Announcing Zero Trust Recommended Practices

Posted on April 9, 2024
Movielabs’ Recommended Practices for Zero Trust Deployment in Media Production

Introducing the MovieLabs’ Recommended Practices for the Deployment of Zero Trust in Media Production

With the increasing number and sophistication of cyber-attacks against all organizations, including content owners and their vendors and partners, it is increasingly important that media supply chains are secured to protect critical assets and workflows. Consistent with the recommendations of US and UK government agencies, leading cybersecurity vendors and cybersecurity experts, MovieLabs recommends using a zero trust security architecture to protect media production: assets, workflows, production systems, and vendor ecosystems. Today we are publishing a high-level set of recommended practices for deploying zero trust security in media production. Click to download the new MovieLabs’s Recommended Practiecs for Deployment of Zero Trust in Media Production.


Zero trust is the foundation of the MovieLabs Common Security Architecture for Production (CSAP) and an approach to cloud based security being broadly adopted for securing the IT infrastructure of major organizations and governments worldwide.

The zero trust security architecture does not assume good actors are on the insider and bad actors are on the outside, instead it assumes that the infrastructure is in a constant state of breach. This is the only assumption that should be made because there is no longer a difference between “inside” and “outside,” and we demonstrably cannot rely on security perimeters.

The zero trust principles are that:

  • Nothing (users, devices and services) is trusted without first being authenticated.
  • All activity must be explicitly authorized by authorization policies.

The 43 recommended practices described in the MovieLabs document can be applied to any deployment of zero trust in media production, and they are specifically designed for the Common Security Architecture for Production Zero Trust Foundation (ZTF). CSAP ZTF is a zero trust model as might be used in any enterprise adopting zero trust. ZTF is the foundation for deployment of a full implementation of CSAP.


We have described the CSAP ZTF in Part 5A of the CSAP documentation, and all of the CSAP documentation can be found on the MovieLabs Production Security Website.

These Zero Trust Recommended Practices extend the earlier Enhanced Content Protection for Production (ECPP). ECPP is a set of recommended practices for the security of cloud services used in the production of motion picture and television content. The Zero Trust Recommended Practices require that recommended practices in ECPP are followed and do not repeat them.

It is worth stating that these recommended practices for zero trust are not intended to be used as the means of assessing or evaluating a deployment of zero trust.

Additional Resources to Learn More About Zero Trust

The document does not provide any background on zero trust or go into details about how it works because we expect that anyone applying the recommended practices to a zero trust deployment has a suitable understanding of zero trust architecture and how to deploy it.

However, we don’t anticipate those will be the only readership.

What we have done for those who want to understand more about zero trust to put a context around the recommended practices, or want to find out about potentially new concepts such as the protect surface1, is to include references to an excellent selection of information available on the MovieLabs website, on US Federal Government websites including the National Institute of Standards and Technology (NIST), the UK’s National Cyber Security Centre, the Cloud Security Alliance and a curated selection of information from security vendors.

You can start out you journey to understanding zero trust with the MovieLabs video, Zero Trust and Protecting Cloud Production.

And then what?

The first use of these recommended practices is in the deployment of zero trust security in general: both in media production and in enterprises that don’t make content. Earlier we stated that the CSAP Zero Trust Foundation is zero trust as might be deployed in any organization, and these recommended practices are not specific to media production.

The second use is taking the first step to a CSAP level 100 deployment. CSAP level 100 is the CSAP Zero Trust Foundation with functionality that does make it media production specific. The added functionality is, for example, specific to how production workflows are carried out.

Keep the Feedback Coming

We hope that reading this will help you as you deploy zero trust security and do so in a way that is the foundation for CSAP. If you have questions or comments on the new document, you can reach out to us at

[1] No, that’s not the same as an attack surface!

You May Also Like…