How to Secure the Cloud as a Universal Production Resource?

Never trust anything

In the MovieLabs white paper The Evolution of Media Creation, we outlined a vision for implementing true cloud-native production workflows. In that vision media production moves outside of the security perimeters that protect individual facilities such as post-production and VFX companies and becomes a virtualized security system to protect all of those involved in production workflows. These workflows transcend organizations, and simply stated, protecting them requires a new approach to security.

MovieLabs releases new security architecture

The complexity of delivering security to cloud users far beyond the perimeters of any facility needs a new approach to security. That was the premise of the MovieLabs security model published in December 2019. The Evolution of Production Security – Securing the 10-Year Vision for the Future of Media Production, Post and Creative Technologies presented a model based on six key principles for the future of production security. Today MovieLabs is publishing a security architecture that takes that model a major step toward realization.

In other industries, we have seen conventional perimeter security fail in dramatic ways. According to Verizon’s 2020 Data Breach Investigations Report, attacks that target perimeter security—phishing and the use of stolen credentials—are the top two contributors to security breaches. Media production in the cloud presents security challenges that go beyond those of other industries. For example, most production personnel are hired only for the duration of the production, and many small companies with distinct security perimeters and policies work collaboratively in a typical production. To respond to those threats, the security architecture must go beyond keeping intruders out, which is the role of perimeter security, and instead rely on authentication with continuous trust inference, as well as dynamic policies that authorize activity and apply the principle of least privilege temporally as well as spatially.

A resource for everyone on the production

For us, the cloud is becoming a resource shared by everyone working on a production, and so should security. Sooner or later, copying data to local storage for processing on local compute will be a matter of choice rather than the de facto way of working. Security controls must be separated from the location of the data. The data, the compute, and therefore the processes that are the wheels of production, all will be in the cloud.

As the industry rose to meet the challenges of the pandemic, the explosion in work outside the protected walls of production facilities highlighted the urgent need for a new security architecture, because perimeter security cannot deal effectively with today’s threat landscape. But just as importantly, the shared cloud with its multitude of different types of users—the heart of production in the cloud—cannot be secured inside a security perimeter without seriously impacting the creative process. To attempt to do so would mean a security solution that is the antithesis of the security-by-design principle: keep security simple.

Trust nothing until it’s verified

The MovieLabs security architecture is a collaboration-oriented Zero-Trust Architecture (ZTA). It is concerned with securing and protecting the integrity of assets, processes, and workflows in the collaborative environment of media production. It is not concerned with protecting the underlying infrastructure, but instead is designed to protect production on an infrastructure that is not trusted.

The fundamental rule of a ZTA approach is that nothing is trusted until it has been authenticated. There is no concept of “inside the security perimeter” because no perimeter exists and nor is one needed. Anything can attach itself to the network, but that brings no assumption of trust. There are no trusted ports on the router; any user or resource attached to the network cannot engage in any activity until it has been authenticated and the activity subsequently authorized.

Authenticate, then authorize

Identity management and authentication are the core functions of the security architecture, and these apply to anything and everything in the workflow: the participant, the computer, the storage, and the application. Once something is authenticated, it can take part in activities for which it is authorized. Authentication and authorization are separated. Authentication is a prerequisite for participation in any potential activity; authorization is then required for an authenticated participant to engage in any specific activity.

In August of 2020, NIST published Special Publication 800-207, Zero Trust Architecture. The MovieLabs security architecture is congruent with 800-207, and in particular with three tenets in NIST 800-207 regarding authentication and authorization. These are:

• Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted, and it is granted with the least privileges needed to complete the task.
• Access to resources is determined by dynamic policy. This includes the observable state of client identity, the application or service, and the requesting resource. It may include other behavioral and environmental attributes.
• All resource authentication and authorization are dynamic and strictly enforced before access is allowed. This is a constant cycle of obtaining access, scanning, and assessing threats, adapting, and continually re-evaluating trust in ongoing communication.

Dynamic authorization

Authorization is only needed while an activity is taking place, and depending on how the security level is scaled, authorizations can be granted for only the duration of the activity (e.g., the security dial is set to 10) or for the duration of the production (e.g., the security dial is set to 3). When authorization is granted only for the duration of an activity, the principle of least privilege is applied temporally (how long is it authorized) as well as spatially (what is authorized).

Authorization is carried in the form of static and dynamic security policies. The dynamic policies are created in response to the workflow management system scheduling or initiating an activity. If the authorization service is notified of an activity, it generates a dynamic security policy that is sent to the security policy enforcement points, which are embedded in the components of the workflow and infrastructure.

Deploy today, be ready for tomorrow

The principles presented in the MovieLabs security model are built on security by design. Our fundamental message is that security must be designed into the methods of producing media when those methods are created. Security must be intrinsic to the workflow so that it does not interfere with the creative process, not an extrinsic bolt-on that gets in everyone’s way. While we designed the architecture with the 2030 Vision in mind, the proposed security architecture can and should be deployed today so that productions running in private data centers are secure, and also ready to meet the future challenges of seamless migration to cloud-native workflows.

We invite all those interested in securing the future of cloud media workflows to read and provide feedback on the security architecture released today.

It is available on our website in multiple parts zipped into one file for download. Part 1 is an overall description of the architecture. Part 2 describes the possible interfaces between modules. Part 3 presents a metric-based approach to scaling security.

Publishing this security architecture is only a beginning. We expect to learn from feedback and look forward to working with the industry to evolve the architecture and to facilitate implementations that will secure the next generation of production.

#MovieLabs2030, #ML2030Security