Trusted Partner Network (TPN): Battling Illegal Streaming in the Age of Lockdown Piracy
It’s been more than a year since the COVID-19 pandemic first reared its head, and no part of society has been left untouched by its impact. In the entertainment industry, one pronounced effect of the pandemic has been a huge boom in piracy – with theaters closed and most of the population stuck at home, lockdown periods saw a 33% increase in illegal streaming across the globe.
Even before COVID hit, piracy was a huge drain on the industry, causing an estimated annual loss of $30 billion. The boom in illegal streaming under lockdown has made this loss even more severe, and is likely to only get worse as more and more studios move their content to online streaming services, adding even more security issues into the mix.
On top of illegal streaming, there’s also a continued battle to keep information about films and TV shows secret before their release, as consumers, data miners, and the media place ever more scrutiny on the production process to unveil plot details and spoilers on upcoming content. In the face of all this, content producers and vendors might feel overwhelmed by the task of keeping their content under wraps.
The Trusted Partner Network
Enter the TPN, or to give it its full title, the Trusted Partner Network. The TPN was formed in 2018 as a joint venture between the Motion Picture Association and the Content Delivery & Security Association, with a mission to improve security across the entertainment industry. The TPN is a global initiative, aiming to help companies make their content more secure.
The TPN’s goal is to raise security awareness, preparedness, and capabilities within the industry, primarily focusing on the growing number of third-party vendors now involved in the content production process. Vendors are assessed on their security measures and given assistance in developing protocols to prevent leaks, breaches and hacks of films and TV shows prior to their planned launch.
If vendors pass the Trusted Partners Network’s benchmark for security preparedness, they are then added to a global directory of TPN-accredited organizations. This allows entertainment companies to easily find collaborators who they can rely on to keep their content secure during the entire production and release processes.
How to Keep Content Secure?
The TPN bases its assessments and recommendations on the MPA’s security best practices guidelines, an exhaustive list of measures that third-party vendors can adopt to increase the security of their operations. The guidelines split measures into three broad categories: management systems, physical security and digital security.
Management Systems Security Measures
First and foremost is the matter of data residency. TPN guidelines prevent remote users from having physical access to media content on drives or locally stored on workstations outside of the office or data center. This is important, as having media outside of a well-protected network is a recipe for disaster. In my “2020 Security Transformation and Live Hacking Demo Webinar” I demonstrate how easy it is for hackers to move laterally from home computers or IOT devices onto corporate workstations of people working from home.
Since so many people are having to work from home due to Covid in person restrictions, M&E companies are forced to leverage modern remote access solutions include Software Defined Perimeter (SDP), VPN remote access, PCoIP, or a combination of technologies.
Beyond Data Residency, TPN Management Systems Security Measures point to the need to establish a specific information security management system which implements a framework for keeping on site information secure.
Part of this involves establishing a dedicated information security team, who should operate independently from the content production process.
This team should oversee the implementation and continuous review of other key security measures, such as formal risk assessments which identify the most vulnerable points of content production and establish additional measures accordingly.
Beyond the information security team, vendors should consider company-wide measures, including:
- Policies on social media usage – employees should not share their experiences or opinions of pre-release content or details of their work on current projects.
- Policies on mobile devices – rule whether employees can bring personal mobile devices into the workplace and define restricted areas with a blanket ban on devices with recording abilities. There should also be an established procedure for lost, stolen, and compromised devices to prevent content theft.
- Background checks on all company personnel and third-party workers.
- Confidentiality policies and NDAs to be signed by all employees and any third-party workers who may have access to content, such as freelancers, interns, or temp workers.
- Regular security training for all personnel involved with content.
- Anonymous piracy or security breach reporting methods, such as a designated email or helpline.
Physical Content Security Measures
Making sure a facility is physically secure is an important part of keeping content safe. The MPA guidelines place particular emphasis on who has access to content; one of the major recommendations is to physically segregate content production areas from other facilities such as administration. Vendors should also keep track of which employees are given keys or access devices for different areas of the facility.
Particular care should be given to controlling the access of visitors and third-party workers. A detailed visitors’ log should note the name, company, time in and out, reason for visit, and people visited by visitors, and photo ID should be requested to verify their identities. Freelancers and other third-party workers should be tracked in a similar way, and their access should be revoked once their work with the vendor is finished.
Other recommended physical security measures include:
- Security cameras on all entrances, exits and restricted areas; security guards on all entrances and non-emergency exits; and regular security patrols on variable routes and times.
- Motion detectors in restricted areas to automatically notify security when they are accessed; door prop alarms can also be used to indicate when a door to a restricted area has been held open for unusually long times.
- Segregation of duties, for example not giving any one person access to both mastering and replication facilities.
- Detailed tracking of physical assets, with regular inventories, secure storage, and a log of all shipments in and out of the facility.
Digital Security Measures
Digital security is just as important as physical security; if not more so, as COVID’s impact has left more people working remotely, introducing a host of new potential security risks to consider. One of the most important measures to be taken is implementing a firewall to separate internal networks from external networks and wide area networks, preventing unauthorized access to sensitive data and content.
The firewall should also keep detailed logs of all traffic, with regular inspection for suspicious activity. Antivirus and intrusion detection software should be kept up to date to patch any vulnerabilities as they emerge.
The way that content is stored is also highly important. Sensitive data should be encrypted or stored on pre-encrypted hard drives for added protection. If protected data is accessed via a password or PIN code, consider implementing systems to auto-erase the data or force a lockout if there are too many failed attempts to access it.
Furthermore, make sure the password itself is secure – you shouldn’t include anything to do with the content or project in question such as titles or keywords. This might seem like fairly basic advice, but poorly-chosen passwords can be a big security risk; take the example of a hacker accessing Donald Trump’s Twitter account by correctly guessing his password as “MAGA2020!”.
Among the other MPA recommendations are the following:
- Require two-factor authentication for any remote access to internal servers.
- Prevent all systems that process or store digital content from directly accessing the internet, including by email. Any exceptions should be handled by an internet gateway system to restrict content from being transferred to and from the system.
- Any remote access to content or production networks should be restricted to approved personnel, and only those whose job requires this access.
- Use a dedicated system for content transfers – editing stations and storage servers should not be used to directly transfer content.
- Create and maintain a list of users responsible for transferring content to and from the production network, automatically notify a production coordinator whenever content is transferred, and immediately remove data from transfer devices once sent and received.
How Shamrock Can Help Secure Your Content Through the Trusted Partners Network
The above security recommendations are only a selection of the comprehensive guidelines set out in the MPA’s best practices; the full list is far longer and much more in-depth. Understanding the security measures and actually implementing them are two different things, however, and you might want expert advice on how to meet each measure.
This is where Shamrock can help – we can offer you a comprehensive and objective analysis on your company’s current security status and technical advice on how to improve it. Our Enterprise Security Solutions experts have detailed knowledge of controlling and securing data and can help you to fulfill the MPA’s guidelines to protect content and achieve TPN-accredited status.