Using DLP to meet MPAA best practices
The entertainment industry has seen its fair share of leaks and hacks in recent years, with giants such as Sony, Netflix and HBO falling victim to attacks and having their private records and upcoming releases made public online. Movie studios in particular make for tempting targets, as any cyberattack they suffer will instantly make its perpetrators notorious and internet pirates rejoice. They are often targeted not so much for profit as for fun. After all, even hackers can’t wait to see the latest season of Game of Thrones.
It is therefore no surprise that an organization such as the Motion Picture Association of America (MPAA) has issued comprehensive guidelines to secure digital film assets and ensure industry best practices are being met by third party vendors. While abiding by these guidelines is strictly voluntary, the MPAA performs content security assessments of vendors wishing to do business with any of the major studios that are its members. These include the biggest names in Hollywood: Walt Disney Studios Motion Pictures, Paramount Pictures Corporation, Sony Pictures Entertainment Inc., Twentieth Century Fox Film Corporation, Universal City Studios LLC, and Warner Bros. Entertainment Inc.
Understanding the MPAA guidelines
The MPAA’s Common Guidelines for Content Security Best Practices covers 48 security topics, built on industry-accepted security standards such as ISO 27001/27002 and NIST 800-53. At their core are four crucial principles:
- Content must not be lost.
- Content must not be stolen.
- If measures to keep content secure fail, studios must be notified of breaches immediately.
- Security measures should not disrupt production.
The guidelines recommended by the MPAA fall into three major categories: management system, physical security and digital security. Management system covers areas such as risk assessment, internal policies and procedures, human resources, incident response processes and procedures etc., all of which must be decided on at executive level.
Physical security addresses measures adopted to ensure the security of facilities, assets and transport. These include exit/entry procedures for staff and visitors, identification and authorization, the existence of alarms and cameras, inventory tracking, shipping, labeling and packaging etc.
The last category, digital security, predictably deals with more modern concerns such as companies’ network infrastructure, internet access, content management and transfer, mobile security etc. An additional six security topics are covered separately in the MPAA’s Application and Cloud Security Guidelines.
How DLP can help
Data Loss Prevention tools can help companies reach MPAA compliance in this last category of digital security. Among the solutions available on the market, Endpoint Protector is already the DLP product of choice of several prominent MPAA members.
When considering solutions for MPAA compliance, companies must first of all ensure that these work across all the platforms present in their network. A solution designed for Windows does not automatically work for macOS and vice versa; it must specifically be built for both. Endpoint Protector is considered the most advanced, comprehensive and reliable solution on the market for macOS. Offering feature parity between Windows and macOS, Endpoint Protector is the ideal choice for mixed environments, where the same kind of controls have to be enforced on both operating systems.
MPAA guidelines clearly require that, when in exceptional circumstances computers used for production or content/storing purposes are allowed to connect to the internet, digital assets be restricted from being transferred to or from a company’s system (DS-2.0). The attachment or insertion of restricted content types into emails and the transfer of files over 10MB should also be blocked (DS-2.1). All this can be done through content aware protection which lets organizations block certain file types or predefined content from being transferred outside the network, whether through emails or other popular content transfer services and websites. File sizes can also be restricted.
The MPAA advises that ports and portable devices be blocked on computers storing or processing content (DS-5.1). Through its Device Control module, Endpoint Protector offers the possibility of blocking, monitoring and controlling storage devices (USBs, smartphones, digital cameras etc.) and peripheral ports.
Another important point addressed extensively by the MPAA guidelines is logging and monitoring (DS-9), which has an entire section dedicated to it. Endpoint Protector offers file tracing through its Device Control module, which allows monitoring of any content transfer between computers and portable devices, showing which files were copied, to which location, at what time and by which user. File shadowing is an additional feature that works together with file tracing. It creates shadow copies of transferred files which admins can view and assess whenever needed.
Content Aware Protection, through its reporting feature, offers logs similar to file tracing, recording content that users may have attempted to transfer through the internet, whether via email, applications or websites, and that was blocked by policies.
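To make the DS-2.1 transfer rules and the DS-9 logging fields above concrete, the following is an added example, not Endpoint Protector code and not taken from the MPAA guidelines. It assumes a restricted-type list of common video containers, reads "10MB" as 10 MiB, and uses hypothetical function and field names; it classifies a file by its leading bytes so that renaming a video to `.txt` does not change the verdict.

```python
import json
from datetime import datetime, timezone

MAX_BYTES = 10 * 1024 * 1024  # "over 10MB" (DS-2.1), read here as 10 MiB (assumption)
RESTRICTED = {"isobmff", "matroska", "avi", "mxf"}  # assumed restricted-type policy

def sniff_type(head: bytes) -> str:
    """Classify by file signature instead of trusting the file name."""
    if head[4:8] == b"ftyp":                       # MP4/MOV and other ISO base media
        return "isobmff"
    if head.startswith(b"\x1a\x45\xdf\xa3"):       # EBML header: Matroska/WebM
        return "matroska"
    if head.startswith(b"RIFF") and head[8:12] == b"AVI ":
        return "avi"
    if head.startswith(b"\x06\x0e\x2b\x34"):       # SMPTE key prefix used by MXF
        return "mxf"
    return "unknown"

def evaluate_transfer(user, filename, size, head, destination, now=None):
    """Return a log record (who, what, where, when) with the decision and reasons."""
    kind = sniff_type(head)
    reasons = []
    if kind in RESTRICTED:
        reasons.append("restricted_type:" + kind)
    if size > MAX_BYTES:
        reasons.append("over_size_limit")
    return {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "file": filename, "detected_type": kind,
        "size": size, "destination": destination,
        "action": "block" if reasons else "allow", "reasons": reasons,
    }

# Constructed sample transfers: (user, file name, size, first bytes, destination)
SAMPLES = [
    ("alice", "notes.txt", 2048, b"Shot list for reel 3\n", "mail:vendor@example.com"),
    ("bob", "reel3_notes.txt", 4096, b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 8,
     "mail:friend@example.org"),
    ("carol", "assets.bin", 11 * 1024 * 1024, b"\x00" * 16, "web:upload.example.com"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(json.dumps(evaluate_transfer(*sample)))
```

Signature checks do not see inside archives or encrypted containers, which is why the size limit is evaluated independently of the detected type.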
The ultimate decision of whether a studio works with a vendor or not rests unilaterally with the MPAA member in question, but it is likely that a company flagged as not passing the MPAA’s content security assessment will be disregarded by studios in favor of more secure alternatives. After all, leaks in the entertainment industry can instantly jeopardize an upcoming release and cause studios heavy financial losses. That is a risk too high to take when there are better MPAA-compliant vendors available.