
PK: ‘Bulletproof’ APIs and a ‘Prevention Mentality’ Can Best Safeguard Your Data

Secure application programming interface (API) development and having a “prevention mentality” can go a long way towards better safeguarding valuable data, Lou Powell, partner and head of PK’s API Practice, said Oct. 20 during the online Media & Entertainment Day event.

In the threat environment being faced today by the media and entertainment industry, data security throughout the content value chain is of paramount importance, and the focus of strategy and budgets globally.

API security is especially important, yet this area is often overlooked in the development of data protection planning, according to PK. As a result, APIs have become attractive targets and are a major factor in many recent data leaks. However, in many cases, there is insufficient understanding of their importance and many companies are at much greater risk than realized.

Powell’s team at PK are experts at developing enterprise-level, “bulletproof” APIs that have been relied upon in critical applications where data breaches are simply not an option.

“The interesting thing that we’re seeing is that the pandemic, in many industries, including healthcare, telecom and media, has made some remarkable accelerations in the direction that the technologies were already moving in,” he pointed out during the Distribution & APIs breakout session “Innovate Fast without Sacrificing Security: Employing Bulletproof APIs to Safeguard Data.”

He pointed to Disney’s shift from focusing on production to distribution with its Disney Plus streaming service as one example of the change being seen in the M&E sector.

“What we’ve seen is this rapid acceleration of digitization…. We’re seeing that we are now strongly moving in this direction of streaming and it’ll be exciting to see how all of the folks participating in the industry are going to respond to that,” he told viewers.

“As we look at going to digital and moving into these online value exchanges, a lot of companies are trying to shift from older ways of doing business to these new and digital ways of doing business,” he pointed out.

“And the media and entertainment industry is really interesting because you’ve got digital natives who live in this industry and then you’ve got folks that have been around for decades that have been producing and participating in the industry,” he noted, pointing to them as “bookends of the spectrum.”

However, there are “a lot of folks that are not those digital natives that are trying to get to that new digital delivery paradigm,” he said. “And the things that they’re struggling with [include] how they become more agile – how they accelerate delivery from how they currently do things to this new way of doing things,” he noted, adding: “As they move into these new ways of delivering value to consumers in a digital fashion, how do we do that without increasing risk, but [also while] decreasing risk? And then how do we transform without introducing all of these new risks?”

There are “four areas that companies are now really focused on” as they try to “adapt to this new market reality.”

Those areas are:

  • Becoming agile: Creating an organization, processes and practices that embrace quick turns and changes in direction.
  • Accelerating the delivery of new channels of engagement, accelerating creation of new capabilities, and accelerating integrations into core business platforms.
  • Reducing risk, which is a balance of just-in-time (JIT) systems, services and oversight that enable safety and speed.
  • Transformation: Be intentional about enabling the success of these new digital practices by implementing the right organization, funding, incentives and delivery paradigms.

Meanwhile, “we’re starting to see a lot of compliance and government regulation around consumer privacy and consumer data management and practices, and we’re also seeing a lot of companies that are looking at it from the perspective of concerned consumers who are looking for the companies that they deal with to act in a responsible fashion,” Powell pointed out.

We are seeing not only the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the U.S., but also companies that are “proactively going after [and] trying to be really, really thoughtful about how they manage all of this data that they are starting to accrue from their consumers from the perspective of transparency and ethical AI and ethical data management,” as well as ethical usage and hyper-personalization, he said.

He added: “As we move into this hyper-digital world, we’re starting to create a lot more data. So we’re collecting more data and we’re distributing more data.”

Studios, networks and streamers alike are proactively focusing on the collection, storage and use of consumer data to increase trust and gain loyalty, according to PK.

“And this is what we know: More digital means more data and more data means that we have more risk,” Powell said.

So the question is: What do we need to be doing to manage that risk? A recent ScreenMedia report found 28% of media organizations admitted to having experienced a cyber attack of some type or another, he noted. He also pointed to an Akamai report that said “API traffic surprised us by revealing that 83% of the hits we see are API driven,” up from only 47% in 2014.

“The outcome of that is that it creates another risk” with “significant security concerns because when you start looking at how to secure typical web traffic when it comes to content, it’s very different than how you secure data in a direct data consumption experience,” he said.

Common API breaches are due to the shift from a tightly-coupled integration world to APIs that are loosely coupled, and failing to modify architecture and security practices to match this new paradigm, according to PK.

And the top 10 causes for API breaches, it says, are: broken object level authorization, broken authentication, excessive data exposure, lack of resources and rate limiting, broken function level authorization, mass assignment, security misconfiguration, injection, improper assets management, and insufficient logging and monitoring.

API security is typically handled by detecting a problem and then treating it, Powell noted, but he pointed out that the problem is that, by then, “we’ve already incurred some damage.” So that is “not necessarily the most desired approach,” he said.

That is why PK endorses the prevention-focused approach of “shifting left in the development process to create more security but also to create acceleration,” he went on to say.

As part of this system, you create standards and set up a set of development practices. Then, during the development process, you create “pre-built, pre-approved components” and conduct continuous testing, Powell noted. SecDevOps is then employed with risk-based automation and a certification process, followed by security monitoring/detection practices including a manual audit.

This “prevention mentality” means that instead of “finding and eradicating security breaches, we are going to prevent them altogether,” he concluded.


M&E Day was sponsored by IBM Security, Microsoft Azure, SHIFT, Akamai, Cartesian, Chesapeake Systems, ContentArmor, Convergent Risks, Deluxe, Digital Nirvana, edgescan, EIDR, PK, Richey May Technology Solutions, STEGA, Synamedia and Signiant and was produced by MESA, in cooperation with NAB Show New York, and in association with the Content Delivery & Security Association (CDSA) and the Hollywood IT Society (HITS).