MovieLabs has published a recommended set of security practices for anyone who uses cloud services for production, writes Spencer Stephens.
MovieLabs' latest set of guidelines is aimed at those creating and helping to create TV and motion pictures: production services vendors, technology and cloud services providers, the studios and productions themselves, and others who want to ensure the security of vendors and service providers. The Enhanced Content Protection for Production (ECPP) has been developed by the team here at MovieLabs along with our member studios - Disney, Paramount, Universal, Warner Bros and Sony Pictures - and in conjunction with security experts from across the industry.
The goal of the ECPP is to provide a studio-endorsed guiding set of high-level, recommended practices for establishing and managing cloud security. The ECPP guidelines are recommendations for anyone dealing with content to achieve an acceptable level of security in today’s cloud-based workflows and can be used across all stages of production.
The ECPP differs from the Common Security Architecture for Production (CSAP), which we published earlier this year. CSAP focuses on delivering a new security approach to support the 2030 Vision, while these ECPP guidelines are intended for use today and provide a bridge to CSAP.
The guidelines assume that on-premises security is managed correctly and only cover practices for production that are new or significantly different when cloud resources are used. Therefore, ECPP does not cover the many existing security best practices that also apply to the cloud, including for remote work, which today commonly uses on-premises infrastructure.
The ECPP was developed in response to the many stakeholders in studios and production companies involved in content production in the cloud. As the world of media production is rapidly changing and with the migration of various parts of the workflow to the cloud, there have been increased instances of disparate practices to keep content safe and secure.
Why is it important to you?
The ECPP is not a set of requirements, but studios and others contracting production services may choose practices from the ECPP when defining security requirements for their vendors.
MovieLabs has endeavored to help the industry navigate the complex issue of cloud security, and these guidelines aim to help you create resiliency and build a plan to respond to an incident. Security incidents and cyber-attacks are costly, both in revenue and reputation. These guidelines have been developed to help businesses develop a plan to respond to an incident and recover afterwards and are based on industry best practices.
We cannot consider the security of media production in isolation from the wider cybersecurity landscape. Our industry does not get a pass because it does not handle financial or healthcare data, and like those industries, threats to media production come from professional criminals as well as amateurs.
Theft of pre-release content and ransomware are both sources of income for criminals, who are becoming much more sophisticated: they have an extensive set of cloud offerings to draw upon, and their methods include targeting employees through various phishing techniques.
Uninformed staff are more likely to make mistakes, be phished and cause an incident or breach. Training staff in security procedures, phishing and social engineering is critical to the security of your operation.
How to start to plan a security strategy
Don’t start to plan in the security dashboard of your cloud services provider. You need a plan, and a methodology for creating it, that is not much different from the one you had when you secured on-premises infrastructure. The difference is the tools you will use to go from plan to action.
There are five steps in the ECPP framework for making a security plan:
1) Identify and develop an organizational understanding to manage cybersecurity risk to systems and people.
2) Protect your organization by developing and implementing appropriate safeguards to ensure service delivery. Security tools and best practices from the cloud providers are designed to assist you in protecting your use of their services.
3) Detect the threat by developing and implementing appropriate activities to identify the occurrence of a cybersecurity event.
4) Respond by developing and implementing appropriate activities to take in the event of a detected cybersecurity incident. This plan must also be practiced to ensure lessons are learned and any updates and improvements can be made.
5) Recover from any breaches by actively developing activities to maintain plans for resilience and restore capabilities following a cybersecurity incident.
The tools to develop an effective security plan covering these five areas are covered in the ECPP and give a good basis for developing a plan specific to your organization.
Securing your content in the cloud starts with people, not technology. The ECPP examines best practices and gives guidelines to anyone creating content in the cloud to help them prepare and be ready for any incidents before they happen. It is essential reading for anyone who has been charged with preparing their organization for potential security attacks. It is available for free download from MovieLabs.com.
Spencer Stephens is SVP, Production Technology & Security, MovieLabs