CDSA Touts Significance of New App and Cloud Framework

With the launch of the site security assessment program through the Trusted Partner Network (TPN), the Content Delivery & Security Association (CDSA) board of directors immediately started work on the next phase of security assessments that included software applications and cloud environments.

At last year’s NAB Show in Las Vegas, CDSA announced its goal to release a common control framework that is scalable to the size, appropriate to the community and constituency of the TPN, but also mapped directly to the control framework and standards already being utilized within our industry. Via the groundbreaking work of two elections of CDSA’s Technology Committee, that framework has now been presented publicly.

One of the “original TPN aims” was to “try and prevent what was a kind of organized chaos with different audits taking place” at a high cost across the supply chain, according to Ben Schofield, CDSA project manager and TPN product manager.

Goals included improved content security in the studio supply chain, creating a common control set, efficient operations, shared audit reports for studios, reduced costs for vendors and the creation of a global talent pool for auditors.

In general, TPN wanted to try to get shared costs down and “try and get common practices going,” Schofield said, speaking last month at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience. “That’s been very successful,” he noted during the CDSA/TPN Update session “Introduction: CDSA’s App & Cloud Framework,” moderated by Schofield and featuring three tri-chairs of the CDSA Technology Committee.

However, “there’s been a bit of a change really,” Schofield said, noting that, “as audiences and revenues move online … there’s been this consolidation of the digital workflows [and] we’ve seen a very rapid shift to the cloud.”

In addition, the original controls that the Motion Picture Association of America (MPAA) put together didn’t cover all the use cases, he said, noting “they don’t necessarily cover” the new skills and new security culture required.

“So, really what we’re seeing here is an evolution” in which organizations are starting off with very basic security and then evolving to a “full, professional audit with a common set of controls,” he said.

Meanwhile, “at the moment, we’re not in the regulated space,” but with Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), “we’re getting to that point where there’s big financial implications if there are security breaches.”

“There’s been this latent demand for … cloud controls, and this shift to cloud is really all about software,” he went on to say.

The TPN App & Cloud initiative launched to extend the original program to cover new use cases, and “a lot of fundamental work has been done over the last two years to try and bring that into a custom control set,” he said.

The intent is to not just provide security to the major Hollywood studios, but “get across a supply chain,” to a range of business sizes and types, he noted.

Effective security requires ongoing skills development and a consistent approach depends on the weakest link in the supply chain, he said.

And there is a need to establish a security culture from the CEO down. A new approach was needed that included: map controls from industry standards, with frequent updates; the leveraging of cloud platforms best practice and design patterns; the delivery of documentation in a usable format that is easily applied to any size of business; automated tracking and checks to reduce the cost of audits; and help developing new skills to build a security culture.

Noting that “we’ve been dealing with cloud and security for multiple years now,” chairman Micah Littleton said: “One of the things that we’re seeing is there’s a lot of inconsistent client guidelines that are coming in and some of them have a robust security program that they provide guidance to us and some of them are really asking us to provide what we’re doing to secure their content. So having that baseline is definitely something that would be very helpful.”

Right now, “we do not have an industrywide, mutually-agreed best practices for cloud and application security, which leads to… confusion,” noted chairman Mischa Roth. “Having an approved framework, which is adopted by content owners as well as service providers would help us to adapt to emergency situations much quicker than ever before,” he added.

And chairman Todd Burke told viewers: “If you look at how applications and services are being made, cloud is inevitable. And as a cloud provider, we look at how cloud services and capabilities can really make the creative process faster, more nimble … . Being able to better describe to each other in this industry how security works is paramount. So hopefully what we can do with this initiative is raise the level of conversation and make it clear what we’re trying to do by way of securing our platform.”

He added: “There’s friction involved in describing your approach to security as a vendor to a content creator.” The big question, he noted, is: “Do content creators want to spend their time filling out security spreadsheets or creating content?”

The key point is that “the more content creation we can enable by simplifying the learning about security and the communication about security standards adherence, the more content we get created,” he said, adding: “That’s certainly what I think those of us working on this are looking forward to doing”: giving everybody the ability to create more content securely.

Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.

Produced under the direction of the CDSA Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this year’s Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.

To view video of the presentation, click here.