AWS for M&E Blog

Aligning AWS security services to MovieLabs Common Security Architecture for Production (CSAP)

In this blog post, we provide a primer on MovieLabs and its publications to date that focus on security, AWS’ take on the foundational concepts in the MovieLabs security architecture, and preview the remaining blogs in this series.

The media and entertainment industry is no stranger to disruptive innovation. One of the most significant transformations in the industry has been the move from analog recording mediums to digital. This change allowed for dailies workflows where post-production can happen earlier in the production process, reducing the time it takes to create a show or movie.

Today, Amazon Web Services (AWS) is helping media customers scale content creation in the cloud to meet consumer and business demands for new, original content. The cloud is the next disruptor for the media and entertainment industry and industry organizations recognize it. In 2019, Motion Picture Laboratories, Inc. (MovieLabs) penned a bold vision for the future of episodic, feature, and media productions where the cloud plays a critical role in achieving the vision.

Guided by 10 principles, the MovieLabs 2030 vision describes a future where all workflows are software-defined, security is built-in and non-disruptive to creative staff, and the cloud serves as the single source-of-truth for asset ingestion and the primary destination for production workflows. The MovieLabs 2030 vision serves as a roadmap to guide technology vendors and cloud service providers on the journey to create more cloud-native tooling that accelerates content production and enables creatives to do what they do best, create captivating content for film and TV.

As a first stop in the roadmap, MovieLabs double-clicked on security and published a whitepaper focused on the evolution of production security, which laid the foundation for a security architecture to support the 2030 vision. The Common Security Architecture for Production (CSAP) outlines a reference architecture that illustrates a way to securely build and operate production workflows in the cloud at scale. The CSAP is a 6-part framework that includes an architecture description, interface definition, security levels, software-defined workflow alignment, implementation considerations, and a policy description language. There are three foundational concepts that underpin the CSAP architecture:

  1. Zero Trust architecture
  2. Intrinsic vs. extrinsic security
  3. Authentication vs. authorization

These foundational concepts are not new to AWS and there are many ways customers can begin to adopt CSAP using AWS security services.

AWS security, identity, and compliance solutions broken down into 6 categories for identity and access management, detective controls, infrastructure protection, data

Zero Trust architecture

Zero Trust is a conceptual model and an associated set of mechanisms that focus on providing digital security controls around assets that does not solely or fundamentally depend on traditional network controls or network perimeters. Historically, an entity’s location within a traditional network would result in some level of trust within a system. In a Zero Trust system, these network-centric trust models are augmented by identity-centric controls. These controls refer to identity and access management systems that verify an entity’s identity and what they are authorized to do. The combination of these two types of controls, applied with a Zero Trust architecture, enables better-built, more flexible, and more secure software systems.

While the conceptual model of Zero Trust decreases reliance on network location, the role of network controls remains important to the overall security architecture of the system. The best security comes from the effective combination of both network-centric and identity-centric controls. For more information, please visit the Zero Trust on AWS documentation page.

Intrinsic vs. extrinsic security

Intrinsic security is an approach for securing existing infrastructure and integration points across the application, platform, and infrastructure layers. Security controls are built in to all aspects of a company’s network, hardware, and software rather than being bolted-on afterwards. Data and behaviors across organizations are seen in their total context instead of being siloed. As a result, any application, on any device, running on any enterprise system, is better protected.

AWS provides intrinsically secure services to customers – all AWS API calls require requests to be signed, all principals backing the signature have an access policy with granular permissions granted to principal, and all principals are implicitly denied access to services unless explicitly granted access. In the next blog in the series, we will describe how AWS Identity and Access Management (IAM) allows customers to design intrinsically secure systems using fine-grained access controls that adhere to the principle of least privilege.

Authentication and authorization

The security mechanisms that define and manage identity and access are critical for any organization operating in the cloud. They ensure only authenticated principals are authorized and allowed to access the target resource in the manner intended, and with least privilege. Inside of AWS, a principal must be authenticated in order to send a request to AWS. Upon an authenticated request, AWS will look at the request context and identify all applicable policies to either allow or deny the request. As outlined in the CSAP, treating authentication and authorization as separate functions allows sufficient flexibility to address a wider range of use cases. This delineation between authentication and authorization is present in AWS, as authenticated principals still need to be explicitly authorized to perform an action.


In the next blog in the series, we will discuss the various services within AWS that can authenticate entities and how least privilege authorization is achieved using layered policies. We will also discuss how these services align to the various identity components of the CSAP and how having a strong identity foundation on AWS helps customers secure production workflows in the cloud. The remainder of the blog series will focus on how to apply the security controls laid out in CSAP, using AWS services, to production workflows.

MovieLabs Spotlight

MovieLabs is a non-profit research and development joint venture founded by major Hollywood studios. Its mission is to define and evangelize innovative solutions to complex challenges in the media and entertainment industry.

Kim Wendt

Kim Wendt

Kim Wendt is a Solutions Architect at Amazon Web Services (AWS), responsible for helping global Media & Entertainment companies on their journey to the cloud. Prior to AWS, she was a Software Developer and uses her development skills to build solutions for customers. She has a passion for continuous learning and holds a Master's degree from Georgia Tech in Computer Science with a Machine Learning specialization. In her free time, she enjoys reading and exploring the PNW with her husband and dog.

Blake Franzen

Blake Franzen

Blake Franzen is a Security Solutions Architect with AWS in Seattle supporting Media & Entertainment companies. His passion is driving customers to a more secure AWS environment while ensuring they can innovate and move fast. Outside of work, he is an avid movie buff and enjoys recreational sports.