How to secure content production on Google Cloud with CSAP
Toby Scales
Office of the CISO
Buzz Hays
Global Lead, Entertainment Industry Solutions, Google Cloud
Content production is increasingly happening in the cloud. While moving a creative process that spans three centuries into the modern era brings challenges and risks, MovieLabs is one organization that takes digital transformation seriously.
A nonprofit research and development group founded by a consortium of the major Hollywood studios, MovieLabs describes their mission as “exploring innovative solutions to industry challenges shared by both our member studios and the broader production, post-production and distribution ecosystem.”
In more than 50 pages of densely packed ideas and principles, MovieLabs’ The Evolution of Media Production lays out an ambitious and revelatory vision for streamlining media production in the cloud. The key themes are summarized in 10 declarative statements, which envision a new modality for media production by the year 2030:
All assets are created or ingested straight into the cloud and do not need to be moved.
Applications come to the media.
Propagation and distribution of assets is a “publish” function.
Archives are deep libraries with access policies matching speed, availability and security to the economics of the cloud.
Preservation of digital assets includes the future means to access them and edit them.
Every individual on a project is identified and verified, and their access permissions are efficiently and consistently managed.
All media creation happens in a highly secure environment that adapts rapidly to changing threats.
Individual media elements are referenced, accessed, tracked and interrelated using a universal linking system.
Media workflows are non-destructive and dynamically created using common interfaces, underlying data formats and metadata.
Workflows are designed around real-time iteration and feedback.
Four of the ten statements above are further explored in a follow-up whitepaper from MovieLabs, The Evolution of Production Security, which likewise offers six statements about what secure production in the cloud should look like:
Security is Intrinsic and does not Inhibit Creative Processes
The Security Architecture Addresses Challenges Specific to Cloud Workflows
Production Workflows, Processes, and Assets are Secure, even on Untrusted Infrastructure
The Content Owner Controls Security and Workflow Integrity
The Security Can Be Scaled to Appropriate Levels and Can Integrate
The Security Architecture Limits the Spread of any Breach and is Adaptable
The key to understanding these two papers is repeated in their titles: Evolution. Neither document is meant to outline solely what’s possible today; rather they are beacons guiding us toward a future in which the movie business is truly transformed by the cloud operating model. That means a future where media productions run much more like software supply chains: with speed, agility, and scale, and without sacrificing availability or security.
The good news is that it is possible to deploy secure production workloads in the cloud today. Using some of the built-in security features of Google Cloud, content producers can achieve Common Security Architecture for Production (CSAP) “Level 100” security for their assets (using the CSAP scale L100-L300).
However, we think the word “evolution” is important. As many companies have learned, operating an infrastructure cloud can be costly and often presents new threat vectors for attackers. Our mission at Google Cloud is to provide scalable, reliable services for traditional IT functions and to accelerate the ability of every organization to digitally transform its business.
We believe the era of the transformation cloud is dawning, and companies who have been successfully operating in the cloud for years are now looking for ways to reduce costs while maintaining the cloud-scale advantages of agility and global reach. This aligns perfectly with the evolutionary vision of the MovieLabs papers, which envision media workflows changing radically to embrace cloud dynamism without all the unnecessary asset movement and complexity.
An important part of that vision from Google Cloud is that cloud service providers should remain open and interoperable with other clouds and infrastructures.
Here is a quickstart guide to mapping the L100 CSAP requirements to Google Cloud:
As you can see in the diagram, external identity providers (IdPs) such as Okta or Active Directory can serve as core security components of a CSAP L100 architecture. Alternatively, Google Cloud services such as Cloud Identity or Managed AD could be substituted.
Next, Google Cloud’s Identity-Aware Proxy (IAP) can be used in combination with Access Context Manager (ACM) to act as the first Policy Enforcement Point. This is an optional step, since it is somewhat redundant with the routing and authorization function performed by the native HP/Teradici Connection Brokers. However, IAP and ACM are core components of Google Cloud’s BeyondCorp architecture, on which CSAP is based. Additionally, adopting IAP with ACM offers productions the ability to swap out the Teradici PCoIP protocol for an alternative, such as Unity’s Parsec, without sacrificing security.
The Teradici Connection Broker is also a Policy Enforcement Point, since groups and role membership can be used to enforce access to specific workstations.
Finally, the identity context for each user is passed through to the storage layer. For some productions, Google Cloud Storage (GCS) buckets may offer enough functionality; GCS offers an S3-compatible API which should make it easy to immediately adopt OSS tools built for S3. Other options for this include the managed NetApp Cloud Volumes and Dell PowerScale for Google Cloud services. Both of these are managed shared storage services which offer file-level access controls using standard SMB/NFS permissions. There are also a variety of third-party filers available in the Google Cloud Marketplace, such as Nasuni. You can read more about those here.
For added security, both NetApp and PowerScale should be configured to use the private services access model in Google Cloud. This effectively limits any external access to these resources by only allowing traffic from user-managed VPCs into the Google-managed and peered VPC.
Following this architecture, you can see how to achieve CSAP L100 compliance by using either only Google Cloud services or a mix of managed and cloud-first services. In either scenario, access is managed through a unified control plane and based on both user identity and role. Zero Trust principles such as context-aware access and dynamic rulesets could further be applied to the Authentication step using either Google Cloud IAP or the equivalent services from Okta, Active Directory, or others.
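The IAP-plus-ACM Policy Enforcement Point and the context-aware rules mentioned above, as an added Terraform example (editor's illustration, not code from the post, Google Cloud, or MovieLabs). It assumes an existing Access Context Manager policy, a project, an HTTPS load-balanced backend service named "workstation-gateway" fronting the connection broker, and an IdP-synced group; all names and the IP range are placeholders.

```hcl
# Added example (not from the blog post): Terraform for IAP + Access Context
# Manager as a context-aware policy enforcement point. Placeholders/assumptions:
# an existing access policy, a project, an HTTPS LB backend service called
# "workstation-gateway" fronting the connection broker, and an IdP-synced group.
variable "access_policy_id" { type = string } # e.g. "123456789012" (placeholder)
variable "project_id"       { type = string }

# Access level: the "context" a request must satisfy. Combining with AND
# means BOTH the network range and the device posture conditions must hold.
resource "google_access_context_manager_access_level" "production_trusted" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/accessLevels/production_trusted"
  title  = "production_trusted"

  basic {
    combining_function = "AND"
    # Constructed example: the facility's egress range (RFC 5737 documentation block).
    conditions {
      ip_subnetworks = ["203.0.113.0/24"]
    }
    # Device posture reported by Endpoint Verification: corp-owned and encrypted.
    conditions {
      device_policy {
        require_corp_owned          = true
        allowed_encryption_statuses = ["ENCRYPTED"]
      }
    }
  }
}

# IAP binding: the IAM role grants access to the IAP-protected backend only
# while the condition is true, so group membership alone is not sufficient.
resource "google_iap_web_backend_service_iam_member" "production_users" {
  project             = var.project_id
  web_backend_service = "workstation-gateway"
  role                = "roles/iap.httpsResourceAccessor"
  member              = "group:production-artists@example.com" # placeholder group

  condition {
    title       = "require-production-trusted-context"
    description = "Trusted network and a managed, encrypted device are required"
    # CEL: the access level evaluated by ACM must be present on the request.
    expression  = "\"${google_access_context_manager_access_level.production_trusted.name}\" in request.auth.access_levels"
  }
}
```

The device_policy conditions only evaluate as intended when Endpoint Verification is deployed on the workstations that reach the gateway; without it, requests from unmanaged devices simply fail the access level and are denied at IAP.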
At this weekend’s National Association of Broadcasters conference, Google experts will be talking about the cloud and content production, and the intersection of AI and media. The journey to 2030 is only just beginning.