CDSA

CDSA: App & Cloud Framework’s What We Needed to Deal With Threats in the Cloud

The Content Delivery & Security Association (CDSA) App & Cloud Framework “has been a long time coming, but we now have a good mechanism to start to deal with some of the threats in the cloud space,” according to Ben Schofield, CDSA project manager and Trusted Partner Network (TPN) product manager.

With the launch of the site security assessment program through TPN, CDSA’s board of directors immediately started work on the next phase of security assessments that included software applications and cloud environments.

In a May 27 presentation at the Hollywood Innovation and Transformation Summit (HITS) Live event, Schofield discussed how the common control framework is scalable and appropriate to the community and constituency of the TPN, but also mapped directly to other control frameworks and standards already being used within the media and entertainment industry. His overview also looked at the business situations and challenges that drove unprecedented collaboration across service providers and content owners.

The original TPN aims were “about improving content security in the studio supply chain, and that meant creating a common control set” and also “having an efficient operation,” Schofield said at the start of the presentation “CDSA’s App & Cloud Framework.”

The “central promise was that instead of everyone having to have multiple audits for each of the different studios, they could have a common audit that was shared by those studios,” he noted.

“That was great in the early days but, in the meantime, there’s been this acceleration towards the cloud, with audiences and revenues moving online,” he told viewers, explaining: “There’s been a lot of workflows moving into that digital space. So people are moving wholesale their infrastructure into the cloud, both in film and television. And that means you’ve got to reapproach what you’re doing with security culture.” It means you have to “audit much more frequently,” he noted.

When it comes to content security, “what we’re trying to do is get people to move in the media and entertainment space up [the] curve” towards better systems, he said. “Although we’re not regulated,” as more companies launch their own content portals, including Disney Plus and HBO Go, they now must also “deal with the rules” of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which have “actual financial penalties,” he pointed out.

“Originally, the App & Cloud concept was that you would track the applications, track the cloud platforms, and then we have a new set of controls,” he noted. “But when you look at the cloud platforms, they’re inherently, physically incredibly secure [and] they are massively scaled,” he said. Cloud platform data centers also “tend to be in out-of-the-way locations, [where] there’s no signage [and] “armed security guards,” he pointed out, calling it an “impressive physical set of security”

Applications in the cloud tend to be very small, he went on to say. “In the shift to cloud, it really becomes all about software [and] so although there will always be an element of the physical side, it’s all about how you do your software control,” he added.

“People have got to realize that you’re only one release away from a problem,” he warned. “Unless you’ve got that rigorous testing – that you’re secure by design – you’re going to have potential breaches,” he noted.

So, although the economics are “really driving people towards the cloud,” he cautioned that, “every time you move stuff in and out of the cloud, it costs you money and it’s slow to move big, heavy media objects into the cloud.”

Also, he explained: “When you go to the cloud, because of the nature of the change and the frequency of change, you need to increase the frequency of the audit, and it’s not economical to do that with an external, professional audit all the time. No one can afford to have an auditor full-time to be on their payroll.”

It was also important to develop a consistent approach that makes sure “we tackle the weakest link” in the supply chain, he pointed out. Supply chain assurance also “needs to be embedded into the culture,” so it’s important to establish a security culture within an organization from the CEO down, he stressed, adding: “You can’t just do [an] exercise once a year and carry on serving and just basically prepare for the audit, get through the audit and then forget about it for another year. This is something that needs to be continually one a year.”

“So a lot of good work has been done on App & Cloud” thus far, he told viewers, adding: “We’ve taken a slightly different approach in the last few months” that includes: Map controls from industry standards, with frequent updates; leveraging cloud platforms’ best practice and design patterns; delivering documentation in a usable format that is easily applied to any size of business; automating tracking and checks to reduce the cost of audits; and helping to develop new skills to build a security culture.

By building a control set, “it means an individual company can build the procedures that they need to against the controls that apply to their service,” he explained.

The “very detailed” control set that has been developed is now about 2,000 lines, he noted, adding: “Our aim here is to try and reduce that down – to try and get that down to around” 500-600 controls, with about 150 at a top level.” CDSA is now publishing the top 50-100 controls so people in the industry can start thinking about it for their businesses, he said.

In summary, what CDSA has developed is a “very comprehensive approach [and] we’re in the first stages,” he noted.

Click here for the presentation slide deck.

The May 27 HITS Live event tackled the quickly shifting IT needs of studios, networks and media service providers, along with how M&E vendors are stepping up to meet those needs. The all-live, virtual, global conference allowed for real-time Q&A, one-on-one chats with other attendees, and more.

HITS Live was presented by Microsoft Azure, with sponsorship by RSG Media, Signiant, Tape Ark, Whip Media Group, Zendesk, Eluvio, Sony, Avanade, 5th Kind, Tamr, EIDR and the Trusted Partner Network (TPN). The event is produced by the Media & Entertainment Services Alliance (MESA) and the Hollywood IT Society (HITS), in association with the Content Delivery & Security Association (CDSA) and the Smart Content Council.

For more information, click here.