Current Security Solutions Don’t Work For Creatives…Here’s Why (Pt. 1)

When you are tasked with keeping digital IP secure throughout the creation process, you have many approaches to choose from. They all share the same inherent weakness, though: every one of them ultimately relies on trusting the user, and users make mistakes.

Whether the cause is an error in judgement or an honest lapse in attention, the price is the same: the total loss of intellectual property that cost your company a significant amount of capital to create.

Let us cover some of the approaches commonly used to secure data in the creative process and explain why each of them falls short.

1. A Plugin 

A plugin can encrypt the data on disk and put a password wall in front of it, so that only a user who knows the password can open the sensitive intellectual property inside the host application. The problem starts the moment the password is accepted: to be editable, the material has to be decrypted and handed to the application, and from there the user can export a copy to any location they please through the application's own save, export, copy and render functions, none of which pass back through the plugin. Once the user has entered the password, most of the control and visibility the plugin promised are gone, and the organization is back to trusting the user.

How do you prevent data leaks using a plugin? The answer is, you can’t. 

2. A VPN 

Sure, a VPN lets you authenticate the user and perhaps log their actions, but once the tunnel is up there are numerous ways to exfiltrate data without being detected. A VPN is a network control: you can monitor traffic on your side of the tunnel and log which files are accessed, but you cannot see or constrain the local machine at the other end to a degree that would stop the user from keeping a copy of the data for their own use.

You can lock down capabilities on that machine, but in doing so you stop your users from working productively. Creators need to work the way they work, and each one has their own method.

Also, a VPN is a tunnel into your network. You must already trust the user to let them in, and after that your means of preventing theft and data egress are very limited.

How do you prevent data leaks using a VPN? The answer is, by restricting users from many of the actions they need to perform to do their job well.

3. A Virtual Machine 

If you have ever used a remotely hosted virtual machine for the simplest task, like checking email or writing a document, you know that it is a pain. Everything you try to do is hostage to network latency and to the performance of the host machine. Even at a Fortune 500 company, the same frustrations exist.

Now imagine a creator trying to build a complex 3D animation inside a virtual machine. Sure, it can be done, but it is a dreadful experience that drastically reduces their efficiency and creative flow. Nor is a virtual machine foolproof. There are many ways to move data out of it, through whatever clipboard, drive mapping, printing or screen-capture paths the session allows, and closing every one of them leaves your creatives in a position where they are producing material for your company while being allowed to use little more than MS Paint.

4. Physical Security 

Physical security is very basic when it comes down to it. Imagine being chaperoned by a bodyguard, with a suitcase handcuffed to your arm. Or imagine being green-lighted to travel to the best studio in the world to work on an amazing project, with the caveat that you will be locked in a room for several months without internet access or any other communication with the outside world.

Physical security can be great, since it validates who comes in and out, and when. Most of the time, though, a company only keeps its physical security up because it knows an audit is coming, or to meet the specification of a particular job it wants to win. Once the auditors leave and time passes, it is a given that the ecosystem will settle at its own point of efficiency, which usually means abandoning the very procedures and processes that were required in the first place.

Also, physical security is still based on trust. A savvy and determined individual can exfiltrate data undetected, and so can an honest mistake: someone ships a drive to the wrong address or drops a file into the wrong shared folder in a rush. What do you do to control the damage? How do you control your data once it has left your walls? Does an NDA solve this problem? (Hint: ask someone how useful an NDA was when their data leaked to China and their product was being manufactured before they had even gone to market.)

5. Encryption in Transit and at Rest

Encryption in transit, meaning data that is scrambled for its journey to the next person, and encryption at rest, meaning data that is encrypted while it is not being used, are both valuable preventative measures against data leaks. The problem is that users need to work with this data. At some point, once they have been validated, the data is decrypted and handed to them, and from that moment the user can do whatever they please with it. Whether through a deliberate bad actor or by mistake, your data in its unencrypted form can go wherever the user takes it.

The question then becomes: how do you engage with a global workforce and produce your creations in the most efficient manner, while keeping your intellectual property safe at the same time? 

The answer is, your data needs to protect itself no matter where it travels. 

Whether it’s on a laptop in a coffee shop in Rome or on a PC at your studio in LA, you have to know what is happening to it, by whom and why, and you have to have full control and visibility over all of it.

What is your solution for this predicament? 

Your comments are welcomed in this discussion. I have a solution, but I will save it for part 2.

2 Comments

  1. jon spindler on January 15, 2020 at 8:31 pm

    My solution to filling the gaps of a traditional “secured” network would be a Cloud Access Security Broker. I know of one specifically that does everything you mention.

    - Visibility into access and usage of sanctioned apps on managed and unmanaged devices, and of unsanctioned apps (Shadow IT) on managed devices.
    - Compliance with regulations and data residency requirements, by providing audit logs, encrypting sensitive data-at-rest to protect against breach, and enforcing data leakage prevention policies to control access to regulated data.
    - Data Security policies and enforcement preventing unwanted activity based on data classification, discovery, and user activity monitoring. Enforcement is applied through controls such as audit, block, quarantine, delete, and encrypt/tokenize.
    - Threat Protection preventing unwanted devices, users, and versions of apps from accessing cloud services.



    • Partha Ray on January 18, 2020 at 2:29 am

      Hi Jon, and thank you for your comment. I would love to hear your thoughts on how the CASB solution you mention handles applications that are not specifically supported, such as 3D Studio MAX or Cinema4D.