The Content Delivery & Security Association (CDSA) has “made good progress” so far with its App & Cloud Framework, according to Ben Schofield, CDSA project manager and product manager of the Trusted Partner Network (TPN).
With the launch of the site security assessment program through TPN, CDSA’s board of directors immediately started work on the next phase of security assessments that included software applications and cloud environments.
At last year’s NAB Show in Las Vegas, TPN announced a goal to release a common control framework that is scalable to the size, appropriate to the community and constituency of the TPN but also mapped directly to the control framework and standards already being utilised within the media and entertainment industry.
In the July 2 security breakout session “CDSA’s App & Cloud Control Framework” at the Global Media & Entertainment Day event presented live, virtually, from London, Schofield explained the business situations and challenges that drove unprecedented collaboration across service providers and content owners, explained the importance of security audits, and provided an update on the framework.
“I think it’s been obvious over the last few years that there’s been quite a change in the media supply chain,” he told viewers. “As audiences and revenues are moving online, there’s been also a big change in the technology around production and distribution,” he noted.
In addition to audiences and revenues moving online, other new challenges for the sector include consolidation of digital production and distribution, and a rapid shift to cloud-based workflows. New skills and security culture are required, according to Schofield.
There are anywhere from 5,000 to 10,000 vendors in the current supply chain, he noted.
Pointing to the importance of security assessments, he predicted there will always be some sort of physical infrastructure — even if it is home broadband like we mainly have right now during the COVID-19 pandemic.
“The shift to cloud has really been driven by the economics,” he said, noting that one advantage of it is the idea that an organisation no longer has to invest in a physical facility. Another advantage of shifting to the cloud is that “you can spin stuff up and down very quickly.”
In addition, by shifting to the cloud, “you’re no longer making capital investments — these are now operating expenses,” he said.
However, “one of the inhibitors to moving media to the cloud has been this perception that it’s slow to move big, heavy objects … to the cloud and expensive with the egress costs to move stuff out of the cloud,” he pointed out.
But there is a “new philosophy now, which is that once you’ve contributed that content into the cloud, you can move the tools and skills to the work,” he said, noting that, “in the last four months, we’ve seen people moving their production, their distribution functions, their editing functions into the cloud.”
Significantly, what also changes with moving to the cloud is the frequency of audits, he told viewers.
“If you’re building an edit suite and you’re putting a lock on the door and alarms and badge access, you know that an annual audit and then maybe a network check every quarter is going to be sufficient because there’s not much change going on,” he said.
However, “if you’re in the cloud domain and you’re spinning up and down productions, you’re making changes all the time — there’s that agile approach — [so] you need to have that much higher frequency of audit to check that things aren’t being breached,” he stressed.
Pointing to three major studios, he said Disney may have 3,000 vendors in its supply chain, while Comcast’s NBCUniversal may have 1,500 and BBC Studios 500-600. And “you’d be lucky to find security experts in many of those vendors,” he said.
An organisation can’t just do its annual audit and move on anymore, he said, adding: “You’ve got to make sure that there’s a culture that’s been established that really looks at security all the time.”
Explaining the need for a new approach, he said: “I think the most important point here is making sure the security documentation is delivered into those vendors, into the supply chain, in a usable format that any size business can use.”
As part of this approach, “we’re going to take the controls that were originally ready and map them back to those industry standards,” he said. With that, he said, we will be able to “provide, depending on the use case, each of the vendors with a series of controls that they need to really develop a procedure for.”
Because of the pandemic, there was a great need to develop an audit process to look at media organisations’ data “remotely and give ongoing advice and guidance to the community” without physically traveling to facilities, he went on to say.
Building a control set also enables individual organisations to build the procedures that they need against the controls that apply to their service.
The detailed control set that is being published for organisations to use was narrowed down to the top 50 “to try and make this a bit more easy to digest,” Schofield said, noting it includes a spreadsheet with the detailed controls and the links.
Now, “we need to publish and promote this top 50,” he said, noting it was to become available after the July 4 holiday weekend so that the wider business community could become engaged.
The plan is to continue the detailed mapping of the current controls, which are now at about 800 controls, he said, adding: “We need to try and get that down to around 500.”
“I think we’ve made great strides in how we’re going to apply the … controls,” he said, but conceded there are “still some challenges.”
A lot of interest is being seen from the CDSA community, he said, but added: “I really think the most important thing here is to get the wider business community engaged with security, and not just think it’s a once-a-year occasion that you can push off into a very narrow specialty within your technical department.”
The fourth annual M&E Day event, presented by the Media & Entertainment Services Alliance (MESA), featured mainstage panels and more than 15 breakout sessions, covering the latest in data, cloud, IT and security across the media and entertainment technology ecosystem.
The event was presented by Caringo, with sponsorship by Convergent Risks, Cyberhaven, Richey May Technology Solutions, RSG Media, Signiant, Whip Media Group, Zendesk, Seagate Powered by Tape Ark, Sony New Media Solutions, 5th Kind, ATMECS, Eluvio, Tamr, the Audio Business Continuity Alliance (ABCA), the Entertainment Identifier Registry (EIDR) and The Trusted Partner Network (TPN).