The video industry is transitioning fast into the cloud and IP-based products and systems. Digital security requirements keep growing as a fundamentally important part of this new era.
In response to the increasing awareness of the need to secure production technology, Ross Video was motivated by several key trends to invest in a new focus on security. As a technology vendor whose equipment was primarily installed in locked server rooms and highly secured physical locations on separate networks, our security was previously partially taken care of by ensuring segregated networks.
“One of the challenges facing product technology vendors like Ross is solving how, why, and even whether to apply Zero Trust standards and rules to the technologies that make up the production operations fabric.”
-John Naylor, Director of Product Security
Key Security Trends
As early as 2017, thought leaders within the production industry began to raise concerns about the architecture and support for the secure control of these systems, as well as the transport and storage of the content. The increasing requirements in requests for proposals that we engaged with prompted the imperative to mature our cybersecurity. In a few short years, the questions related to security had gone from non-existent to mandatory considerations.
Ross responded to the increasing awareness within the production technology industry in February 2018 by forming the Product Security team. Their mandate is to ensure that Ross products meet best practice standards for infosec and privacy when installed on customers’ networks.
John Naylor and Gaurav Saxena comprise the core unit, with champions in each team.
“I want to make the world more secure and reliable, and what better place to do that than in a company that builds the backbone that delivers the world’s live content? Security as a capability is new to this industry, and I’m helping change Ross’s perception of it from a mere add-on to a product.
We take a broader view: security as a complete process.”
-Gaurav Saxena, Product Security Architect
For the past several years, the Product Security team has worked closely with Ross product teams to educate and elevate the understanding and need for security to be not only a priority but a fundamental building block.
The key achievements of the group include:
We are educating and supporting Ross in adopting the Microsoft Secure Development Lifecycle (MS SDL).
We are establishing and evolving the vulnerability response procedure, which keeps customers informed of any risks to Ross products.
We are establishing the Ross Security Framework, which assesses the rate at which products are maturing and the overall security of their products and delivery processes.
All products complete their quarterly product security checklists to help them mature.
“One of the biggest challenges of the Product Security team has been to support Ross in living up to the customer’s best interest where security is concerned. We’ve designed and implemented a rapid response procedure for handling emerging vulnerabilities that raises customer visibility and speedily resolves the security risks our customers are exposed to.”
Building a Secure Production Ecosystem
Protecting content and systems from slips and malicious actors has now become a critical part of product delivery within Ross. As our practices have evolved, we’re working to enable several vital shifts within the industry, as detailed below.
Emerging Interest in IP-based productions
Production technology expenditures are increasingly scrutinized by financial and operations staff across vertical applications – corporate, news and sports – and production technology teams are compelled to look at networking and content management approaches that their IT counterparts have used for years. This change brings a new focus on IP-based video transport and logical vs. physical routing of rich media content.
Once that content hits the network, it’s no longer as secure as when transported by physical cables linking the cameras to the router. It is critical to ensure that the packets of data remain safe, that production is not interrupted, and that systems continue functioning in the IP world.
Organizations like EBU and NABA are supporting the industry by publishing guidelines and recommendations and forming subcommittees to help guide production technology consumers to secure their content, software, and services.
The Benefits of Zero Trust Topologies
As IT departments embrace the zero trust philosophy, insisting that every stage of digital interaction is authorized becomes critical. The concept is causing many thought leaders within the production technology space to take note.
The complexity of large video production systems caused by various vendors, discrete platforms, and signal formats can make the aspiration to establish a Zero Trust environment sound impractical.
“The priority for product security is coming from the very top. Our CEO, David Ross, endorses and supports the vision for product security, and product teams must deliver on that vision. We all work together to mature and deliver on the product security framework. The product leaders at Ross understand and support the overall goal of providing a set of tools that work together securely.”
-Ashesh Sharma, Product Owner
Through sustained, incremental delivery, Ross is taking many small steps and working with other friendly vendors (code of ethics #8) to adopt shared standards that support our customers in having mixed vendor environments and multiple purchasing options.
Facilitating Secure Ground to Cloud
While the shift to adopt cloud-based production technologies has been slower than the industry expected, this is a trend that Ross is watching. The need to ensure that video signals and control data both flow securely between the hardware deployed onsite and the cloud is obvious but non-trivial to achieve.
For vendors creating new, exciting, and operationally efficient cloud-based technologies that solve production problems, paying attention to security has become top of mind. Relying on a network perimeter is no longer sufficient for vendors looking to offer technologies that work in cloud-hybrid infrastructure models.
Adopting Security Standards and Standardizing Our Language
Maturing the way that Ross communicates internally and externally with customers about security-related topics has been a big part of the Corporate Security team’s objectives.
Our sales and product management teams are now equipped to converse and provide solutions that address our customer’s needs as requests for proposals bring increased security requirements. If security incidents occur, Ross has processes that allow us to respond and address them quickly. We use both capabilities to ensure that we meet our customers’ needs and keep environments secure.
Exploring Zero Trust and IS-10
One of the critical areas that Ross has been ramping up on is our understanding of the publicly available standards for implementing Zero Trust topologies. A necessary part of this approach is to provide speedy authorization for any request. Gone are the days when physical access to the port guaranteed that you were entitled to make a request.
The IS-10 specification, being developed by AMWA, fills the global gap for production technology providers. It recommends the use of OAuth 2.0 and uses web tokens to identify and authorize systems making requests.
Incidents & Responses
As new threats emerge and we continuously discover new vulnerabilities, Ross has developed a robust approach to assessing these risks and communicating with customers. Building our understanding of the common terminology used within the security industry has been instrumental in ensuring that we use clear, practical language.
A great example of the response from Ross was the worldwide incident caused by the Log4j exploit we discovered in Dec 2021.
“Ross’s response to the Log4J incident taught us that we needed a trained response team. We were some of the first to respond amongst production technology vendors, but that response relied on people going above and beyond, which is the Ross way. With that said, we wanted to formalize the response capability so the organization is ready for the next threat. And we’ve spent the past year doing just that.”
-- John Naylor
As the industry transitions to interconnected and cloud-based solutions, digital security becomes paramount and part of the fundamental building blocks of our products. Ross stays ahead of the curve by proactively keeping our products and systems up-to-date with the latest security standards, zero trust architectures, and best practices.
Come visit us at NAB 2023!
Come visit us for a tour of our Corporate Solutions and book a demo to learn more about our products and how we can securely cater to your every video need, from the camera lens to your customer’s screen.
About John Naylor
John serves as Vice President of Enterprise Management and Director of Product Security. He spends his days shepherding the product management and delivery teams within Ross to mature the security of how they deliver technology. His days are spent gathering information, monitoring the production technology market, and working with other vendors on standards and guidelines.
John is an active member of the NABA Technical Committee Cyber Sub-committee, the SMPTE Study Group on Security in ST-2059 (aka PTP), and the advisory board for the TV Newscheck Cybersecurity Retreat for Broadcasters. He presented his paper, “Towards Zero Trust in Broadcast,” at VidTrans 2022.
About Gaurav Saxena
Gaurav serves as Product Security Architect within the Ross Product Security team. As a Cyber Security practitioner with 17+ years of experience, he has experience planning and delivering cybersecurity projects and applying his expertise in various security scenarios. Keenly interested in learning about new technology, Gaurav is excited to use his knowledge to secure the technologies transporting Ross customers’ content.
About Ashesh Sharma
Ashesh is a Product Owner at Ross, prioritizing product security features and testing. In his previous role as Security Champion, he worked closely with the Product Security team to build the team’s appreciation for security and the impact it can have on Ross’ customers. He is passionate about “secure by design,” “user data privacy,” and other security-focused initiatives.
Engage with us in the security community!
Check out the Living Live community to engage with us on other topics, questions, and concerns. We’ll respond!