
    Working From Home Securely Webinar: TPN with Guy Finley & David Benson


    Did you miss the “Working From Home Securely: Best Practices: TPN” webinar featuring Guy Finley (President, Content Delivery & Security Association) and David Benson (BeBop co-founder and CTO)? Here’s another opportunity to catch it: we’ve uploaded a copy of the video here for you!

     


    TRANSCRIPT

     

    John Conroy:

    Hello, everybody. Welcome to the daily BeBop Technology Work From Home Securely webinar series. We’re running these every day at two o’clock Pacific, variety of topics, and we’ve got a really interesting one going on today. I’m John Conroy, I’m BeBop’s VP of Communications and Market Development. Today, I’ve got two very special people I want to introduce. When we started this webinar series last week, during the first one, there were a very large number of questions related to TPN and working from home securely in terms of the BeBop solution and just working from home securely in general. So we thought it would be a great idea to have David Benson who is BeBop’s co-founder and chief technology officer, as well as Guy Finley, who is the president of the Content Delivery and Security Association, basically do a fireside chat of sorts to talk about TPN in the broader sense and help give some clarity as far as where that fits into working from home securely and overall workflows for media and entertainment. So with that I will turn it over to Dave and Guy to talk about TPN.

    Guy Finley:

    Thank you.

    David Benson:

    Thank you very much, John. So welcome, everybody. I’m Dave Benson, CTO and co-founder of BeBop Technology. Today, as John said, we’re going to talk a little bit about the Trusted Partner Network, the program that was created… I’ll let Guy give a little bit more detailed history, but generally created between the MPAA and CDSA to largely replace or evolve, I’d say, the existing MPAA site assessment or security program that’s been in place for many, many years at this point. So as John said, there’s a lot of questions that came out of our first webinar, a lot of them very much expected. So we wanted to have a very dedicated and focused conversation about that with the man that can answer a lot of the questions and very honestly will answer some questions with intentions of things that are happening, things that are happening in the very near future.

    There may not be explicit timelines on some of it, but the goal today is to get everybody as much clarity as they possibly can to help make decisions on what people are faced with literally today, tomorrow, and next week versus three months from now or two years from now. So with that, Guy, if you maybe want to give us a quick five minute overview of maybe just what TPN is, a little bit of history and the current of things and we can go from there.

    Guy Finley:

    Absolutely, thanks. And thanks, John, for the introduction and thank you, David, for the invitation. So the TPN, the Trusted Partner Network is a joint venture between CDSA, where I’m the president, and the MPA, the Motion Picture Association, the MPAA as we’ve always known it, but they recently rebranded last fall. Basically, we tried to combine our two separate assessment programs into one all-encompassing one industry, one audit program that’s driven by a platform experience and actually has three separate constituencies rather than just content owners and vendors. We also have this assessor pool of our qualified assessors as well. We’ve been in business for about two years focusing solely on site security assessments around the world. We’re already at about 600 assessments completed before this crisis really started to hit and impact our onsite assessment schedule.

    And really, what it does is it provides a pretty seamless way for that content owner, that content creator, to develop and have a risk position around vendors out in the marketplace. It could be a VFX vendor in Kuala Lumpur, it could be a dubbing facility right down downtown Burbank. It’s meant to be broad, but at the same time, we aren’t a certification. This is the classic challenges. The old CDSA program, we certified facilities and basically said, “They’re approved.” We were an arm for a studio in terms of their approval process. But with the TPN, we have more content creators in the pool, so it’s not just the big six as we know them if you include Netflix in that big six of MPA member companies. It also includes content creators that may not necessarily be a studio. So people like Bad Robot and Legendary sit on the CDSA board and have had input around the creation and also the operations of TPN to date. It’s a voluntary program and that’s also what’s important.

    So a lot of people come to TPN and send me emails saying, “Hey, how do I get certified? How do I get involved?” Ultimately, this is about each individual facility’s relationship with their customer, with their studio that’s providing their content. So we don’t get in the middle of that process. We just wanted it to be where if you did perform an assessment, it wasn’t a single snapshot from a single company because that was also the reason why we formed. It was like, “Wait a minute, I got a CDSA assessment, I’ve got an MPA assessment, and then I was visited by studio A, studio B, studio C, television network D and I also have things like ISO and I have PCI and I have all these other certifications around it.” Let’s try to get it straight and keep it straight for that relationship, again, between the customer, which is the content creator and that facility and the work that they do. So we’ve got a process that you go through; initial questionnaire, you pick your service types, you get a longer extended questionnaire, you negotiate with one of these qualified assessors.

    We have about 50 qualified assessors of which I think 30 plus are up on our ttpn.org website. Essentially, you make that agreement with that qualified assessor. They assess on a certain date and then you have remediation items if those are evident that you work through the process, and we try to have it on a cadence so that you’re renewing every year. That’s the other thing that TPN brought to the table. We do have an annual renewal, but we do have options. It doesn’t necessarily have to be a site security visit. We do have a remote assessment option and this is particularly relevant for the crisis that the world is going through right now, where we can’t travel, we can’t do those in-person visits. But the idea is to get you in, get you through the process, get you up in the platform so that content owners can see that questionnaire, see the things that you’ve remediated and give that as a tool for them to continue their relationship with that individual facility.

    We think that’s paramount, is that relationship, we’ve worked together for so many years. Site security also is, like you said, cleaning up kind of a 10 year path where everybody reacted similarly… not in concert, right? But where everybody understood different risk position and risk posture, including CDSA and MPA with our particular programs. And we wanted to make something that worked, worked for everybody, worked on a cultural level internally at a content owner, worked on the vendor level where everybody’s worried about time and cost, and what was essentially an onerous audit situation if they got audited 10, 12, 14 times per year. So when we tried to make it in digestible, easy-to-use language, but of course, as you go out around the world and as you deal with 30 content owner companies who are trying to achieve these objectives, there’s been question marks along the way. So we’ve tried to solve these as they have arisen, and most importantly, we’re also looking to our next phase, and we’ve talked about this for the last year.

    We were actually going to debut it at NAB, which is also ironic that we’re not going to be at an NAB here in April. We are all going to have a virtual NAB or whatever. We’re still on track with that announcement, and that is specific… we call it app and cloud, so application and cloud security. We’ve been working in the background 18 months in terms of our control framework and business model on the CDSA side in conjunction also with our technology committee at CDSA. That’s a group of 15 vendor companies that get together and report up into the CDSA board and provide a vendor perspective, which we also think is absolutely critical in this dynamic marketplace that we’re in. So it’s really been a process, and if you think about those 600ish audits that we have performed, individually, CDSA did maybe 120, 150, MPA did anywhere between 60 and 120 depending upon the year and their service providers. So we’ve already essentially doubled our output because we’ve only been actually assessing since September of 2018.

    That’s when we did our first TPN site security assessment, even though we launched in April. So that was a lot and I can- [crosstalk 00:09:12].

    David Benson:

    No, no. That’s totally fine. That was awesome.

    Guy Finley:

    … [crosstalk 00:09:16] few minute overview of where we were and where we are. I think it’s important for everybody to understand those major things, the voluntary, culturally acceptable, and also striving on the vendor sides to essentially make it less onerous and a less expensive process hopefully due to market demand.

    David Benson:

    Excellent. So you hit on a lot of stuff there obviously. The one thing I want to key in on and I think is especially critical and relevant obviously for what we are talking about today and what we’re all dealing with as of the last two weeks and foreseeable future right now, whether it’s work from home or just work, not… work in a distributed manner. I’ll say it that way. It’ll start from home, but as it evolves, it’s going to just be more distributed than it ever has been in the past and I don’t think anybody would argue that at this point. So when we move into those models, we’re talking less in terms of the participants that normally would be assessed, as you mentioned. We’re talking less about site security now and now we’re moving into, as you said, app, and I would say predominantly cloud.

    So let’s talk a little bit about, I would say, really just the fundamental shift and approach and shift in understanding between a site survey or a site assessment paradigm that we all used to live to a cloud frame… you used the word framework, right? So let’s go back to that and maybe touch on what you mean by that and what’s coming for all of us just in terms of expectations.

    Guy Finley:

    Sure. So currently, let’s start currently. Right now, we work on a platform. The TPN is a platform that everybody logs into and is MFA’d and it’s secure and we test it and treat it like a secure application in any on-prem or cloud environment. It is cloud-based. But the idea there is that that application needs a control framework, a check box basically, so that when we go in and have an assessor visit a facility, there is an actual question that they are looking for an answer to from that particular facility. It’s interesting because that framework is not necessarily exposed on the site security side. It is interpreted through the MPA best practices. When you go to the TPN website, and then the FAQs, you can get to the MPA website or you can go there just straight through a link and we’d probably share it at the play out of this webinar at the end.

    But it’s the best practice guidance that is the forward facing, this is what I need to do in order to get through my TPN assessment, right? I say get through, right? Because I can’t say approved or get certified through the TPN. So that guidance goes through a filter. So it is more black and white and a little less prescriptive on the best practice side, a little bit broader. And it’s been an effective way because those MPA best practices have been around for years. The studio side has really put a lot of time, energy, and effort into making them right and making them so they were acceptable to all six of those MPA member companies that created them. So we’ve absolutely honored that and we’ve been part of also the best practices upgrade process. Every three months, every six months you’ll see a new version pop up that may have a different twist on a particular best practice, just because, hey, we’re out there, we see this situation arise or something pops up and we need to address it.

    So we do have a really good body for that side on the MPA, very engaged and interested participants that are looking to provide more clarity into those best practices and evolve them. But ultimately, it’s that control framework. And so when we think about application and cloud, and think about control frameworks that are out there in the application and cloud space, it’s much more common. So a SOC 2 control framework, NIST, PCI, and actually there’s a couple of industry bodies, the Cloud Security Alliance and OWASP, that have done a very good job of mapping to ISO standards and existing other control frameworks. So we’re looking in the next evolution of app and cloud to just make the control framework something that is accessible. So what we were planning to do around April, and again we’re having conversations both this week and next… We have board meetings next week as well. We were planning to release that control framework on April 15th.

    I wish it was February 15th because I think it would have certainly helped in light of this… the virus situation and the work from home situation. But the idea of being, you should also, if you are a facility there or an application or a cloud provider, you should probably have a lot of these bases already covered because it’s not as if our cloud infrastructure is the most insecure infrastructure. It already is pretty buttoned up. Everybody does want it to be secure. Nobody wants leaks, nobody wants things to break, right? So the idea being, when you look at this new framework, you should be able to map up and be like, “Oh, okay, I might so.” That’s all these frameworks. All right, we’re good there. “Oh, I’m this there. I’m SOC 2. Oh, we can, we can check those there,” so that it’s not as onerous going in and saying, “Oh, now I have another 500 question questionnaire that I need to fill out that essentially is duplicate duty to some of those other standards that you may already have achieved and even certified in some instances.”

    So we wanted to make it easy and something that was relatable to those who are responsible to do this. I’m sure you’ve been through a couple of RFPs, Dave, in your lifetime. It gets onerous, it gets long, and we used to call it the NA NA NA NA. Right? If you are a cloud company getting a site security assessment, it was like NA NA NA. I don’t have doors. Right?

    David Benson:

    Well, it’s funny you say it that way because that largely was for BeBop. I can relay our experience going through the old MPA site security process. It was an interesting half hour to 45 minute experience and what came out of it was actually interesting. It was more discussion about, in this case, how BeBop and MPA could maybe start working together to develop the new program, and I’m dating myself, however long ago. This was in terms of how this could really be done and how it could be approached in a meaningful way, exactly how you’re saying. So one of the things I wanted to kind of touch on that you mentioned a second ago or almost inferred it, but this notion of compliance, right? Site security, as you’ve described, is not an easy thing by any means, especially when you’re in a very large facility, right? But you’re in a static environment largely. So ongoing compliance should be a manageable thing, it’s done every three months, six months, as you mentioned, right?

    When you’re talking about highly, highly dynamic cloud environments where even a steady state production application that is… or platform that’s deployed in that environment, the nature of the flexibility that the cloud gives us almost dictates that those environments are going to have a constant state of flux. So with that requirement or that expectation, rather than that being the exception, we get into a very different world of how to manage ongoing compliance. So maybe talk about how the TPN Apps and Cloud piece of this is going to approach that.

    Guy Finley:

    Yeah. And by the way, when we start talking TPN, yes, I’m the chief executive officer of the TPN, but I am in a joint venture partnership. So I’m very cautious and careful about what I state about the TPN. Our board is CDSA and MPA, so I definitely don’t want to talk out of turn. It’s interesting because when you think about what we have now around site security, it’s a snapshot in time that really happens once, it’s a physical person that actually has to go. That’s why we want global assessors so they don’t have to travel from LA to Tokyo or LA to Kuala Lumpur. We’re trying to get it local, right? So it’s literally physical person going into a physical location and checking for these a lot of very physical things. App and cloud is going to be totally different. Now, I can’t say whether it’s going to be TPN or how they will adopt this, but the ideas that have been discussed on the CDSA side is to make it… in our technology committee with the actual vendors, some of which are major cloud providers.

    But the idea is it’s not going to be an individual approach. Right now, we get one qualified assessor, they do a proctored exam in their locality. We’re certifying that one individual. That one individual may be part of a larger company. We have a couple of companies that have multiple assessors, but it really comes down to that one… Our qualified assessor program for site security is around that one individual. With app and cloud, we’re talking about a very different approach. And by the way, before we get there, it’s not really highly automated, right? Because that individual has to get on a plane or a bus and go over to that side of town and walk through with the- [crosstalk 00:18:51].

    David Benson:

    You just skipped ahead to where I was going. Keep going.

    Guy Finley:

    Yeah. There’s not a lot of automation or things that we can do. We’ve automated a lot on the ops side just to be able to push it through and to get to scale. Right. Our scale figure is around 2,500 facilities around the world and we want to make sure also that they’re on an annual cadence, right? So the idea is, we looked at that like there’s certain things we can’t automate and that we can. With app and cloud, entirely different. We’re looking at it as potentially being a company centric approach rather than an individual approach. We’re also looking at it to be… with pen testing and vulnerability scanning and also that ability also to either tweak and something exposes itself as a vulnerability or you tweak and it locks it up. We want to have a mechanism so that that comes back and forth from that individual application or that individual cloud environment or even from that site security facility.

    This is the other thing that’s so important, and I know you wanted to jump on another piece, but site security is a critical part of app and cloud because we can talk to the application creator and see how they engineered it and architected it. But when it’s out in the wild, where is that out in the wild? Nine times out of 10, it’s through a site security visit. You’ve got a particular application in a particular cloud environment that’s being utilized in this secure facility. Now, COVID has kind of changed our thinking around that, right? It may end up being remote, but it’s still the same concept where these things have to come back in and report more often than having one assessor- [crosstalk 00:20:34]

    David Benson:

    Would you agree that at this point… because I totally see what you’re saying, and I don’t disagree, but would you agree that the site’s security burden almost is shifting towards the large “sites” which are the cloud providers at this point and maybe away a little bit from the traditional sites that had all of this process running on-prem? Right? And as that shift happens, you’re going to have more app and cloud people… Well, let me say this way, more participants in the app and cloud side and maybe less and massive participants on the site survey side?

    Guy Finley:

    Well, I mean, it’s hard also because when you think about those 3000 facilities around the world, right? And then you can pop the cloud people on top of that, right? Because that doesn’t even include… And by the way-

    David Benson:

    Well, maybe come both. That’s-

    Guy Finley:

    Yeah, ultimately. And I always bring up, and forgive me, this is the fictitious Danny Elfman’s living room, right? I brought it up so many times, right? I need to have a path for individual creatives that have a work environment on their own to be able to be assessed not only in an application environment, but also in a physical environment if that’s their workspace and that’s what… they built a home studio. Like I say, there is no Danny Elfman’s living room, Lord knows, I use it as an example. But it seems to encompass that idea where, “Oh, I get it. You’ve got somebody who’s a creative and does a very specific piece of the puzzle and wants to do it in their own environment.” That may not be just a laptop on the road, that may be in actual their own facility. We would consider Danny Elfman’s living room a “site” if indeed it did exist.

    So that’s why I say, yes, will we see our industry evolve and will some of these things conglomerate? Absolutely. But our business has been built on all these small businesses providing so many great features and services in that, for lack of a better term, like a scrappy, like, “Hey, we want to be your partner and we’ll grow with you.” We’ve seen this business being built over the last 25 years. It’s not going to go away overnight. So we look at site security as actually a pretty important piece because we’re still going to have to go to that VFX place in Kuala Lumpur, that dubbing facility in London, as they still exist. We think those will still exist as smaller businesses.

    David Benson:

    Agree. So one thing I want to get to, and we’re coming up on time here, and this was just a circle back almost to the beginning of what got us here, is the… on our original webinar that we started on about a week or so ago, whenever that was, the specific question came through a lot, is BeBop TPN compliant? Right? So I wanted to just hit that head-on and maybe dissect that a little bit because there… I saw you chuckle there. It’s not a one word answer certainly and there’s some context. So do you want to take a stab at that?

    Guy Finley:

    Yes. [crosstalk 00:23:34].

    David Benson:

    I think we both have answers, but that’ll be our final kind of piece of this as we wrap up. I think that was the key thing that I wanted to get for our audience today.

    Guy Finley:

    And it’s just so tough because some of it is just wording, right?

    David Benson:

    Exactly. Thank you.

    Guy Finley:

    There is no such thing as TPN compliance, right? You’re compliant with Warner Brothers’ specifications, you’re compliant with whoever you work with, Amazon, whoever it is, right? I mean, the idea is, that’s who you’re compliant to, it’s actually their specifications and they offer you the approval. It’s a very difficult hump to get over, and on the CDSA side, to be fair, we did certify and you were CDSA compliant in the past. So we understand that idea that it’s out there in the marketplace. Part of this is that ability to say, “Oh, I’ve been assessed, are you part of TPN?” The idea also is… and this is that, again, that couple month gap where we want to get out ahead of this and have people be assessed through TPN app and cloud, but we also don’t want to go out with a program that doesn’t take into account the entire constituency’s concerns. So if anybody says, “Oh, I’m TPN approved or I’m TPN compliant, or I got my TPN certification,” we send out a certificate, right? But that doesn’t say that you are certified as a TPN facility.

    A little bit of it is the Abu Dhabi of names and like what it is. But the reality is, if you as BeBop have taken a look through those best practices and you are compliant to your customers, then it’s only a short leap to be assessed by the TPN and that’s what we’re hoping to spin up and get started at. We did the same thing with site security where we launched in April and then didn’t do our first assessment until September. We’re hoping that will be sped up. Honestly, I don’t think the virus had anything to do with that. We always looked at it like, “I’d love to get into beta early, get people in and onboard soon.” So once this starts to unroll, the idea is it should be a quicker path. So I hope that helped in terms of your setup, but I want to hear you.

    David Benson:

    Yeah. No, absolutely. And the way I would answer, just to add on to that, and then I agree with everything that you just mentioned is, BeBop as a company, as a platform, did, I would say successfully, go through the older MPA site survey project. As I mentioned, it was more of an enlightening experience than I’ll say a useful one. And that I think only points to the validity of the effort with the TPN and everything we’re talking about today. Having said that directly to answer the question of, is BeBop TPN compliant? To add onto what Guy just said, we’ve been working together with CDSA. Guy and I have been colleagues for longer than I’ll say on this webinar. And so suffice it to say is that we’ve been very involved and very closely following all of these, the TPN app and cloud, I won’t even say standards, guidelines and frameworks, right? Contributing where we can and we’ll certainly to do so.

    In terms of BeBop being reviewed or TPN assessed, the way I would answer that to our customers today is that that’s going to depend entirely on how you decide to deploy your BeBop environment. So there will be one answer if you deploy into our managed platform that we enforce certain standards on. If you deploy into a private account or your account or some other types of deployment of which we support many today, the answer may be different. But that’s going to depend on the choices that you as the customer make, what things you allow and disallow and how you deploy things. But to Guy’s point, and the effort I think that we’re all trying to work towards here is to have a common set of… a common framework, if you will, just to use that word again, that the industry can kind of latch onto and to be a common just touchstone of minimum level standards that the industry as a whole has subscribed to that will allow you as either an individual, to Guy’s point, or the largest visual effects or editorial company in the world to do work for any of these customers.

    And I think that is the underlying point in what we’re all working towards, both at BeBop, at CDSA, at MPAA, and everywhere else.

    Guy Finley:

    Totally. I mean, ultimately, this was a big cultural change also. So when we started the TPN and also me as CEO, this was kind of my mission, was this idea, and I’ve said it multiple times in multiple settings, right? Because this isn’t also just about film and television assets. We’re talking to local station affiliates, we’re talking to the broadcast community, or through our ISAC, right? Through CDSA’s meeting entertainment ISAC. We’re even talking to newspapers and publishers. People are coming out of the woodwork and saying, “Okay, where’s the leadership around this? What can we do to help and what can we do to get engaged?”

    David Benson:

    Exactly.

    Guy Finley:

    And honestly, the idea is, move from enforcement, right? Knock on the door, going to be there Thursday, you better be ready. We’ll have three people there with pen and paper [crosstalk 00:28:53], right? So the idea is, we need the feedback loop from the content owners, from the assessors, from those vendor facilities, from the application creators, from the cloud providers, which by the way, we have all the big cloud providers sitting in the CDSA Technology Committee and understanding this process. So I’ve been a big kumbaya person from the start. That’s kind of the heartbeat of MESA. I just wanted to extend that to the security committee and say, “Hey, we’re here. We’re here to talk.” This shouldn’t be like, “Oh my God, I got this giant questionnaire,” and then you run off and you don’t talk to us for four months while you scurry around and try to fix everything. That’s not the plan.

    David Benson:

    Yeah, you just hit it on the head, Guy.

    Guy Finley:

    Great.

    David Benson:

    I’ll just say this to close and I’ll hand it back to Mr. Conroy to wrap us up here. And we’ve talked about this for four years, right? It’s the difference between really encouraging and setting up the framework from the ground up to foster that ongoing awareness, right? That ongoing every single day. How am I doing this? Am I doing this the right way? If I’m doing it the wrong way, that’s really bad, I should stop doing that. Right? And that’s just part of moving to cloud. Just to say it at a very high level, no matter what part of it, no matter where it’s happening in your world, that is a big part of it. It’s getting used to… I’ve said this a lot because it’s a great line, and Netflix kind of made this concept popular, but you build for failure, right? You build whatever you’re doing and whether that’s workflow, technology, software, infrastructure, you build it expecting it to fail. And when you do that, then you win, it’s that simple.

    Guy Finley:

    Totally. And by the way, I would like to close also before passing it back to John. Talk to your studio. All right. Talk to your content creator who is your customer, to the facilities out there in the world. Talk to your assessor. The idea now is, that assessor engagement happens just after the initial questionnaire, right after the first 10 questions. So you can build a relationship with that assessor so that if you do have questions, there’s somebody to call. So communication and collaboration are what’s going to get us through obviously the global crisis, but also get us to the next level for our industry. So I’m excited to be even involved. It’s great.

    John Conroy:

    That was amazing. Thank you, Guy, and thanks, Dave. And thank all of you that tuned in or are tuning in on video on demand. We put these webinars up as soon as we can once we get the video processed and back. And so tomorrow we’re going to have Matthew Mazrol from the Foundry as well as BeBop VP of production and customer success, Michael Taylor, his deep experience in visual effects, talking about Nuke and Foundry products and visual effects workflows on the BeBop platform and as more part of this working from home security series. So thanks and everybody have a good and safe rest of the day. Thank you.

    Guy Finley:

    Thank you.

    David Benson:

    Thanks, everybody.

    Guy Finley:

    Thanks so much.