Effective strategies to keeping media content secure with HSMs

Media content is being created and consumed at a pace the entertainment industry has never seen. From TV and film, to services like Netflix and Amazon, media brands are using modern technologies to create and safeguard their projects.

The importance of security has kept pace with our growing global consumption of content, and fighting piracy and ensuring secure and flexible delivery options for subscribers (particularly with streaming and on-demand media), are key motivators for the media industry to look to other industries when it comes to cybersecurity.

How to keep those digital identities safe and to protect critical digital infrastructures and high value data assets – whether in the cloud or on premise – is top of mind for many media and entertainment executives. If content is gold, then it’s important that security play a key role in helping create the next program or movie to enter the pop culture zeitgeist.

One effective strategy is to incorporate a hardware security module (HSM) to protect key assets. An HSM is a physical device that generates, safeguards and manages digital keys for strong authentication and encryption. These modules provide crypto-processing and come in the form of either a plug-in card or an external device that attaches directly to a network.

Protecting assets before release

The recent breach of the upcoming season of the hit Netflix series "Orange is the New Black" is one recent clear-cut example where an HSM could have served as potential prevention. The hacker accessed the assets from a company in charge of post-production work, and had the company incorporated an HSM, it could have prevented access to the unencrypted files. Utilising an HSM would have allowed Lionsgate, the company that produces the series, to encrypt the files when they were being transporting and even while streaming it to the legitimate consumer, while providing keys that allow the files to be modified as needed, without compromising the assets. In fact, current technology where the HSM is accessed through the cloud would provide even more flexible access to a strong cryptographic tool to encrypt files, protecting data as it passes from one server to another.

Another recent example comes from the hack of HBO’s outdated systems, which could have benefitted from the use of encryption and HSM technology so that regardless of the system used, Windows or otherwise, the files and data would remain protected. If the former Sony and Netflix hacks have taught the media industry anything, it’s to always ensure that data files are encrypted, and the keys are kept safe.

When it comes to media piracy, the trend has been less about money and more about breaking through the hype created by the industry to deliver the much anticipated content for viewing before the original release date. What if assets show up on Torrent sites or the dark web? Applying some digital forensics allows the content owners to know exactly where the source of the breach occurred, which is where an HSM can help. For example, an HSM can create a digital trail of breadcrumbs deep in the media file that correlates to the specific person or organisation that gained access. Each asset can be tagged with unique data identified by the authorisation keys provided when accessed, which can enable a file to be identified and then pinpoint where the breach occurred.

Encryption on demand

Unlike static files, streaming applications require continuous encryption and decryption in real time to ensure a file cannot be compromised in transit, which can make encryption challenging for the media industry. Imagine encrypting 5-10 second segments of a 120-minute film. Each segment must be encrypted, and keys must be generated and sent ahead of the content to "unlock" the next section. To provide a seamless experience, latency can be a significant issue and HSMs are an effective way to quickly generate high-quality keys and keep up with the pace of today's media.

Another example of why an HSM is best suited to meet the needs of the media industry is the changing role of set-top-boxes (STB) and device identification. For pay video audiences, the home STB used to be the way customers were identified when accessing premium content at home. But the rise of online video streaming, via smartphones and other devices, means content owners and distributors need new ways to provide real-time defences against piracy. The right combination of hardware and software technologies allows consumers to securely access premium content from any device.

In the cloud or on premise?

Why bother using a cloud HSM? The growth and sophistication of cloud applications has enticed many businesses to move data to the cloud, but security and compliance concerns are a challenge when it comes to moving business-critical data, applications and activities. As the industry turns to the cloud to help store assets for easy access on large scale platforms like Microsoft Azure or Amazon AWS – there are additional layers of protection they can add as a best practice. One example, keeping the key encryption on premise or on a separate cloud device. This way, if there is a breach, the master keys that provide access to the encrypted files aren't stored in the same location. Cloud HSMs can provide more than just crypto-processing and key management functions. They allow companies to host secure software applications and APIs, giving customers the ability to securely host a company’s most valuable software. As awareness and demand for end-to-end security in the cloud grows, HSM as a Service will become an inevitable part of any cloud implementation.

An HSM enables companies to protect critical cryptographic operations and guards against intrusion attempts, ensuring digital media is secured with the best encryption technology. It can also ensure that unique cryptographic keys cannot be accessed by a third party. If the HSM is built on an open platform, developers can program their own algorithms into the HSM to provide a solid combination of hardware resilience and a flexible, open platform. As more companies move their assets to cloud-based storage systems, here are a few best practices for deploying an HSM system.

·         View security and compliance as priorities, not afterthoughts – While they are often afterthoughts, a system needs to be compliant with the existing enterprise security requirements to prevent piracy. This will ensure the system works to the best of its ability, including fail proof security. Cryptographic keys that are truly unique and cannot be accessed by a third party are an important part of this security solution.
·         One platform, one technology – The ability to have a tailor-made solution is key to the enterprise. Supporting a flexible, open applicable platform that can be programmed and designed by the company can help to ensure the security system works to the enterprise’s needs. This can in turn provide the enterprise with higher resistance against attacks and allow them to respond swiftly to the discovery of new threats.
·         Key technology to look for in an HSM – Multi-tenancy, master key back-up functions, optimised load balancing and remote management contribute to the setup of a highly secure and attractive cloud environment and service.
·         Ensure key management is on premise – Great encryption won’t do you any good if you have poor key management. Ensure key management is kept on premise for a secure way of generating, storing and managing cryptographic keys. Hosting the key management server in the cloud, as with IaaS or SaaS models, bears a risk from the cloud provider side.

HSMs are reliable, high-performing devices for securing an organisations' media content, applications and transactions. As HSMs continue to find favour in the entertainment industry, those which provide key management on premise and real-time defence against mobile, online and social piracy will best support the needs of the industry. With content being the industry’s backbone, an HSM is equipped to provide the type of end to end security that keeps it all safe. 

Malte Pollmann, CEO, Utimaco
Image Credit: Denys Prykhodov / Shutterstock