Information security—or the lack thereof—will never stop being a hot topic. The extremely cavalier approach major corporations can take to privacy and information security (infosec) has been shocking to many, with a wide-ranging impact.

If you can think all the way back to 2018, we can take it back to when the Cambridge Analytica and Facebook scandal broke. We all became very aware of how our personal data was being used by those willing to pay for it. Facebook didn’t intend to sell off as much info as they did to Cambridge Analytica—they just got careless. How exactly can a giant like Facebook be so careless? What was the chink in the $500 billion tech giant’s armor?

A third-party vendor.

There was no virus, no worm, no hackers breaking into their system. Facebook simply gave the wrong app developer too much access.

Vendor failures are your failures (So run a risk assessment!)

When you partner with a vendor, you can’t simply think of it as “us” and “them.” You’re taking on responsibility for that vendor’s handling of proprietary data. Their risks are your risks, and their failures—malicious or not—are your failures.

Breaches put corporate viability at risk in countless ways—exposing trade secrets, damaging brand credibility, violating contracts, breaking laws—and you should absolutely have an information security management system in place.

That means creating a vendor risk profile and giving it real weight in your vendor selection process, right alongside price, quality, and scalability. Set your bar high, and flunk out any vendor who can’t clear it.

No exceptions.

We’ve recognized the importance of infosec from the beginning and have always invested in it. Your security is critical to our operations: that’s why we have always kept to the highest possible standard (jump to Pixelz security setup).

What are the risks?

Consider the following risks of an outsourced post-production vendor:

Digital Asset Theft

Stolen assets may be sold to knock-off factories before you even have product listings up on your own site. Depending on your licensing agreements, you may also be liable for paying photographers, models, brands, retailers, etc. for use of the image—whether authorized or not. Don’t lose control.

Trade Secret Theft

Your photography and workflow techniques are proprietary. The props you use, the camera and lighting settings found in metadata, your naming schemes, your local digital asset management, and how your assets are edited—don’t let it be stolen.

Infection

Vendors without proper security get hacked and infected. Those infections can spread to your systems. Even if they don’t, vendors with good intentions become vulnerable to the aforementioned thefts.

Hacking

If an unsecured vendor is connecting to your proprietary systems, you don’t know who’s gaining access. If your own system isn’t completely firewalled, you’re creating a vulnerability ripe for exploitation.

Outages

Unsecured systems crash. They become infected, subject to DDoS attacks, or even fail because pirated software gets caught by legitimate antivirus. Insecure vendors are unreliable because their systems are unreliable.

Legal Liability

Due diligence requires you to perform a risk assessment, especially for publicly traded companies. If you’re working with a lax vendor and it burns your company, you may be legally liable.

If you’re considering working with an outsource vendor, be sure your risk assessment covers the following vulnerabilities.

Building a risk profile (20 questions to ask every vendor)

First, map out the process. Where are your assets going? How are they secured at each stage? Who has access to them? How is that access controlled?

Ask each potential vendor the following 20 questions:

  1. What hardware does your company use?
    1. Where is it hosted?
    2. Do you have redundancies for critical infrastructure? (multiple dispersed locations)
    3. What physical controls exist regarding access?
    4. What environmental controls are there? (in the event of fire, natural disasters, etc.)
    5. Who owns the hardware involved?
  2. What software does your company use?
    1. What is your server infrastructure?
    2. How do you keep it patched and up to date?
    3. How do you monitor integrity?
  3. Who performs IT support?
    1. What are their qualifications?
  4. What IT security products are in use? (antivirus, firewalls, monitoring systems, etc.)
  5. How often are vulnerability scans of your network performed?
  6. Do you have firewalls for local and remote connections?
  7. Who has access to your systems?
    1. On-site
      1. How is it restricted?
      2. How is it monitored?
    2. Remote
      1. How is it restricted? (2FA, VPN, etc.)
      2. How is it monitored?
    3. Mobile
      1. Who owns the devices?
      2. How is it restricted?
      3. How is it monitored?
  8. How is old equipment disposed of?
  9. What is your security policy?
    1. How are employees trained on it?
  10. Is there an up-to-date risk assessment available for review?
  11. Who is responsible for infosec at your company (name, title, contact)?
    1. Do you have a dedicated internal security/compliance department?
    2. Are they available by phone in the event of an emergency, 24/7/365?
  12. Do you have a security and disaster response plan?
  13. Is there background screening during your hiring process?
  14. Do third parties have access to systems and data?
  15. Do you use sub-contractors?
    1. What access is given to subcontractors?
    2. Repeat this entire profile for all subcontractors.
  16. How do you back up your data?
    1. Where is data backed up to? (local, cloud, third party)
    2. How frequently are backups performed?
    3. Are backups encrypted?
  17. What is your policy with regard to removable media? (USB drives, CDs, etc.)
  18. How do you encrypt data?
    1. In use?
    2. In storage?
    3. In transit?
  19. How do you secure your wireless network?
  20. Do you have insurance coverage for service interruptions?

How Pixelz secures outsourced post-production

We’ve developed extensive controls, policies, and plans so we can stay alert and respond rapidly to contingencies.

In simplest terms, we rely on end-to-end encryption, tightly controlled access, and extensive network and event monitoring. The idea is that only individually authorized people have access to partitioned portions of our system. We know everything that’s done with that access, and in the event of a worst-case scenario, all customer data is encrypted and, therefore, protected.

I’ll try to put our infosec management system into an acronym-lite format that doesn’t dissolve into alphabet soup on reading, but bear with me. It’s hard to get specific without also getting into technical jargon.

Pixelz SSL report card

Pixelz Platform (everything behind the login) scores A+ on the SSL Labs security report, while our Pixelz website scores an A.

Please note that while the software and services listed are current at the time of writing, we update from time to time in order to provide the best possible service. That means, for example, that a firewall service named now may not be the one we’re using in six months.

End-to-End Encryption (AES-256 in the cloud)

We keep customer data securely encrypted during transport, storage, and caching.

Transport: All uploads, downloads, and management—like web account use—take place over a secure connection. That connection occurs via HTTPS (web), SFTP (secure file transfer protocol), or TLS (when using our proprietary API). Current SSL/TLS encryption ensures that your connection to Pixelz is encrypted and that the server you are talking to is authenticated by its certificate.

Storage & Caching: Okay, you’ve safely uploaded your images. What happens to them now? At Pixelz, they enter into one of our AWS (Amazon Web Services) storage layers. We have regional caches around the world, and move images between them depending on the editing steps they are going through. We encrypt all cloud data, regardless of location, with AES-256. That’s one of the most secure encryption standards, approved by the U.S. government for top-secret data. This is done using AWS KMS, so keys are protected with FIPS 140-2 validated hardware security modules. “FIPS” is another U.S. government cryptographic approval standard (the “F” stands for “Federal”).

Firewall (WAF rapid patching)

Web Application Firewall (WAF): On-site firewalls can quickly become outdated, so we use a more responsive WAF. CloudFlare is a PCI-compliant, continuously updating firewall we use across our web properties. You’re probably familiar with PCI compliance if you’ve operated an e-commerce site, as it’s the “Payment Card Industry” standard.

In addition to rapid patching and protection of www.pixelz.com, CloudFlare allows us to restrict access to internal systems (like our CRM) by IP, security level configuration (so insecure devices even within our office are blocked), and other relevant settings.

Controlled Access (Managed devices, unique users, IP restrictions, VPN, and 2-factor auth)

We tightly control access to our systems and to customer data.

Secure Local Computers & Managed Devices: All photo editing steps performed by humans are done on managed devices in our offices. USB drives are disabled, preventing the exporting of files and installation of malware. The computers can only be accessed via Active Directory login, meaning all users are uniquely authenticated, permissions are strictly defined, activity is monitored, and PCs auto-lock after 5 minutes of inactivity.

Tablets and other devices used to perform QA, development, and related tasks have permissions controlled at the user level, are subject to the same network access restrictions as computers, and are forbidden to leave the office by company policy.

We use a host-based intrusion detection system to analyze the logs from all computers in our system and detect threats. It reads operating system and application logs, monitors the integrity of the file system, looks for malware and suspicious anomalies, and scans for compliance to company policy.
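The two jobs described above, file integrity monitoring and log-rule matching, as an added example that is not Pixelz’s tooling and not part of the original post. The file tree and the log lines are constructed in the code; the Windows-style `EventID=4625` failed-logon lines are a simplified shape, not a real export format.

```python
"""Added example: the two core checks of a host-based IDS, written against constructed data."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    snapshot = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snapshot[rel] = hash_file(full)
    return snapshot


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_fim() -> Dict[str, List[str]]:
    """Build a throwaway directory, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/editor.exe": b"original", "config.ini": b"key=1", "notes.txt": b"hi"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = baseline(root)
        # Simulated tampering: binary replaced, unexpected library dropped, a file removed.
        with open(os.path.join(root, "bin/editor.exe"), "wb") as f:
            f.write(b"trojaned")
        with open(os.path.join(root, "bin/helper.dll"), "wb") as f:
            f.write(b"unexpected")
        os.remove(os.path.join(root, "notes.txt"))
        return diff_baseline(before, baseline(root))


# Constructed log lines (not a real export); 4624 = successful logon, 4625 = failed logon.
SAMPLE_LOG = """EventID=4624 Account=editor01 IpAddress=10.0.5.21
EventID=4625 Account=admin IpAddress=10.0.5.77
EventID=4625 Account=administrator IpAddress=10.0.5.77
EventID=4625 Account=root IpAddress=10.0.5.77
EventID=4625 Account=editor02 IpAddress=10.0.5.30
EventID=4625 Account=Admin IpAddress=10.0.5.77
"""
FAILED_LOGON = re.compile(r"EventID=4625 .*?IpAddress=(\S+)")


def failed_logon_sources(log: str, threshold: int = 3) -> Dict[str, int]:
    """Source addresses with at least `threshold` failed logons: a password-guessing signal."""
    hits: Counter = Counter()
    for line in log.splitlines():
        match = FAILED_LOGON.search(line)
        if match:
            hits[match.group(1)] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print(demo_fim())
    print(failed_logon_sources(SAMPLE_LOG))
```

A single failed logon from an editor is noise; the rule only fires on a source that keeps failing across accounts, which is the pattern worth an alert. For integrity monitoring, the baseline must be taken from a known-good state and stored where the monitored host cannot rewrite it.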


Remote Access via VPN and Multi-factor Authentication: Remote access is necessary for developers and administrators who need to be able to respond immediately, at any time, to crises—whether from home, an airport, or the other side of the world.

Flaws in remote security have major repercussions; you’re opening up your system to the whole world rather than a few bad actors on the premises. At Pixelz, remote access requires multi-factor authentication with a VPN login, and we use a high-security VPN: OpenVPN and L2TP/IPsec. That ensures anyone who accesses our VPN is who they say they are, and all activity is happening in a monitored and controlled environment.

Network and Event Monitoring (Logs, logs, and more logs)

We go to a great deal of effort to make sure all activity happens within our systems, where it can be monitored and audited. We use a variety of systems and software to monitor the different layers of our service.

Cloud Monitoring: For our AWS resources, including our cloud storage, we use CloudTrail. CloudTrail is an Amazon service specifically designed for logging and continuously monitoring activity across an AWS account. Whether actions are happening through the AWS web portal, command line, or software development kit, they’re tracked and analyzed. In this way, we can detect suspicious events that could indicate a security threat—whether malicious activity or a technical vulnerability.

We combine CloudTrail with CloudWatch, another Amazon service, to set alarms and automatically react to specific actions.
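As an added example of the kind of rule one wires to a CloudWatch alarm (not Pixelz’s rules, and not part of the original post), the following runs a few detections over constructed CloudTrail-shaped records: a console login without MFA, root account use, tampering with the trail itself or with KMS keys, and a burst of `AccessDenied` errors from one principal. The field names (`userIdentity.type`, `additionalEventData.MFAUsed`, `errorCode`) are real CloudTrail fields; every value in the sample is made up.

```python
"""Added example: CloudTrail detection rules over constructed records."""
import json
from collections import Counter
from typing import Dict, List

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
KMS_TAMPERING = {"DisableKey", "ScheduleKeyDeletion"}
ACCESS_DENIED_THRESHOLD = 3

# Constructed records (not real account data), trimmed to the fields the rules read.
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "editor-ops"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:01:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "editor-ops"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "render-pipeline"}, "sourceIPAddress": "10.0.1.4"},
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "userName": "editor-ops"}, "sourceIPAddress": "203.0.113.5"},
] + [
    {"eventTime": f"2024-01-01T10:05:{i:02d}Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "contractor-dev"}, "errorCode": "AccessDenied",
     "sourceIPAddress": "192.0.2.44"} for i in range(4)
]})


def principal(record: Dict) -> str:
    """Human-readable actor: 'root' for the account root, else the IAM user name or ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn", "unknown")


def analyze(raw_json: str) -> List[Dict]:
    """Return one finding per rule hit; the access-denied rule aggregates per principal."""
    records = json.loads(raw_json)["Records"]
    findings: List[Dict] = []
    denied: Counter = Counter()
    for r in records:
        who, name = principal(r), r.get("eventName")
        when = r.get("eventTime")
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append({"rule": "console_login_without_mfa", "principal": who, "time": when})
        if r.get("userIdentity", {}).get("type") == "Root":
            findings.append({"rule": "root_account_activity", "principal": who, "time": when})
        if name in TRAIL_TAMPERING:
            findings.append({"rule": "trail_tampering", "principal": who, "time": when})
        if name in KMS_TAMPERING:
            findings.append({"rule": "kms_key_tampering", "principal": who, "time": when})
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            findings.append({"rule": "access_denied_burst", "principal": who, "count": count})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The trail and KMS rules matter most for an encrypt-everything design: an attacker who can stop logging or schedule deletion of the customer-data key is attacking the controls the rest of the page relies on, so those two should page someone rather than just land on a dashboard.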

Local Monitoring: For monitoring of our local servers and computers—like the hundreds of PCs and servers in each of our photo editing offices—we use Wazuh. Wazuh combines OSSEC with the popular ELK stack (Elasticsearch, Logstash, and Kibana).

OSSEC is an open-source project that has exceeded common open-source limitations thanks to its acquisition by Japanese security multinational Trend Micro back in 2009. It is a top-of-the-line host-based intrusion detection system (HIDS).

The ELK stack is used to collect and analyze many different kinds of logs, like event logs, system logs, and photo editor client logs. It’s extremely useful for visualizing threat monitoring.

Rapid Response: The bigger and more successful you are, the more you become a target online. DDoS attacks and hacking attacks aren’t a probability, they’re an inevitability. The better your prep—software, hardware, training, and planning—the more easily you will handle the crisis when it happens.

We regularly weather spikes of 10x traffic to our website and see attempts to infect us with malware. Our preparation allows us to operate normally during such episodes.

We have alerts and rulesets for immediate threat response in the cloud and have similar functionality in our offices. For example, we combine real-time monitoring of logs with Microsoft Group Policies linked to Active Directory, enabling us to update every computer in our production offices within minutes. Rapid threat response minimizes the extent of damage.

External Penetration Testing: We perform ongoing external penetration testing to find any weaknesses that could be exploited. This allows us to fix possible weaknesses before they become a real problem.

Contingency Planning (Be ready for things to go wrong)

When something does go wrong—and it will—having a detailed contingency plan in place will keep heads cool and the machine running as smoothly as possible.

Just as we advise you to perform a risk assessment of vendors, so do we perform our own risk assessments. We have extensive action plans to respond to natural risks like flooding and fire, technical risks like systems breakdowns, security threats, and internet disruption, and human resource risks like loss of key personnel.

One of the best parts of writing out 20 pages of step-by-step instructions for disaster response is discovering things you can do to mitigate risk right now. The ability to reduce or eliminate risk proactively is extremely beneficial. For that reason, Pixelz continuously updates our contingency plans with strictly defined implementation owners, communication channels, and effective dates.

Next Steps (Assessment and Mitigation)

After you’ve profiled your post-production vendor, the next step is to assess the risks. Determine the likelihood of occurrence, severity of impact, and mitigation possibilities. A quality vendor will work with you to mitigate risks—it’s in both their short-term and long-term interests.
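To make the assessment step concrete, here is an added example (not Pixelz’s method or tooling, and not part of the original post) that turns questionnaire answers into a residual-risk register. The risk names are the six from the “What are the risks?” section; the likelihood and impact numbers, the control names, the hard requirements and the two vendors’ answers are all constructed for the demo and would be set by your own assessment.

```python
"""Added example: scoring a vendor risk profile from questionnaire answers."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), before any vendor controls
    impact: int      # 1 (negligible) .. 5 (business-ending)
    mitigating_controls: List[str]  # questionnaire items that reduce the likelihood


# Constructed register (assumption for the demo); tune these to your own business.
RISKS = [
    Risk("digital asset theft", 4, 5, ["encryption_at_rest", "usb_disabled", "access_logging"]),
    Risk("trade secret theft", 3, 4, ["access_logging", "background_screening", "subcontractor_assessed"]),
    Risk("infection", 4, 3, ["patch_process", "endpoint_protection", "usb_disabled"]),
    Risk("unauthorized access", 3, 5, ["mfa_remote_access", "firewalls", "vulnerability_scans"]),
    Risk("outage", 3, 3, ["redundant_infrastructure", "encrypted_backups", "ddos_protection"]),
    Risk("legal liability", 2, 4, ["named_security_contact", "current_risk_assessment", "incident_response_plan"]),
]

# Controls whose absence fails the vendor outright, whatever the scores ("no exceptions").
HARD_REQUIREMENTS = {"encryption_at_rest", "mfa_remote_access", "named_security_contact"}

ALL_CONTROLS = sorted({c for r in RISKS for c in r.mitigating_controls})
# Two constructed vendors: A answered yes to everything, B lacks remote MFA and USB lockdown.
VENDOR_A = {c: True for c in ALL_CONTROLS}
VENDOR_B = {c: c not in {"mfa_remote_access", "usb_disabled"} for c in ALL_CONTROLS}


def residual_score(risk: Risk, answers: Dict[str, bool]):
    """Each control in place knocks one point off likelihood (floor 1); score = likelihood x impact."""
    missing = [c for c in risk.mitigating_controls if not answers.get(c, False)]
    in_place = len(risk.mitigating_controls) - len(missing)
    likelihood = max(1, risk.likelihood - in_place)
    return likelihood * risk.impact, missing


def assess(answers: Dict[str, bool], max_acceptable: int = 12) -> Dict:
    """Hard requirements gate first; then the worst residual score decides proceed/flunk."""
    failed_hard = sorted(c for c in HARD_REQUIREMENTS if not answers.get(c, False))
    register = []
    for risk in RISKS:
        score, missing = residual_score(risk, answers)
        register.append({"risk": risk.name, "score": score, "missing_controls": missing})
    register.sort(key=lambda entry: -entry["score"])
    verdict = "flunk" if failed_hard or register[0]["score"] > max_acceptable else "proceed"
    return {"verdict": verdict, "failed_hard_requirements": failed_hard, "register": register}


if __name__ == "__main__":
    for label, answers in (("A", VENDOR_A), ("B", VENDOR_B)):
        result = assess(answers)
        print(label, result["verdict"], result["failed_hard_requirements"], result["register"][0])
```

The register output is also the mitigation worksheet: each entry lists exactly which controls are missing, which is what you take back to the vendor when negotiating fixes before signing.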

Risk assessments and mitigation aren’t sexy (to most) and require a lot of detail-oriented communication and analysis. But if you value your company’s reputation, secrets, and performance, they’re a critical step in every RFP. If a vendor is not able and willing to answer your questions, why would you trust them with your images?

If you’d like to learn more about our security standards, policies, and procedures, just ask! We love to spread infosec love.