M&E Journal: Compliance in Cinema

By Joel Sloss, Microsoft

If an authentic Picasso was stolen off your wall, would you care? If you had hand-restored a classic car from the frame up and a tree fell on it, would you be unfazed? Most people who invest heavily in something, whether it be financial or sweat-equity, feel a bit put out when something happens to it, and typically try to take steps to ensure they are protected from such eventualities.

But the artistry that goes into making original theatrical or television content is rarely afforded the same consideration. In fact, some of the very same people working on the development of those assets will proactively circumvent the protections designed to safeguard their efforts. Why is this so? Why do we seemingly not care when content is stolen, pirated, leaked, or otherwise exfiltrated? It shouldn’t be considered the cost of doing business when it is in fact altogether avoidable.

Fade-in: the landscape

Too often, security is considered an impediment to freedom and simplicity. When the implementation is heavy-handed and arduous, users will invent their own workarounds—plain passwords, avoiding encryption or file permissions, even working outside of established systems (e.g., thumb drives, unsanctioned software or rogue servers). But when security is embedded and transparent, it becomes an enabler of collaboration and can even streamline processes to everyone’s benefit.

The problem is that this is hard to do. If you’re deploying and configuring your own IT platform, it is probable that you won’t have all of the budget, expertise, training or resources to enact every critical industry best practice. As a result, the risks in your environment increase, the likelihood of leaks increases, and your shareholder value takes a dive.

Prolog: source

Imagine sitting in a theater at the height of current tech-perfection: 8K, stereoscopic 3D, HDR, 240fps with immersive audio, and maybe three-screen projection for good measure. Now consider the massive amount of data behind that scene—1TB per minute? Forget, for the moment, the hardware needed to present such a spectacle, and search the internet for workstations and storage big enough to process, edit, and encode a file that is larger than the Library of Congress.

Want some “special effects” shots with that? The cost of creating and managing such content on-premises will become insurmountable for most studios and production facilities, but you know it’s coming. Consumers’ insatiable appetite for bigger, better, and brighter experiences will only increase over time.

Act 1: film cans

So your internet sleuthing turned up a few options, ranging from renting IT crates, to application hosting, to the cloud. Renting a literal “datacenter in a box” is cost-prohibitive, as is building your own, and application hosting only fills a portion of the key gaps. Cloud provides economy of scale, pay-as-you-go capacity, and access to tools you wouldn’t otherwise have. Cloud gives you flexibility and control like your own datacenter, combined with the selection of solutions available from commercial hosters. Win/win, right?

Once upon a time I learned how to thread a commercial projector. I wasn’t the projectionist (union job), but I did have to hoist the giant metal cans holding the film reels up the stairs. Were someone able to circumvent a myriad of physical security mechanisms in place and run off with one of those incredibly cumbersome cans, they would have possessed a perfect copy of a full theatrical release. Today, no such herculean physical effort would be required, since a whole digital mezzanine file will easily fit onto a pocket-sized USB device.

Even in the days of film and clunky metal cans, there were certainly opportunities for theft to occur; however, there were still some technical blockers to illegal distribution (the ability to process film, for example). The advent of digital media meant that anybody with a compatible deck could view and copy the content. When it all became computerized, files could be e-mailed, downloaded over FTP, or copied from hard drives. Improvements to production speed and other efficiencies have been accompanied by the barrier to piracy being cut to almost nothing at all.

Act 2A: be practical

2001: A Space Odyssey was arguably one of the first great spectacles of cinematic special effects, which paved the way for decades’ worth of filmmakers to come. Cameras lovingly caressed the hull of the Discovery as part of a long list of practical gags committed to film and composited in the lab, and theft of visual assets would have been fairly constrained to the prop department. In most of today’s SFX extravaganzas, however, there’s not a drop of fixer fluid to be found.

At first, CGI was the domain of HP minicomputers, then Silicon Graphics workstations, then desktop PCs, and now farms of servers. 3D models are coveted and sensitive intellectual property: when a feature film such as 2016’s The Jungle Book is built almost entirely out of VFX shots that take thousands of hours to compute, the value of each scene’s digital footprint becomes a major production cost item.

The development effort, render time, and custom software components are all vulnerable to breach and exploit, which could cost the studio tens, if not hundreds, of thousands of dollars to recover. Early leaks of 3D models on effects-heavy blockbusters can also result in plot spoilers from character details, or even in counterfeit products flooding the market prior to a scheduled release.

Act 2B: put it on ice

A thousand years from now, the salt caverns beneath Kansas’s rolling grain fields will still be there. However, much like the scrolls of Alexandria, whatever is in them will have likely long since turned to dust (or mush, depending on global sea levels). Aging film assets grow more and more unusable every day. Magnetic tape and disks degauss or decay over time, rendering data unrecoverable. Even optical discs are projected to last only about 100 years before the laminated metal film oxidizes and becomes unreadable.

Technologies change too, and when the time comes to go back and read that old media, you may not have a player capable of doing so.

So, while it’s possible the next generation of archival storage will be DNA clusters encoded by altering the spin of Hawking black holes (what will people think of same-day video release when you can just inject a movie to watch it?), there is a clear and present danger with current mechanisms. The day is coming when you’ll have to decide how and where to transfer your data.

Intermission

This is all pretty bleak. There will be exabytes of data (FWIW, 1 human brain = 2.5 petabytes of data, give or take), and not just moving pictures—everything that goes into content production must be stored and managed somewhere: photographs, sounds, music, models, scripts, contracts, call sheets, memos, email, and so on. It all should be retrievable, indexable, sortable, and available for processing, packaging, distribution, and reuse.

It also needs to be protected from breach and exploit, accidental deletion, and corruption.

IT staff, as usual, are overburdened as it is by day-to-day tasks, complicated by bring-your-own-device measures aimed at simplifying users’ lives. Yet they are expected to launch a production environment on a shoestring budget, with little support, and at a moment’s notice. Naturally, security takes a back seat to the driving need of just getting up and running.

But we still need to protect our content, even if those systems never get connected to the internet.

Act 3: the plot thickens

With expectations high, we plod forward into the digital age, “ROI” ringing throughout the hallowed halls of executive suites; nobody wants to be in the datacenter business anymore, and datacenters are rife with underutilized, depreciating assets. And what of security, which tends to be the least ROI-friendly activity; that is, unless you count the loaded costs of your average data breach?

Part of the problem is that these kinds of investments, and the needs for high performance computing and storage, outpace most studios’ P&Ls. The rigor required to build and maintain the infrastructure is not generally a core competency of the Producers Guild of America—yet this is exactly what’s being asked of production executives. Let someone else do it, instead.

Security and content protection need to exist at every point, in every stage, on all content and by default through: encryption, watermarking, access control, monitoring, logging, and auditing. In addition, studios increasingly need to keep metadata synchronized and relevant across all assets in the value/production chain—which is much easier when data is centralized.

And who is accountable, anyway? When the production insurance underwriters come along and want to know who’s responsible, or an auditor looks at the balsa-wood door protecting your on-stage “datacenter”, where do you point? It’s so much better to say, “Them!” and know that the right things are being done; after all, it’s easier to recover if you plan for failure.

Commercial break

Protecting customer data is at the core of what we do in Microsoft Azure. Security is fundamental to the processes, operations, policies, and mechanisms that make up our cloud services; the results of which are clear in the broad range of industry, international, and government certifications held by the platform.

The truth is, running your environment in the cloud can actually enhance your security posture—particularly when that cloud is industry-accredited for media and entertainment by the CDSA and the Federation Against Copyright Theft (FACT), and formally assessed by the MPAA.

Moving to the cloud consequently shifts part of your overall risk profile to an organization ideally structured to handle it, with IT security and personnel investments running into the hundreds of millions of dollars annually. When combined with your own secure processes, risk management, and recovery planning, the likelihood of catastrophic loss drops enormously.

Finale: monetize!

Compliance leads to security, and security leads to compliance—they both improve your risk outlook and provide assurance to executives, producers, and investors that you did it right. Guidelines such as the CDSA CPS, MPAA Guidelines, FACT audit, and others put you in the right mindset for implementing secure systems and provide a methodology for testing, analysis and revision.

Make sure your cloud provider has these, because audits and assessments show they’re doing what they should, and what they say they are doing. The benefit to you as a subscriber is that you have assurance and contractual commitments regarding issues of security, isolation, transparency, data location, access control, privacy, monitoring, availability, disaster recovery and much more.

In the end, you’ll be able to extract value out of more of what you have, over longer periods of time, with less effort in the cloud. Following industry standards will require you to document processes and policies, which helps solidify your approach to make it repeatable and easier to identify problems.

No more film cans. No more tapes. And soon enough, no more wires either.

Click here to download the entire Spring 2016 M&E Journal