CDSA

CPS 2021: Exploring the Evolution of CDSA’s Control Framework

Ben Schofield, technical director of the Content Delivery & Security Association (CDSA), used the Content Protection Summit (CPS) event on Dec. 16 to provide an update on the CDSA Control Framework.

During the Ransomware & Risk breakout session “The Evolution of CDSA’s Control Framework,” he reviewed CDSA’s progress to date on the Control Framework. The latest phase involves further mapping to industry best practices and collaborating with other leading control frameworks: CSA, CIS and OWASP.

He also looked at the roadmap for future phases, which covers real-time security and linking controls to incidents and risk.

CDSA previously launched its App & Cloud Assessment Program in 2021, extending its long-running security and assessment work into the world of software-driven cloud technology.

Challenges

“There are some fundamental problems with security controls,” Schofield said. “There are lots and lots of different security controls. When you actually start digging into them there are” many of them “across different industries,” he noted.

They are “all rooted in the same fundamental standards – the same basic principles – but they’re all interpreted in different ways,” he explained, adding that it is “very critical” that your organization has standards that are “aligned with the way you deal with risk and the way you respond to risk.”

However, he said: “The more time you spend in security control standards – the more time you spend with any standards – you kind of forget that this is really, for most people, it’s an alien language. It’s something that the security geek in the corner will understand. But it’s a very different way of describing a series of things you need to do and for most people it’s too obtuse. They’re not going to be able to get into it.”

So that is one major problem, he said. Another problem is that “there’s been this massive shift towards digital and towards cloud, and that’s been evidenced in recent years with the growth of the big streaming platforms,” he noted. “They’ve been all using kind of common technologies, common devices, common kind of backbones. And what we see in the market is very fast consolidation of media operations and the very rich, big organizations like an Amazon or Netflix actually doubling down and putting a huge amount more money into streaming content.”

On top of all that, the global pandemic, which we are still in the middle of, has “driven remote production and driven people working from home and driven consumption,” he noted.

“Given that backdrop, it becomes very important to make sure that what you’re doing is securing all your assets because some of the physical aspects of security don’t really apply when you’re doing that streaming,” he told attendees and those viewing virtually online.

Custom Control Issues

Historically, organizations have created custom controls because they are easier to write, Schofield said.

But they are difficult to maintain, he pointed out.

People also tend to bring their own perspectives to their creation that are, by their very nature, subjective, he noted.

So “there are some fundamental problems with custom controls,” he said, adding he learned that firsthand.

CDSA Start Instance Launch

He went on to discuss Phase One of the creation of the CDSA Control Framework.

That included initial mapping, committee workstreams and insight from practitioners, Trusted Partner Network re-alignment, a focus on new technology that was inclusive of site security, and the launch of the CDSA Start instance.

“Where we are after all those efforts is pretty close to launch in Q1” of 2022 for the CDSA Start instance, he said, adding CDSA has adopted a subset of the controls from Amazon Studios and is “using that as a starting point to get to launch.”

The Next Steps

Looking ahead, Schofield said that after the Q1 CDSA Start launch, one of CDSA’s goals is to drive adoption and it will address the tech stack, incident and risk, the shift to real time, and the security culture.

Last, he pointed to a list of five planned CDSA security controls:

  • Specific selection of controls for media production and distribution, based on existing frameworks and vetted by a panel of industry experts.
  • Maintaining continuity with existing annual audits for site security.
  • Evolution towards real-time security across the supply chain encompassing cloud infrastructure and new digital workflows.
  • Support vendors with consistent best practices for the common tech stack to reduce cost of implementation and improve security culture.
  • Intention to improve sharing of quantitative risk information through ISAC and incident analysis (Netflix is likely leading the industry with this approach); need to democratize it across the industry, out to the supply chain elements.

The Content Protection Summit was open to remote attendees worldwide using MESA’s recently introduced metaverse environment, the Rendez.Vu-powered MESAverse, an interactive 3D-world that allows for hybrid live and virtual events.

The event was produced by MESA, presented by IBM Security and Synamedia, sponsored by Convergent Risks, Richey May Technology Solutions, PacketFabric, archTIS, Code42, INTRUSION, NAGRA, StoneTurn and Vision Media.