By Jonathan Abrams
Having previously used Fortium's MediaSeal, and seeing it as the best solution for protecting content, I set up a meeting with the company's CEO, Mathew Gilliat-Smith, at NAB 2018. He talked with me about the product's history and use cases, and he demonstrated the system in action.
Fortium’s MediaSeal was created at the request of NBCUniversal in 2014, so it was a product born out of need. NBCUniversal did not want any unencrypted files to be in use on sound stages. The solution was to create a product that works on any file residing on any file system and that easily fits existing workflows. The use of encryption on the files would eliminate human error and theft as methods of obtaining usable content.
MediaSeal’s decryptor application works on Mac OS, Linux and Windows (oh my!). The decryptor application runs at the file level of the OS. This is where the objective of easily fitting an existing workflow is achieved. By running on the file level of the OS, any file can be handed off to any application. The application being used to open a file has no idea that the file it is opening has been encrypted.
Authentication is the process of proving who you are to the decryptor application. This can be done three ways. The simplest way is to only use a password. But if this is the only method that is used, anyone with the password can decrypt the file. This is important in terms of protection because nothing prevents the person with the password from sharing both the file and the decryptor password with someone else. “But this is clearly a lot better than having sensitive files sitting unprotected and vulnerable,” explained Gilliat-Smith during my demo.
The second and more secure method of authenticating with the decryptor application is to use an iLok license. Even if a user shares the decryptor password, the user would need an iLok with the appropriate asset attached to their computer in order to decrypt the file.
The third and most secure method of authenticating with the decryptor application is to use a key server. This can be hosted either locally or on Amazon Web Services (AWS). “Authentication on AWS is secure following MPAA guidelines,” said Gilliat-Smith. The key server has an address book of authorized users and allows the content owner to dictate who can access the protected content and when. With the password and the iLok license combined, this gives the person protecting their content great control. A user would need to know the decryption password, have the iLok license and be authorized by the key server in order to access the protected file.
Once a file is decrypted, the decryptor application sends access logs to a key server. These log entries include file copy and export/save operations. Can a file be saved out of encryption while it is in a decrypted state? Yes it can. The operation will be logged with the key server. A rogue user will have the content they seek, though the owners of the content will know that the security has been circumvented. There is no such thing as perfect security. This scenario shows the balance between a strong level of security, where the user has to provide up to three authentication levels for access, and usability, where the OS has no idea that an encrypted file is being decrypted for access.
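The owner-side review of those key-server access logs, as an added illustration that is not Fortium's code: the log layout, field names, address book and sample lines are constructed assumptions, but the policy follows the article (the address book says who may access content and when, and export/copy operations are logged even though they let content out of encryption).

```python
"""Constructed model of key-server access-log review (added example, not MediaSeal code)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed address book: user -> (start, end) of the authorised access window
ADDRESS_BOOK = {
    "mixer@vendor-a.example": (datetime(2018, 4, 9), datetime(2018, 4, 20)),
    "editor@vendor-b.example": (datetime(2018, 4, 9), datetime(2018, 4, 12)),
}

# Constructed log lines in an assumed "timestamp|user|asset|operation" layout
SAMPLE_LOG = """\
2018-04-10T09:00:00|mixer@vendor-a.example|reel1_mixminus.wav|open
2018-04-10T09:05:00|mixer@vendor-a.example|reel1_mixminus.wav|export
2018-04-13T10:00:00|editor@vendor-b.example|reel1_mixminus.wav|open
2018-04-11T11:00:00|unknown@example|reel1_mixminus.wav|copy
"""


@dataclass
class Finding:
    user: str
    asset: str
    reason: str


def review_log(log_text: str, address_book=ADDRESS_BOOK) -> list[Finding]:
    """Flag what a content owner wants to see: access by unknown users, access
    outside the authorised window, and export/copy of decrypted content."""
    findings = []
    for line in log_text.splitlines():
        ts_str, user, asset, op = line.split("|")
        ts = datetime.fromisoformat(ts_str)
        window = address_book.get(user)
        if window is None:
            findings.append(Finding(user, asset, "user not in address book"))
        elif not (window[0] <= ts <= window[1]):
            findings.append(Finding(user, asset, "access outside authorised window"))
        # Saving or copying out of encryption is allowed but always logged
        if op in ("export", "copy"):
            findings.append(Finding(user, asset, f"{op} of decrypted content"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.user} {f.asset}: {f.reason}")
```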
During the demonstration, the iLok with the decryption license was removed from the computer (Windows OS). Within seconds, a yellow window with black text appeared and access to the encrypted asset was revoked. MediaSeal also works with iLok licenses assigned to a machine instead of a physical iLok. This would make transferring the asset more difficult. Each distributed decryptor asset is unique.
For content providers looking to encrypt their assets, the process is as simple as right-clicking a file and selecting encrypt. Those looking to encrypt multiple files can choose to encrypt a folder recursively. If content is added to a watch folder, it is encrypted without user intervention. Encryption can also be nested. This allows the content provider to send a folder of files to users and allow one set of users access to some files while allowing a second set of users access to additional files. “MediaSeal uses AES (Advanced Encryption Standard) encryption, which is tested by NGS Secure and ISE,” said Gilliat-Smith. He went on to explain that “Fortium has a system for monitoring the relatively easy steps of getting users onboard and helping them out as
MediaSeal can also be integrated with Aspera Faspex. The use of MediaSeal would allow a vendor to meet MPAA DS 11.4, which is to encrypt content at rest and in motion using a scalable approach where full file system encryption (such as FileVault 2 on Mac OS) is not desirable. Content providers who want their key server on premises can set up an MPAA Approved system with firewalls and two proxy servers. Vendors have a similar setup when the content provider uses a key server.
While there are many use cases for MediaSeal, the one use case we discussed was localization. If a content provider needs multiple language versions of their content, they can distribute the mix-minus language to localization vendors and assign each vendor a unique decryptor key. If the content provider uses all three authentication methods (password, iLok, key server), they can control the duration of the localization vendor’s access.
My own personal experience with MediaSeal was as simple as one could hope for. I downloaded an iLok license to the iLok being used to decrypt the content, and Avid’s Pro Tools worked with the decrypted asset as if it were any other file.
Fortium’s MediaSeal achieves the directive that NBCUniversal issued in 2014 with aplomb. It is my hope that more content providers who trust vendors with their content adopt this system because it allows the work to flow, and that benefits everyone involved in the creative process.
Jonathan S. Abrams is the chief technical engineer at Nutmeg, a New York City-based creative marketing, production and post studio.