MovieLabs Previews Security Architecture 2030 Vision

As production continues to shift further to the cloud, a new security architecture is required to help the entertainment industry achieve new security goals, Spencer Stephens, lead technologist, production security for MovieLabs, said during an “Exclusive Preview of Security Architecture 2030 Vision” at the Dec. 8 virtual Content Protection Summit.

MovieLabs, a joint venture of the five major Hollywood film studios, is “working on a variety of technology challenges,” he noted.

But, “in this particular case, we’re talking about the next-generation production technology,” he said, noting MovieLabs has published three white papers on the subject, “starting with a 10-year vision of the future of production” in September 2019.

That was followed by a white paper on a new security framework and then the most recent one, on software-defined workflows, he pointed out.

“The key takeaway from the vision paper was that a new approach for security was needed when we start looking at production in the cloud and, of course, that led to the new security white paper,” he said.

“The vision paper postulates production cloud as being a global resource for everyone working on a production, and that cloud is outside of the security perimeter for any particular facility because the resources are outside of those perimeters, outside of those facilities,” he noted.

Today, if organizations have a facility using a hybrid cloud, they can keep their security perimeter around that because they “really own those resources – they’re an extension of their on-prem infrastructure,” he pointed out.

But production entirely in the cloud is different because “it is a global resource,” he said, explaining: “The workflows move into the cloud… and we’re now in a situation where everything is happening outside of the security perimeter.” There are many individual contributors and small vendors connected directly to the cloud and not working from a facility as part of this scenario, he noted.

That is “something that has become commonplace … in the last few months” especially, during the COVID-19 pandemic, he noted.

He went on to “break down” the anatomy of a typical production task/workflow, noting that a user is carrying out a task and will do it using a computing device, an application and an asset. “Today, that is happening on a trusted infrastructure and it’s trusted because it is within a security perimeter,” he pointed out.

However, “when we take that workflow and move it into the cloud… we’re faced with doing it on an infrastructure that can’t be trusted – you can certainly make it secure, but in this case, remember, we’re saying that this is a global resource, so trying to secure it within a perimeter becomes very difficult,” he said.

And “the solution to this” is that we “start using a zero-trust architecture,” with an authenticated user (authentication being an important component of zero trust, after all) performing authorized tasks on trusted devices with approved applications to protect an asset, he noted.

At the same time, the security perimeter is “shrunk down to the absolute minimum” and there is a perimeter for each part of the workflow, he said.

An important component of this solution is that we are protecting the assets rather than the infrastructure being used to store the assets, he noted.

This new Security Architecture is a dynamic, policy-based, collaboration-oriented security architecture for production in the cloud, according to MovieLabs.

One goal that is “absolutely paramount” is that “the security does not interfere with the creative process,” Stephens pointed out.

Providing a “high-level view” of the new architecture, he noted that there are four Core Security Components that are domain specific: Authentication Service, Authorization Service, Asset Protection Service and Policy Service.

Then there are multiple Supporting Security Components that are non-domain specific and include: Identity management, trust inference, continuous trust validation, Certificate Service, continuous monitoring and security operations, and threat analysis and intelligence.

And all of that is driven by the Production Management goals, which are workflow and asset management, Stephens noted.

For the Authorization Service, security policies are created that allow any work to take place and can include static policies based on preassigned permissions or dynamic policies based on assigned tasks, he said.

For the Asset Protection Service, access to assets is controlled using the encryption of individual files or granular access controls, he noted. And the Policy Service combines Authorization Service policies with global policies and breach/threat information, and acts on the result, he added.
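As an added illustration (not MovieLabs' architecture or code) of how the components just described might combine at decision time: a toy policy evaluator in which static preassigned permissions and task-based dynamic grants make up the authorization policy, while global policy and breach/threat information override it, and the zero-trust checks on device and application run before any access is granted. All users, devices, applications, assets and tasks below are constructed sample values, and authentication is assumed to have already produced `req.user`.

```python
# Constructed illustration of a zero-trust policy decision; not MovieLabs' code.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Request:
    user: str            # authenticated identity (authentication assumed done)
    device: str
    app: str
    asset: str
    action: str
    task: Optional[str] = None   # production task the user is working under

# Authorization Service inputs (all sample data, constructed for this example)
STATIC_PERMS = {("alice", "read", "shot_042_plate")}            # preassigned permissions
TASK_GRANTS = {"comp_shot_042": {("read", "shot_042_plate"),      # per-task dynamic grants
                                 ("write", "shot_042_comp")}}
USER_TASKS = {"bob": {"comp_shot_042"}}                          # who is assigned which task
TRUSTED_DEVICES = {"ws-001", "ws-002"}
APPROVED_APPS = {"nuke", "resolve"}

# Policy Service inputs: global policy and breach/threat information
GLOBAL_POLICY = {"suspend_writes": False}
COMPROMISED = {"users": set(), "devices": set()}

def authorized(req: Request) -> bool:
    """Authorization policy: a static permission, or a grant from an assigned task."""
    if (req.user, req.action, req.asset) in STATIC_PERMS:
        return True
    if req.task in USER_TASKS.get(req.user, set()):
        return (req.action, req.asset) in TASK_GRANTS.get(req.task, set())
    return False

def decide(req: Request) -> Tuple[bool, str]:
    """Policy Service: combine authorization policy with global policy and threat info."""
    if req.user in COMPROMISED["users"] or req.device in COMPROMISED["devices"]:
        return False, "threat intel: principal flagged as compromised"
    if GLOBAL_POLICY["suspend_writes"] and req.action == "write":
        return False, "global policy: write actions suspended"
    if req.device not in TRUSTED_DEVICES:
        return False, "device not trusted"
    if req.app not in APPROVED_APPS:
        return False, "application not approved"
    if not authorized(req):
        return False, "no static permission or task-based grant"
    return True, "allow"
```

The deny reasons are returned rather than printed so that a monitoring or security-operations component could log them alongside the request.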

MovieLabs plans to publish the new Security Architecture in 2021, he told viewers at the end of the presentation. It’s expected early in the new year.

More details on the Security Architecture can be found at: www.movielabs.com/production-technology

Presented by Microsoft Azure, the Content Protection Summit was sponsored by SHIFT, Genpact, Akamai, Convergent Risks, Friend MTS, GeoGuard, PacketFabric, Palo Alto Networks, Richey May Technology Solutions, Splunk, Zixi, EIDR, Cyberhaven and Xcapism Learning.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.