Zero Trust for Hollywood
Can't make movies, huh?

I produce feature motion pictures.

I got an idea for a movie.

That's good, Raymond.
I like that.

Oh, you betcha, yeah.
No, please.

What's the matter?

Do we have to hear the kissing part?

Some day you may not mind so much.

The greatest trick the devil ever pulled was convincing the world he didn't exist.

I'm in love with you.

Snap out of it.

Hi, my, you're in luck. Mr.?
James Bond.

Yes, yes, yes.

I'll have what she's having.

If you win, you win. If you lose, you still win.

I'll be back.

They call me Mr. Tibbs.

Steve Tran: Wow, every time I watch that, those are all good, I get the chills. MGM is such an iconic company and that clip reminds us of how influential the company has been in Hollywood. MGM turns 96 this year and that legacy continues. So today MGM's the leading entertainment company focused on the production and global distribution of film and television content across all platforms. The company owns one of the world's deepest libraries of premium film and television content and is home to two of the longest-running and most successful franchises in cinematic history, with James Bond and Rocky.

Steve Tran: And on the TV side, MGM is an award-winning producer and global distributor of premium content for television and digital platforms and has investments in numerous other television channels, digital platforms, and interactive ventures, including ownership of their premium paid television network EPIX. MGM also owns Big Fish Entertainment, Evolution Media, Orion Pictures, LightWorkers and United Artists Releasing. MGM Television creates lasting, platform-defining series and franchises that are important for key partners across network, cable and streaming. Those programs include the Emmy, Golden Globe and Peabody award-winning The Handmaid's Tale on Hulu, which unfailingly remains one of Hulu's most-watched shows. Fargo, on FX, has won multiple Emmy and Golden Globe awards, and each of Fargo's seasons has attracted premier talent and been lauded by critics and audiences alike.

Steve Tran: The Emmy nominated historical drama series Vikings, was History's first foray into original scripted content and has cultivated a passionate and loyal global fan base over the course of its multi-seasonal run. The long-running reality competition series Survivor, on CBS, has regularly been one of the top 20 most-watched programs on US television. The multiple Emmy award-winning series was named by Time Magazine as one of the 100 greatest TV shows of all time.

Steve Tran: Shark Tank on ABC has consistently won Emmy awards for outstanding reality program and outstanding structured reality program, year after year. The wildly popular reality singing competition The Voice on NBC has been awarded Emmy awards and received more than 50 nominations to date. Beat Shazam on Fox remains a popular summer programming draw for the network. Live PD on A&E is among the network's most popular series and has spawned multiple spinoffs, including Live Rescue, Emergency Response, and NYPD Police Patrol.

Steve Tran: As you can see, MGM still does a lot today in film and television. Thank you for attending this session, and we are super excited to share our story with you on how we've implemented Zero Trust to help MGM continue its legacy. We hope you gain a lot of value from this session. So here's the plan for our presentation today. We'll introduce the teams so you can get to know us better. Then we'll talk about the idea and why we need stronger identity and Zero Trust. Chris will talk about his journey working with us and what this meant to the business and his team. Rod will share what he's learned along the way, so you can avoid some of the pitfalls we've experienced. And lastly, we'll open up for Q and A, so you can ask us anything.

Steve Tran: I'll start off by introducing myself. My name is Steve Tran and I am the chief information security officer for MGM. I started my career in the mid-'90s, phishing for AOL accounts, and I got hooked on security ever since. I got to do incredible work in the public sector before joining the private sector. I've been blessed to work with great brands such as Mattel, Deloitte, and Fox.

Steve Tran: When I worked at Fox, I got to work on cool projects and protecting events such as the World Series and the Super Bowl. That's when I really got hooked on Hollywood and I knew this was an industry for me. Outside of MGM, I'm really passionate about teaching students in the field of cybersecurity. And I want to give a huge shout-out to Cypress College in Orange County, California because I'm an adjunct instructor there as well. I joined MGM three years ago, during a time of great change and I'm really proud of what we've accomplished in the last few years to really springboard the company's media technology stack securely into the future. And you'll get to hear some of that from us today. So I'll hand over to Chris to introduce himself.

Chris Crook: Hi, everybody. Thanks for joining me today. Thanks, Steve. My name is Chris Crook. I have a very long title here. I am the SVP of post-production media technology for our worldwide branded services, which includes cable networks and digital properties. I have a pretty diverse background in entertainment, starting on the production end of the world and running my own businesses, primarily servicing broadcast clients in the M&E space, and ultimately ended up joining MGM 12 years ago, and have been involved in multiple network launches for MGM branded services as well as involving myself in the acquisition of EPIX and integrating that into the overall MGM landscape. These days, I'm primarily focused on digital platforms, over-the-top streaming for subscription VOD, advertising-related VOD and linear streaming. And I work pretty closely with Steve and Rod on the security team to implement security protocols and frameworks around our content and our tech stack. And I'll hand it over to Rod next.

Roderick Santos: Hello everyone. My name is Roderick Santos and I'm part of the security operations team and I will help oversee the digital transformation initiatives at MGM studios. I've been at MGM Studios since 2018 and prior to MGM Studios, I've had the opportunity to work at Activision and at Disney. And now, I'll hand it back to Chris, to walk through the idea.

Chris Crook: So as Steve mentioned in the intro, and gave you kind of an overview of what MGM is today, as probably most of you know, we're a pretty storied studio and iconic entertainment brand. We have a library of over 6,000 movies and 30,000 hours of television programming. And IP licensing, you can see, is part of our business. We license a ton of content globally each year to licensees and different distribution endpoints. But we also are actively producing new content, as Steve referenced in the intro, such as the upcoming Bond release from our long-running franchise, numerous scripted television shows such as The Handmaid's Tale for Hulu, Fargo for FX, and Vikings for History Channel, to name but a few.

Chris Crook: But we also have a number of sub-brands, subsidiaries that all sort of operate somewhat autonomously from the mothership and produce content, thousands of hours of content annually, especially on the unscripted reality show side, with Evolution Media and Big Fish Entertainment, under the leadership of Mark Burnett. We have Orion Pictures, which is a specialty brand that releases films theatrically and for the [inaudible 00:09:11]. United Artists Releasing, which is a joint venture with Annapurna Pictures and that is our domestic distributor. Pregame Movie Network and EPIX, which has distribution on both traditional cable broadcast and digital streaming applications, as well as other MGM-branded broadcast, cable and streaming properties that we manage and create content for.

Chris Crook: This is an extensive supply chain, supporting all of these different properties and subsidiaries, which is comprised of a complex network of vendors, which range from large companies with robust resources, all the way down to individual contractors with no resources. And particularly when it comes to original production, the new content that's being piped into the MGM ecosystem, it's particularly tricky because each new production operates much like a startup and throughout its life cycle has a high degree of variability in terms of personnel. A TV show, for instance, might have completely different staffing from season to season.

Chris Crook: Also, traditionally, productions have treated security as an afterthought. They're highly focused on the end product and meeting deadlines, under a lot of pressure, and implementing robust and sometimes complex security protocols is typically out of the realm of their expertise. So when we're producing this high volume of content, obviously content protection is key for us. Much like any other business, protecting our data and auditing user behavior in relationship to that data is very important. So our IP for us is paramount. It's the foundation of our licensing. It's the foundation of all of the new distribution that we power. And that IP has an entire content life cycle, from script all the way to screen. And so there's a lot of risk surrounding the handling of that content, the production of that content, from raw footage all the way to completed episodes and features. Protecting all of that IP is really one of our highest priorities, and a loss of protection has a significant negative impact on our business.

Chris Crook: So, how do we bring this complex environment that I described into a security framework that provides a frictionless gateway into business and media applications and services? For that, we chose Okta. Okta's our front door. And having a single identity platform that acts as a source of truth for all of these different stakeholders is highly important to the only concern of our business.

Chris Crook: So what does Okta do for us? It gives us a holistic experience with SSO. It lets us do multi-factor authentication. It gives us ultimate visibility into the user behavior in our environment, which includes tracking and auditing, and leads to much more responsive IR when there are content leaks or any kind of bad actors in our system. Workplace agility has been improved tremendously. And just this recent event of the pandemic illustrates that point beautifully, because it was very, very easy to transition into remote work streams and working from home using Okta and other tools, which Steve can talk about more in depth. Easy change management: Okta provides a consistent interface to the things that users need, be they inside or outside of our organization.

Chris Crook: Maybe less important but still important to the business is a branded experience, where everyone feels like they're coming in the same way to access applications and services. And then beyond that, we're exploring more advanced concepts. So we already have working prototypes for things like content watermarking, which pull identity from Okta and place the user's name and email address or any other kind of identifying information on top of real-time streams that are pushed out, either for business to business applications or direct to consumer, if need be. And factor sequencing, which has been a big hit in terms of using things like SMS passwordless authentication. Steve and Rod can talk more about that, as well.

Chris Crook: To wrap this up, the feedback since we implemented Okta and have rolled it out across the organization and in our subsidiaries and to outside vendors, contractors, as well, has been incredible. There's been very, very little friction around using Okta. We've had nothing but great experiences internally and externally by using this as our identity platform and gateway into our environment.

Chris Crook: So with all of that said, I'm going to hand it over to Rod now... Or is it back to Steve? No, it's back to Steve to go over the framework overview.

Steve Tran: Cool. Thanks, Chris. With everything Chris explained, these are the serious problems we face when you look at the globalization of a workforce. How do we create a perimeterless world? And that's why we felt Zero Trust was the best model to solve for that. We also felt that to keep this fluid and flexible with our application and user base without sacrificing security, we had to take a user-centric risk modeling approach, building stronger identities. Using Okta as our primary identity provider played a significant role in accomplishing that.

Steve Tran: What's great about using Okta in an enterprise-to-enterprise setup is that we have a single source of truth across all our user personas, and then for third parties, vendors and consumers, we have another Okta org dedicated to just CIAM, the consumer identity access management strategy that we have in place, for when it comes to our business-to-business applications, like Chris mentioned. Leveraging factor sequencing, [inaudible 00:16:09] SAML, OAuth, OIDC flows have made provisioning and authentication frictionless to all our resources. But ultimately, this is a component of our much larger Zero Trust model and architecture. We often refer to SP 800-207 to help build that architecture.

Steve Tran: Now, we'll talk about the various components that make up the Zero Trust architecture. And overall, the user experience was greatly enhanced without sacrificing security, both from the user community and IT support perspective. And now there are excellent resources out there to learn more about Zero Trust architecture. But for us, again, we often refer to [inaudible 00:16:53] as a starting point, to really help us design and build. And this is a figure taken from SP 800-207. Now, for the purpose of this presentation, we really didn't want to be vendor-specific in the discussion, because every organization is different and there are a lot of great solutions out there to help achieve the Zero Trust model.

Steve Tran: These are the various components that could be used as part of the Zero Trust architecture, and it'll be up to each organization to find a solution to fulfill the architecture requirements in a way that is best tailored for that particular organization and its specific needs. And I also want to be clear that the Zero Trust architecture is not meant to replace an existing framework.

Steve Tran: So Zero Trust complemented what we already practiced. As an example, we didn't stop following CIS and NIST best practices because of Zero Trust. We still complied with the CIS Top 20 and [inaudible 00:17:43] controls, as an example. But we added Zero Trust as an addition to those frameworks. So you can take a look at this diagram right here on the slide. As an example for us, we use Okta as part of our policy enforcement point, specifically the policy engine and administrator in the control plane that serves as our policy decision point, PDP.

Steve Tran: We took a user-centric risk modeling approach, so it makes sense for us to have Okta be our critical component of the PDP. I guess this can be looked at as an identity-based Zero Trust architecture because we'd rather grant access to resources based on stronger identities, than stick to a model that is rigid and inflexible to mobile workers. And when you look at the larger components on the left and right side, you'll notice that those are valuable components you probably already have. That data helps the policy decision point make the best decision possible when granting or denying user access to your resource.

Steve Tran: So this is the basic breakdown of how we incorporated Okta into our Zero Trust architecture. And I recommend everyone taking a look at this 800-207. It's filled with a lot of great information about Zero Trust architecture and we can't cover it all in this session.

Steve Tran: Now, let's talk about the deployment approach. There are multiple ways to deploy Zero Trust. And for us, when it came to our B2B portal, digital supply chain or application systems, we took an enclave deployment approach, because each of those is in its own secure enclave. There are many great solutions out there to serve as your agent and gateway. And for us, what worked great was enterprise application access, EAA. That's just an example of one of our many deployment approaches between on-prem and multiple sources.

Steve Tran: Now, this approach created a consumerized experience for our enterprise resources without publicly exposing our environment. It also helped simplify our network-gated design. Using Okta as a policy engine and administrator for our secure access service edge, SASE, really reduced friction and improved user experience and satisfaction without sacrificing security, because of features like factor sequencing. And part of that could be a combination of using SMS, Okta Verify, and YubiKeys, because we love to take the U2F approach where we can. Okta Verify push is one of our preferred methods, internally. And once a user is granted access to our SASE, the SASE itself has granular policies to enforce things like the principle of least privilege, to only grant access to users that are relevant to the job. Nothing more, nothing less.

Steve Tran: We also applied rules that only allowed access from specific regions. And the best part of the SASE is that many of its security features are also augmented by the vendor. And it really becomes a team effort between us and our trusted partners. When you look at all the user profile attributes you can apply in Okta, it gives you great flexibility in how you can automate provisioning and authorization to enterprise resources. And it's all downstream from Okta.

Steve Tran: One of my favorite Okta features is when there is a finding that comes from a malicious IP address, an authentication request or a [inaudible 00:21:05] block, the user receives a 403 error page. I thought this was a strong feature to reduce our authentication exposure. It makes it harder for malicious actors to try and sign in to our Okta applications or make social engineering attempts. And again, I highly recommend everyone read NIST SP 800-207. We're sorry we couldn't cover it all in the session, but I hope this is an excellent introduction to Zero Trust, and now you have something to look up after the session to get you started.

Steve Tran: Now, I'm going to hand this back over to Chris so he can talk more about the value of what we've done with the various user personas, business themes and user experience.

Chris Crook: Thanks, Steve. I mean, this matrix sort of describes a lot of what we've already covered in the presentation. You have different people acting at different levels, both inside and outside the org. And we have a single identity platform for even somewhat autonomous companies that are subsidiaries of MGM, that sort of have their own business processes and their own workflows that they manage, that we don't dictate. However, from a security standpoint, we needed to implement a paradigm, that kind of holistic overview of everything that was happening, both inside and outside the org.

Chris Crook: You've got all the way down from the personal to external productions depicted here. Obviously, our corporate users and then up to the VIP level. And that's an interesting one because when you get to that level, sometimes there are mandates from the business to make exceptions to rules to satisfy a business need. And a platform like Okta just gives us a very, very easy tool to do those sorts of things.

Chris Crook: Going down the line, obviously single identity for everything. We covered that. It's an incredible user experience for users to just log in once, go to an Okta dashboard, have all of their applications right there in front of them, and sign into those applications just by clicking a chiclet. De-provisioning or adding applications is incredibly easy. If there's any kind of incident that happens with an employee or they leave the company, taking them off of every application at once is a simple thing. And then adding applications for people is really painless.

Chris Crook: Strong security policies, as Steve mentioned: you can really box people in if you want to, using Okta, and monitor their behavior, and make those adjustments in real time as you sort of monitor what's going on in their environment. SSO, as I mentioned.

Chris Crook: Now the next one, on-the-fly watermarking, is very interesting, because we have a business-to-business platform that we're developing right now with a third-party partner who is powering a just-in-time streaming workflow. And the streams for full-length features and television episodes are constructed per user, dynamically, based on the session. So they log into the platform using their Okta identity. The platform pulls their identity from Okta by API and injects their identity onto the stream and personalizes it just for them. And this provides us a very good deterrent for anyone that's coming into our platform from sharing that content, because their name is on it. So, if it gets out in the wild and shows up on a peer-to-peer platform like BitTorrent or something like that, we will know exactly who shared that stream. So that's been pretty great, because developing against the Okta API and integrating into this third-party platform that does the streaming via OAuth has been pretty painless for us.

Chris Crook: On the passwordless experience, in relation to this business-to-business platform I was just describing, the key stakeholder in the business who's the sponsor of this platform, our president of distribution, the first time he saw the Okta passwordless experience using SMS text, I mean, his face just lit up. He couldn't have been happier with that. So we expect that once we roll the platform out, the end users will have the same kind of joy in using that as an authentication experience.

Chris Crook: Then onboarding and off-boarding using Okta has been great. In referencing this case study that I'm talking about with the B2B platform, we built a very elegant workflow using Jira Service Desk to provide multiple levels of approval every time a new user enters the system. And that was all done by developing against the Okta API, using a third-party company that did the development work. From what I understand, we didn't have to use Okta support once in that, because the APIs are so well documented and constructed.

Chris Crook: All of this context just sort of gives you an idea of how well Okta is being used in our environment to control identity and control access to everything across the org. So with that in mind, I'll pass it off to Rod and he can talk a little bit more, since Rod was the guy on the ground, managing change management and the vendors and doing all this work. So, Rod.

Roderick Santos: Thank you, Chris. On our journey and through our retrospectives we identified these six lessons. Create clear messaging. Focus on communication; communication is key during this journey. Reduce friction by conducting kickoffs with key participants who could evangelize your message, and bring them in early and often. Develop clear outcomes of the journey and the message. Next, build transparency. Document how-tos and training materials. Screenshot everything from the user experience. Leverage FAQs. For example, we found users had big concerns about downloading Okta Verify and why it's needed. So based on that, we offered other solutions such as U2F, where we provided YubiKeys, or if you have a Mac, leverage Touch ID. Also, engage with other IT groups like HelpDesk to accelerate the adoption and change management. Leverage KPIs and metrics to monitor success. Next, pitch to the users. Our goal and our message was to enhance the user experience without sacrificing security. We involved the stakeholders and evangelists within our testing cycles and held multiple training sessions with them.

Roderick Santos: Have good developers. Have structured conversations with engineering, business, and application owners. Identify clear development outcomes. For example, how do you want the watermarking to work, or what is the factor sequencing experience for the user? And think about how onboarding or off-boarding will work. Things of that nature, which both Steve and Chris have already alluded to. Have facilitated and productive working sessions. Whiteboard and document flows from end to end. Lead these sessions with tangibles. Keep it simple. Focus on the basics, focus on proofs of concept and use cases that you identified early on in this journey.

Roderick Santos: Define the user loading strategy. Define the application deployment strategy and identify environment and functional requirements. And lastly, be patient during this journey. Work through issues by simplifying the problem, and reflect on the successes that you've had. We've reverse engineered problems by working backwards. Ask for help. In our case, we didn't have to, but if you need to, leverage Okta support. Now, with all that in mind, does anyone have any questions?

MGM Studios is one of the oldest and most iconic studios in Hollywood. Between all the theatrical and television productions, MGM works with hundreds of third-party users and applications. Securing valued content is a challenge in the industry because of the unique nature of our workflows, but adopting a Zero Trust Architecture and building stronger identities has drastically reduced risk. The same solutions have also improved user experience and adoption, enabling the business to succeed and disrupt at speed at such a critical time in MGM history.