threat intelligence tool. Typically this is something that you roll out for companies that might have 100 or more employees, because it gives the ability to allow us to be your outsourced SOC, or your security operations center. That way we can feed intelligence back into your organization for any type of malicious or otherwise anomalous activity that’s happening on your endpoints.
Pierson Clair: Our traditional offering for cyber detector is for the 100 or more endpoint category, but that doesn’t mean that if there are smaller organizations that have a very high security profile and security need, that the offering may make sense.
Larry Jordan: For people that want more information about the services that Kroll can provide, where can they go on the web to learn more?
Pierson Clair: Kroll.com.
Larry Jordan: Pierson Clair is the person you’ve been listening to. He is a senior director for cyber security and investigations at Kroll. And Pierson, as always, thanks for your time.
Pierson Clair: Thank you so much Larry.
Larry Jordan: Here’s another website I want to introduce you to. Doddlenews.com. DoddleNEWS gives you a portal into the broadcast, video and film industries. It’s a leading online resource, presenting news, reviews and products for the film and video industry. DoddleNEWS also offers a resource guide and crew management platforms specifically designed for production. These digital call sheets, along with their app, directory and premium listings, provide in depth organizational tools for busy production professionals. DoddleNEWS is a part of the Thalo Arts Community, a worldwide community of artists, filmmakers and storytellers. From photography to filmmaking, performing arts to fine arts, and everything in between, Thalo is filled with resources you need to succeed. Whether you want the latest industry news, need to network with other creative professionals or require state of the art online tools to manage your next project, there’s only one place to go. Doddlenews.com.
Larry Jordan: In his current role as director of technology at Key Code Media, Michael Kammes consults on the latest in technology and best practices in digital media and communications. Hello Michael. Welcome back.
Michael Kammes: Hello Larry, good to hear your voice and thank you.
Larry Jordan: Michael, this evening we’ve learned about how to keep our files safe locally, the challenges of keeping our files safe in transit and how to improve security for files stored on the web. You’ve been listening to the whole show, what’s your reaction so far?
Michael Kammes: I’ve been listening to this show and in the chat room, talking about this on the Digital Production Buzz website and I think we’ve heard a lot of great concepts, but I think there’s kind of a missing link with those concepts as to how to apply those to the average lay person who isn’t transporting a ton of data and needs FileCatalyst or needs to operate on a server level. I think there’s some missing glue there.
Larry Jordan: OK, what’s some of the glue that we’re missing?
Michael Kammes: Well some of the glue would be, especially for folks in the media and entertainment space, you’re working on a television show or a film and you want to get data from on set back to the mother ship, back to where you’re going to edit or back to where the production company is. All the technologies and concepts your guests have talked about tonight, that can all be incorporated into portable drives, which is a very common way of transporting data securely.
Larry Jordan: Well that was the thought that Larry O’Connor mentioned, is it’s a whole lot easier to FedEx eight, ten, 15 terabytes of data than try to transfer it over the web. Would you agree with his comment though that file transfers over the web are reasonably secure these days?
Michael Kammes: Well I think your last guest hit it right on the nose which is, once you put it on the web, there’s no guarantee it’s going to be OK. We just saw the boot code for the iPhone posted online, on GitHub. If something like that can be hacked or delved into, then what’s to say what you’re paying $19.95 a month for can’t be hacked too. So I’m a big fan of the let’s have that abstraction layer and let’s not transport it online. Let’s do it the old fashioned way and carry it.
Larry Jordan: Well that brings up a bigger point. How can we tell, and we may need to go to another expert to come up with this answer, but how can we tell if we’ve been compromised? Is it just when somebody else tells us that they’re seeing our files on the web?
Michael Kammes: I think yes, that’s one way of doing it, and one way to thwart that, and this is what a lot of facilities do, I’m manipulating your question a little bit, is just watermarking. People are scared of getting in trouble, and being blackballed and being ostracized. So quite often facilities will put someone’s name on there, Bob Smith. Well Bob’s not going to take any chances of leaking footage if his name is on that footage. We can also go into forensic watermarking. Philips has technology that does that. So you can’t see the watermark but it’s actually embedded in the video, and those kind of scare tactics keep folks away from putting themselves in a situation where they may leak footage. I’m sure as you also know, many facilities are on lockdown, meaning the computers aren’t online, and a lot of times they keep the machines in the machine room or a centralized room. So you can’t plug in a thumb drive, you can’t plug in a portable drive in order to get data out.
Larry Jordan: John Tkaczewski says that there’s a lack of security standards regarding media, unlike in medicine, where HIPAA controls, or financial data being transferred. Do you agree with the fact that media needs to have more consistent standards for encryption and security?
Michael Kammes: Well, there are standards. There’s the Advanced Encryption Standard. People who like acronyms have probably heard of AES encryption, 128 bit, 256 bit, and that’s a standard for encryption, and just like codecs, we have the essence and then we have the wrapper around it. Having this encryption wrapper around your media can adhere to the standards that have already been put out there. And a lot of these hardware based security protocols we have, and a lot of the software based ones, adhere to AES 256 bit encryption, which is very difficult to crack, and NIST, the National Institute of Standards and Technology, has said, “Yes, these are pretty much unbreakable.”
Larry Jordan: Although we can’t necessarily use that for files which are coming into our editing systems because it would take too much time, generate too much latency if we had to decrypt as it was being played back for editing. So this would be an encryption standard for storage and archiving correct?
Michael Kammes: That’s correct. It would be to have media locked on set, locked for transport and then stay locked until you plugged it in, booted up the computer and then entered in a password. You’re completely correct, if you try and do this in real time there’s a lot of latency on the computer and no-one’s been able to, for lack of a better term, crack that nut just yet.
Larry Jordan: Shifting back to the idea of applying our security standards in the real world, what habits do we need to break that are putting our files in jeopardy?
Michael Kammes: It’s a great question. First off is your editing machines, don’t put them online. And I know that there’s a lot of independent editors who say, “Look, I need to share stuff via Dropbox and I need to collaborate.” Don’t. Unplug it until you need it, then plug it back in, then unplug again. There’s nothing wrong with that. In a lot of facilities, that can’t afford enterprise security, they have an abstraction layer which means they have a firewall between the switch that controls all the internal data on the network, and a switch that goes out to the real world to hit YouTube or whatever websites you want to hit. Keeping a firewall between those is one more layer of security that prevents folks from getting out and getting in. So that’s one way to do it.
Larry Jordan: Seeing as you’re batting cleanup here, we let you get all the important questions. What would you say are the three most important elements that people should consider when they’re looking at setting up a security workflow?
Michael Kammes: If you have anything that’s password protected, and that password is shared amongst multiple people, like Dropbox for example, multiple people can have the same password and same login for a shared account. Don’t do that, because all it takes is for one person to slip up and things are compromised. Keeping your machines off the internet, that certainly helps quite a bit. And any kind of media that you have on a hard drive that’s being transferred from one location to another, look at something like Apricorn, it’s Capricorn without the C, and they have portable drives and thumb drives which are all encrypted and you can store your data on that.
Larry Jordan: Well one of the things I enjoy is watching and listening to your five things podcast. Tell us what’s coming up because I think what you have coming is relevant to our discussion on security and remote editing.
Michael Kammes: Thank you for that, the upcoming episode which will probably be out later in February, will be on remote editing, and things to look forward to in remote editing and why it’s such a challenge to do it now in a cost effective way and still retain security.
Larry Jordan: Do you view remote editing as the same as collaborative editing?
Michael Kammes: I think the term collaborative gets thrown around quite a bit. Some people would look at Dropbox as being collaborative, which it is in some respect. But when I talk about editing and collaborative editing, I’m looking at shared projects, shared media, shared timelines. So there’s a complete flow as opposed to more of a push pull methodology that you would work with with Dropbox.
Larry Jordan: With the collaborative editing or with the remote editing, do we need to have assets stored locally, or are you accessing assets on the cloud?
Michael Kammes: That really depends on what system you’re going with. There are very few NLEs that support editing from a cloud based system, but they will support editing from your personal cloud in your own data center back at your office. So it really depends on what NLE you’re trying to use and what technology, but more importantly, what kind of budget you have.
Larry Jordan: And for people that just need to know where you are on the web and watch the next 5 things episode, where can they go on the web?
Larry Jordan: That’s the number five, 5thingsseries.com and michaelkammes.com and Michael Kammes himself is the voice you’re listening to. Director of technology at Key Code Media, and Michael as always, thanks for joining us today.
Michael Kammes: Thanks so much Larry.
Larry Jordan: Take care, bye bye.
Larry Jordan: You know, I was just thinking. In the old days, security was a lot easier. We just needed to lock the office door when we left at night. These days it seems much harder, and there are always tradeoffs. As Pierson mentioned, security is a balance between the resources you have available and how likely our files are to be hacked. Often, we get hacked because we aren’t paying attention and get caught with a phishing email. Or we get hacked because a disgruntled employee shares private files with the world. Or we get hacked because our cloud storage provider got hacked.
Larry Jordan: Even high tech security can’t fully protect us against stupidity or unhappy employees. But as we learned tonight, we can do more to keep our precious digital files safe. Partly by thinking more about security on a daily basis, partly by encouraging our team members to think about security, and partly by harnessing technology to help us protect our files.
Larry Jordan: Just as we’ve learned over time that we can’t archive files simply by storing them on a hard disk and parking it on a shelf, so also we can’t ignore security threats. Security does not improve by ignoring it. We need to take an active interest in keeping our systems up to date. Avoid making stupid mistakes like sharing login credentials with suspect websites. And we need to harness the power of technology to help keep our files safe. Just a quick personal example on this last point. Recently I added a new server here at the office and it didn’t work properly. After some research I tracked the problem to my network switch, where I discovered the last time I updated its firmware was October of 2010. Ha, looks like I need to pay more attention to my own systems.
Larry Jordan: Security is an ongoing process, not just an event. Just something I’m thinking about.
Larry Jordan: I want to thank our guests for this week, Larry O’Connor with OWC, John Tkaczewski with FileCatalyst, Mathew Gilliat-Smith of Fortium Technologies, Pierson Clair with Kroll, Michael Kammes with Key Code Media, and James DeRuvo of DoddleNEWS.
Larry Jordan: There’s a lot of history in our industry and it’s all posted to our website, at digitalproductionbuzz.com. Here you’ll find thousands of interviews, all online and all available to you today. Remember to sign up for our free weekly show newsletter that comes out every Saturday.
Larry Jordan: Our theme music is composed by Nathan Dugi-Turner with additional music provided by Smartsound.com. Text transcripts are provided by Take1 Transcription. Visit Take1.tv to learn how they can help you.
Larry Jordan: Our producer is Debbie Price. My name is Larry Jordan, and thanks for listening to The Digital Production Buzz.
Larry Jordan: The Digital Production Buzz is copyright 2018 by Thalo LLC.
Announcer: The Digital Production Buzz was brought to you by KeyFlow Pro. A simple, but powerful media asset manager for collaboration over a network. Download a free 30 day trial at Keyflowpro.com.