Presentation to HPA Tech Retreat 2014 Accessing Encrypted Assets in Mac OS Mathew Gilliat-Smith, CEO Fortium Technologies
Content Security Severity of leaks and comment Studios don’t like to publicise breaches - privately its a continual battle the Tarantino script well known series premier leaked one month early from a special effects house Comments on social networking and physical leaks are a Post Supervisor’s worst nightmare – ‘it happened on my watch’ Concern in being connected to the internet Concern in Cloud workflows MPAA audits try and ensure facilities are secure & have teams to track leaked content but….. Proxy files in editing & authoring systems present a security vulnerability Files reside ‘in the clear’ for anyone on the network to access No encryption ‘at rest’ NBC Universal identified specific risk in professional editing systems and designed the MediaSeal encrypted video system Reduced Viewing Cost of piracy $$ Remarks on Social Networks
The Dilemma Mac OS does not support modified files types e.g. encrypted files – security solutions need to be cross platform Why don’t professional editing and authoring systems build in file security? Complexity Proprietary systems are not portable - what works for one system does work for another Other security solutions (encrypted drives & delivery systems) Encryption is removed for access & playback In the clear once copied How to create a reliable end to end encryption system
The Challenge To create a compatible encryption system that ticks all the boxes Centrally Managed File and application agnostic - transparent to the system it is running in No altering of file Handles everything from low end files to high end DPX sequences Suitable for closed network AND for cloud workflows Must not cause any delays or complications in the workflow Complementary to existing systems
Solution to create a File System Filter Driver for MediaSeal video encryption Technical description: “An optional driver that adds value to or modifies the behaviour of a file system” Log, observe, modify, or prevent Typical applications for filter drivers include antivirus utilities, encryption programs and hierarchical storage management systems. A kernel-mode component that runs as part of the OS Filters I/O operations for one or more file systems. Modify data that is returned to applications (editing programs) as the file is read Method gives full control how the file is processed on the OS Ideal for MediaSeal video encryption – not just video files, audio, docs, images Facilitated in Windows OS but it didn’t exist in Mac OS Collaboration
Where MediaSeal FSFD resides (File System Filter Driver) Storage Kernel Level User Level Extension FSFD Kernel Level Layer between user applications and hardware Removes complexities as it provides common interface for file operations - i.e. open, close, read, seek Example of User level is WinZip – once opened its in the clear Kernel Extensions Provides much more functionality & control Increase hardware support Expands capabilities of kernel USB Blue Tooth
Playback & Editing in ProTools
How FSFD enables MediaSeal During access FSFD recognises if file is encrypted User is prompted for authentication - by password, iLok key/soft key and by remote authentication Contents of file only decrypted into the memory buffer associated with the file read File remains encrypted at rest on disk – ability to revoke later Media Seal Not Present Incorrect Credentials Trusted Recipient Behaviour User Application Kernel + FSFD Extension Storage
How MediaSeal Works AES encryption - Security tested by NGS Secure Change DRM rules after transfer - set viewing criteria – who & when, sunset sunrise viewing For use behind the firewall with no exposure to the internet Recommended for protecting content in the cloud 1.Database Key Server 2. Encryption software 3. Decryptor license + iLok key
Step1: Log in to Encryptor & Set Up Job
Step 2: Import Files to Encrypt
Step 3: Key Server Select Trusted Users, Set DRM, Add Password
Step 4: Encrypt Files in Seconds
Access with Password & Key – File remains encrypted
Playback & Edit in ProTools
No Unauthorised Playback – Blank Screen
Reporting Analytics Sort by Who, What, When Title, Version, User ID, Code Granted/DeniedDate & Time Export to CSV User ID
Case Study NBCU Post Production Fast & Furious 6 Box Office Opening Weekend $97m US 24 May 2013 No Leaks prior to release Sound mixing, internal & external depts Endless Love
Cloud Workflows Cloud collaboration tools will give greater efficiency – faster, quicker, lower cost Typical production environments mean many more people need to work on the same assets, often externally to the production studios – means more exposure Integration into automated asset control Files do need to be downloaded to attach local content – this is the vulnerability – no end point security – files can be copied MediaSeal FSFD means files remain encrypted in the cloud workflow with cross platform cloud security The “Anywhere” Solutions
Cloud Based Collaboration Wrap your media with MediaSeal Encryptor Software Share your encrypted media safely using any common file sharing method Drop Box, iCloud, Google Drive, etc. Your collaboration team can access the encrypted media only when they have MediaSeal Decryptor software, have a registered iLok installed, and have permissions for the media. Apply encryption locally or in the cloud after transcoding
API Methodology for 3rd Party Solutions Encryption systems FTP delivery Editing Systems Authoring Systems Scriptable through command line
Further Information Support of MediaSeal in LA By Audio Intervisual Design N. La Brea Avenue, West Hollywood, CA 9003 Tel: