Production Security

Traditionally we have secured media assets and media workflows as assets move between vendors and down a pipeline by using Perimeter Security, where intruders are blocked from penetrating the organization’s infrastructure, is based on several assumptions:

• The good actors are on the inside and the bad actors are on the outside.
• Everything happens within a single, or a small number of fixed locations.
• The organization’s infrastructure isn’t shared with vendors or contractors.

Those assumptions are not valid. The good actors are on the outside too working from remote locations, production is happening on infrastructure that is not on the premises and is shared with vendors, and security perimeters are demonstrably porous meaning you should not assume the bad actors are on the inside.

Securing The New Production Workflows

The most significant proposal we made in this paper was that a professional content creation should move to a “zero trust security architecture”. We didn’t invent it, the principles have been around for a long time, NIST (US National Institue of Standards & Technology) published Special Publication 800-207 Zero Trust Architecture in 2020 and Google had started deploying BeyondCorp, its zero trust architecture for its corporate infrastructure, a decade before. But we felt that the Zero Trust model is perfectly adaptable to the sort of distributed, multi-vendor approach we have in professional content creation.

The pillars of zero trust include:

• Assume the security of the infrastructure is in a state of breach.
• Everything (users, devices, services) must be authenticated before it can take part in any activity such as joining a network.
• All authentication is mutual.
• All activity is authorised by an authorisation policy.

MovieLabs has defined the Common Security Architecture for Production (CSAP), a zero trust architecture specifically designed for media creation. It is a zero trust implementation as might be used in other, non-media, organizations, with additional functionality designed specifically for media production.

CSAP has scalable security levels (100, 200 and 300), each of which has more granular security, so that productions and studios can adjust security levels for specific types of content, or even specific assets within a production, according to their risk assessment.

To help get to CSAP level 100, we introduced the CSAP Zero Trust Foundation. This is a zero trust architecture as might be used in any enterprise:

• Identifiably separate sources of authentication and authorisation.
• Authorisation controlled by authorisation policies.

We have divided the CSAP architecture into five parts to make it easier to read just the parts that are relevant to you (links will take you to the MovieLabs documentation site to read those sections).

Part 1: Architecture Description is the main architecture document.

Part 2: Interfaces describes the possible interfaces between the modules in a canonical form.

Part 3: Security Levels presents three security levels that are a metric-based approach to scaling security.

Part 4: Securing Software-Defined Workflow discusses how the security architecture can be applied to software-defined workflows that are managed using a service bus.

Part 5: Implementation Considerations covers different aspects of CSAP implementation in three sub-parts:

Part 5A, Starting Out, sets the stage for CSAP implementation and provides detail on the CSAP Zero trust Foundation.

Part 5B, CSAP Core, Section 2 discuss implementation considerations for CSAP core security components of identity and authentication, and authorization and authorization policies.

Part 5C, Approaches, covers using network configurations to implement zero trust, the ways to control access to assets and resources using authorization policies, and how the CSAP architecture can be used to facilitate end-to-end security on untrusted infrastructure.

If you prefer to read offline you can download the entire CSAP documentation set.

We periodically publish updates and additional parts to CSAP. The latest update was published in August 2023. Stay updated on latest versions by checking the MovieLabs Media Creation Documentation Site.

Recommended Practices

MovieLabs has published two sets of recommended practices in relation to security of content creation.

Enhanced Content Protection For Production (ECPP)

CSAP is designed to protect the workflows of the 2030 Vision where media creation will largely occur in the cloud and be based on Software-Defined Workflows. However, on their journey to cloud production, the first step for many organizations is moving all or part of their infrastructure to the cloud while keeping it private to themselves.

Recognizing that there is an immediate need for those wanting to secure cloud resources today, perhaps in a hybrid private cloud environment. MovieLabs and its member studios have developed a set of recommended practices for production security today. We refer to these recommended practices as the Enhanced Content Protection for Production (ECPP).

The ECPP Recommended Practices and the Executive Guide to ECPP are available for download to help you in planning the security for your use of cloud resources in media production right now.

Recommended Practices For The Deployment Of Zero Trust In Media Production

ECPP is the first step in securing cloud infrastructure and is focussed primarily on the security of cloud services and their use. The MovieLabs Recommended Practices for the Deployment of Zero Trust in Media Production adds zero trust security to the set of MovieLabs recommended practices.

This set of recommended practices is applicable to zero trust security however they are not CSAP specific and apply to any zero trust security deployment.