Production Technology

Production Security

A New Approach to Security

Professional media creation exists in a perfect storm of complexities: workflows are moving to the cloud, and in fact to multiple clouds (public and private), while cyberattacks are increasing in number and rising in effectiveness and sophistication. As part of the 2030 Vision, MovieLabs recommends moving content production workflows to the cloud, and that requires a new approach to securing production workflows. MovieLabs has created an architecture that supports this new approach, which we call the Common Security Architecture for Production, or CSAP for short. Before we get to that, it may be best to cover some background…

Traditionally we have secured media assets and media workflows, as assets move between vendors and down a pipeline, by using perimeter security, where intruders are blocked from penetrating the organization’s infrastructure. Perimeter security is based on several assumptions:

  • The good actors are on the inside and the bad actors are on the outside.
  • Everything happens within a single, or a small number of fixed locations.
  • The organization’s infrastructure isn’t shared with vendors or contractors.

Those assumptions are not valid. The good actors are on the outside too, working from remote locations; production is happening on infrastructure that is not on the premises and is shared with vendors; and security perimeters are demonstrably porous, meaning you should not assume the bad actors are only on the outside.

MovieLabs 2030 Vision Principle 7

“MovieLabs 2030 Vision Principle 7 highlights the difference between a facility using cloud resources to augment or replace its infrastructure and production in the cloud when the entire workflow is itself protected, regardless of the infrastructure it is running on.”

MovieLabs, “The Evolution of Media Creation”, 2019

Securing The New Production Workflows

As we started work on the 2030 Vision, we realised that a new approach to security was required, and shortly after the 2030 Vision was published, we followed up with The Evolution of Production Security.

The most significant proposal we made in this paper was that professional content creation should move to a “zero trust security architecture”. We didn’t invent it; the principles have been around for a long time. NIST (the US National Institute of Standards & Technology) published Special Publication 800-207, Zero Trust Architecture, in 2020, and Google had started deploying BeyondCorp, its zero trust architecture for its corporate infrastructure, a decade before. But we felt that the zero trust model is perfectly adaptable to the sort of distributed, multi-vendor approach we have in professional content creation.

The pillars of zero trust include:

  • Assume the security of the infrastructure is in a state of breach.
  • Everything (users, devices, services) must be authenticated before it can take part in any activity such as joining a network.
  • All authentication is mutual.
  • All activity is authorised by an authorisation policy.

MovieLabs Production Security Zero Trust Curriculum

MovieLabs has produced a series of videos, blog posts and papers that explain zero trust and what the core principles of trust, authentication and authorization mean in production workflow scenarios. We suggest watching/reading them in order to gain an understanding of this new approach:

Zero Trust and Protecting Cloud Production Video Introduction

MovieLabs Zero Trust Security Blog series is an introduction to the concepts behind zero trust and CSAP:

Then you can move on to the core architecture which we have designed for securing 2030 workflows…

The MovieLabs Common Security Architecture for Production

CSAP: Common Security Architecture for Production

MovieLabs has defined the Common Security Architecture for Production (CSAP), a zero trust architecture specifically designed for media creation. It is a zero trust implementation as might be used in other, non-media, organizations, with additional functionality designed specifically for media production.

CSAP has scalable security levels (100, 200 and 300), each of which has more granular security, so that productions and studios can adjust security levels for specific types of content, or even specific assets within a production, according to their risk assessment.

To help get to CSAP level 100, we introduced the CSAP Zero Trust Foundation. This is a zero trust architecture as might be used in any enterprise:

  • Identifiably separate sources of authentication and authorisation.
  • Authorisation controlled by authorisation policies.

We have divided the CSAP architecture into five parts to make it easier to read just the parts that are relevant to you (links will take you to the MovieLabs documentation site to read those sections).

Part 1: Architecture Description is the main architecture document.

Part 2: Interfaces describes the possible interfaces between the modules in a canonical form.

Part 3: Security Levels presents three security levels that are a metric-based approach to scaling security.

Part 4: Securing Software-Defined Workflow discusses how the security architecture can be applied to software-defined workflows that are managed using a service bus.

Part 5: Implementation Considerations covers different aspects of CSAP implementation in three sub-parts:

Part 5A, Starting Out, sets the stage for CSAP implementation and provides detail on the CSAP Zero Trust Foundation.

Part 5B, CSAP Core, Section 2 discusses implementation considerations for the CSAP core security components of identity and authentication, and authorization and authorization policies.

Part 5C, Approaches, covers using network configurations to implement zero trust, the ways to control access to assets and resources using authorization policies, and how the CSAP architecture can be used to facilitate end-to-end security on untrusted infrastructure.

If you prefer to read offline you can download the entire CSAP documentation set.

We periodically publish updates and additional parts to CSAP. The latest update was published in August 2023. Stay updated on the latest versions by checking the MovieLabs Media Creation Documentation Site.

“The new security architecture must be designed specifically to protect cloud workflows and individual assets rather than the infrastructure it runs on”
MovieLabs, “The Evolution of Media Creation”, 2019

Recommended Practices

MovieLabs has published two sets of recommended practices in relation to security of content creation.

Enhanced Content Protection For Production (ECPP)

CSAP is designed to protect the workflows of the 2030 Vision where media creation will largely occur in the cloud and be based on Software-Defined Workflows. However, on their journey to cloud production, the first step for many organizations is moving all or part of their infrastructure to the cloud while keeping it private to themselves.

Recognizing that there is an immediate need for those wanting to secure cloud resources today, perhaps in a hybrid private cloud environment, MovieLabs and its member studios have developed a set of recommended practices for production security today. We refer to these recommended practices as the Enhanced Content Protection for Production (ECPP).

The ECPP Recommended Practices and the Executive Guide to ECPP are available for download to help you in planning the security for your use of cloud resources in media production right now.

Recommended Practices For The Deployment Of Zero Trust In Media Production

ECPP is the first step in securing cloud infrastructure and is focussed primarily on the security of cloud services and their use. The MovieLabs Recommended Practices for the Deployment of Zero Trust in Media Production adds zero trust security to the set of MovieLabs recommended practices.

This set of recommended practices is applicable to zero trust security; however, the practices are not CSAP specific and apply to any zero trust security deployment.

Specs & Resources