Production Technology
Production Security
A New Approach to Security
Professional media creation exists in a perfect storm of complexities: workflows are moving to the cloud, and in fact to multiple clouds (public and private), while cyberattacks are increasing in number and rising in effectiveness and sophistication. As part of the 2030 Vision, MovieLabs recommends moving content production workflows to the cloud, and that requires a new approach to securing production workflows. MovieLabs has created an architecture that supports this new approach, which we call the Common Security Architecture for Production, or CSAP for short. Before we get to that, it may be best to cover some background…
Traditionally, we have secured media assets and media workflows, as assets move between vendors and down a pipeline, by using perimeter security. Perimeter security, where intruders are blocked from penetrating the organization’s infrastructure, is based on several assumptions:
- The good actors are on the inside and the bad actors are on the outside.
- Everything happens within a single, or a small number of fixed locations.
- The organization’s infrastructure isn’t shared with vendors or contractors.
Those assumptions are not valid. The good actors are on the outside too, working from remote locations; production is happening on infrastructure that is not on the premises and is shared with vendors; and security perimeters are demonstrably porous, meaning you should not assume the bad actors are kept on the outside.
“MovieLabs 2030 Vision Principle 7 highlights the difference between a facility using cloud resources to augment or replace its infrastructure and production in the cloud when the entire workflow is itself protected, regardless of the infrastructure it is running on.”
MovieLabs, “The Evolution of Media Creation”, 2019
Securing The New Production Workflows
The most significant proposal we made in this paper was that professional content creation should move to a “zero trust security architecture”. We didn’t invent it; the principles have been around for a long time. NIST (the US National Institute of Standards & Technology) published Special Publication 800-207, Zero Trust Architecture, in 2020, and Google had started deploying BeyondCorp, its zero trust architecture for its corporate infrastructure, a decade before. But we felt that the zero trust model is perfectly adaptable to the sort of distributed, multi-vendor approach we have in professional content creation.
The pillars of zero trust include:
- Assume the security of the infrastructure is in a state of breach.
- Everything (users, devices, services) must be authenticated before it can take part in any activity such as joining a network.
- All authentication is mutual.
- All activity is authorised by an authorisation policy.
MovieLabs Production Security Zero Trust Curriculum
MovieLabs has produced a series of videos, blog posts and papers that explain zero trust and what the core principles of trust, authentication and authorization mean in production workflow scenarios. We suggest watching/reading them in order to gain an understanding of this new approach:
Zero Trust and Protecting Cloud Production Video Introduction
MovieLabs Zero Trust Security Blog series is an introduction to the concepts behind zero trust and CSAP:
The MovieLabs Common Security Architecture for Production
MovieLabs has defined the Common Security Architecture for Production (CSAP), a zero trust architecture specifically designed for media creation. It is a zero trust implementation as might be used in other, non-media, organizations, with additional functionality designed specifically for media production.
CSAP has scalable security levels (100, 200 and 300), each of which has more granular security, so that productions and studios can adjust security levels for specific types of content, or even specific assets within a production, according to their risk assessment.
To help get to CSAP level 100, we introduced the CSAP Zero Trust Foundation. This is a zero trust architecture as might be used in any enterprise:
- Identifiably separate sources of authentication and authorisation.
- Authorisation controlled by authorisation policies.
We have divided the CSAP architecture into five parts to make it easier to read just the parts that are relevant to you (links will take you to the MovieLabs documentation site to read those sections).
Part 1: Architecture Description is the main architecture document.
Part 2: Interfaces describes the possible interfaces between the modules in a canonical form.
Part 5: Implementation Considerations covers different aspects of CSAP implementation in three sub-parts:
If you prefer to read offline you can download the entire CSAP documentation set.
We periodically publish updates and additional parts to CSAP. The latest update was published in August 2023. Stay updated on the latest versions by checking the MovieLabs Media Creation Documentation Site.
Security Interoperability
Software and cloud infrastructure are playing a larger role in supporting creative work and are the foundation of the 2030 Vision. MovieLabs has addressed the need for security interoperability to make these workflows secure, and the security less complex to manage, in the white paper Security Interoperability in Media Creation.
Security interoperability means better security across diverse infrastructure while minimizing the intrusion of security into the creative process. It means interoperability between the security components and security management, which is difficult to define in a context where diverse systems are used. Defining the security architecture makes defining and implementing interoperability easier, because the architecture defines what systems and services need to be interoperable with. For that reason, the MovieLabs white paper focuses on security interoperability in a zero trust security architecture and how it is a critical enabler for the 2030 Vision. Implementation of the interoperability principles in the paper can enable seamless security across a diverse set of software tools, services, and infrastructure.
Recommended Practices
MovieLabs has published two sets of recommended practices in relation to security of content creation.
Enhanced Content Protection For Production (ECPP)
CSAP is designed to protect the workflows of the 2030 Vision where media creation will largely occur in the cloud and be based on Software-Defined Workflows. However, on their journey to cloud production, the first step for many organizations is moving all or part of their infrastructure to the cloud while keeping it private to themselves.
Recognizing that there is an immediate need for those wanting to secure cloud resources today, perhaps in a hybrid private cloud environment, MovieLabs and its member studios have developed a set of recommended practices for production security today. We refer to these recommended practices as the Enhanced Content Protection for Production (ECPP).
The ECPP Recommended Practices and the Executive Guide to ECPP are available for download to help you in planning the security for your use of cloud resources in media production right now.
Recommended Practices For The Deployment Of Zero Trust In Media Production
ECPP is the first step in securing cloud infrastructure and is focussed primarily on the security of cloud services and their use. The MovieLabs Recommended Practices for the Deployment of Zero Trust in Media Production adds zero trust security to the set of MovieLabs recommended practices.
This set of recommended practices is applicable to zero trust security; however, it is not CSAP-specific and applies to any zero trust security deployment.