Hackers have figured out a way to hack Fortnite accounts.

How game companies can protect their online operations and players from cyberattacks

Bower: I find they’re very open to it. It’s the kind of information-sharing where it’s mutually beneficial. We’re helping bring up topics that maybe other studios haven’t seen, and vice versa. It’s a partnership where we’re helping each other out.

Singer: That’s great to hear because I think that the industry — this is just a personal thing — could benefit from having an ISAC, an Information Sharing and Analysis Center. The financial services industry has it, and a bunch of other industries as well. There’s a cool opportunity for the game industry to do more to support one another.

GamesBeat: Our first question from the audience came in, and this person asks, does your company contribute to or collaborate with the RH-ISAC? If so, how has that helped you?

Singer: RH-ISAC, that’s the ISAC for the retail and hospitality industries. Obviously I’m not a developer. Akamai, certainly, works with them. I don’t know how much it really fits in with the game industry’s unique problems. Game companies are obviously retailers, but I think there’s a different set of shared risks that the game industry should be working on. That’s something interesting for anyone listening to this to explore, though, so I’m glad that was brought up.

Adams: A side note on that, no one that I’m aware of works with that group, but a lot of my experience is more on the payment fraud side. Mostly where I end up getting information and sharing information is at events like the Merchant Risk Council, where it’s mainly focused on payments and fraud around that, but we also end up talking a lot about other security aspects as well.

Singer: That makes sense. Criminals are organized, and so it behooves the industry to get organized as well, I would think.

Adams: Very much so.

Bower: Also, with the studios launching games on first-party platforms, in many cases, the developers are not directly tied to financial information.

GamesBeat: Where are web attacks headed? What will happen with cloud gaming and subscription services?

Adams: Attacks are just getting more sophisticated. The fraudsters move as fast as we do, and probably faster. Things that used to be more around the payment methods — now, as we just talked about, it’s moved, quite a while ago really, into account takeovers. We’ll see a lot more of that, and it will get more sophisticated.

As we go toward cloud gaming, that gets even more interesting. In some ways, it’s harder for the fraudsters, especially on the competitive integrity side. You won’t be hosting. On your PC, you won’t have any game code. In most cases, it will just be a video coming across, a video stream. On the flip side, if the cloud gaming platforms don’t protect themselves in a lot of the ways we’ve been talking about, there’s a whole lot more risk.

Bower: If I were to look at the future in terms of where we’re going with cloud gaming and subscriptions, from the studio or developer side, I don’t really see a huge change in how we’re launching games. As I mentioned in the previous question, we’re looking to a first-party publisher to release our games. On that avenue, it’s imperative that we foster partnerships with those publishers and keep those communication channels open so that we’re able to be notified of any new threats, or anything on the security side that they’re seeing. In turn, it’s our responsibility as studios and developers to address those threats through client code changes or changes on the server side.

Singer: In addition to publishers, and obviously the platforms fill this role as well — you need to be in touch with your platforms. If you’re a developer and you’re not sure what to do next from a security posture standpoint, go to your platforms and ask them what they want out of you. Sony, Microsoft, Nintendo, Valve. What do they want to see more of?

A lot of them see developers and publishers as the weakest link in their security chain. One really important game gets taken out with a DDoS attack and then everyone starts logging into the platform over and over again, and now the platform gets DoS’d by its own players and everything goes down. That’s a bad scene. Now no one can access their game. That goes back to the herd immunity topic. A problem in one game can affect everyone.

What are the best practices that your platform owners and major channel partners worry about? What keeps them awake? What do they want to see more of? That’s an interesting question to ask if you’re looking for ways to do more internal prioritization because I’m sure you can find someone there who’s willing to talk with you.

Bower: I’d also add that — this question asks what will happen with cloud gaming. I want to be cognizant of the fact that the paradigm shift of going from on-prem to cloud-based — in reality, I do believe that many of the studios, especially the indie studios, are cloud-borne. They’ve been building in the cloud for longer than what the larger studios are seeing as that shift from on-prem to the cloud continues.

GamesBeat: How do you message the importance of security to teams that you collaborate with?

Ragan: The easiest way to get the message across to other teams that you’re collaborating with about security or how things need to be co-aligned is to find out what they expect or what they need for the product and what they need for the life cycle of the product. Explain why security plays a role in that. Figure out how to partner with them.

A lot of times security is seen as adversarial, or it’s seen as a hindrance, something that blocks traditional play, traditional development, dev roll-offs, things like this. Instead of being that kind of hurdle, make security a part of the team, a part of the success overall. Figure out how to partner up like that. You’ll get more accolades, more support than you were probably expecting.

It’s like the old adage about how you catch more flies with honey. The fact of the matter is that security is still a hurdle for a lot of companies. You work it in to where you’re a partner instead of an adversary and you’ll find that the results generally improve for you overall.

Hackers are using AI too.

Adams: In the fraud and risk space, I like to remind people that we have access to a lot of data, which a lot of areas of the company may not know. To echo the same thing, if you can find a way to help the other areas of the company that you need to communicate with, then often you can get better collaboration. Back to what I said earlier, if you can get a seat at the table, even embed somebody from security in different teams, then it’s easier to collaborate that way.

Bower: I’d agree with Scott. It’s important to communicate with the teams on the importance of security. Internally, it goes from things as simple as no tailgating when going into the building, to looking at the code that’s being deployed for the game and making sure that everyone involved in the development of the game understands the importance of security. And what the risks are if we are exposed.

Adams: One thing I’ve done in the past that helped a lot, whenever you have all-hands meetings, get someone from the security group to speak. Don’t just go up there and tell some technical story, but tell a fun story. A lot of the time the things we do can be secret or classified internally. But if you have a story that is interesting, you’ll get engagement from the company, engagement from people. I’ve done that at a number of companies, and I always get many more people wanting to talk by telling stories about how we overcame some problems or whatever it was.

GamesBeat: Looking at our second live audience poll results, our question was, “What is your biggest concern when it comes to online threats?” The poll results are as follows: 16 percent said it was keeping up with evolving threats, 66 percent said losing the trust of our users, and 16 percent said tarnishing our brand. Any quick comment?

Adams: I love those results. That’s where we should be.

Bower: That makes sense. It fits in perfectly with the conversation we’ve been having since we started. We’re here for the users. They’re looking to us to provide them with an inspiring world to play games in.

GamesBeat: One more audience question. Do the GDPR laws in Europe impact how a publisher makes decisions about privacy and security?

Bower: We’re looking at GDPR again from day one. As you build your infrastructure, the schema should include the ability to address GDPR, even if you’re not planning to have a game deployed there. Everything could change in terms of where the game is being launched and how it’s being served. If you’re prepared for it on day one, you don’t have to put in a bunch of engineering changes to address it later.

Adams: Yeah, I totally agree with that. I do a lot of work around this stuff, and it’s such a huge thing. How GDPR works, it doesn’t really matter where you deploy your game. It’ll get played pretty much anywhere. If a citizen comes over from Europe to the U.S. and plays your game, enters their email address, they’re still a European citizen. You still have to make that impact your privacy and security, and you have to do it from day one. Otherwise, there’s almost no way to do it.

Singer: To be clear, GDPR is not the first of these types of laws. It happens to be one that’s capturing global attention, which is great, because if you weren’t thinking about it before as a game developer, and then you went out into the market and you tried to go global, you’re going to meet restrictions like this in a lot of different parts of the world. GDPR just happens to be broadly encompassing and highly specific. But if you’re thinking about security from day one, then it’s less of an issue.

Adams: A lot of states and other countries are working on or have already passed laws of a similar nature. We really just need to think about this anyway.

GamesBeat: One last question here. How do you more effectively partner with players to help them protect themselves?

Bower: Communication is key, making sure you’re engaging with the players. I mentioned earlier, talking about the situation of not handing over your controller or access to a stranger. Just really being clear about what something like that can do to impact you as a player. If you think about playing a game where you’ve worked 20, 40, 200 hours to earn a certain emblem or a certain article of clothing in that game, by not protecting yourself as the user — those items are currency within the game. Those items are very valuable. If the game is exploited and everyone is then able to go get those items, then they become useless. It’s important to ensure open streams of communication with the players.

Disclosure: Akamai sponsored our session on protecting game companies. Our coverage remains objective.

Dean Takahashi

Dean Takahashi is editorial director for GamesBeat at VentureBeat. He has been a tech journalist since 1988, and he has covered games as a beat since 1996. He was lead writer for GamesBeat at VentureBeat from 2008 to April 2025. Prior to that, he wrote for the San Jose Mercury News, the Red Herring, the Wall Street Journal, the Los Angeles Times, and the Dallas Times-Herald. He is the author of two books, "Opening the Xbox" and "The Xbox 360 Uncloaked." He organizes the annual GamesBeat Next, GamesBeat Summit and GamesBeat Insider Series: Hollywood and Games conferences and is a frequent speaker at gaming and tech events. He lives in the San Francisco Bay Area.