The days of keeping sensitive rights data onsite on spreadsheets or in legacy systems are gone. Security breaches cost revenue, and projects can miss theatrical windows because systems were compromised. As a result, in today’s evolving and competitive entertainment landscape, companies are looking for a greater degree of system security.
In the entertainment rights management industry, security involves:
- Protecting customer data privacy by limiting who can access customer data.
- Ensuring secure transactions involving financials and creative assets by keeping track of billing, receipts, currencies, exchange rates, and bank accounts.
- Maintaining company reputation and customer trust through enhanced security measures, advanced certifications, and seamless experiences.
- Preventing financial losses due to data breaches or cyberattacks by boosting cybersecurity and controlling access through multifactor authentication.
- Complying with industry regulations and standards, evidenced by SOC 1 and SOC 2 attestation reports.
- Differentiating from competitors with solid security measures that are often overlooked due to cost or limited resources.
- Staying ahead of evolving security threats in the digital entertainment industry by adhering to stringent data loss prevention measures to protect sensitive client data.
Entertainment rights management systems possess a depth and intricacy that companies frequently ignore – until it's too late. As a result, organizations often make massive investments in these systems too late, which can be especially difficult for smaller companies with fewer resources.
An agile rights management platform minimizes security threats, protects company data, and increases productivity. The critical security-related components to look for in a rights management system include product, application, and organizational security.
Product security and application security are both important aspects of ensuring the security of a software product, but they focus on different aspects of security.
Product security refers to the security of the entire software product, including all its components, features, and services. This includes not only the application code, but also the hardware, firmware, and any other supporting infrastructure. Product security involves a holistic approach to security that considers all potential threats and vulnerabilities to the entire system.
On the other hand, application security specifically focuses on the security of the application code and its associated data. This includes identifying and mitigating vulnerabilities in the application code, ensuring secure data storage and transmission, and protecting against attacks such as injection attacks and cross-site scripting.
Organizational security is another important aspect of overall security that encompasses the policies, procedures, and processes in place to protect an organization's assets, including its people, facilities, and information.
This ebook provides an in-depth analysis of each of these areas – product, application, and organizational security – and of how FilmTrack specifically handles these security choices.
Product Security
Product security involves the efforts developers undertake when they build a secure system, app, or software. When done right, product security is an integral part of creating a software system – it is not something that should be addressed after a product is launched or, worse yet, when an end-user wonders whether their software solution is secure. Instead, product security should be contemplated before a platform ever hits the market.
How does FilmTrack ensure product security? Our system records every transaction – who is getting paid and how much – and securely stores all this information in the cloud. In addition, we offer secure storage of all projects – including those still in production or awaiting official public release.
As a subsidiary of City National Bank, FilmTrack is required to run security scans on application code and to perform penetration tests against its applications. Everything our developers write passes through code review, supported by automated analysis, and programmers perform detailed security checks to correct potential flaws before the next software release.
We also hire rigorously vetted third parties to conduct penetration testing (including external and internal networks, cloud infrastructure, and especially web applications) that catches potential flaws in the software. While these are all best practices, smaller media companies often do not incorporate them. FilmTrack delivers risk mitigation to ensure our clients’ valuable data stored offsite is protected to the highest available standards.
Multifactor Authentication
Multifactor authentication (MFA) is a layered approach to securing data and applications in which a system requires a user to present a combination of two or more credentials to verify their identity at login. MFA enhances security because even if one credential is compromised, an unauthorized user most likely cannot satisfy the second authentication requirement and is prevented from accessing the targeted system. MFA is vital for larger or more sophisticated media companies because it provides multiple layers of protection against cyberattacks, protects an organization’s reputation, and keeps critical files and data safe.
MFA on internal systems is costly and something only some rights management solutions offer. But FilmTrack does. Whether you're a small media company without MFA established or an enterprise already using an identity provider such as Azure AD, Okta, or Ping, FilmTrack has you covered.
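To make the "second credential" concrete, here is an added example (not FilmTrack's code) of how an application verifies a time-based one-time password, the most common second factor. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the shared secret is the RFC test key, and the one-step clock-skew window and the replay check on the last accepted counter are design choices assumed for the illustration.

```python
"""Added example (not FilmTrack's code): verifying a time-based one-time
password, the second factor in a typical MFA login, per RFC 4226 / 6238.
The secret below is the RFC test-vector key; the skew window and replay
check are assumptions made for this illustration."""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"  # key used by the RFC 4226/6238 test vectors
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' to pick 31 bits and reduce them modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, submitted: str, now: int,
                last_counter: int, window: int = 1):
    """Accept a code for the current step or up to `window` steps either side
    (tolerates clock skew), but never for a step at or before `last_counter`
    (a code already consumed cannot be replayed).  Returns the accepted
    counter so the caller can persist it, or None on rejection."""
    current = now // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already used, or older than the last accepted step
        # constant-time comparison: don't leak which digits matched
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None
```

The counter returned by `verify_totp` must be stored per user and passed back as `last_counter` on the next attempt; without that, a code intercepted during its 30-second window could be replayed.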
Identity Provider
In addition to the security built into FilmTrack's platform, where clients can create user accounts and set up MFA, we allow clients to use an identity provider (IdP) to manage their users and enable access to the system.
For example, if a company uses Microsoft Azure Active Directory for its internal purposes - to keep track of users, put them in groups, and give them access within the organization - they can use that same system to authenticate users into FilmTrack. This allows for a more seamless experience for users. They can access FilmTrack via their regular work system without a separate login. FilmTrack becomes an extension of their work system.
Single Sign-On (SSO)
FilmTrack’s ability to tie into our clients’ authentication software allows them to manage their own users. For example, when somebody new joins the company, they don't need to set up a separate FilmTrack login, because access follows from the client's internal onboarding process. Similarly, if somebody leaves the company, their FilmTrack access ends as soon as they are removed from the client's system, eliminating the problem of a departed employee who still holds access to sensitive information. With FilmTrack integrated with an identity provider (IdP), it's "one and done".
When media companies are small, they may not have their own authentication standards. But FilmTrack can build this for them through our application authentication process that protects all the sensitive data going into it.
When companies become larger and more sophisticated, they often switch to their own authentication, whether it's Azure, Okta, Ping, or something else. FilmTrack can let them use that authentication within our application, effectively adopting their authentication standard. This makes it much easier to manage staff who come and go.
Cybersecurity
Cybersecurity involves protecting critical systems and sensitive information from digital attacks. According to a recent Gartner Hotspots report, cyber vulnerability is one of an organization's most critical risks. The systems, frameworks, and oversight involved in FilmTrack’s approach to cybersecurity include:
- CSOC (Cybersecurity Operations Center) – FilmTrack’s line of defense against unauthorized network activity through monitoring, detection, analysis, response, and restoration.
- SIEM (Security Information and Event Management) – Our centralized logging solution sets up alerts for activity across all systems, threat intelligence, and ongoing system health monitoring.
- Data Classification – FilmTrack identifies sensitive files according to their level of sensitivity, the risk they present, and the regulations that protect them.
- DLP (data loss prevention) – Rule-based controls are employed to ensure that sensitive data is not lost, misused, or accessed by unauthorized users.
- Penetration Testing – Authorized simulated attacks are designed to evaluate security by pinpointing weak spots in a system’s defenses.
- CIS (Center for Internet Security) – FilmTrack partners with CIS and applies the CIS Benchmarks, consensus hardening recommendations for operating systems, cloud environments, and applications.
- NIST (National Institute of Standards and Technology) – We voluntarily align with the NIST Cybersecurity Framework (CSF), a set of standards, guidelines, and best practices for managing cybersecurity risk.
- City National (City National Bank) – FilmTrack follows City National requirements for ongoing audits and regulatory compliance.
Applying effective cybersecurity measures can be extremely challenging because there are more devices than people, and attackers are becoming more creative. However, FilmTrack uses stringent data loss prevention measures (as required by City National) to protect sensitive client data. In addition, City National has a threat intelligence team that assists FilmTrack in monitoring active threats.
Role-Based Security
Role-based security, also known as role-based access control or RBAC, improves overall security regarding compliance, confidentiality, privacy, and access management to resources and other sensitive data and systems. RBAC systems simplify the user experience and offer superior data segregation by providing users with multiple roles simultaneously with specific permissions for each role.
FilmTrack provides role-based security configurable by the client, allowing them to parse data so that only certain people can access specific information. There are three significant benefits to our approach. We’re dedicated to the following:
- Simplifying the user experience. Individual users see only the information they need pertinent to their jobs so they are not overwhelmed, and data security is not compromised.
- Ensuring segregated access. With FilmTrack, only certain people can access specific data based on what they need to see. Our platform allows data parsing so that only the proper people can access it.
- Allowing configuration. If our clients have another company division with its own contracts and projects, some data can be shared across divisions, and some can be segmented; however, “Division 1” won’t see “Division 2's” data, and vice versa. Configuration is essential for global organizations with a production house. While operations in Europe and the US may share some common data, they can segment access to contractual terms or how they run their studios.
Application Security
At FilmTrack, our organization, internal systems, and people must be secure, and so must our application. FilmTrack’s application security follows OWASP (Open Web Application Security Project) guidance for the architecture, hardware, and hosting that protect the information behind the screen (role-based security, by contrast, governs which screens a user can reach). Access to data is enforced at the database level as well, which improves the security of the application itself.
The experience of someone who enters basic data in FilmTrack is very different from someone who is involved in reviewing the financial records within a contract. We built our security to create different experiences for those people and to segment the data securely so that somebody with access to basic data can get to it quickly without being overwhelmed by a bunch of other stuff they don't need. And likewise for people who need access to high-level financial information.
Entitlements and permissions determine who can see and do what. Many companies use an application with no sophisticated security – everyone is at the same level in the application. In other words, any user can see financial details or things they shouldn't be able to access. The FilmTrack app allows for the segregation of who sees what.
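The role-based security described earlier (roles, division segmentation, shared versus segmented data) and the entitlements described here (who can see basic project data versus the financial records in a contract) are the same mechanism seen from two sides. The following is an added example, not FilmTrack's code, of a minimal access check that enforces both on the data rather than on screens. Role names, permissions, divisions, and the sample records are all constructed for the illustration.

```python
"""Added example (not FilmTrack's code): a minimal role-based access check
with division-scoped data segregation and record-level entitlements.
Roles, permissions, divisions and records are constructed for illustration."""
from dataclasses import dataclass

# A role is a named set of (resource, action) permissions.  Anything not
# listed is denied (default deny), including unknown role names.
ROLE_PERMISSIONS = {
    "data_entry": {("project", "read"), ("project", "write")},
    "finance_reviewer": {("project", "read"), ("contract_financials", "read")},
    "admin": {("project", "read"), ("project", "write"),
              ("contract_financials", "read"), ("contract_financials", "write")},
}


@dataclass(frozen=True)
class Record:
    id: str
    kind: str             # resource type: "project" or "contract_financials"
    division: str         # owning division
    shared: bool = False  # True: common reference data visible across divisions


@dataclass
class User:
    name: str
    roles: dict           # division -> frozenset of role names held there


def permitted(user: User, record: Record, action: str) -> bool:
    """Grant if some role the user holds in the record's division (or, for a
    shared record, in any division) carries (record.kind, action)."""
    divisions = user.roles.keys() if record.shared else [record.division]
    for division in divisions:
        for role in user.roles.get(division, ()):
            if (record.kind, action) in ROLE_PERMISSIONS.get(role, ()):
                return True
    return False


def visible(user: User, records, action: str = "read"):
    """Filter a result set down to what this user may see: the 'only the
    information they need' experience, enforced on data rather than screens."""
    return [r.id for r in records if permitted(user, r, action)]


# Constructed sample data: an EU and a US division sharing one catalog record.
SAMPLE_RECORDS = [
    Record("p-eu-1", "project", "EU"),
    Record("fin-eu-1", "contract_financials", "EU"),
    Record("p-us-1", "project", "US"),
    Record("catalog", "project", "EU", shared=True),
]
ALICE = User("alice", {"EU": frozenset({"data_entry"})})          # enters EU project data
BOB = User("bob", {"US": frozenset({"finance_reviewer"})})        # reviews US financials
CAROL = User("carol", {"EU": frozenset({"finance_reviewer"}),     # different roles
                       "US": frozenset({"data_entry"})})          # in each division
```

The division lookup is what keeps "Division 1" from seeing "Division 2's" data: Bob's finance role in the US grants him nothing on EU contract financials, while the shared catalog record is readable from either division. Because the check runs per record, the same function can back both the screen-level experience and a database-level filter.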
Differentiated Hosting
Differentiated Hosting refers to a hosting model where customers are provided with dedicated hardware or infrastructure resources for their specific use, isolated from other customers.
FilmTrack serves enterprise customers with vast data and performance needs, as well as smaller companies that require fewer resources. For example, a client with a million projects demands more from the application than one with 100. Because of this, FilmTrack can place smaller clients together on the same virtual machine: each client's schema is walled off, but they share a server. A million-project client running a giant report would consume a lot of server resources and could slow performance for the other customers on that server. That doesn't happen with FilmTrack, because resource requirements are separated: our enterprise clients have dedicated servers and obtain greater performance.
FilmTrack serves many clients from shared infrastructure, but it does not use a true SaaS multi-tenant data model. Instead, we have a separate application installation for every client. The security benefit: no client's data is in the same table as another client’s.
Why is that important? In a true SaaS design there is one projects table, and every client's rows share that same physical database table, separated only by a tenant identifier on each row. In FilmTrack’s approach every client has their own schema, and we can further segment a client to a dedicated database, with both security and performance benefits.
There’s more to protecting your data than just locking it up. Other companies store your data on the same servers with other clients’ data, separated only by digital partitions. FilmTrack thinks your data deserves its own private island, so that’s what we provide.
Organizational Security
The importance of information security in organizations cannot be overstated. Companies must take the necessary steps to protect their priority information from data breaches, unauthorized access, and other disruptive data security threats.
All organizations need protection against cyberattacks and security threats. Data breaches are time-consuming, costly, and bad for business. According to Cybersecurity Ventures, the cost of cybercrime will hit $8 trillion in 2023 and grow to $10.5 trillion by 2025. Strong security reduces a company’s risk of internal and external attacks on information technology systems, protects sensitive data, guards against cyberattacks, ensures business continuity, and provides all stakeholders peace of mind by keeping confidential information safe from security threats.
“More than ever, bank-level security is an absolute must in the entertainment industry.” - Jason Kassin, CEO, FilmTrack
Bank-level Security
FilmTrack is a subsidiary of City National, which is owned by Royal Bank of Canada. When City National reviewed FilmTrack’s software, processes, and people, the bank determined that FilmTrack needed to meet the rigor and the standards of a $90B bank, and that’s what we have done.
FilmTrack is backed by the most respected financial institution in entertainment, Hollywood’s bank, City National Bank. Through their investment in FilmTrack and other technology companies, City National Bank makes it possible to handle avails, royalties, participations, residuals, AP, credit cards, specialized lending and treasury management services together in the first ever platform for all things entertainment.
There are benefits to high expectations - if an organization lacks established security processes, they may take haphazard risks with data. For example, when a developer works on a bug on their laptop that stores customer data, it presents an inherent risk if the laptop is hacked, lost, or stolen.
Amazon WorkSpaces
FilmTrack developers work on virtual Amazon WorkSpaces, which enable them to securely download client data to debug issues. Unlike other rights management software on the market, there's no physical device to lose or get stolen. Or, worst-case scenario, if a developer were to "go rogue," their access can be immediately stripped because of the security level FilmTrack maintains.
Third Party Vetting
Any third-party products that go into the application must go through a strict process with City National Bank's Vendor Management Office (VMO) for vendor risk assessments to ensure such products are secure and the companies are reputable, financially viable, and solvent. Additionally, FilmTrack was one of the first software companies in this space to obtain SOC 1 Type 2 and SOC 2 Type 2 reports - before we were acquired by City National.
SOC Reports
System and Organization Controls (SOC) reports enable organizations to be confident that service providers (or prospective service providers) operate with effective controls. SOC reports help to establish credibility and trustworthiness for a service provider — an advantage worth the time and money required. SOC reports use impartial third-party auditors to scrutinize certain aspects of an organization, including:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
- Controls related to financial reporting
- Controls related to cybersecurity
SOC reports are governed by the American Institute of Certified Public Accountants and focus on offering assurance that the controls service organizations put in place to protect their clients’ assets (data in most cases) are effective. There are four primary types of SOC reports: SOC 1, SOC 2, SOC 3, and SOC for cybersecurity, each with subgroups. Although no formal obligations regarding SOC examinations exist, businesses increasingly demand them.
When enterprises rely on the controls at a service organization to control their own financial reporting process, as in the case of a company that depends on a payroll provider for processing and management, they examine that provider's SOC 1 report for evidence that the controls operate effectively.
The main purpose of a SOC audit is to assess the design and effectiveness of a business's internal defenses and controls and to provide objective, practical feedback. The examination focus is the most significant difference between a SOC 1 and a SOC 2 report.
SOC 1 Type 2
SOC 1 reports cover services outsourced to service organizations that are relevant to a customer's financial reporting, and they help financial statement auditors scope their own procedures. Sophisticated service organizations also rely on them to give customers assurance over the controls that affect financial data.
SOC 2 Type 2
SOC 2 reports are also attestation reports issued by an independent Certified Public Accounting (CPA) firm. Rather than financial reporting, they focus on the operational risks of outsourcing services to third parties. These reports are organized around the Trust Services Criteria, which cover up to five categories: security (always included), plus availability, processing integrity, confidentiality, and/or privacy as applicable.
FilmTrack’s SOC 1 Type 2 and SOC 2 Type 2 reports and bank-level security ensure that technological enhancements made to the product are secure when they reach the market.
Conclusion
Media companies that track royalties and the distribution of entertainment/educational media should be highly concerned about security, not only in the course of doing business but also when selecting a new rights management platform due to how critical product security is.
FilmTrack invests heavily in product, application, and organizational security and is committed to providing a secure rights management platform. To deliver bank-level security, our platform, people, and processes offer the following and much more:
- Product Security: product security with the capacity to record every transaction – who is getting paid and how much – and securely store all information in the cloud.
- Application Security: application security that protects access to information behind the screen, providing access to data together with database-level security.
- Organizational Security: the organizational security of a bank – not a standalone software company – as evidenced by SOC reports that meet the standards of a $90B bank.
FilmTrack operates worldwide and incorporates global standards. Our regulatory oversight dictates a higher level of standards than our competition employs. We maintain a dedicated office responsible for ensuring compliance with global standards and regulations like SOC 1, SOC 2, GDPR, and more, in line with the bank-level standards set by City National. The resources FilmTrack pours into security make us the perfect partner for safely managing rights.
If your company wants the peace of mind that bank-level security provides, request a demo to learn more about FilmTrack’s rights management solution today.
About Ed Evans
Ed Evans (Information Security Manager, FilmTrack) is an information security executive leader for a variety of industries and verticals with a passion for vulnerability management (VM). He has significant experience writing security policies aligned with the National Institute of Standards and Technology, creating and delivering security awareness presentations, risk assessment, VM and penetration testing, and compliance with the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), and the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) requirements.
*This article is for general information and education only. It is provided as a courtesy to the clients and friends of FilmTrack. FilmTrack does not warrant the information contained in this article (other than factual information relating to FilmTrack) is accurate or complete. Opinions expressed and estimates or projections given are those of the author or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change.
* All trademarks and service marks are property of the respective owners.