Building Resilience in Streaming: A Security Checklist for IP Media Workflows


Sergio Ammirata Ph.D., RIST Director and Chief Scientist, SipRadius

Security is a critical part of any streaming or remote production workflow. With valuable media assets and live events being delivered over public and private networks, there’s simply no room for complacency. Industry protocols like RIST have raised the bar for secure and reliable transport, but the responsibility doesn’t stop there. True resilience comes from ensuring that every layer is aligned to minimize risk.

It’s also a growing challenge. At the 2024 World Economic Forum in Davos, Accenture presented research revealing that the number of organizations with a minimum level of cyber resilience had decreased by 30%. Small and medium-sized enterprises, such as those operating in the media and production space, are often worse than average.

Here are some key areas to review when assessing the security of your streaming infrastructure:


Are you certain that the architecture, routing, hosting and operating systems are the most appropriate for this particular stream?

Should you be insisting that all devices that process media run a specialist, dedicated media OS rather than some general Linux flavor which may or may not have the latest security patches?

Are all the points that your stream will pass through secured?

End-to-end security does not mean the first and last devices are protected; it means that every device is safe. Virtual machines often run on Ubuntu, open source software with no one taking responsibility for security and no guarantees that the latest vulnerabilities have been plugged.

At which points will the stream be decrypted, why, and how will it be secured?

Do you understand the architecture of the delivery network, and the technology employed at each point? The best way to protect content is not to decrypt it.

Is every device in the chain equally secure, or do some have backdoor access?

Not naming names, but there are well-known encoders on the market that store passwords in the clear. Backdoor access for system updates seems like a good idea, but can it also be used to access the user data on the device?

Is every point in the chain physically secure?

Hardware used to be kept inside a machine room, in the middle of the broadcast center, with multiple layers of card access protection. With remote production and ad hoc distribution, hardware can be anywhere. Compact devices can be left behind, so the bad guys can hack them at their leisure, learning all your IP addresses so they can disturb streams whenever they want.

Is the sign-on and password process robust?

Is access really restricted only to those who need it, and if one password is hacked, does that open up the whole network?

Are your comms secure?

Intercom, text and document transfers are all part of remote production and delivery. Rather than using a consumer-level system like Zoom or Teams, put them in the same secure stream as the content, before someone asks for the destination IP address and someone else, in haste, replies in the clear.

Is all the production equipment security hardened?

Do critical pieces of kit need an internet connection to operate or validate licenses? Imagine waiting for the headline act at the biggest music festival of the year, and all the settings on the audio desk clear, and the PTZ cameras swing up to focus on the lighting rig.

Does any part of the production use open source software?

Have you evaluated it for security risks? Are the latest patches implemented and tested?

Have you tested and verified the complete system?

Then tested and verified again. Then developed a new testing and challenging protocol, and run that?


The reality is that vulnerabilities do exist across our industry, and the threat landscape continues to evolve. But with a clear understanding of the risks and a proactive approach to mitigation, media organizations can safeguard their content, protect their operations, and build greater confidence in their delivery chains.

Security isn’t something to be assumed. It’s something to be designed, maintained, and continually reviewed.

Helen Weedon