Zero Trust: the New Security Paradigm for a Multi-Connected World
Media and entertainment (M&E) companies are more global and collaborative than ever. We're connecting across more platforms, services and networks all the time and securing content or broadcast/streaming data has never been more important… and more difficult.
By Jerome Athias | 03/01/22
At Dalet, we’ve always been a security-focused company, and in a world of more connections (and threats), our approach has evolved. Inputs are increasing, content assets are more valuable than ever, and bad actors are growing ever more organized.
It’s not a question of whether you’ll be attacked but when. That means you don’t just need good security practices, but security done better than the most damaging cyberthreat making its way towards you.
We’re going to need a whole new approach to security at the corporate network boundary, and at Dalet we think the principle of Zero Trust is the best way forward.
Under a Zero Trust framework, nothing is considered safe. Every incoming signal or connection is by default untrustworthy until it’s rigorously tested through various security checks to ensure legitimacy or authority to connect.
The assets produced by the media sector have always been highly sensitive, subject to very strict public release dates or IP legislation. Think of the financial and market impact on a Hollywood studio when a blockbuster movie leaks online before it hits theaters or its streaming premiere.
But here’s what’s changed. More of us are working remotely than ever due to a global pandemic, and the multiple platforms and devices we use to connect with workplaces only give the bad guys more ways in.
These bad actors have changed too. Cybercrime is about organized data gathering rather than just underground bragging rights. They’re coordinated, efficient, and getting harder to stop at the border of your organization.
As an industry, we have to work hard to keep up and need to ensure that every input or connection request complies with internal security policies, that they’re running on reputable platforms or that authorized agents are using them. Otherwise every VPN, smartphone operating system, marketing platform account or video call client is a potential threat vector.
The Zero Trust Strategy
As the threat landscape transforms, so do we. Dalet has evolved from being a software vendor to a SaaS provider, and Zero Trust is the lynchpin that will allow us to do so safely.
Under a Zero Trust security framework, nothing is considered safe. As a new signal or connection comes in from outside your network or organization, it’s initially blocked by default. It’s then interrogated based on any possible data point you can program for – identity, location, the operating system or security profile of the device, the workload the input requests and more.
After every resource has been scrutinized, any changes in configuration and any network or traffic activity are continually logged, monitored and rigorously questioned for anything suspicious.
There’s also a continual standard of access based on least privilege. That means the user is given the minimum resources or access needed to do their job and no more. If they need it, any further access request is subject to the same interrogation.
Both device/access architecture and management have to evolve to adhere to Zero Trust principles, and that will involve training, awareness and the ushering in of a new security culture. Methods like password-less access and physical devices like security keys are going to become more important.
The Zero Trust Practice
Imagine an editor receives an email from her production manager or the VFX supervisor asking for access to a sensitive file and happily complies.
What she doesn’t know is that a specialized group has done the social engineering – figuring out who she is and a boss or senior company officer she’s likely to respond to. Another has done the corporate hacking into the company’s email server and sent the request from her boss’ email.
Another group has written the malware to install on the network when she emails the link or credentials back, and yet another harvests her networks for sensitive information it can hold to ransom.
In a traditional network – where the editor has sent the link using approved credentials – the server would simply grant access. Under a Zero Trust model, the device used by the hacker, its location and the workload usually performed after such a request aren’t known to the network even though the login credentials were cleared, so access is immediately blocked and the attempt logged.
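The default-deny evaluation and the stolen-credentials scenario described above, sketched as an added example (not Dalet's code or product behaviour). The user, device, country and resource names and the choice of five checks are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy data; every name and value here is hypothetical.
KNOWN_DEVICES = {"editor01": {"laptop-7f3a"}}
USUAL_COUNTRIES = {"editor01": {"FR", "US"}}
# Least privilege: only the (action, resource) pairs the job needs.
GRANTS = {"editor01": {("read", "project-a/dailies")}}
AUDIT_LOG = []  # every decision, allowed or not, is recorded here


@dataclass(frozen=True)
class Request:
    user: str
    credentials_ok: bool   # password / token verified upstream
    device_id: str
    device_patched: bool   # security posture reported for the device
    country: str
    action: str
    resource: str


def traditional_check(req: Request) -> bool:
    """Perimeter model: valid credentials are enough."""
    return req.credentials_ok


def zero_trust_check(req: Request):
    """Default deny: access only if every check passes. Returns (allowed, failed)."""
    checks = {
        "identity": req.credentials_ok,
        "device": req.device_id in KNOWN_DEVICES.get(req.user, set()),
        "posture": req.device_patched,
        "location": req.country in USUAL_COUNTRIES.get(req.user, set()),
        "workload": (req.action, req.resource) in GRANTS.get(req.user, set()),
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    allowed = not failed
    AUDIT_LOG.append({"user": req.user, "resource": req.resource,
                      "allowed": allowed, "failed": failed})
    return allowed, failed


if __name__ == "__main__":
    # Constructed requests: the editor's normal work, then the same (valid)
    # credentials replayed from an unrecognised device for a larger workload.
    legit = Request("editor01", True, "laptop-7f3a", True, "FR", "read", "project-a/dailies")
    stolen = Request("editor01", True, "unknown-device", False, "ZZ", "export", "project-a/master")
    for r in (legit, stolen):
        print(traditional_check(r), zero_trust_check(r))
```

The second request passes the traditional check but is denied and logged with the failed checks, which is the audit record a SOC would alert on.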
But it’s about far more than stealing sensitive files. Imagine you’re a broadcaster streaming content that’s interrupted or taken down through a distributed denial of service (DDoS) attack by a hacker group with a political or misinformation agenda. When online services combine live betting with real-time sport events, the liability alone could be crippling if your network or stream goes dark.
At Dalet, security has always been a cornerstone of everything we do. We consider it like the brakes of a car. You need to stay on the road and keep up the pace, and security isn’t there to block that but help achieve it by spotting dangers and letting you circumnavigate them quickly and efficiently.
My first act as CISO was to secure the company’s ISO/IEC 27001 certification, a testament not just to our experience and hard work securing clients in the past but our commitment to do so in the hyper-connected world of today and tomorrow.
Today, we’re extremely proud of our ISO/IEC 27001 and DPP Security Marks certifications, but we’re not by any means resting on our laurels, constantly developing an internal workflow called Secure Development Life Cycle (SDLC), which reduces the number of vulnerabilities in our systems.
Security needs a three-pronged approach:
People: We want our own people and customers to have awareness, to receive security training.
Processes: We want to constantly improve processes to better respond to incidents.
Technology: As technology has increasingly shifted from on-premises to cloud and external systems and providers, security must remain the most critical part of the transition.
Following our heritage as an on-premises provider we have decades of experience monitoring systems, and as workflows using external platforms and multi-connectivity have evolved, we’ve grown up with it.
The Best in the World
Even more critically, the Media business is truly global, with suppliers and customers headquartered all over the world in countless different legal jurisdictions. And because data privacy law differs in each territory (most people are familiar with the EU’s 2016 General Data Protection Regulation or Europe’s GDPR), different users have different regulatory requirements.
But as well as evolving along with local standards and regulations wherever they are, we make a practice of applying the strictest regulatory frameworks we work with (including our own) and applying them everywhere our customers are found. Under my Dalet CISO remit, we will be implementing a Zero Trust approach to all our products and solutions, ensuring that every piece of data and content managed is well looked-after.
As a Dalet customer, we are sure you have better things to do than worry about security – that’s our job. So as you scale, remember that we’re growing with you, and Zero Trust is securing your borders no matter what cloud services, internet of things (IoT) or bring your own device (BYOD) policies are used to interact with your organization.
You can’t take any risks with valuable media assets, but you have to expand your access rights to more players and collaborators than ever. Zero Trust provides the balance between the two you’re going to need in the near future.
Don’t just take our word for it. Some of the most respected technology and SaaS brands on Earth are realizing Zero Trust is the best way to secure a dispersed digital workforce in the future.
An international conference presenter (Black Hat and RSA) and security standards contributor (OWASP ASVS and OASIS STIX), Jerome Athias is an expert in IT and cyber security with more than 20 years of experience. He has helped numerous companies comply with laws and regulations and achieve a better security position. Jerome has helped organizations like Airbus build Cyber Security Operations Centers (SOC), operating the detection of cyber-attacks and fighting APTs. Today, Jerome manages all aspects of IT and cyber security, from compliance with industry standards (e.g., ISO 27001), awareness of employees, training, processes, and technology for Dalet.