Microsoft business cloud services and media and entertainment
Helping to keep media’s most valuable asset—intellectual property—safe in the cloud
In the media and entertainment industry, content is protected by two separate yet equally important tools—security, which protects the assets, and compliance, which ensures their integrity.
The production process has become digital as studios seek to reduce costs, improve time to market, and support the latest in high-definition technology. However, this comes at a potential cost: Assets may be more accessible to thieves, thanks to the number of file-based assets—dailies, rough cuts, trailers, soundtracks, and visual effects (VFX) materials—spread across a global supply chain from location shoots and studios to post-production facilities that may not be staffed with cybersecurity expertise. Portable storage devices, removable hard drives, and smartphones represent additional threat vectors as they are increasingly used to store and distribute assets associated with the creation of original content.
Microsoft Azure employs multiple mechanisms for protecting media content at all points in the supply chain, establishes privacy policies to maintain confidentiality, and implements comprehensive global controls validated by independent compliance audits.
Azure helps ensure the security of media assets
Azure was the first global hyperscale cloud service to be certified by the Content Delivery and Security Association (CDSA) based on how securely it handles content creation, production, distribution and exhibition workflows. Running applications and infrastructure in Azure gives a direct path to compliance for customers who require adherence to the CDSA Content Protection and Security (CPS) standard. Also, Azure was the first hyperscale, multitenant cloud service to successfully complete a formal assessment by independent MPAA auditors.
Post-production houses, VFX creators, editors, and distributors that use Azure Media Services don’t need to deploy costly and complex dedicated resources for new projects. Instead of rolling a new server rack into a studio back room for a three-month shoot, producers can directly benefit from the availability, scale, and security of Azure’s pay-as-you-go model. Simply provision resources as they are needed, and work with any of Azure’s many global ISV partners for an end-to-end solution. Then, when a project is complete, just turn off the virtual machines and distribute your creation, protected with embedded encryption and digital rights management.
Azure Media Services helps you safeguard your media assets:
- Exchange content throughout production and across the post-production supply chain with enhanced security by moving content directly to Azure Media Services. HTTPS, ExpressRoute, and Azure Virtual Private Network (VPN) also help protect content transferred between the studio datacenter and Azure.
- Improve content security and storage management through:
- AES-256 encryption of data at rest.
- The ability to push content and encryption keys to two or more different Azure datacenters simultaneously.
- The geo-redundancy of Azure Storage, which replicates your data to a secondary region hundreds of miles away from the primary region, helping to ensure that your data is durable even if there is an outage or disaster in the primary region.
- Take advantage of secure, highly available streaming services for broadcast media that offer failover: PlayReady, FairPlay, and Widevine Digital Rights Management; and Apple ProRes and Google HLS support.
- Access highly available archive and indexing features for media libraries protected with AES-128 encryption.
Azure helps protect the integrity of media assets through comprehensive compliance
With more compliance offerings than any other cloud provider, Azure meets a broad set of international and industry-specific standards, including those for the media and entertainment industry.
- CDSA Content Protection and Security (CPS) Standard. The CPS Program certification is an important part of media and entertainment supply chain security practices, providing a standards-based method of assurance to content acquirers and producers looking for a worldwide exchange of original digital content using secure channels. Azure has been independently audited and certified by the CDSA against the 311 security controls of the CPS standard, which include an audited risk assessment, secure management of physical data centers, hardened cloud services, and storage facilities optimized to handle the most sensitive intellectual property.
- The Motion Picture Association of America (MPAA) offers guidance and control frameworks for studio partners to help ensure the security of digital film assets. Azure complies with all three of the MPAA content security best practices frameworks: Common, Application, and Cloud Security guidelines. Additionally, Microsoft has mapped Azure’s content protection controls to the MPAA’s Content Security Model to enable customers to conform to that framework.
- The Cloud Security Alliance (CSA) maintains the Security, Trust & Assurance Registry (STAR), a free registry where cloud service providers (CSPs) can publish their CSA-related assessments. STAR consists of three levels of assurance aligned with control objectives in the CSA Cloud Controls Matrix (CCM).
For the CSA STAR Self-Assessment, Microsoft publishes a CCM-based report for Azure, as well as the Azure response to the Cloud Assessments Initiative Questionnaire version 3.0.1. These cover the most commonly asked questions regarding security and privacy domains, and Azure’s responses articulate the many features, processes, and policies in place to protect customer data. In addition, Azure has been awarded CSA STAR Attestation and CSA STAR Certification at the Gold level, both of which involve a rigorous third-party assessment of Azure’s security posture.
- The Federation Against Copyright Theft (FACT) in the UK developed a certification scheme based on ISO/IEC 27001 that focuses on physical and digital security to protect against theft of intellectual property. Azure was the first multitenant public cloud to achieve FACT certification.
- ISO/IEC 27001 and ISO/IEC 27018. Azure undergoes annual audits by BSI for conformance with the ISO/IEC 27001 standard that defines internationally recognized information security controls. These include best practices for data privacy encompassed by ISO/IEC 27018, which covers privacy protections for the processing of personal information by cloud service providers. Microsoft was the first cloud provider to adhere to the ISO/IEC 27018 code of practice
- Payment Card Industry (PCI) Data Security Standard (DSS) 3.1 is a global information security standard designed to prevent fraud through increased control of credit card data; Azure completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA). Azure is certified as compliant under PCI DSS version 3.1 at Service Provider Level 1 (the highest volume of transactions—more than 6 million a year), so when you need a solution that extends from license distribution to payment systems, Azure covers you from the standpoints of both traditional IT security and new media workflows.
- Criminal Justice Information Services (CJIS) Security Policy. Whether it’s surveillance video, body cameras, or court proceedings, the integrity and confidentiality of video content created by and for law enforcement are absolutely critical. Azure Government provides contractual commitments to the security standards put forth by the FBI under the CJIS program.
- Health Insurance Portability and Accountability Act (HIPAA). Healthcare data isn’t just statistics and images. Increasingly, doctors and hospitals are using advanced digital tools that output video streams such as ultrasounds, functional MRIs, and more. Azure enables customers to comply with applicable HIPAA regulations, and includes the HIPAA Business Associate Agreement (BAA) as a standard amendment to our Online Services Terms. Azure Media Services are in scope for our HIPAA BAA.
- CSA Cloud Controls Matrix
- Azure responses to the CSA Cloud Assessments Initiative Questionnaire (CAIQ) version 3.0.1
- Implementing CDSA-compliant content protection and security using Azure
- Azure responses to MPAA common guidelines 032016
- Azure responses to the MPAA application and cloud security guidelines 032016