CDSA

CDSA Provides Update on App & Cloud Control Framework

The Content Delivery & Security Association (CDSA) used a session at the Dec. 8 virtual Content Protection Summit to provide an update on its App & Cloud Control Framework that was designed to deal with some of the threats in the cloud space.

During the DLP, Accessibility & Framework breakout session “Top 50 Categories for CDSA’s App & Cloud Control Framework,” two of the tri-chairs of the CDSA Technology Committee presented the work CDSA announced at last year’s CPS event. The industry goal is to release a common control framework that is scalable to the business size, appropriate to the community and constituency of the Trusted Partner Network (TPN), and mapped directly to the control framework and standards already being utilized within the industry.

TPN is a joint venture between CDSA and the Motion Picture Association (MPA).

Offering a 2020 refresher, Todd Burke, one of the tri-chairs, said the CDSA board “elected to take the control framework and narrow it down while sort of mapping it to existing controls… rather than creating an entirely new control set” because they felt that “made more sense.”

April marked the start of the formalized Technology Committee with him and the other two co-chairs working together, he noted. In July, they “started to manage the task and utilize volunteers” and created “workstreams” (working groups) “to basically look at the key … portions of the control frameworks,” he told viewers.

Then, “through August and September, the workstreams were solidified and we conducted some initial workshops,” according to Micah Littleton, another of the tri-chairs. There were many questions asked and the committee wanted to provide guidance to the workstreams “to help us down this path,” he said.

There are some key points to keep in mind, Littleton noted:

  1. Writing and maintaining custom controls requires a huge volunteer effort and they “wanted to get something off the ground” to provide to the industry to get the initiative moving. They started by leveraging what was established and the plan was to grow organically over time.
  2. Cloud platforms are consistently innovating new products at pace and it’s hard to keep controls aligned. They felt it was important to leverage each cloud platform’s specific best practice and design patterns.
  3. Cybersecurity needs to be seen as a business risk, not a technical discipline. So the goal was to deliver documentation in a usable format that’s easily applied to any size of business.
  4. There’s consensus across the security community of the media and entertainment industry and ratification by studio security leads. “We want to make sure that we have a good example input from various vendors and various content owners and various people that actually work in the M&E industry to really provide a level of guidance to the big vendors, but also the smaller vendors down the road.”

There was a Security and Technology Committee meeting in September and “we did a lot of work in the last 90 days or so,” Littleton noted, adding: “We kicked off on the ground in September…. We knew that we got something out there. But there [were] a lot of questions being asked and we needed to make sure that we kind of implemented a form of a regular cadence.” At the same time, however, they wanted to “make sure that we were kind of delivering something by the end of the year,” he explained.

Instructional workshops were held to address any misalignment, clarify mappings and address general questions, Littleton said. “Lessons learned” were shared with other workstreams to answer questions they may not have had, he noted, adding that, overall, workstreams have risen to the challenge of balancing day jobs and the pandemic.

“Everybody’s waiting for the next curveball in 2020,” Littleton told viewers, noting: “I just went through a power outage myself…. But the enthusiasm is definitely there. Everybody wants to take this industry forward on cloud and application best practices, and us overcoming the hurdles this year, I think, is a monumentous task.”

Although there are still some hurdles, the CDSA believes there is an overall positive result and a great deal of momentum has been achieved in a short period of time, according to the tri-chairs.

Burke then provided a cloud and application controls general update, saying:

  • “The top 50 categories are ready.”
  • Committee workstreams have been “refreshed” but more help can always be used from volunteers.
  • Training has been completed and mapping is underway.
  • “Progress reporting has been established.”
  • There has been a great blend of industry expert review and consensus.
  • Tough questions are being asked and the methodology is being challenged, which has prompted peer review and feedback.
  • “Thankfully, there’s been a keen interest in the cloud” although “COVID was a swift kick” and “that’s changed the dynamic to make what we’re doing here a little bit more urgent.”

Ben Schofield, project manager of CDSA and product manager of TPN, as well as moderator of the panel session, said: “We started this process [with] about two and a half thousand controls and we’re trying to get down to a target of around 500 controls.”

Burke then provided the latest statistics on mapping progress and said: “Because of COVID and other things, we’re a little bit behind on software development and cloud infrastructure, but we’re hoping to pick up steam through the end of the year and possibly into the beginning” of 2021.

Moving on to discuss the next steps, he said they are looking to maintain momentum gained in the last two months by continuing to hold regular meetings with workstreams, driving to completion. They are also looking to deliver a portion of the Security Control Framework with mapping to the board by Dec. 31 for review.

They are “hoping to deliver on” the People & Process and Site Security part of the framework by Dec. 31, according to Littleton. “If anything, we’re going to be delivering a component of this to the board,” he said, adding: “We’re really going to keep on track to try and get the Cloud and Infrastructure” component also, “but that could be challenging just given some bandwidth concerns that we have within that workstream, but we’re definitely going to try.” And the development component “could carry into Q1 2021,” he conceded.

“Frankly, this is a bit more of a complex project than maybe we had originally thought — but it’s extremely important,” Burke pointed out.

Concluding, Schofield explained: “We want to make sure that this is something that everyone can put their input into… We think what this prepares the industry for is to be able to improve the cybersecurity in what’s becoming a much more dynamic environment.”

Presented by Microsoft Azure, the Content Protection Summit was sponsored by SHIFT, Genpact, Akamai, Convergent Risks, Friend MTS, GeoGuard, PacketFabric, Palo Alto Networks, Richey May Technology Solutions, Splunk, Zixi, EIDR, Cyberhaven and Xcapism Learning.

The event was produced by MESA, CDSA, the Hollywood IT Society (HITS) and Women in Technology Hollywood (WiTH), under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group.