The Enhanced Content Protection for Production provides a unifying set of recommended practices for those designing, building, configuring, or assessing the security of production workflows in the cloud
Motion Pictures Laboratories, Inc. (MovieLabs), a technology joint venture of the major Hollywood studios, has published the first version of the Enhanced Content Protection for Production (ECPP), providing a set of best practices for production services vendors, cloud services providers, studios and productions. Developed with input from studio security experts and leading technology companies across the industry, the ECPP can be viewed here.
The need for a common set of recommended cloud security practices is driven by the complex and rapidly changing world of media production and the migration of various parts of the workflow to the cloud. This results in multiple stakeholders with shared responsibility for securing cloud-based production workflows.
The goal of the ECPP is to provide a guiding set of high-level recommended practices for establishing and managing cloud security. It is specifically focused on the new or significantly different practices for the cloud. It is intended for those concerned with providing secure, cloud-based solutions and for people responsible for ensuring the security of their productions. The document, together with its companion “Executive Guide to the ECPP,” looks at the current state of the threat environment and addresses the most common attack vectors along with the most active threat actors. It then provides a set of global best practices that apply to all uses of cloud services and more specific best practices for IaaS (Infrastructure as a Service, for example major cloud providers), PaaS (Platform as a Service, such as integrated infrastructure and software stacks that can be easily deployed) and SaaS (Software as a Service, such as cloud–based collaboration services). Finally, as production workflows are already spanning multiple cloud infrastructures including private and public hyperscale clouds, the ECPP discusses the challenges and considerations of securing multi-cloud production.
Richard Berger, CEO MovieLabs, said: “ As part of our work to accelerate the evolution of media creation and the move to the cloud, we have developed the Common Security Architecture for Production (CSAP) on the premise that a different approach is required for securing production in the cloud, where the cloud is a resource shared across everyone working on a production. Additionally, while we work with the industry to implement the CSAP in support of our shared 2030 vision, we wanted to provide a guide for securing production cloud services in the way we are using them today. We hope that the different ecosystem participants across the industry can align their unique approaches to secure and assess cloud-based workflows and can benefit from the ECPP.”
MovieLabs ECPP follows a similar approach as the MovieLabs Specification for Enhanced Content Protection (ECP) originally published in 2013 which helped to establish the industry’s security practices for 4K UHD media distribution. That document helped accelerate rollout of 4K by aligning the various playback hardware and software component providers around a common set of security requirements and practices. The ECPP is positioned to serve the same function for media production as the industry moves to the cloud. The ECPP will be updated periodically and will help create a bridge to the MovieLabs CSAP.
Spencer Stephens, SVP Production Technology and Security added, “It became clear to us as we were developing these recommended practices that ensuring security of production workflows in a cloud environment where perimeter security is not applicable, would be far less complex if studios and their service provider/vendors implemented security in accordance with a common security architecture.”
The ECPP was intentionally not designed as a set of controls for assessing security but rather as guidelines for companies to help prepare them for their security assessments and to ideally make it easier for assessment programs by aligning the industry around a common set of cloud security best practices.