Following on from Reid Caulfield’s excellent article on content security and the role of trust certification, Netflix released a statement saying that they do not require trust certification from bodies like TPN. Instead, they publish their own Content Security Best Practices for facilities and, for home-based workers, Home Studio Security Guidance. In this article we take a look at the advice and recommendations offered by Netflix, to help home-based workers and smaller facilities put realistic security practices in place.
In an attempt to make life easier for their content creators, the Netflix Studio Information Security team has put together what they believe are best practices for any entity handling pre-release Netflix content. Netflix stresses that these are a set of recommendations and that “Netflix does not, nor has it ever required participation in TPN or any other industry security assessment program”.
This article uses Netflix’s advice as a basis but also draws information from other sources including advice from Avid, advice from the Motion Picture Association as well as articles on Production Expert.
Content Security Best Practices For Facilities
Netflix recommends that facilities consider these as a baseline of high-level recommendations.
“Each best practice is not meant to prescribe a specific solution; rather, they are ideal end states with many different methods and means to achieve them. We encourage you to take a risk-based approach to content security ensuring that your specific risks are addressed by your security framework. We will work with you to ensure that any specific Netflix security asks are based on project-specific needs”.
Evaluate And Create A Plan
A lot of this is common sense: look at your systems, consider what could go wrong, and work out a strategy so that, at best, you prevent a security breach and, if there is one, you have a plan in place so you know exactly what to do and who to contact.
Security Management
You should document your information security philosophy and rationale as clearly as possible.
This is so that, if the worst happens, you can show that you considered the options and did your best to plan for them. It also means that if an individual ignored or bypassed your documented policy, some or all of the responsibility could land at their feet.
You should implement a security training and awareness program.
This is so that all of the people in your organisation understand what security measures you have in place, why they are there and why they should apply them in everything they do.
You should conduct regular security awareness training for all your staff and freelancers as well as ensuring remote workspaces are adequately protected:
Secure every home router and invest in firewall and antivirus software for remote devices.
Use a modern, encrypted VPN for remote access.
Partition home networks to reduce the "threat surface" of unnecessary devices and users tangentially connected to the post-production facility's network. For example, instruct employees to use their work devices on a separate network that connects remotely to on-prem environments; that way, they stay distinct from personal devices, such as Internet of Things (IoT) devices that are vulnerable to cyberattacks.
Remotely manage software patches and upgrades and third-party software installations on end-user machines.
You should regularly assess risk.
This is really important. In our research for this article it became clear that risks change, and as with most security measures you are in a race to stay one jump ahead of the people and organisations trying to steal what isn’t theirs. Protocols change, and criminals find weak points in security systems that need patching, or working practices that need changing to close that door. We are dealing with very high-value material, which means there are people who will try to acquire it by any means necessary.
Particularly when securing media, a chain of custody log covering file transfers, access and deletion will help to identify the source of any leak or inadvertent access. Measures such as visible watermarking and invisible file fingerprinting can deter screen capture or theft and provide valuable forensic information if needed. The changes in working practices accelerated by the pandemic, above all the mass move to working from home, mean that measures like these are even more critical to safeguarding remote workflows.
So you should conduct regular threat assessments and vulnerability scans to ensure…
Media is suitably encrypted in local and remote storage locations and during file transfers.
Chain of custody logs are in place for media management and transfers.
Media is visibly and invisibly watermarked.
Freelancers and employees understand screen sharing security best practices.
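As an added illustration of what a chain of custody log can look like in practice, here is a small Python implementation; it is not code from Netflix, the MPA or this article. Each entry is chained to the previous one by hash, so an edited or removed entry can be detected, and each records the SHA-256 of the file’s contents rather than just its name, so a swapped or modified file shows up too. The actors, asset name and file content are constructed sample data.

```python
"""Tamper-evident chain-of-custody log for media files.

Added example for this article, not code from Netflix or the MPA guidance.
Every entry records who did what to which asset, the SHA-256 of the asset's
bytes at that moment, and the digest of the previous entry, so that altering
or removing an earlier line breaks the chain. Actors, asset names and content
below are constructed sample data.
"""
import hashlib
import json
import time
from typing import List, Optional, Tuple

ACTIONS = {"ingest", "transfer", "access", "delete"}
GENESIS = "0" * 64  # "previous digest" of the very first entry


def content_digest(data: bytes) -> str:
    """Hash the bytes, not the file name: a renamed or swapped file shows up."""
    return hashlib.sha256(data).hexdigest()


def entry_digest(entry: dict) -> str:
    """Hash a canonical JSON encoding so key order cannot change the digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def head(self) -> str:
        """Digest of the latest entry. Publish it out-of-band (e.g. in the
        delivery email) so the tail of the log cannot be silently cut off."""
        return entry_digest(self.entries[-1]) if self.entries else GENESIS

    def record(self, actor: str, action: str, asset: str, content: bytes,
               ts: Optional[int] = None) -> dict:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = {
            "ts": int(time.time()) if ts is None else ts,
            "actor": actor,
            "action": action,
            "asset": asset,
            "sha256": content_digest(content),
            "prev": self.head(),
        }
        self.entries.append(entry)
        return entry

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first broken entry or None).
        With expected_head, a truncated or rewritten tail is also detected."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev:
                return False, i
            prev = entry_digest(entry)
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None

    def history(self, asset: str) -> List[dict]:
        return [e for e in self.entries if e["asset"] == asset]

    def content_changed(self, asset: str) -> bool:
        """True if the asset's bytes differed between any two recorded events."""
        return len({e["sha256"] for e in self.history(asset)}) > 1


def build_sample_log() -> CustodyLog:
    """Constructed scenario: ingest, hand-off, access and delete of one reel."""
    reel = b"constructed stand-in for the bytes of ep01_reel1.mov"
    log = CustodyLog()
    log.record("ingest-op", "ingest", "ep01_reel1.mov", reel, ts=1)
    log.record("ingest-op", "transfer", "ep01_reel1.mov", reel, ts=2)
    log.record("editor-1", "access", "ep01_reel1.mov", reel, ts=3)
    log.record("editor-1", "delete", "ep01_reel1.mov", reel, ts=4)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    published_head = log.head()
    print("intact:", log.verify(published_head))
    log.entries[2]["actor"] = "someone-else"  # rewriting history
    print("after tampering:", log.verify(published_head))
```

The important design choice is that the chain only protects entries that have a successor. The most recent entry can still be rewritten or dropped unless its digest (the head) is recorded somewhere the log’s custodian cannot quietly change, such as the delivery email to the client; that is what the `expected_head` argument checks.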
Netflix recommends that you should ensure all your hardware and software is kept up-to-date. This is a key part of managing the risk.
According to the Motion Picture Association's (MPA) security best practices documentation, "all point-to-point (e.g., VPN, private fibre, etc.) connections within the organisation through which content travels should be documented and reviewed for usage and business validity at least every six months, three months recommended."
For example, all computers should be running a recent operating system. Apple only provides security patches for its most recent macOS releases (Netflix’s guidance asks for one of the last two), so a computer still running an older version such as macOS Mojave gives attackers a weak point from which to gain access to your network.
You should implement an incident response plan that documents exactly what you should do if the worst happens and there is a security breach involving client data or materials.
In the case of Netflix, they have a dedicated Studio Information Security email address, which you can use to report a ‘security incident’.
Consider and implement a business continuity plan.
What if the worst happens? In a crisis we often don’t think straight and panic. However, if there is a plan and a checklist to work through that has been considered carefully beforehand, people can work their way through the checklist and make sure they do not miss anything.
One of the best examples of this is how airline pilots work. They work through predetermined checklists for all the routine events, but they also have checklists for the ‘what-if’ moments. If you have ever watched the movie Sully, you will know what we mean.
Ensure only people working on a specific client project can access the content relating to that project.
In our research for this article the concept of least privilege, which underpins the zero-trust approach, came up repeatedly. A zero-trust model essentially reverses the VPN’s perimeter-based methodology: rather than trusting users with everything once they’re inside, it gives each user access only to the systems and media resources they need to do their job. The intention of a least-privilege structure is that if someone hijacks a login, the attacker cannot reach other critical media or networked resources, which limits the damage of the breach.
Anyone who is not a part of the project and who views the content should sign an NDA.
Although this in itself won’t stop someone intent on stealing content from doing so, it does provide a paper trail and makes sure the person signing the NDA is aware of the issues.
Define who is responsible for key security functions.
This may seem obvious, but how many times have you seen, when something goes wrong, people saying that they thought the other person was responsible for doing that, with the end result being that no one does it, and the system breaks down.
Network
Implement network connectivity based on least-privilege if appropriate (e.g. zero-trust or network segmentation via VLAN or physical air gap).
To begin the shift to zero trust security, here are some steps to consider…
Survey your technical architecture and inventory existing networks, devices, cloud services, media storage, and users.
Define an identity policy to authenticate authorised users.
Define normal network activity and what it means to monitor for bad behaviour.
Plan and implement the redesign of your post-production security in stages as the business allows; it will be very difficult, if not impossible, to do it in one go.
Proactively monitor and respond to network activity. Implement an auditing and logging system (network activity, connections, traffic, etc.) and actually respond to the red flags it raises, so that problems or breaches are caught early.
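To show what “respond to red flags” can look like once you have logging in place (and what the automated alerting on user logins described under Identity below would key on), here is an added example that is not part of the Netflix guidance or this article: a small Python detector run over a handful of constructed VPN authentication log lines. The log line format, the per-user device baseline and the “quiet hours” window are all assumptions made for the example; a real deployment would read its VPN or identity provider logs and a baseline built from past activity.

```python
"""Red-flag detection over VPN authentication logs.

Added example for this article; the log format below is an assumption, as
are the device baseline and the 00:00-05:00 UTC quiet-hours window. Three
rules are applied to each successful login:
  1. fail_then_success: several failures followed by a success (password
     guessing or a stolen password being tried)
  2. new_device: success from a device not in the user's baseline
  3. quiet_hours: success at an hour the facility is normally idle
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) result=(?P<result>ok|fail) "
    r"src=(?P<src>\S+) device=(?P<device>\S+)$"
)

# Constructed sample log, in time order. 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    "2023-03-01T02:10:40Z vpn auth user=bob result=fail src=203.0.113.7 device=unknown-7f3a",
    "2023-03-01T02:11:02Z vpn auth user=bob result=fail src=203.0.113.7 device=unknown-7f3a",
    "2023-03-01T02:12:19Z vpn auth user=bob result=fail src=203.0.113.7 device=unknown-7f3a",
    "2023-03-01T02:14:05Z vpn auth user=bob result=ok src=203.0.113.7 device=unknown-7f3a",
    "2023-03-01T09:02:11Z vpn auth user=alice result=ok src=198.51.100.23 device=mbp-alice-01",
    "2023-03-01T10:15:33Z vpn auth user=carol result=ok src=198.51.100.40 device=pc-carol-02",
    "this line is deliberately unparseable and must be skipped",
]

# Constructed baseline: devices each user has logged in from before.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice": {"mbp-alice-01"},
    "bob": {"pc-bob-01"},
    "carol": {"pc-carol-01"},
}

Alert = Tuple[str, str, datetime]  # (rule, user, time of the login)


def parse(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect(lines: List[str], known_devices: Dict[str, Set[str]],
           fail_threshold: int = 3, window: timedelta = timedelta(minutes=10),
           quiet_hours: range = range(0, 5)) -> List[Alert]:
    """Apply the three rules to the stream of events and return the alerts."""
    alerts: List[Alert] = []
    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        user, ts = event["user"], event["ts"]
        if event["result"] == "fail":
            # keep only failures inside the sliding window
            recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            continue
        fails_in_window = [t for t in recent_fails[user] if ts - t <= window]
        if len(fails_in_window) >= fail_threshold:
            alerts.append(("fail_then_success", user, ts))
        recent_fails[user].clear()
        if event["device"] not in known_devices.get(user, set()):
            alerts.append(("new_device", user, ts))
        if ts.hour in quiet_hours:
            alerts.append(("quiet_hours", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"{ts.isoformat()} {user}: {rule}")
```

On the sample data bob trips all three rules at once (a stolen-password pattern), carol trips only `new_device`, and alice trips nothing. In a real facility the combination is what matters: one rule firing is a question for the user, three at once is an incident that should go straight into the incident response plan.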
Endpoint (e.g. Workstations, Servers)
Ensure endpoint devices that handle/store content are in a secure state at all times (e.g. firewalls and disk encryption enabled; password protection)
Use a virtual private network (VPN) for remote access to the network, ideally with multi-factor authentication.
Any post facility operating an existing VPN in its remote access workflow should regularly ensure that:
The VPN's security credentials and encryption meet industry standards (the Motion Picture Association (MPA) recommends AES-256).
The VPN is configured correctly and disables all unnecessary ports and protocols.
All connected computers are running the latest software updates and patches.
However, with the industry shifting toward more and more remote collaboration, accelerated by the pandemic, questions are being asked as to whether VPNs are the most secure way forward. A better approach, it is suggested, is zero trust, which takes a far more cautious and considered approach to user access and authentication.
Identity (e.g. user controls)
Implement an authentication framework that appropriately validates user identity on the content-handling network that grants permissions based on least-privilege or zero-trust…
Zero-trust identity checks make you look at what actually proves a user’s identity. Rather than asking only for a correct username and password, they may take into account elements such as:
Device identification
Location
Network address
Port ranges
Multi-factor authentication
A zero-trust approach should also cover network monitoring and what to do in the event of an incident. Ideally, automated network monitoring should alert system administrators to any red flags in user logins or network activity, triggering an established procedure for responding and escalating situations to facility managers.
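To make the least-privilege point from the Security Management section concrete, and to show how the identity elements listed above combine into a single decision, here is an added example (not Netflix’s or the MPA’s code) contrasting a perimeter-style check with a zero-trust check in Python. The user directory, device inventory, trusted address ranges and the “project/file” naming convention for assets are constructed assumptions; a real facility would pull these from its identity provider and device management system.

```python
"""Zero-trust access decision versus a VPN-style perimeter check.

Added example for this article. The directory, device inventory and address
ranges are constructed; asset names follow a "<project>/<file>" convention
assumed for this example only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed identity directory: which projects each person is assigned to.
USERS = {
    "alice": {"active": True, "projects": {"proj-a"}},
    "bob": {"active": True, "projects": {"proj-a", "proj-b"}},
    "mallory": {"active": False, "projects": {"proj-a"}},  # offboarded
}
# Constructed device inventory from the management system.
DEVICES = {
    "mbp-alice-01": {"owner": "alice", "disk_encrypted": True, "os_current": True},
    "pc-bob-01": {"owner": "bob", "disk_encrypted": True, "os_current": False},
}
# Facility LAN and VPN pool: the only thing a perimeter model looks at.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.99.0.0/24")]


@dataclass(frozen=True)
class Request:
    user: str
    asset: str         # "<project>/<file>"
    device_id: str
    source_ip: str
    mfa_verified: bool


def project_of(asset: str) -> str:
    return asset.split("/", 1)[0]


def on_trusted_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def perimeter_decision(req: Request) -> bool:
    """Classic VPN model: once you are inside the network you get everything."""
    return on_trusted_network(req.source_ip)


def zero_trust_decision(req: Request) -> Tuple[bool, List[str]]:
    """Re-check user, project membership, device state, MFA and network on
    every request. Returns (allowed, reasons) so denials can be logged."""
    reasons: List[str] = []
    user = USERS.get(req.user)
    if user is None or not user["active"]:
        reasons.append("unknown or disabled user")
    elif project_of(req.asset) not in user["projects"]:
        reasons.append(f"{req.user} is not on {project_of(req.asset)}")
    device = DEVICES.get(req.device_id)
    if device is None:
        reasons.append("device not enrolled")
    else:
        if device["owner"] != req.user:
            reasons.append("device assigned to a different user")
        if not (device["disk_encrypted"] and device["os_current"]):
            reasons.append("device out of compliance (encryption/patch level)")
    if not req.mfa_verified:
        reasons.append("MFA not completed")
    if not on_trusted_network(req.source_ip):
        reasons.append("source network not permitted")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Alice's stolen password used from inside the facility on an unknown laptop.
    hijacked = Request("alice", "proj-a/ep01_reel1.mov", "unknown-7f3a", "10.20.5.9", False)
    print("perimeter model allows:", perimeter_decision(hijacked))
    print("zero trust allows:", zero_trust_decision(hijacked))
```

The hijacked-login case is the one the article is worried about: the perimeter check says yes because the request comes from inside the network, while the zero-trust check says no and records why (unenrolled device, no MFA). The returned reasons are also exactly what should feed the logging and alerting the previous paragraph asks for.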
Reid in his article on Content Security recommends the following where each person would have…
Their own partition on the content server;
(Possibly) their own sound effects libraries;
They would each need specifically-programmed access card keys allowing them entry to some rooms in the facility but not others (and a computer logging system to keep track of all the comings & goings);
Each individual would require separately maintained Active Directory accounts, dictating what each person, specifically, was allowed to do on various company computers.
Implement strong authentication protections via MFA, SSO, etc.
Multifactor authentication should be deployed to all user accounts, which should each be limited to a single authorised user rather than all of those in a certain role.
Implement identity lifecycle management (e.g., onboarding and offboarding processes).
Data Protection
Implement end-to-end data protection measures:
Encryption in transit
This could be recommended secure file transfer platforms like Aspera, Netflix’s Content Hub or Frame.io, which was recommended by Thomas Dalton in his article Studio Data Security And Working Remotely In UK Studios.
Or encrypted hard drives from hardware vendors like Lacie Rugged Secure, Lacie Mobile SSD Secure, Rocstor and Apricorn Aegis
Encryption at rest (file-based, database, disk-based)
Content-specific protections (DRM, watermarking)
Subtle measures such as visible watermarking and invisible file fingerprinting also deter screen capturing or theft and provide valuable forensic information if needed.
Physical Security
Implement physical access controls (e.g. cameras, card readers, alarm systems, etc.) around sensitive areas and where appropriate.
This is to make sure that people can’t plug a USB stick or a memory card into a computer and make an unapproved copy of anything.
This area should be an important part of your security audit, when you are looking for weak points and then checking a plan to deal with them.
Store sensitive physical assets (e.g. external hard drives, printed materials, etc.) in a secure physical location.
For example, your machine room should be locked at all times, with access limited to as few people as possible.
In Reid’s article on Content Security, Reid would only provide us with an image of his machine room under construction because if we were to show you the completed machine room that would violate the security guidelines he is working to.
Here is Reid’s short “greatest hits” list of what trust certification assessors look for…
Physical security (locks, cameras, alarms, card-access entry on all production rooms - no freelancers allowed in certain rooms (or at all);
Cameras covering every inch of the machine room and, indeed, almost all of your facility, bathrooms excluded, of course;
Cameras in some - if not all - of your production rooms (that’s a weird story on its own in California);
A DVR locked away somewhere (usually a secure machine room) that can record & hold 3-6 months of all camera data (8-50 cameras worth of data, depending on the size of your facility);
An archival system for footage that is older than 4-6 months;
Tight control over who has access to your machine room;
Onsite and offsite tape (LTO) backups of all content.
IT security (more coming up later on this)
Full background checks for all personnel
Yes, these are for what are called Disney Tier One facilities but it gives you a benchmark to aim for.
Ensure an appropriate chain of custody is in place for physical transport of assets
Visitors should be accounted for in sensitive areas (e.g. logged in, escorted)
This is made easier if you have cameras in the important areas, and a sign in and sign out system, which is maintained rigorously.
Working From Home
If you are working on a Netflix project outside of your established facility, Netflix has a dedicated set of security best practices and security guidance for home or remote workflows, which they recommend that you follow.
General Best Practices When Working At Home
In the event of a security incident, the Netflix Studio Information Security email should be an initial point of contact. Netflix has in place the resources to assist you with these matters.
Users should log in to systems using a unique username and a strong passphrase. Non-internet-facing systems (air-gapped offline editorial) should be kept disconnected from the Internet when internet access is not needed.
This is a real-world, workable recommendation that recognises the need to connect such systems to the internet occasionally, to install software updates for example. In those circumstances we recommend that none of your media drives are connected while the computer is online, effectively moving the air gap to protect your client’s media.
In the event a user needs to connect to a remote workstation this should be done through a virtual private network (VPN) connection. Remote access to machines should be restricted and follow our recommendations.
VPN connections should require multi-factor authentication as part of the login process.
The VPN is configured correctly and disables all unnecessary ports and protocols.
All connected computers are running the latest software updates and patches.
Ensure that only people working on the project can access your client’s content.
We recommend that you consider having a separate network for work and not connected to the domestic network and internet connection.
The transfers of client material should use an approved secure transfer platform…
This could be one of the secure file transfer platforms listed under Data Protection above (Aspera, Netflix’s Content Hub or Frame.io, the last recommended by Thomas Dalton in his article Studio Data Security And Working Remotely In UK Studios), or an encrypted hard drive from a vendor such as Lacie (Rugged Secure, Mobile SSD Secure), Rocstor or Apricorn (Aegis).
Devices should have unique profiles for each user and should require a password to access the device.
Reid’s list of per-person controls from the Identity section above applies here too: each person has their own partition on the content server, possibly their own sound effects libraries, individually programmed access cards (with a logging system tracking comings and goings), and a separately maintained Active Directory account dictating what they are allowed to do on each computer.
This is for a facility, so is potentially overkill for a home studio setting, but we recommend you look at this and then do the best you can.
Ensure systems are running one of the last two available versions of the commercial operating system and are configured to auto-update for security patches. The user should check quarterly to verify that the device is patched.
As noted in the facilities section, Apple only provides security patches for its most recent macOS releases, so a machine still running an older version such as macOS Mojave is a weak point that an attacker can use to get into your network.
Enable full disk encryption on the workstation.
Just in case a computer goes missing, Netflix strongly recommends that the hard drives be encrypted; on the Mac platform that’s called FileVault and on Windows, BitLocker. The performance impact on modern hardware is negligible, and whenever your computer is locked or powered off your data isn’t accessible to anyone without your password. Netflix recommends using your Microsoft (Windows) or iCloud account for ease of use and recovery; whichever you choose, make sure the recovery key is stored somewhere other than on the encrypted machine itself, because if it is lost the data cannot be recovered.
On all Microsoft Windows-based hosts, enable Windows Defender with automatic updates enabled.
Disable remote connections to the workstation and enable the device firewall. Detailed guidance can be found in the Netflix Prodicle Help Center.
Note that this page needs updating because it still recommends Apple Mac OS X 10.14 Mojave, 10.13 High Sierra, rather than macOS Monterey and macOS Big Sur.
Here are some of the key points from this page…
Screen Lock & Saver - To make disk encryption effective, machines need to be locked when not in use. You’ll want to set a passphrase to log into your account, disable any automatic logins (Mac), and set your screensaver to turn on after 5 minutes of inactivity (Windows, Mac). Make sure a password is required to unlock!
Firewall - Both Windows and Mac have built-in firewalls to prevent anyone from connecting to your computer. Windows has this turned on automatically, while Mac users should turn it on immediately.
Antivirus - Both Windows and Mac contain antivirus capabilities to protect against malware. We do not recommend the use of third party antivirus programs as they can cause conflicts with the integrated tools and offer little to no added protection.
Remote Access - While it can be handy to log into your computer from another, using programs like Remote Desktop (Windows), Remote Login (Mac), or Logmein, it also allows an attacker a way to do the same. We do not recommend the use of any such programs. Please contact us if you see a need.
Guest Accounts - On Mac, ensure that Guest Users cannot log into your machine.
Lost/Stolen Devices - Any lost or stolen computer containing production data should be reported immediately to Netflix Studio Information Security. This includes those issued by Netflix and our Production partners, as well as personally owned (“box rental”) machines used for work.
On Macs, Netflix recommends using Find My, which helps to locate or wipe a missing device.
Secure physical assets (e.g. external hard drives, scripts) in a lockable container like a cabinet or safe.
This also helps when you need to connect your work computer to the internet: unplug all the media drives first and put them in the lockable cupboard or safe until you are offline again.
Additional Considerations From Netflix
Personal machines (system(s) owned by the user) should not be used in place of company-issued machines when available.
Obviously, as a freelancer working from home, for a Netflix partner, you are more than likely going to be using your own computer. We recommend using this article as a basis to make sure your home-based studio is as secure as possible both physically and digitally.
Limit viewing of work in progress content to anyone who is not a part of the project. When working from home we understand that family or partners may view projects, however, they should also keep project information confidential. An NDA can be used if deemed necessary.
This is another real-world example from Netflix, which recognises you may not be working in a dedicated room or that family members do enter the studio, maybe with a welcome cup of tea or coffee.
Secure all external entry and exit points where content is stored or worked on.
This makes sense from a physical security perspective too. Insurance companies often require a certain standard of security before they will insure your studio and equipment.
Consider a security camera system that covers entries and exits.
Again this makes sense, but please be aware that the digital security of a lot of IP-connected cameras is not good at all. You might want to check out the article The smart video doorbells letting hackers into your home from Which? (the Consumers’ Association) here in the UK. It makes for concerning reading and highlights that the growth of the internet of things, unfortunately, gives attackers many more weak points in a user’s digital security. So consider these types of devices carefully: prefer cabled to wireless, keep the cameras and recorder on their own network segment rather than alongside your media systems, and think carefully before connecting the recorder (DVR) to the internet at all unless you can be confident it is secure.
Securely delete content and return external media upon project/task completion or at the request of Netflix.
This makes sense too, but you will need to establish who is responsible for making archive copies of your work.
Sources Of Information And Advice
Here are the details of the source material used in this article which will also enable you to dig in further than we have been able to cover in this article.
Content Security - If You Work In Film And TV Post Read This Now
Streaming Services Asset Security Certification - Is It Worth It?
Avid - How to Tailor Post-Production Security Protocols to Fit Our New Normal
Motion Picture Association Content Protection Best Practices
Conclusion
The reality is that no system will ever be 100% secure. As Reid discusses in his article Streaming Services Asset Security Certification - Is It Worth It? it is about risk reduction…
“Most facilities, no matter how big or small, cannot meet 100% of TPN's recommendations, and almost none do. Even the biggest post companies and studios are not 100% compliant because it just costs way too much. And once you actually get there, it starts falling apart very quickly.
For the average-sized post-production facility in a pre-COVID world, if you could get to 80%-90% compliance, then you were probably good for the certificate and the little plaque to put on your wall, which will probably suffice for your major network or studio client. Then the pandemic came along…
Post-COVID, that compliance number came down to 70%-to-80%, a slightly easier target to hit.”
As you can see, no system is entirely secure from cyberattacks, even if you spend a lot of money employing very expensive consultants/politicians, to walk you through the trust-certification process. But the good news for people who don’t need trust certification, as well as those who do, is that each line of defence adds up. Post facilities, living in the real world will need to make strategic decisions about where to deploy their limited resources to best improve their security, whether it's through a cutting-edge piece of tech or time-tested security practices.
There is no doubt that the culture of security brought on by a zero-trust approach is a good place to aim for, and improving security is always less costly in the long run than the potential loss of business after a hack. The LA-based facility from which assets of Orange Is The New Black were stolen over the internet, apparently by way of an unsecured Windows 7 or Windows 10 server, found this to its cost when it had to close 18 months after the hack.
The takeaway from this article should be that simple tools and foundational security strategies go a long way. Things like correctly configured VPNs, multi-factor authentication, separating home and work networks and devices, and developing logging and monitoring capabilities such as file chain of custody logs can all help make your networks more secure.
Remember that the first line of defence is the staff and freelancers at the coal face. They move in, out and between different facilities, as well as working from home making remote workflows the riskiest element of post-production security. But with the right tools and knowledge supporting them, post professionals with an eye toward cybersecurity, having been trained and understanding the issues, can protect themselves and their clients in this remote-workflow world of post-production.