M+E Daily

CPS EU: CDSA App & Cloud Control Framework Aims for Accessibility

The Content Delivery & Security Association (CDSA) used a session at the June 29 Content Protection Summit Europe (CPS EU) event to formally launch its App & Cloud Control Framework.

During the darkest days of the COVID-19 pandemic, a group of 20 companies worked together to formulate a unique approach to addressing application and cloud security in the media and entertainment sector. The CDSA App & Cloud Control Framework extends its assessment community into the software-driven cloud domain with a goal of reduced audit costs and increased consistency in assessments across the future ecosystems of the industry.

The chairs of the CDSA Technology Committee and the technical director leading the effort across multiple workstreams and areas of risk management provided the update during the session “CDSA’s App & Cloud Control Framework.”

One goal was to make it accessible to small vendors, according to Ben Schofield, CDSA project manager.

“Rather than present 500 controls that most people aren’t interested in, we tried to break it down into different areas,” he said. That meant the development, executive, ops, security and tech teams could “all focus in on the set of controls they are responsible for,” he noted.

It took a group effort among volunteers to complete the control set review, he told viewers. It resulted in “strong foundations” and the achievement of framework alignment, he said. CDSA has “received great feedback” on the open source frameworks so far and is “publishing this for peer review,” he added.

Technicolor Take

Micah Littleton, VP of global content security at Technicolor, kicked off the session, noting that his firm “has its hands in many different service lines, spanning from visual effects, across episodic film, animation, gaming” and the advertising communities.

“One of the things that we had a challenge with – a little bit over six-seven years ago – [was] creating a form of a framework that would satisfy a lot of those industries,” Littleton said. “As you can imagine, being a vendor with the sheer number of customers that we have, every customer kind of came in and had their specific guidelines [for] how they want their content handled, even down to the level of ‘Well, tell me how you’re going to protect my content,’” he said with a laugh.

“Leveraging the baseline MPA best practices was a good start for us – and not only from an external customer point of view,” he said. “But us being a large organization, we have a responsibility to report up to our internal audit committee and identify risk and go through risk assessment on an annual basis. So those guidelines really proved very beneficial to get everybody comfortable in working across our different service lines and five different brands under the Technicolor umbrella.”

When talking about cloud and application best practices and configuration guidelines, a “very similar model kind of applies,” he said, adding: “We’re at a point right now where we leverage the cloud very heavily with regards to additional render capacity. We’re also doing internal software development. A lot of what we’ve built so far is based upon other industry guidelines, specific to the CDSA… We’ve really built a fairly good ecosystem. But, again, it’s something that’s pointing outside of our internal community.”

One of the “action items we had” was to “take the work that Ben Stanbury” of CDSA and his team had done and “see how we can kind of map back to those other industry guidelines based upon specific controls that are relevant to our industry,” Littleton pointed out.

The “fruits of that labor” are now being seen, he said, adding: “I firmly believe that once this gets accepted by the content owners and pushed out to our industry, it’s really going to serve as a helpful baseline for us to do a very similar self-assessment and get us prepared for any upcoming customer reviews. Really do a proper checks and balance within our environments on an annual basis just to make sure that we’re maintaining best practice and are exceeding best practice. We always go for the latter. But again it’s about leveraging that common solution and best practice that everybody agrees upon.”

CDSA knows it is “going to continue to go through many audits, especially outside of the direct media and entertainment community, with regard to film and episodic content,” he said.

When it comes to the gaming and the advertising community, for instance, “I feel like we have a really good opportunity there to start to bring them into this, as a second phase,” he said.

Adobe Take

It was important to “make sure that the process itself to communicate our security position is a bit more clear and more readily available,” according to Todd Burke, principal solutions engineer at Adobe.

The control set is an “interesting consideration that I think all the software creators need to address to make sure that the appropriate controls are in place for their packages to be utilized by whoever is taking advantage of them so that… the content supply chain is as secure as possible,” he said.

He was “really glad so many people came together and there was such great work across the board for all the volunteers that were looking at this rather monolithic spreadsheet,” he said, adding: “Being able to have a cohesive security framework that we can kind of all look at and agree upon and use in our discussions and, most importantly because I answer a lot of them, our security reviews, is going to be helpful to everybody.”

Microsoft Azure Take

“As a hyperscale cloud provider, I have to address all of Micah’s problems as a platform service provider, all of Todd’s problems as an application, plus all the customer concerns around how to build a secure environment fully virtualized in the cloud as opposed to trying to piece it together themselves,” according to Joel Sloss, senior program manager at Microsoft Azure and CDSA board member.

“So what that ends up looking like is Azure complies with, I guess, pretty much any standard and assessment that’s out there,” he said.

There are also “heaps of data privacy regulations,” including the General Data Protection Regulation (GDPR), so, “as a multi-industry platform, we try to drive as much consistency as possible – not just in the frameworks that we support and the controls we align to – but layered security services that will give customers not just assurance but the ability to customize,” he explained.

“So if you bring that back around to the controls themselves… it makes it straightforward for us to align with what the M&E community needs and provide specific guidance to enable those different workflows,” he told viewers.

As an example, for Adobe, that might be editorial in the cloud, he said. “But there’s a lot of concerns that the framework has to address, such as even basic authentication and authorization, data encryption, multi-factor authentication that we provide as a service but then the application platform plugs into, the user configures, and the framework gives everybody a common set of guidelines to leverage,” he explained.

Schofield interjected to point out it was worth noting “how easy it’s going to be to find the right and the latest information” because “one of the key parts of this initiative is to provide people, in their tech stack, with that direct link into the best practice.”

“Absolutely,” said Sloss, adding: “There’s some work that we’ve done over the last few years in working with not just CDSA but other standards bodies in this particular industry so we have guidance that is designed for workflows such as editorial and that spans Adobe and Avid and others, VFX and animation and burst renderings… as well as remote desktop. So this is guidance that is mapped to the CDSA controls and Motion Picture Association guidelines and best practices.”

Content Protection Summit Europe was presented by Convergent Risks, with sponsorship by Richey May Technology Solutions, Synamedia, BuyDRM, Friend MTS, NAGRA, and X Cyber Group.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA board of directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.