Henric Larsson (born in Stockholm) started the Chimney Group over twenty years ago – at a time, when a Flame Station was the top of the line in hardware and cost a quarter of a million dollars, rendering took four days and tape decks were still state-of-the-art.
Since then, Chimney has become a studio group with twelve offices and a veritable “Who’s who” of awards under their belt – from Oscars to Cannes Lions and pretty much everything in between.
DP: Hello Henric, what are you currently working on?
Henric Larsson: We are just delivering a Netflix original called “Quicksand”. We also are in the middle of finalising some exciting advertising projects with a lot of CG. We also just started working on a large game trailer for a new game being launched at E3.
DP: Some of those sound like they shouldn’t leak or be talked about in any meaningful way – how do you handle security of data and content at chimney?
Henric Larsson: The easiest way is that we just set up a separate department in the office space without internet access, no phones allowed, physical protection, cameras, alarm etc. The more challenging, larger projects need a much more complex and expensive solution, since we need to involve many different skill sets and services that can not be moved into one single isolated office location. Here we work with encrypted files, closed down sub nets, hardware lock on workstations, extensive monitor of traffic using different tools, special setup of firewalls.
DP: With studios in a few countries, how much data is pushed between the cities?
Henric Larsson: We are unique in the way that Chimney is not a network but ONE company with 60 partners being shareholders. Acting like one company we share a lot of work, and we have invested heavily in different tech to make it as smooth and secure as possible during the last 10 years.
DP: Which tools do you generally use, and where are the license servers for those?
Henric Larsson: Our most common tools are Maya, Houdini, V-Ray, Arnold, Nuke and of course Flame, Avid, Pro Tools, Resolve Studio etc. Sharing licenses has been all but forbidden by all suppliers for many years, so it is almost impossible to have one license server for multiple locations, which is not ideal.
DP: Many tools like DaVinci Resolve, Nuke Studio and the like offer team features – do those hold up to scrutiny from a security standpoint?
Henric Larsson: It is not really a problem as long as we keep it limited to only work in the subdivision we built for the show with no external access.
DP: So what steps is the Chimney Group taking to ensure data security?
Henric Larsson: As mentioned above we invested in huge storage that could also manage separation and encryption of volumes plus 4K HDR. We replaced most switches and a monitor software to identify strange traffic, new firewalls, electric locks with logging, cameras, etc.
From an operational point of view we had training for all staff on how to work and our obligations towards the studios. We even gave them all new employment contracts with programs regulating some security issues.
DP: Can you say more about the staff training? Are there topics that are often overlooked?
Henric Larsson: First of all, by contracts with our clients we are obliged to do continuous training, hence we need to have proper on boarding of new staff. I think smaller shops just need to look through the contracts and then create training sessions around each point defining their routines, their obligations and how those affect an individual VFX artist in their daily work and list what is allowed and what is not. Most shops do nothing in this area, not even larger ones, so I think a lot of facilities could improve immensely just by implementing a decent level of training.
DP: Which of these activities influence your actual pipeline?
Henric Larsson: I would say flexibility in general. With a less secure production we can have artists jumping into a project within an hour’s notice, have a sound designer do some temp mixes. With these jobs we need to have a long-term plan for staff and rooms / facilities, so we get a bit less flexible.
DP: Have you changed software packages because of a lack of updates or something like that?
Henric Larsson: No, we aren’t there yet. Maybe some smaller, less essential tools used only by some individuals, but nothing major. I guess Spotify is gone, since they don’t have internet access (laughs).
DP: So how is sound made available to your artists?
Henric Larsson: It is actually classic bought music from iTunes and sometimes CDs, crazy, but we can’t allow external streaming. Soon we have to buy some vinyl players as well!
DP: Let’s talk about the people actually working on the shots: How much does a modern understanding of security influence their work, and how much of retraining is necessary?
Henric Larsson: Almost to the positive I would say. The heavy investment in new IT infrastructure has improved performance in many areas, so they are just happy plus maybe also a bit proud that we take the projects they work on very seriously.
DP: Can you recommend any materials to study before tightening security?
Henric Larsson: Good question. We spent half a year researching, talking to the security departments at the studios, so there is not ONE source, but many.
DP: What’s your take on bringing in external tools like password managers, encrypted drives, VPNs and the like?
Henric Larsson: I actually love it. This is not just to please a client, but a sloppy colleague could implement a ransomware so all servers get encrypted before we set things up properly. I think 90% of the shops that don’t have MPAA and studio approval have zero protection for this and they can’t afford mirrored storage in a co-location
DP: When you started to up the ante, what surprised you by being more or less difficult than expected?
Henric Larsson: I would say separating subnets in a secure way without completely changing the way we work and still being able to use in-house tools like pipeline etc. But also physical security can be challenging at our larger offices, meaning limiting access but still not making it too complicated to move around in the office space.
DP: We have heard of some studios who switch to Pushing Pixels instead of data – having virtualized workstations, which are accessed via network without sending any actual data, just a screen share. Is that something you looked into, and, with your network of studios and freelancers and specialists, is that a viable option already?
Henric Larsson: We have not moved into using Google and Amazon workstations yet but instead centralised all our workstations in the server room and use remote access hardware from thin clients. This way we can keep the hardware more secure BUT it also allows us to work remotely, if we have to. And if we use artists at another office, they don’t need to be sent files, they use our render farms etc.
Next step could be to move more into the cloud, but up until now it has been costlier than building our own private cloud.
DP: Considering all that: How much security is strictly necessary for VFX productions these days?
Henric Larsson: If a few green screen shots leak, I am not sure that would be a huge loss. When editorial or sound facilities leak whole episodes, it is different. If one works on “Star Wars”, “Game of Thrones” etc., there is for sure a huge interest from bad people to try to get ahold of anything. We see peaks of strange traffic to our firewalls when we work on some projects, even music videos, so there are for sure some people out there trying to get access to the content we secure for the clients.
DP: Do you know where these attacks come from? And would you recommend for a younger team working on a first big job to change their communication of current projects?
Henric Larsson: The traffic comes from individuals and hasn’t been very sophisticated. We never talk about our involvement and use secret project names that don’t disclose the project or client, but they still figure it out. Often IMDB publishes info early.
The best protection is not to talk about anything, not even publish too many finished projects on the website since, if you show the world you continuously work on “Star Wars”, you will get the attention of some hackers.
That said, the website is your store front, but one also needs to be more professional than the competition, and we are not in the B2C market, so the 100 clients one wants to communicate with can be managed in a more private way. Nobody is just browsing the internet to find a website and award a huge show.
DP: With the research you guys have been doing, what is the most common thing one has to watch out for in a modern pipeline?
Henric Larsson: Human errors. Somebody sitting on a workstation without USB locked down that plugs in a drive with shit on it. Somebody transferring files in a less secure way that is faster. It is very hard to have IT eliminate all possible things a human can do, not even on purpose.
DP: And with a more general overview on VFX, animation, and commercials: What will be the topics we will be talking about ten years down the line?
Henric Larsson: Realtime game engines like Unreal with photo realistic quality, no render times, and digital actors.