Mark Harrison, Managing Director, DPP (Digital Production Partnership)
Jim Tierney, President, Digital Anarchy
David Benson, CTO & Co-Founder, BeBop Technology
Emery Wells, CEO and Co-Founder, Frame.io
Larry Jordan: As more companies move media production and post to the Cloud, security becomes an ever present concern. Tonight on the Buzz, we talk with experts on what it takes to keep our projects secure as collaboration increases and more assets are stored in the Cloud.
Larry Jordan: We start with Mark Harrison, managing director for the Digital Production Partnership. This international organization helps media companies cope with technological change. Tonight, Mark provides an overview of what we must know to keep our media secure in an interconnected world.
Larry Jordan: What do you do when you learn that your server has been hacked? Tonight, Jim Tierney, president of Digital Anarchy, shares his experiences when he discovered his company was hacked, and what they did to improve their security going forward.
Larry Jordan: BeBop Technology allows creative artists and companies to collaborate around the world. But what’s the risk to your media as your assets leave your control? Tonight, David Benson, CTO and co-founder of BeBop Technology explains how they work behind the scenes to make sure your media doesn’t get out of your control.
Larry Jordan: Finally, Emery Wells, the CEO and co-founder of Frame.io discusses how his company has worked to implement security for online media, why security is a moving target, and what producers need to know to keep their assets safe, both locally and online.
Larry Jordan: The Buzz starts now.
Announcer: Since the dawn of digital film making, Authoritative: One show serves a worldwide network of media professionals. Current: Uniting industry experts. Production: Filmmakers. Post-production: And content creators around the planet. Distribution: From the media capital of the world, in Los Angeles, California, the Digital Production Buzz goes live now.
Larry Jordan: Welcome to the Digital Production Buzz; the world’s longest running podcast for the creative content industry, covering media production, post-production and marketing around the world.
Larry Jordan: Hi, my name is Larry Jordan. Tonight we’re looking at security as more of our media and other assets move to the Cloud, but before we start, I want to welcome back Take1.tv to the Buzz family. Take 1 provides professional grade transcripts for all kinds of media. We first started working with them five years ago, and I’m delighted to report that they are back transcribing the contents of each weekly Buzz episode. You can find our transcripts at digitalproductionbuzz.com and click the transcript button in the menu bar at the top. And you can visit Take 1 at take1.tv. Welcome back.
Larry Jordan: By the way if you enjoy the Buzz, please give us a positive rating and review in the iTunes store. We appreciate your support, to help us grow our audience. James DeRuvo is on assignment this week. He’ll be back next week at his usual time.
Larry Jordan: Our first guest is Mark Harrison. As we were chatting before the actual interview, Mark shared his impressions of the recent CES show. I found his opinions so striking, that I want to share them with you at the top of his interview, then we’ll move into security. Mark Harrison is the managing director and co-founder of the Digital Production Partnership, an international business change network for media companies. Hello Mark, welcome back.
Mark Harrison: Hi there Larry, great to talk to you again.
Larry Jordan: Mark, tonight we’re going to be talking about privacy and security as we move more and more of media and assets to the Cloud. But before we switch gears, we’re recording this interview on the last day of CES which I know you’ve been attending on behalf of your members.
Mark Harrison: That’s right, I have.
Larry Jordan: From a professional media point of view, what are the highlights?
Mark Harrison: Well do you know Larry, I think what’s extraordinary about this year’s show is that we have witnessed an absolutely fundamental change that could revolutionize media and yet nobody seems to have noticed. What we’ve seen this year for the first time, widely across a number of display manufacturers, the integration of truly intelligent content search by voice. Most of these are integrations with Google Assistant, and as you probably know Google Assistant is quite good at contextual search. It can have a bit of a chat with you about things and it can go beyond just instructions to switch things on and off.
Mark Harrison: So what we’ve seen demonstrations of this year, have been the capability to search for content using voice. Now why do I think that’s so important? Although we’ve been talking for years about the challenges for content providers in keeping their own brands distinct in very crowded content context, once you have got search by voice you can actually disintermediate them altogether. You’re not searching now for what’s on Netflix, you’re just searching for a particular show.
Larry Jordan: This will be very analogous to Google News where they aggregate news from a variety of newspapers and news sources and delivers it in a single distribution format which is a web browser. We’re doing the exact same thing except now we’re searching for media and it’s delivering the media to us in a web browser.
Mark Harrison: That’s exactly right. It’s just like that. It’s also very much like what happened in the music industry of course, because who knows now what record label a particular album has been recorded on? Nobody does. You just search for the title of a particular piece of music, or you search for the artist.
Larry Jordan: Well that had a devastating effect on the music industry and it’s also had a devastating effect on the newspaper industry. Are you expecting the same kind of financial chaos in media?
Mark Harrison: I think there will be certainly huge change. Whether it becomes chaotic, whether the commercial models are transformed, remains to be seen. It could be that the commercial models really shift because it could in time put the commercial power back into the hands of the creatives, because the creatives can now go direct to the consumer, although I would have thought always by some kind of intermediary organizing platform of some kind. But it’s going to take a while, it’s going to take several years, but if there is a Netflix killer on the horizon, it could look something like this.
Larry Jordan: Well clearly we’re going to have to bring you back to talk about this in more detail in the future, but let’s switch gears and talk now about media security. DPP recently held a conference. What was that about?
Mark Harrison: We held a conference about security that was all about securing creativity. We wanted to lift the conversation up away from that normal one you tend to get in media where everybody talks about the kind of threats we all now face with connected media and then tends to moan about the fact that creative people and producers are very difficult to police around security policies. Now we asked ourselves, since we are a creative industry and the only reason we have security is to secure a creative industry, what will happen if we just take that a bit more seriously and actually talk to the creatives themselves about how they see this world, and how they go about trying to ensure that their content remains safe?
Larry Jordan: What did you learn?
Mark Harrison: What we learned was that there’s actually now a shift happening amongst those who are more far sighted about how to introduce security policies that will actually work in a creative environment. What we heard from security experts and technologists was that they no longer regard people as the weakest link. They actually are starting to see them as the strongest link. When we listened to producers, you really understood why because when you hear from producers about security, you actually hear about a really rich and deep contextual understanding of what it means to try and stay secure.
Mark Harrison: Because almost every piece of content making is a bit different, everything has very particular context or different locations or different people, takes place over different periods of time, different kinds of threat and risk, it’s very difficult to impose any kind of cookie cutter approach to security around media. So what we heard was that producers have got a very rich contextual understanding that actually makes them expert even though they were never trained as experts in security, and meanwhile a lot of security experts are starting to recognize that they need to listen to that expertise.
Larry Jordan: Do you see the basic problem with security being that the Cloud providers don’t understand media? Or that media providers, the producers, don’t know how to work with the Cloud or is there some other disconnect that’s keeping the two apart?
Mark Harrison: I think all those things are true. Where there are problems at the moment are fundamentally around trust. I don’t think producers seriously believe that if their content is sat in the data center of one of the global tech giants, that somebody’s just going to come in and steal it. They’re not that naïve. They do have a sense of how highly protected that content will be. But on the other hand, they also know that when content moves it becomes vulnerable and they haven’t yet got historic relationships both of working with those particular providers, and also of working with those particular technologies to know the content can nonetheless, be kept safe.
Mark Harrison: So really what we’re seeing here is a need for both the production community to start to feel comfortable with Cloud based technologies, and for the Cloud community to know how to speak to producers and how to understand their culture better so they can be more persuasive about the security that they can offer.
Larry Jordan: I can’t do anything about a Cloud vendor, but what can I do as a producer to be able to keep my assets more secure and to learn how to trust a Cloud vendor?
Mark Harrison: That’s a great question. The first thing is to let go of some of that anxiety that’s been generated by the security industry itself when it pointed out to everybody that the minute you connect you become vulnerable. This is a huge irony. They actually created the fear that they are now trying to address. Maybe that was on purpose because it’s a way of making money, but actually if producers could step past that, in fact it can be a much safer way to operate. The reason I say that, is this. Because if you are connecting to a Cloud based service, then actually your individual device hasn’t in fact got anything of much significance on it and that Cloud based environment will be being managed by one of those huge specialists with a huge number of security staff. So it’s no longer up to you to remember to always do your software updates. It’s no longer up to you to ensure that there’s not a weakness in somebody else’s machine because they’re on the same system as you. You can actually be a little individual doing your thing, and you can leave all the heavy lifting of security to those who manage those Cloud based services.
Larry Jordan: So then what do we need to do to start to reassure ourselves that we can trust the Cloud? Because that I think is the core question that once it gets up to the Cloud, I’ve lost control.
Mark Harrison: It’s going to be hard for people to believe that that isn’t the case I think, until they start to live it. But the fact is, they are beginning to live it. You know, when you talk to producers, what you find is that actually they’re already using far more Cloud services than they realize, they’re already using a lot of social media applications to communicate with their teams, and more progressive producers, as you and I have discussed before, are beginning to use Cloud based services for editing, for sharing of content, for storage. Indeed in some recent research that we did, we found that WeTransfer is used by 100 percent of the producers that we spoke to. So it’s not as if we’re not using these services, it’s just that somehow we think that when we find a nice, simple user friendly lightweight app that somehow that’s a bit different from being in Google’s Cloud, or Amazon’s Cloud or Microsoft’s Cloud. But fundamentally, it isn’t and actually those big Cloud vendors are probably going to be offering better security than some of the smaller applications.
Larry Jordan: So where does DPP fit into this? How can you help us to make this migration as painless as possible?
Mark Harrison: First of all, trying to stimulate this conversation between the creative community and the security community. It was fantastic to bring them together and I have to tell you, a little bit misty eyed when I sat and listened to two producers talk in turn about how they ensured security of their productions. One was a production manager who worked in undercover reporting, in news and current affairs, and one was a production executive who worked in unscripted content, in drama. And each of them talked in detail about what they do. Neither of them have any formal training in technology or in security, and this roomful of 100 security experts just fell silent in awe around their expertise. Afterwards, they couldn’t wait to get to speak to them to pick their brains further about the knowledge that they’d got. As always, the most important thing is to facilitate communication because when people understand each other, that’s the quickest way to remove distrust and anxiety.
Larry Jordan: DPP is doing so much to enable producers. Is it possible for others to become members?
Mark Harrison: Oh absolutely yes. It’s very cheap and simple for any producer to become a member of DPP.
Larry Jordan: Where can we go to learn more about what membership provides and what the DPP is doing?
Mark Harrison: Well, stand by for a rather long email address. www.digitalproductionpartnership.co.uk.
Larry Jordan: That’s one gigantically long word, digitalproductionpartnership.co.uk not .com for the DPP Digital Production Partnership of which Mark Harrison is the managing director and co-founder of the DPP, and Mark, thanks for joining us today.
Mark Harrison: Thanks so much Larry.
Larry Jordan: Here’s another website I want to introduce you to. Doddlenews.com. DoddleNEWS gives you a portal into the broadcast, video and film industries. It’s a leading online resource, presenting news, reviews and products for the film and video industry. DoddleNEWS also offers a resource guide and crew management platforms specifically designed for production. These digital call sheets, along with their app, directory and premium listings, provide in depth organizational tools for busy production professionals. DoddleNEWS is a part of the Thalo Arts Community, a worldwide community of artists, film makers and story tellers. From photography to film making, performing arts to fine arts, and everything in between, Thalo is filled with resources you need to succeed. Whether you want the latest industry news, need to network with other creative professionals or require state of the art online tools to manage your next project, there’s only one place to go. Doddlenews.com.
Larry Jordan: Jim Tierney founded Digital Anarchy in 2001 specifically to develop plug ins to simplify creating visual effects. But recently he had a security experience that makes it worthwhile for us to talk with him on tonight’s show. Hello Jim, welcome back.
Jim Tierney: Hey Larry.
Larry Jordan: Tonight we’re talking about security and you recently discovered that you were hacked. Tell me what happened.
Jim Tierney: We have the different parts of the Digital Anarchy website broken up onto different servers. The server that we use mostly just for file sharing, but in the past we’d used it to manage our newsletter list, so we had the old software that we used for that, still on that server. We hadn’t used it for about three years, and we hadn’t really done anything with it including update it and somebody managed to find it and make use of an exploit or something like that and get into it.
Larry Jordan: How did you find out that you’d been breached?
Jim Tierney: Well they started sending out emails.
Larry Jordan: That’s a really good indicator.
Jim Tierney: We had people emailing us and asking us “What is this? Is this from you guys?” I’m like, “No.” So luckily in that case since it’s just a server we use mainly for file sharing and not for email, I could just go in there and turn off the mail service for the server, and that stopped any other abuse of the old email list, rather quickly. But they still probably did get access to that email list.
Larry Jordan: Are you able to determine what kind of damage they did?
Jim Tierney: It’s really just the email program, so we’re assuming that they downloaded the email list but we don’t know that for sure. We do know that they sent out about half of those phishing emails. The emails didn’t seem like they were coming from us, it’s not something we would have sent out. It’s not like “Hey, come download the latest version of Flicker Free for free,” which if they were really smart that’s what they would have done because I imagine a whole bunch of people would have clicked on the links. What they did was send out a super spammy phishing email and most people were like “Yes this doesn’t look legit.”
Larry Jordan: So what did you do first to respond, and then second what did you do to recover?
Jim Tierney: First thing was to turn off the mail service for the server so that no more emails could be sent out. The second thing the next day was send out an email to our current list which we run through a third party mail service, so hopefully it’s a bit more secure, just explaining what happened, why they got the weird emails and explain that that was a server that we don’t use any more, that it didn’t affect all of our customers but that they probably did get access to the email list. So it’s possible they could try emailing to that list in the future, but not through our server.
Larry Jordan: What can we learn from your problems?
Jim Tierney: Keep software updated you know, especially if you have stuff that’s sitting on a dedicated server that you’re managing and isn’t managed by someone else who supposedly will be keeping things up to date. We had this happen with our WordPress blog as well, that got hacked a year and a half ago just because we hadn’t updated WordPress and somebody just used an exploit to get into that so the really critical thing is if you’re managing a website, you really need to keep all of the software on that website up to date including stuff that you just don’t use any more, or you haven’t thought about it. Just because you don’t use it, doesn’t mean that somebody can’t just ping every address looking for xxx.com/sendstudio which was the name of the email program and just send that out to a million servers and anything that doesn’t 404, they’re like, “Hey, we can get in here.” There’s people doing that, just constantly pinging a million different servers to see if they get a hit and they get a hit, and the next thing you know they’re in and sending emails. The same works for WordPress or Joomla or any other big platforms out there. There’s hacks for these things and if you don’t keep them up to date, you run the risk of having somebody bust into your site and start posting random things or emailing stuff.
Jim Tierney: The other thing that we do with Digital Anarchy is all of the different aspects of the website, the website itself, the blog, email service, the store, they’re all on different services so that if somebody breaks into one, they can’t get access to everything else or it makes it much harder to get access to everything else. It’s basically just trying to defend yourself as well as you can and make it as difficult as possible for people to get access to stuff.
Larry Jordan: How did your customers handle it?
Jim Tierney: Pretty well. People understand that stuff like this happens. Again, because we split things up there wasn’t any financial data that was lost or any other information. It was basically just the email addresses and I think most people just assume that they’re on 50 million spam lists anyways. That’s a sad fact of our modern world. Since it was limited to just email addresses and it really only affected about half of the current email list, because again this was a list that was three years old, most people really appreciated me sending the email out immediately as soon as we found out about it because I didn’t want anybody thinking we were spammers or accidentally clicking on the email because they thought it was from us. A lot of people appreciated the immediate response instead of doing the Google thing and waiting three months. So we didn’t really have any real fallout from it. Just people mostly thanking us for being upfront about what happened. So it’s really just being aware that you have to keep the software up to date because there’s always people phishing around for out of date WordPress instances or whatever and that’s what most websites are built on these days.
Larry Jordan: Jim, for people that want to learn more about the products that you’ve got and now that we know that Digital Anarchy is not in the spamming business, where can they go on the web?
Jim Tierney: Head on over to digitalanarchy.com and you can find out all about it there.
Larry Jordan: That website is all one word, digitalanarchy.com and Jim Tierney is the founder and CEO of Digital Anarchy. Jim, thanks for joining us today.
Jim Tierney: Thanks Larry, I appreciate it.
Larry Jordan: David Benson is the CTO and co-founder of BeBop Technology. Dave has spent more than 20 years developing ground breaking technology solutions for film studios, television networks, digital content developers and distributors including folks like Deluxe, Sony Pictures Television, and Final Draft. Hello David, welcome.
David Benson: Thank you Larry.
Larry Jordan: Tonight we’re looking at security for our media as we migrate more and more of both production and post to the Cloud, but before we start talking about security, how would you describe BeBop?
David Benson: I’d describe BeBop as more of a collaboration platform than anything today. Where it started four or so years ago was really focused around enabling certain use cases around workstations and storage and various other pieces and parts, where we’ve evolved to today as I said, is really more of the integration of all of those things and the way you actually interact and consume them, which turns more into a collaboration type of use case.
Larry Jordan: What do you mean by collaboration?
David Benson: Collaboration is essentially the intersection of all of those use cases, so if you think about editorial on its own, about visual effects on its own, about animation on its own, all of those things are pieces of an overall supply chain that creates content. So when you bring all those things together, into one platform, an eco-system which is BeBop, you start talking about collaboration a lot more than pieces and parts and workstation configurations.
Larry Jordan: So it isn’t just the editor’s task or the VFX artist’s task, it’s how they relate together?
David Benson: Exactly and that’s a lot of where the security conversation comes into play, because whereas in the past you had disparate locations and regions where these things were happening, and you had to manage security in a different way. Now we have an opportunity to manage it in a more centralized way in a single logical secure environment that spans across all of these different locations and within some of the largest public Cloud providers on the planet.
Larry Jordan: What first got you interested in creating a Cloud based service?
David Benson: My previous company to this that now is called BeBop Managed Services, was a company called DSB Consulting that I started about eight years ago. We built various large platforms over the years for different studios and post production houses. When we finished a large project for one of the studios where we migrated their entire channel licensing business into AWS, the entire workflow went very nicely into the Cloud, except for one piece which was the editorial because at the time there was no way to do that viably. So once we finished that project I was starting to experiment with how to solve that problem because it was intriguing to me, and that was right at the same time that Amazon released their Teradici based workspaces product and we worked very closely with AWS for many years, so I was poking around at how they had done that. Came to Teradici very quickly, I created a partnership with them and about four to five months after that, we spun BeBop out of DSB Consulting and launched the company and the rest is history.
Larry Jordan: Very cool. With the daily drumbeat of hacks and data breaches, producers are understandably nervous about moving assets outside the local premises. How does BeBop keep our assets secure?
David Benson: We work very closely with those public Cloud companies that I just referenced. It’s our belief, and I think a growing belief in the industry, that while there are incidents that do happen in any environment, whether it’s on premise or in a public or private Cloud provider, it comes down to your best practices, how you implement and enforce those for your own organization regardless of if you’re hosting your own infrastructure or using a service like BeBop. A lot of where we help our customers is creating and working and evolving those best practices that are used in Cloud environments and helping to migrate some of the ones that have been occurring on premise for a long time.
Larry Jordan: Security is like a really broad topic, like the word media and it covers so much stuff. How does BeBop define what security is?
David Benson: Security really is an awareness, from our perspective. To your point there’s a multiheaded conversation that could take many days if we wanted to try and cover all aspects of quote unquote security. Security is an awareness or a state of mind and what that really comes to is an ever evolving and changing characteristic of what we call security. So when we started three or four years ago, security meant a lot of things around terms like air gap storage, and terms like air gap compute. Some of those terms we don’t hear as much anymore because large enterprises, large production companies, large studios have started to get used to and understand the different methodologies that the public Cloud providers use to achieve the same levels of security, just in different ways and from different approaches so you get the best of both worlds when you start to move in those directions. Where you get the scalability, you get the cost points, you get all of the things that the public Cloud promises, at the same time you get them under a secure best practice or common understanding of what those security best practices need to be.
Larry Jordan: But we can’t just leave security to BeBop. I can’t just upload my assets to BeBop and say, “OK everything is secure.” There’s also a security at the local end in terms of what producers need to think about and what producers need to do to keep their assets secure. How does BeBop help us plan or think through the workflow necessary to make sure that everything we create stays secure both locally and on the Cloud?
David Benson: We have a dedicated team called our customer success team. They’re also involved in our professional services offerings where we will very frequently work with our customers, large and small quite frankly, to do exactly what you just elaborated in terms of not only the security aspect of it, but the overall usability and user experience. So our number one job here at BeBop other than providing our platform, is to provide the best possible user experience for every user that comes on the platform, whether they work at a large studio or they’re an independent producer or even production on their own. That aspect of what we do is of critical importance for exactly the reasons that you’re elaborating, is that if we just let people come onto the platform, didn’t provide any context, any best practice, any instruction or any tutelage around how to use the platform, similar to how an editor ten years ago learned how to use an Avid Media Composer or used how to learn any other editor. They went through a course, they went through some type of training, some type of indoctrination of process and institutional knowledge of how we do things in this industry. So, there’s a lot of that similarity into how we do things when we onboard people into this eco-system, it’s just that the characteristics are slightly different because of the eco-system.
Larry Jordan: What advice would you give to a producer who’s never had to work with the BeBop platform before? They’re coming to it for the first time, they’re understandably nervous, and are trying to figure out, “How do I fit this in? How do I keep my media secure?” What questions should they be asking and what should they pay special attention to?
David Benson: I think it really comes down to a lot of the same things that producers ask today, so we work with the MPAA, we work with the Trusted Partner Network, we’ve worked with various different security audit firms that do a lot of the work in the industry for the large studios and media companies. And a lot of those questions are the same ones that a producer would have asked in the past. The differences are really instead of “Where’s your facility? And what kind of locks do you have on the door?” The questions are more around, “Where’s your virtual facility, and what regions are you providing services in, what Cloud providers are you doing that with, and what does your partnership look like? How are those relationships managed?” and things like that.
David Benson: To that end, we’ve done a lot of work with those same organizations to help push the envelope a little bit with current certification programs so that they’re a lot more Cloud centric and a lot more Cloud relevant. If you can imagine two, three, four years ago, a lot of those programs, the Trusted Partner Network wasn’t even in existence yet, but the existing MPA programs and traditional programs were really designed around certifying facilities that were handling secure content. So it was very focused around door locks and door combinations and policies of people coming in and out of those facilities and so on. Those are, I don’t want to say not relevant, but they’re less relevant for a company like BeBop because we essentially offload all of that complexity to three of the largest companies in the world that are spending the most money that’s ever really been spent on security and compliance and all of these issues.
David Benson: So I think a culminating point on this whole thing is that really is something that I come back to a lot, is the amount of money and attention and ongoing investments that is happening between just say Amazon, Microsoft and Google from the largest public Cloud service provider perspective, that is going on today and will continue and increase as we move forward, is unprecedented. To go back to a comment that you mentioned earlier in terms of people being more secure or more confident in on premise facility, I would almost argue at this point that it is safer for it to be in a public Cloud environment with the proper best practices and management around it. That last part is a very key piece of it.
Larry Jordan: If I’m a producer that’s never been in a Cloud environment before, aside of course from using email or other Cloud communication services, am I smart enough to be able to figure out BeBop? Or do I need to have an IT department and really be working for a large facility to be able to use your tools?
David Benson: Ironically speaking, if we do have challenges sometimes in getting folks or new customers up online, those complexities typically come from larger facilities because their networks have lots of different things going on on them. We very rarely, if ever, have any types of customer support issues or questions or any issues whatever, for users that are using BeBop from remote locations, from their homes, while they’re traveling, and so on. So a longer way to answer your question, any user from an individual to somebody at a large studio that does have a large IT department can get on and use BeBop pretty much in the same way and with the same process, the same knowledge base.
Larry Jordan: Aside from enterprises who I can understand, but is there an ideal type customer on the smaller side?
David Benson: I would say that we align very closely these days with our partner Adobe. The answer to that question would probably align closely to the way Adobe would answer the question in terms of their much larger almost individual and individual producer from a person perspective, to individual or small production companies that are doing both editorial and traditional production for film television and OTT production, to visual and special effects that are done with other parts to their Creative Cloud Suite.
Larry Jordan: For people that want more information about BeBop’s products or to begin working with BeBop, where can they go on the web?
David Benson: www.beboptechnology.com and there’s a form that can be filled out there and we’ll reach right out to you to get in touch.
Larry Jordan: That website is all one word, beboptechnology.com and David Benson is the CTO and co-founder of BeBop, and David thanks for joining us today.
David Benson: My pleasure, thank you Larry.
Larry Jordan: I want to introduce you to a new website. Thalo.com. Thalo is an artist community and networking site for creative people to connect, be inspired and showcase their creativity. Thalo.com features content from around the world with a global perspective on all things creative. Thalo is the place for creative folks to learn, collaborate, market and sell their works. Thalo is a part of Thalo Arts, a worldwide community of artists, film makers, and storytellers. From photography to film making, performing arts, to fine arts and everything in between, Thalo is filled with the resources you need to succeed. Visit Thalo.com and discover how their community can help you connect, learn and succeed. That’s Thalo.com.
Larry Jordan: Emery Wells is the CEO and co-founder of Frame.io, a video review and collaboration platform used by hundreds of thousands of media professionals and companies. Before Frame.io Emery was an award winning producer, and visual effects supervisor. Hello Emery, welcome back.
Emery Wells: Hey Larry, always a pleasure to be here.
Larry Jordan: It is always fun to talk to you because you’ve got this wonderfully unique perspective on the industry and tonight we’re looking at security for our media. As we were planning this show, I realized that security is a very broad term that covers a lot of different uses, and media and applications. So let’s start with something hopefully simple. How does Frame.io define security?
Emery Wells: I think broadly the way we define security is ensuring that nothing happens to your media that you didn’t want to happen. That means no-one can access it, people that are not supposed to access it can’t access it, people that are not supposed to be able to manipulate it can’t manipulate it. Any data that you upload to Frame.io is secured and encrypted, we’re following all of security best practices. I am not a security expert, I have had, as you said, a unique position as the CEO of a company that is extraordinarily security focused and so I’ve had to learn a lot about security over the past few years. At Frame.io we’re trying to move more and more of the post production process into the Cloud.
Emery Wells: I think on our very first interview, the immediate thing that you flagged, many years ago, four years ago, is “How do you do this securely?” If I look back four years, I think we were naïve. We didn’t have the expertise at the time at the company to really make any kind of broad security claims. We were following best practices, we were doing things like encrypting your data in transit and rest, but as I’ve come to learn over many years, and as we’ve built a really amazing dedicated security team, we hired one of the leading security researchers from AT&T cyber security researchers. He has dozens of patents on cyber security research, and he’s led our security efforts. There are just hundreds of things that we’ve done on the infrastructure side, there’s hundreds of things we’ve done on the software client side, there’s a lot that we’re investing in the content security side, around watermarking and encryption. So it’s a whole host of things.
Emery Wells: One of the most important things that I think everyone needs to understand about security is that first of all, there’s nothing that is truly 100 percent secure. I say that with the understanding that we all use online banks, and our money is stored, and potentially vulnerable in all different aspects of our lives, so we can get to a place where we can feel extraordinarily secure with our investments in data, our investments with money. We do it every day. But it is an ongoing process, it is not a check box. It is something that you have to do every single day. If we were secure at one snapshot in time, if we were secure today, it doesn’t mean that we’re secure six months from now. The landscape changes so quickly, the vulnerabilities change so quickly, the threats change so quickly.
Emery Wells: So really someone that can claim to be bank level secure, a lot of people use the term, bank level encryption, that is just one tiny aspect of security. You can use encryption, that does not mean necessarily that your entire platform is secure. There could be lots of other ways that you could be compromised. So, really security you think about more as an everyday motion. What are the processes that you’re putting in place and how do you monitor those processes, how do you audit those processes? And that’s what a lot of the compliance stuff is about, so we’ve now met various security compliance needs, so we have SOC2 type 1 compliance. We’re actually in the process of doing SOC2 type 2 compliance. The difference between SOC2 type 1 and SOC2 type 2 is that SOC2 type 1 is a snapshot in time. It means that a third party, independent auditor came and evaluated all of our security systems, top to bottom, and they deemed that we were compliant. SOC2 type 2 means that they will come back six months later and they will assess if we have been following security practices as we claimed that we were going to, and do we have the audit reports? Do we have all the documentation that shows that our motion of work every day is secure? So that’s what we’re actually doing right now, our SOC2 type 2 compliance.
Emery Wells: We also did our TPN compliance and TPN is a new joint initiative between the MPAA and CDSA which is a new global security standard for content, and we went through that audit. There’s a number of things that you don’t think about. You think of the technology security but there’s also physical security we have to have throughout our organization and make sure that we’re physically securing the devices that have access to other parts of our digital infrastructure. So it’s very comprehensive, and that’s what these compliance reports provide. Now a customer can request to get one of our audit reports and they can feel safe knowing that we have invested a lot of time and a lot of money to follow a bunch of procedures.
Emery Wells: The unfortunate thing about security is that it’s expensive. There’s no way around it. If you’re a small company it’s pretty difficult to claim that you’re really truly going to be secure. We’ve invested millions of dollars at this point, we’ve hired a dedicated security team and just going through all of these processes for compliance, not only does it add tons of time to our everyday motion, we have to do lots of extra work, but it costs money to do the audits. Hundreds of thousands of dollars. We’ve worked with various third party auditors, we’ve worked with ISE, Independent Security Evaluators, they are one of the leading security evaluators for the media industry. They do all of Disney’s audits.
Emery Wells: So in short, it’s complicated, it is multifaceted, it is expensive and it is time consuming. But it’s also critically important. What we recognize as we started growing the company is that security has to be a core pillar of what we’re offering. We are living in an age where we hear about security breaches happening all the time. Security just seems to be the thing that’s at the forefront of everyone’s mind, for good reason, especially if you’re doing the tier one content, the Hollywood feature films, the episodic television. You can almost think of that like cash. It’s like holding cash in a bank. If someone were to get access to Stranger Things season four, three, four, five months ahead of schedule, that would be bad. That’s like someone breaking into your bank account. So we’ve done a tremendous amount of stuff to ensure that we’re actually set up to secure the most sensitive tier one assets.
Larry Jordan: I accept that Frame.io has to go through and has gone through, a tremendous effort to become secure, but to me that seems like it’s only part of the equation. The producers also as you say, need to focus on the process of being secure, and it isn’t just flipping a switch. What do producers need to think about to make sure they’re keeping their projects secure?
Emery Wells: There’s a number of parts to that we don’t touch and that a producer would. The funny thing is I understand why there’s a lot of focus on Cloud security because it feels the most vulnerable. But when you work with a company that is sufficiently large and has gone through the compliance requirements and can prove that they’re operating in a secure manner, in some ways you might be able to claim that they’re the most secure part of your entire operation. Having a PA take a drive from point A to point B is probably not so secure. Or holding the drives in your facility that could easily be broken into, maybe not so secure. I think there’s a lot of unsecure things that we do in our everyday process but we have trust baked into those processes, even though they’re not secure we have trust baked into those processes. There’s a person that we know that’s doing a thing, I think in many ways that a service like Frame.io and others that make the investment are more secure than on prem solutions.
Larry Jordan: Which gets to, I think, another core part, is that we worry about the people we don’t know, Frame.io in this case. We don’t worry about the people we do know, and we don’t focus on what we can do locally to make sure that our projects are secure as opposed to worrying about these strange Cloud based companies. Is that a true statement?
Emery Wells: Well I think the customers that are most concerned about security probably think about all of it. I remember speaking to someone who led security at one of the major studios and he said to me, and I’ll never forget it, he said “Our main concern is not that people who are not supposed to have access leaking our content. Our biggest concern is the people who are supposed to have access leaking our content.” And they need the protections in place so that they can protect against the people who have been authorized to access their content.
Emery Wells: That gets into other types of security, so in that case, access controls are not going to help because they have access. So things you can do on the content security side, you can do things like session based watermarking. This is an area of investment for us right now, we’re going to have some water share on that, where that’s every individual, so say you log into Frame.io Larry, something for you to review, and you watch it, and it’s going to have Larry Jordan burned in with your name, your IP address, time stamp, your information is going to be burned in for that individual play session. Now if he or she were to share the review with somebody else that person will also have their individual information burned into that content. That’s a deterrent, so you know “Hey, maybe I shouldn’t leak this stuff because my name’s all over it, and I’ll probably get in trouble.” So there’s things like that.
Emery Wells: There is DRM, so you can only view it maybe within Frame.io, but if you were to download it it suddenly wouldn’t work. You wouldn’t have the DRM keys any more. So as you said, as we talked about, lots of different facets to security, and depending on what you’re trying to protect against, there’s different things you have to think about, different things you have to invest in.
Larry Jordan: So let’s step back to a smaller producer that’s not a studio. Based upon what you’ve learned, over the last four years, what should we as producers of smaller sized projects, think about as we’re starting to plan our security? What questions should we ask ourselves?
Emery Wells: This will sound a little self-serving, but I think that even the smaller producers get to benefit from all the work we’ve had to put in to appease the larger content creators, so all this work we’re doing, it’s not exclusively available for only people who are doing high end tier one content. Frame.io runs on the same one security infrastructure, so everyone gets access to it. So I would say that first if you’re concerned about security, and not everyone is, by the way. You know, I think people that do content that is shorter lived, and faster turnover and things like that, there are people that are just less concerned about it. But if you are concerned about it, choose your vendors wisely. Choosing companies that have the time, the scale, the money to invest in a secure infrastructure. That means unfortunately, that a lot of the tools that might be developed by smaller companies are not necessarily always safe if you are sending sensitive data to them.
Larry Jordan: With Frame.io products do we need to pay extra for security?
Emery Wells: Not for any of the base level securities. There’s nothing today. We have a handful of security features that are available to the enterprise customers that are not available on the base level products, like our watermarking features. But the infrastructure, the core infrastructure, secure infrastructure, all the work that we do with threat detection and IP blocking and all that ongoing work is something that everyone benefits from.
Larry Jordan: For people that want to learn more about the products that Frame.io offers, where can they go on the web?
Emery Wells: They can go to frame.io.
Larry Jordan: That’s all one word, frame.io, not dot com, frame.io and Emery Wells is the CEO and co-founder of Frame.io and Emery, thanks for joining us today.
Emery Wells: Thanks Larry.
Larry Jordan: You know, I was just thinking, as I was talking with our guests this evening, I realized that security is not an us versus them proposition. Instead, it’s a partnership. Each of us holds different pieces of the puzzle, our facilities, employees, contractors, vendors and Cloud services each have a role to play in keeping our assets and media secure. As Emery Wells made clear, a totally secure Cloud service can be instantly undermined by untrustworthy employees.
Larry Jordan: As I learned from David Benson tonight, Cloud vendors may be more secure than your local office. The key is to work with them to develop the trust you need that they can handle your assets securely. Security may be more an issue of understanding and trust than technology. And to reinforce another comment from Emery, security is a moving target. What we need in the future will be different than what we have today. Be sure to pick vendors and employees that are able to continue to grow and learn from our rapidly changing technology landscape.
Larry Jordan: Which brings me to another point I want to mention this week. I’m still reflecting on Mark Harrison’s thoughts about the biggest news from CES. The ability for end users to directly reach content creators and bypass the studio system. This is analogous to what happened to both the record and newspaper industries, to devastating effect. If you’re a content producer, Mark’s thoughts are great news. It means that you can take your projects direct to consumers more easily than ever. Though this also means that you bear all the responsibility for marketing and distribution. The gatekeepers that have traditionally funded and controlled distribution no longer block your access to the market.
Larry Jordan: If on the other hand, you’re a content producer or a studio or a network with a library of titles that you expect to earn revenue on, this is terrible news. It means that your brand name and your distribution clout are quickly diminishing in value as consumers search for titles and artists not distributors. There’s also, I think, a corollary. Big budgets for production, marketing and distribution are still controlled by the studios. As the power and reach of studios becomes bypassed, those budgets will also decline. Only sure hits will be likely to see significant financing. You only need to look at the perilous financial state of newspapers, magazines and the record industry to see the potential for significantly disruptive change in our industry.
Larry Jordan: We can’t reverse technological trends, nor their impact on the market, but we can reflect on them and think about where we are vulnerable, and where we can benefit. Consider Mark’s comments a warning that, as usual, more change is coming. Just things I’m thinking about.
Larry Jordan: I want to thank our guests this week, Mark Harrison with Digital Production Partnership, Jim Tierney with Digital Anarchy, David Benson with BeBop Technology and Emery Wells with Frame.io.
Larry Jordan: There’s a lot of history in our industry and it’s all posted to our website, at digitalproductionbuzz.com. Here you’ll find thousands of interviews, all online and all available to you today. Remember to sign up for our free weekly show newsletter that comes out every Saturday.
Larry Jordan: Our theme music is composed by Nathan Dugi-Turner with additional music provided by Smartsound.com.
Larry Jordan: Our producer is Debbie Price, my name is Larry Jordan, and thanks for listening to The Digital Production Buzz.
Larry Jordan: The Digital Production Buzz is copyright 2019 by Thalo LLC.