FTP Replacement May Be Essential to Securing Content Supply Chains

For decades, FTP has been used in the Media & Entertainment industry to move files between servers and for distributing them around the world. And for just as long, cybersecurity experts have been warning of its potential threat to network security, intellectual property and privacy. Nevertheless, FTP has persisted.

Security reports continue to warn about FTP

A 2015 University of Michigan study, “FTP: The Forgotten Cloud,” found more than 13 million FTP servers in use, with 1 million configured to allow anonymous access, potentially exposing sensitive files and network access. And that number has only grown over the years.

A 2019 report by Digital Shadows’ Photon Research Team examined data exposure on the most common file sharing services across the Internet. They found 750 million more files exposed than last year, representing more than a 50% annual increase. FTP services accounted for 20% of the total.

“Our research shows that in a GDPR world, the implications of inadvertently exposed data are even more significant. Countries within the European Union are collectively exposing over one billion files – nearly 50% of the total we looked at globally – some 262 million more than when we looked at last year,” said Harrison Van Riper, a Photon Research analyst.

Considering the proliferation of FTP throughout the media, loads of that data are probably high-value media assets. We all probably recall the 2017 HBO, Netflix and Disney security breaches. According to Alex Heid, Chief Research Officer at SecurityScorecard, those can likely be traced to hackers exploiting FTP used by third-party post-production companies.

“A lot of the time the people doing the editing have access to confidential, highly secure information just so they can access files they need quickly,” said Heid in an interview with Polygon. “The hacker underground has figured out how these transfers are being done and how to get into a company’s main database through that.”

“Using an FTP goes back to the beginning of the internet,” Heid continues. “It’s not a very secure method… There may not be any password in place. But once an attacker has that, they can essentially log in to the entire network.”

Industry leaders push for higher security and performance standards

In response to all of this, some major media enterprises have completely replaced FTP internally and refuse to work with partners who use it, insisting that all media providers use secure, accelerated transfer solutions. They know that the media industry’s content supply chain is inherently interconnected, and they are not alone in that understanding.

Pushing for higher security and performance standards across the industry in Europe, the DPP is one example of a regulatory agency that is taking on the problem. The newly formed Trusted Partner Network (TPN), a joint venture between the Motion Picture Association of America (MPAA) and the Content Delivery & Security Association (CDSA), is another.

To stop what Alex Heid called an ongoing series of “repeatable attack scenarios,” security needs to be everyone’s concern, and that may well hinge on a secure FTP replacement.
