Entertainment Security: Managing Third Parties
Print Issue: October 2019
Technology is pushing Hollywood far beyond capturing starlets and classic monsters such as Dracula and the Wolf-Man on celluloid film, with digital now the industry norm. But film studios and television networks still have their own beasts to battle, especially in an age when content is king.
Instead of a werewolf, these firms focus on precautionary measures against spoilers and leaks, which could cost millions in lost revenue. A silver bullet to take down these threats remains elusive, not only because of the varied risk each individual product and its various stages can present, but also because both industry best practices and the technology used to create content continue to evolve.
Operating under the overarching goal of preventing content from leaking, especially onto the Internet, content management intersects with other protective measures, including cybersecurity operations and engineering, and supporting content as it develops from its earliest stages to broadcasting and distribution. The finished product is not the only target; leaks or spoilers can range from small components, like a set photograph taken by a snooping drone, to large ones, like an unauthorized script release.
“Anything about the film or the television series that leaks out prematurely can be a risk,” says Stevan Bernard, a senior security advisor and a former executive vice president for a major film production company.
If content creators or owners do not secure their product, Bernard says someone else will likely take it and try to monetize it. There are also individuals who aren’t seeking to profit from a leak—instead, they just want to test their abilities against the protections in place.
“It’s kind of like the Wild West,” Bernard adds. “They may not be doing it to damage your brand or alter your product... it’s just to be able to say they breached you. There are all kinds of bad guys out there.”
What often helps mitigate these risks is recognizing who shares your foxhole.
“This industry is very much well-known for sharing information, sharing what we call indicators of compromise,” says Stephen Fridakis, former vice president for media and tech operations for HBO. “If somebody is attacking one organization, most likely they will be attacking others, so we work very well together and we share information.”
Whether gleaned internally or from an outside source, threat intelligence paired with adaptable controls creates effective security for those seeking to keep content under wraps, especially for a heavy, scenario-based workflow like creating a movie or television series.
Part of securing content involves utilizing cybersecurity operations and engineering to focus on perimeter protection, cloud security, incident response and monitoring, and consumer-facing products. However, each aspect is relatively fluid, dependent upon the quantity and quality of the data involved.
According to Kurt Fischer, vice president for the Motion Picture Association of America’s (MPAA’s) content security program, the overall rigidity and amount of security a creator or studio may apply is ultimately influenced by the value of the content, such as a pre-aired, edited version of the next superhero blockbuster versus a rerun of Wheel of Fortune.
Content management also varies in its intensity depending on the production phase: pre-production, production, post-production, and broadcasting.
“Depending on where exactly they are, we get engaged and we discuss and manage how the data is going to be handled,” says Fridakis, who is now the chief information security officer at WW.
Like other companies that can both create and distribute, HBO may be handling dozens of separate productions at a given time. Before the cameras start rolling, during a project’s pre-production phase, a firm’s security team works on setting up barriers and protective measures around each aspect of the production.
“There is the onboarding of the cast and the crew; there is a lot of discussion about how it’s all going to flow,” Fridakis says. This includes determining and reviewing shoot locations, how sensitive content—like the script—will be edited, and who will have access to each facet of the production.
During these briefings, Fridakis’s team recommended to production staff, especially actors who tend to have heightened social media followings, that they “whitewash” their social networks, by not sharing anything online related to their current project until an agreed-upon time. Any posts that could contain a spoiler or leak would also need to be removed or deleted.
Even if there is no malicious intent, posting a picture to share a new costume or a great scene that a cast member was working on can still reveal too much of the story, especially for high-risk shows. “But that's the kind of thing that on a production phase, you would be looking for,” Fridakis says.
Once a project enters production, compartmentalization aids with aspects like “dailies,” a collection of raw film shot over the course of a single day. Dailies are transmitted to authorized persons, such as producers and directors, for further review and editing.
Despite the limited amount of information dailies contain compared to the final product—single scenes are significantly less damaging if leaked online—dailies are still surrounded by layers of security, ranging from monitoring access, securing the delivery format, saving the files, and managing the dailies’ availability to outside individuals.
There are also barriers around valuable items like the script, which often does not appear as a book for people to easily pick up and peruse—this is another aspect of the production process that is almost entirely digitized. Companies are veering more towards securely housing and sharing scripts through a preferred application, according to Fridakis.
“The problem with that sometimes becomes remote locations where there’s no access to Internet. So that’s where we come in and we bridge the gap,” Fridakis says. In those instances, the script is placed on a device that can be remotely erased if compromised or lost.
The production stage involves other sensitive information, including details about actors’ schedules, allergens, or illnesses, which can still affect those associated with the production.
“We feed people; we send cars to pick them up; we arrange their travel,” Fridakis says of protecting staff. “We have that information under very secure systems, and obviously that is very sensitive for us.”
Given the various sensitive facets on a single production, Fridakis adds that having an established and trusted relationship with a film crew specific to a location is helpful. Both Sex and the City and Girls were filmed in New York City, and for both productions HBO relied on the same crew: electricians, grips, cameramen, makeup artists, and more.
“Obviously, individuals may come and go, but the core crew is the same,” Fridakis says. The industry’s exclusive nature works in content security professionals’ favor in this case—the crew is briefed and onboarded at the very beginning of shooting the first season of a show. As time goes by, those crew members can pick up refresher courses, but they do not need to be reintroduced to the studio’s security procedures.
After the wrap party, the sets are torn down, cast and crew head home or to the next gig, and post-production begins. Editing, special effects, overlaying a musical score, subtitles, and dubbing—most of these services are provided by outside firms or companies, but all of them require access to at least some portion of the movie or show.
Production houses must have faith that third-party providers (TPP) are safeguarded against leaks. This is the stage where trust and collaboration become crucial.
“Our business relies heavily on third parties,” Fridakis says. “You cannot make a series, you cannot develop a documentary on your own. You require heavy collaboration.”
In the United States, some of that collaboration comes from the MPAA—which does more than determining a film’s rating. The MPAA represents Paramount Pictures, Sony Pictures, Universal Pictures, Walt Disney Studios, Warner Bros., and Netflix. It recommends best security practices for the industry, offering a baseline for effective protection when handling content and trying to avoid leaks in a physical or digital format. Free and publicly available for global content owners and TPPs, these detailed guidelines are predicated on international security standards.
“The best practices have been an evolution,” Fischer says, adding that they keep up with trends and members’ needs, as well as the latest innovations in filmmaking and technology.
“Now it's obviously migrating as the industry has evolved,” Fischer explains. “We have to evolve our best practices and focus a lot more on digital security, on making sure networks are segregated, and that people aren't sharing things inappropriately—through social media—so those have been written into the guidelines as well.”
Fischer adds that although the MPAA does not certify, accredit, or endorse TPPs, it does provide security assessments throughout the world to analyze and score how well vendors adhere to its best practices.
In 2018, the MPAA partnered with the Content Delivery and Security Association to launch a joint venture based on the MPAA’s best practices. The Trusted Partner Network created a directory of assessed industry vendors, and those assessments are available for review to content owners. Ultimately, however, the decision whether to use a particular TPP lies with content owners and studios.
While the MPAA did a lot of the heavy lifting, for Fridakis, a studio’s security team should still kick the tires itself—especially when considering a new company. Speaking with employees and spotting whether security protocols meet a studio’s standards through an on-site audit can help determine if a TPP is right for a project.
When auditing a TPP, Fridakis says he would want to know how and where the content a vendor receives will be stored and received, who will have access to it, how it will be returned, and how any remnants will be destroyed and scrubbed from the TPP’s system.
“In essence, we make them an extended part of our operation. Some of them are very sophisticated and some of them are truly mom and pop,” Fridakis says. Regardless of their size or sophistication, TPPs are still incorporated into HBO’s response and product management practices.
On top of vetting vendors or relying on trusted ones, security teams can also limit how much data each TPP receives, dependent upon the scope of the work assigned to it. Part of the upside of transitioning to digital film over celluloid and paper is reducing the physical risk of product loss, according to Bernard.
To further reduce the risk of loss, the data is sometimes sent in multiple packets, and digital keys are used to limit authorized users’ access time. High-risk products, like Game of Thrones and the final season of Breaking Bad, receive additional security measures. (See “Valuing Content” below.)
While some vendors or downstream distributors would typically receive weeks for certain jobs, like dubbing over all non-native speaking dialogue in a film, high-risk project work may be due in mere days.
Although sharing access to the product for even that abbreviated amount of time can make studios nervous, Fridakis says he understood that his team needed to be considerate when negotiating with TPPs.
“First of all, it takes more than an hour to transmit these files,” he adds. “But independent of that, you have to be reasonable. But, to allow them to do their dubbing, to do their subtitling and everything else, we come up with a negotiation where what we may decide to do is to send files that are not fully baked.”
For instance, studios can send TTPs “half-baked” pre-production files, which are of poor video quality or missing some final visual effects, but still accurately represent the script.
“In order for you to dub a movie, you do not need to have the full movie,” Fridakis says. “As long as you can see the moving of the mouths, in a general placement, it’s done in a way that you can truly facilitate that.”
Security teams also look for editors and special effects providers that offer self-contained services, untethered and disconnected from the Internet. Their portion of the data can be sent on a portable disc with security controls, making it unusable if stolen; the controls are reinstalled when the services are applied and sent back to the studio. Even this method has some hiccups, however, such as reusing discs that may retain data from a past project.
Security standards also become more stringent towards TPPs that will handle pre-air content, finished materials that have not yet been broadcast—often considered the crown jewels of a product.
“If somebody gets pre-air content, then we’re going to take them through a very thorough security review,” Fridakis says. Because telling a producer that he or she can’t use a preferred vendor can result in significant delays (translating into millions of dollars lost), Fridakis usually worked with the producer’s preferred TPP to establish additional controls, as needed, at the vendor’s facility to keep production on track without sacrificing intellectual property protection.
Given the highly varied and scenario-based nature of this supply chain, MPAA's Fischer recommends that security professionals understand the content and its sensitivity, as well as their clients and their risk appetites when determining protocols around the production.
“I’m not sure there’s a silver bullet,” Fischer says. “There's not one thing you can say that will cover all different scenarios.”
The Next Generation
More devices now offer access to content under the growing umbrella of the Internet of Things. Content control security methods are also expected to evolve, especially as risk to content rises with the increase of different avenues of access and the expected benefits from improving technology.
“Everybody’s going to be connected; everybody wants content,” Bernard says. “Because it’s so much easier to view and enjoy today than it’s ever been before; there's just more of it.”
And with increasing demand comes increasing risk, and a greater interest in leaking products before their official air times.
Applying blockchain technology to distribution or broadcasting mediums could eventually result in a way to mitigate the risk of leaks. Fridakis says he hopes that innovation will lead to the ability to distribute content through a platform that assures the consumer receives what the broadcaster meant for the viewer.
“Also, if content is compromised, you’ll be able to very easily render it unusable without even having to retrieve it,” he says.
A growing number of privacy regulations are also likely to impact studios and content owners, especially for companies providing streaming services or collecting user information. On top of established regulations like the U.S. Viewer Privacy Protection Act, budgets are likely to be rearranged to accommodate and adhere to evolving U.S. state legislation and regulations imposed by larger entities, such as the EU’s General Data Protection Regulation.
“We also see a big shift of dollars from traditional operational security to privacy and regulatory compliance,” Fridakis says. “I think you’re going to see more and more of that happening.”
The final seasons of Game of Thrones and Breaking Bad were considered high-value, high-risk products, each with estimated values of millions of dollars. Blockbuster films are expected to generate millions, sometimes even billions, in profits.
Determining a product’s worth is crucial to right-sizing security. While the cost to create a product can help determine its value, it’s not the only facet that matters.
“You have to look at what has a high level of appeal or interest,” says Stephen Fridakis, former vice president for media and tech operations for HBO. Potential marketplace and merchandising opportunities are also considered, and all aspects are weighed against how much effort a studio or owner wants to put into protecting the project.
One tool studios can use to determine appeal, especially for a new production, is a private viewing for a test audience. Shown prior to finalizing the product, it gives studios and creators a chance to get feedback and make changes.
During the test viewing, security measures are perhaps more noticeable, with personnel walking along the aisles or using night-vision goggles to ensure no one attempts to record the film on a personal device that could upload pre-air content.
“If a product leaks and it went on the Internet, you’re never going to get it back,” Stevan Bernard, a senior security advisor, says.
Ultimately, the higher the expected value of a product, the more security it receives, especially post-production but pre-air. “Anything that spoils that, it takes the magic of the storyteller away from the audience,” Fridakis says.
Sara Mosqueda is assistant editor at Security Management. Contact her at [email protected]. Connect with her on LinkedIn.