Configuring broadcast facilities for maximum security is one of the most straightforward ways to ensure business continuity—no matter what crisis may arise. In news production, which has keenly felt the impact of the COVID-19 pandemic, how can teams safeguard remote workflows to support a distributed workforce while also protecting resources with a growing number of inputs, users, and outputs?
The effects of the last 18 months have forced broadcast organizations to grapple with ever-shifting daily challenges. Beyond the unpredictability of the pandemic, concerns such as the sharp rise in ransomware and other cyberattacks, as well as climate-related threats to broadcast and data centers, have highlighted the need for disaster recovery planning and a secure infrastructure.
Avid has always designed disaster recovery solutions with an eye toward minimizing risk and ensuring business continuity at different functional levels. It's true that this is a heavily technology-oriented area of development—continued innovation is fundamental to staying one step ahead of emerging threats. However, as news production witnesses a surge in remote access due to increasing levels of distributed production, the entire team has a hand in keeping data secure. In short, security is everyone's responsibility, and it entails continuous monitoring and improvements.
8 Critical Security Questions for Broadcasters
By its very nature, news is a fast-paced and highly responsive environment involving contributions from a large pool of employees and freelancers. A growing number of news sources from users (i.e. user-generated content), IP cameras, apps, encoders, and traditional satellite and fiber, combined with a distributed workforce and growing number of employee devices vying for resources presents a series of security challenges. This makes it more vulnerable than some other areas of broadcast to security risks, such as those associated with server access and content exchange. In a recent webinar, Avid's VP of Architecture Shailendra Mathur laid out eight questions for security teams to ask themselves:
- How do I ensure that my production environments are protected from intrusion?
- How do I exchange and store my data securely?
- How do I identify the people who can access my data?
- How do I find the root cause when a breach occurs?
- How do I provide my administrators with centralized control over security?
- How do I protect my brand from manipulation and deepfakes?
- How do I ensure that my application is not compromised?
- How do I pass my infosec and client's stringent security requirements?
Shared Responsibility and the Zero Trust Model
The weight given to each of these considerations will inevitably vary between organizations, security best practices for remote access should be a universally high priority. In particular, there is now a general acknowledgment that the long-standing reliance on virtual private networks (VPNs) for giving remote workers access to an organization's network and applications is no longer fit for purpose. The US-based National Institute of Standards and Technology is among the groups to have warned that VPNs are not sufficient to secure the intricate mesh of remote devices, internal networks, and cloud services.
Even by the standard of modern broadcast organizations, news production typically involves an extensive array of talents. When producers, editors, and field reporters are all in the mix, the VPN model of using perimeter security—which assumes that anyone with the correct logins is acting in good faith—isn't up to the task. It's also worth noting that variable bandwidth means VPNs are just not a practical option for some users.
All in all, then, it's not surprising that news broadcasters have increasingly embraced a Zero Trust security strategy, which aims to make no assumptions at all. Instead, it involves evaluating as many variables as possible to combat illegitimate activity. In order to help mitigate risk, access is allocated on the basis of roles or context. This might mean, for instance, that a producer is able to access an asset management system from their home network but will be asked for further authentication if accessing from a public space.
Acknowledging this may prove to be the first step on an extended journey to achieving a fully secure Zero Trust infrastructure—although it is undoubtedly helpful that broadcasters now have access to more easy-to-deploy solutions that have this strategy at their core. For instance, from Avid's own portfolio, MediaCentral provides centralized security controls over users and group permissions for all the apps and services it contains. Since Zero Trust asks for authentication for all APIs and messages, it also offers the ability to integrate third-party identity providers.
There's also considerable scope for more granular control over access within the MediaCentral platform. The platform can support multiple roles, each with its own restrictions, and offers content-based access and legal lists functions. In essence, it's very easy for senior news producers to restrict access to applications and resources based on a reporter's or editor's specific responsibilities.
As compliance expectations become more acute in many locations, these kinds of capabilities help lay the foundation for broadcasters to satisfy security regulations and protect news teams.
5 Steps to Building a Zero Trust Security Model
Media security is one area where a one-size-fits-all approach will never be appropriate. As some news organizations become more specialized or orient themselves toward specific audience profiles, their security strategies will have to adjust to fit those unique needs. However, Avid Lead Solution Architect of Strategic Solutions Gurparkash Saini recently defined five zero trust security best practices that can provide a useful starting point for companies everywhere:
- Survey your technical architecture.
- Define an identity policy.
- Create a strategy for defining good behavior.
- Systematically and iteratively re-architect.
- Proactively monitor activities in your network.
As broadcasters prepare for the next era of news production, the industry is set to prioritize a rigorous understanding of roles and responsibilities, a commitment to ongoing improvement, and an awareness that good behavior must go hand in hand with good technology—making room for secure but infinitely more fluid and flexible infrastructures.
