Working with Netflix is – understandably – far from straightforward. As well as a variety of technical and content format requirements, they also impose stringent data compliance and security protocols which partnering production and editing companies must meet.
That poses a real problem for production teams and post-production houses, where data security is often not front of mind, there’s no IT department in-house, most staff are freelancers and move from job to job, and content is passed between devices, often in the cloud.
So, let’s decode Netflix’s recommendations:
Administrative security
Businesses must provide full details about their premises, clients, NDA-signed employees (freelance or otherwise), and all employees who will be handling Netflix content. You must also provide documented policies telling your employees how to handle content securely, how to use personal devices and social media, and what to do in the event of a breach.
You must also hand over copies of any previous security audits (such as MPAA or CDSA), details of any security vulnerability management programme you have in place, and copies of reports from penetration testing.
Physical security
At your premises, all entrances and exits must be secure, CCTV must be recorded for key areas (and stored for at least 60 days), and visitors have to be booked in and escorted while on site. For particularly sensitive areas, electronic access control should be installed and a log kept of who has access for at least 12 months. Alarms should be used, and a unique code given to each code holder. For any physical material, secure storage areas should be provided.
Information security
For networks, you’ll need to provide details about the type of configuration and the number of devices and users that have access to pre-release material. Regular vulnerability scans and remediation of any vulnerabilities are highly recommended, as are host-based firewalls and stateful inspection firewalls on the network. Wi-Fi networks must use strong encryption and authentication, and all devices must have their own unique passwords and multi-factor authentication (where possible).
Software should be kept up to date: operating systems should run one of the last two OS releases, with auto-updates enabled. At least once every quarter, you should also check that security patches are being installed.
Screensavers should be activated after 15 minutes and require passwords to regain access. All external hard drives, thumb drives and portable devices must have full disk encryption, and internet access has to be restricted on any systems holding Netflix content. Remote access to networks that handle content must be tightly controlled, using encrypted VPN and multi-factor authentication.
Employees and contractors must only use approved encrypted file transfer platforms, like Aspera, and no files should be shared or stored in the cloud or on open, public networks or platforms without specific approval. At the end of a project, any remaining content should be securely deleted at the request of Netflix.
Beyond the minimum recommendations
Netflix’s security requirements should be seen as a minimum – they also expect firms to demonstrate how they tackle the specific risks facing their business. That’s where we come in. We’re London’s leading managed service provider for creative businesses.
Led by Gary Marshall, who has over 25 years’ experience leading IT for EMI Music Australia, Lion Television and Metia, we know all too well the challenges that face businesses in film, TV, and beyond. That’s why we’re the archiving and digital workflow specialists, offering enterprise-level data storage and security for a monthly flat fee per user – everything you’d expect from a full IT department, on and offsite. We’re agile, flexible and there when you need us.
Get in touch to hear how we can help you get Netflix-ready.