Cloud production has presented a remarkable opportunity to migrate to more efficient content workflows and in turn created an urgent need for a dedicated security architecture. It sounds daunting, yet most of the tools required are already readily available – primarily drawing from existing entertainment DRM systems and emerging cybersecurity systems.
We are in the middle of a cybersecurity war, warns MovieLabs in a new whitepaper, and the answer apparently lies in the following six simple security principles:
- Security is intrinsic and does not inhibit creative processes
- The security architecture addresses challenges specific to cloud workflows
- Production workflows, processes and assets are secure, even on untrusted infrastructure
- The content owner controls security and workflow integrity
- The security can be scaled to appropriate levels and can integrate
- The security architecture limits the spread of any breach and is adaptable
The way we see it, the 50+ page MovieLabs research (available in full here) really boils down to one security principle – Zero Trust – which is ultimately another way of saying ubiquitous security.
To achieve the 2030 vision presented by MovieLabs for securing the future of media production, the application of Zero Trust architectures to production workflows is a must – building on existing tools and practices by embracing new ones. Two new concepts are introduced – encryption key management services and authorized applications.
Both are rather self-explanatory. Encryption key management services are designed to manage the creation, storage and distribution of encryption keys, while authorized applications are exactly that. However, we must keep in mind that the application of Zero Trust architectures, which typically focus on enterprise networks, goes well beyond that. Zero Trust embeds security in every piece of hardware and software in a system – shifting the security focus from the perimeter (firewalls, VPNs and web gateways) to endpoint security and traffic inspection.
This all-encompassing hardware and software approach allows companies to build upon existing security practices – meaning security controls defined by the likes of the Trusted Partner Network will continue to be essential in securing new cloud-based workflows.
In the research, commissioned from Forrester, a number of Zero Trust platforms are identified and analyzed from the following vendors – Akamai, Check Point, Cisco, Cyxtera Technologies, Forcepoint, Forescout, Google, Illumio, MobileIron, Okta, Palo Alto Networks, Proofpoint, Symantec, and Unisys.
Let’s take a closer look at one in particular. Akamai is setting out its stall as an all-rounder in the cybersecurity space by concentrating on threats inside client networks – not just those perpetrated by insiders but also malware and viruses that have penetrated firewalls, intrusion detection systems or other perimeter defenses.
These come under the banner of Zero Trust, with the aim being to detect, isolate and, where possible, eradicate threats wherever they arise, through a multilayered approach. One of Akamai’s goals here is to stop malware propagation after it has beaten initial defenses and penetrated deeply inside an enterprise network. This requires more granular access controls linked to specific applications, combined with techniques that make it harder for malware to propagate, or for an attacker to gain access to other corporate systems beyond the one targeted.
Under the same Zero Trust banner, Akamai has brought out tools to help prevent exfiltration of internal data, which has been the cause of various damaging breaches where confidential customer details have been leaked. The impact of such breaches, through phishing attacks on, and identity theft from, the consumers whose data was originally stolen, can roll on for several years. Akamai has countered with new adaptive access control tools designed to match trust with risk as the latter varies, the key being the ability to assess when the level of threat has temporarily increased. Controls can then be enforced only when necessary so as to minimize impact on the user experience, although under Zero Trust security the default is to deny access and only ease restrictions when it is clear there are no threats.
What struck us most though about the Akamai announcements was the focus on attacks against APIs, which have grown rapidly in frequency with proliferation of apps themselves, driven by mobile services. For dedicated streaming vendors, APIs have been a major focus from the outset as they provide the front door to their ecosystem of microservices, which tend to come under three categories.
First are the upfront and back office services, such as free trials, sign-up and billing. Second are content discovery services, including recommendations and search. Third is playback, where rights are enforced and security comes into play.
MovieLabs reiterates that simply protecting assets is not sufficient. Going forward, it is imperative that processes and workflows be protected along with assets so they can be orchestrated as intended – securing against functions being subverted or outputs being redirected.
Shifting security certification to that of applications sidesteps the challenge of applying perimeter security models to cloud workflows, according to MovieLabs.
A benefit is that the two are complementary; the workflow enables the new security architecture, and the security architecture protects the new workflow. As such, the authentication services tie into audit systems that record potential activity, as well as general activity.
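As an added example, not code from the MovieLabs paper or from any vendor named here, the sketch below models the paper's two new concepts together with the default-deny, risk-adaptive and audited behaviour described above: a key management service that releases an asset's key only to an application the content owner has authorized for that asset and workflow step, refuses while the monitored risk score is elevated, and records every decision. The application identities, asset id, workflow steps, risk scores and risk ceiling are constructed values, and the risk score is assumed to come from some external monitoring source.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class KeyRequest:
    app_id: str          # identity of the requesting application
    asset_id: str        # content asset whose key is wanted
    workflow_step: str   # workflow function the application is performing
    risk_score: int      # 0 (normal) .. 100 (elevated); assumed to come from monitoring

@dataclass
class KeyManagementService:
    """Content-owner controlled key service: default deny, risk-adaptive, fully audited."""
    risk_ceiling: int = 50                           # above this, no restrictions are eased
    authorized: dict = field(default_factory=dict)   # (app, asset) -> permitted workflow steps
    keys: dict = field(default_factory=dict)         # asset -> content key (creation and storage)
    audit: list = field(default_factory=list)        # every request, granted or denied

    def register_asset(self, asset_id: str) -> None:
        self.keys[asset_id] = secrets.token_bytes(32)   # key never leaves the service unless granted

    def authorize(self, app_id: str, asset_id: str, steps) -> None:
        self.authorized[(app_id, asset_id)] = set(steps)   # the content owner sets this policy

    def request_key(self, req: KeyRequest):
        decision, reason = "deny", "application not authorized for asset"   # default deny
        steps = self.authorized.get((req.app_id, req.asset_id))
        if steps is not None:
            if req.workflow_step not in steps:
                reason = "step not permitted"              # a subverted function gets no key
            elif req.risk_score > self.risk_ceiling:
                reason = "risk elevated"                   # adaptive: tighten only while risk is high
            elif req.asset_id not in self.keys:
                reason = "unknown asset"
            else:
                decision, reason = "grant", "policy satisfied"
        self.audit.append({"app": req.app_id, "asset": req.asset_id, "step": req.workflow_step,
                           "risk": req.risk_score, "decision": decision, "reason": reason})
        return self.keys[req.asset_id] if decision == "grant" else None

def demo():
    kms = KeyManagementService()
    kms.register_asset("asset-0042")                               # constructed asset id
    kms.authorize("grading-app", "asset-0042", ["colour-grade"])   # constructed policy
    reqs = [KeyRequest("grading-app", "asset-0042", "colour-grade", 10),   # expected: grant
            KeyRequest("grading-app", "asset-0042", "render", 10),         # wrong step
            KeyRequest("grading-app", "asset-0042", "colour-grade", 80),   # risk elevated
            KeyRequest("rogue-app", "asset-0042", "colour-grade", 0)]      # unauthorized
    return kms, [kms.request_key(r) for r in reqs]
```

Only the first request receives a key; the other three are denied for different reasons, and all four appear in the audit trail with the reason recorded.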
This latest research from MovieLabs is a follow-up to the media landscape 2030 vision published earlier this year, conducted with Hollywood studios, which identifies a number of opportunities in media production and creative technologies, covering security, cloud migration, software-defined workflows – and 10 specific principles for the future of media creation.
MovieLabs and its partners will be busy building the foundations of a dynamic and scalable security system over the next few years, capable of supporting future innovations in applications and workflows. An important point is that MovieLabs doesn’t see security features offered by cloud providers dominating this future security architecture – thereby enabling multi-cloud operation.
Come 2030, it envisages a virtualized production environment where workflows are distributed among remote workers, and where a secure cloud environment can benefit the media landscape by allowing smaller firms or individuals to participate without compromising security.