April 29, 2015
On April 15, at ETC’s Media Management in the Cloud conference held at the NAB Show, John McCoskey, EVP & CTO of the Motion Picture Association of America, and Jim Reavis, executive director of the Cloud Security Alliance, delivered the MPAA keynote updating the audience on the MPAA’s first cloud security standards, which are continuing to progress and may be launched later this year. They encouraged media industry professionals interested in cloud security to implement the CSA’s Cloud Controls Matrix.
The CCM provides cloud vendors and customers with detailed security principles.
The keynote presentation highlighted that the M&E industry had special considerations about cloud security, including managing highly sensitive intellectual property, large-scale and unique data challenges such as video rendering, and supply chains of major corporations that also include small businesses.
The speakers noted that despite anxiety in the industry about the novelties of cloud security, most security breaches — whether cloud-related or not — still happen due to basic problems such as aging legacy IT systems, too-simple passwords, insufficient use of encryption, and hackers deploying social engineering tactics.
They also explained that while Tier 1 cloud vendors had very reliable security, smaller companies in studios’ supply chains, which might use less capable cloud vendors and IT systems, were vulnerable. The biggest challenge in cloud security, it was noted, is educating small players.
For all companies, annual security audits are seen as insufficient — there must be real-time monitoring of changing security standards, given the rapid ongoing development of cloud technology. It was also emphasized that cloud tenants, cloud vendors, and consumers shared responsibility for security.
One highlight of the Q&A session that followed was the question of when third-party enterprise service and product providers would be allowed to operate within their clients’ clouds, creating lower costs for both sides. There was no definite answer about this possible future development, as it depends on the decisions made by specific cloud vendors and tenants themselves.