David Rosen, VP of cloud applications – imaging solutions, at Sony, gives his tips on cloud security

Across the media and entertainment industries, cloud technology isn’t new – it has been around for at least a decade. But as it steadily moves ‘upstream’ from being primarily used for content distribution to playing a more significant role in content creation, security concerns are top-of-mind. 

Media companies looking to use cloud for production workflows are understandably preoccupied with content security. But those concerns are currently preventing further significant adoption of the cloud, and if companies shy away from any risk-taking, they might not be able to give themselves the competitive advantages that full adoption of the cloud will enable.

In the early days of cloud, some of these security concerns were justifiable. But technology has come on in leaps and bounds, particularly since the pandemic. Today, cloud is just as secure as on-premises storage, with most security incidents caused by operator error – easily rectifiable with proper training and processes in place.

With that in mind, let’s address some persistent myths around cloud security, and look at how media companies can ensure they’re deploying cloud safely.

Demystifying the ‘cloud’

Cloud isn’t some magical place in the sky. At its core – forgive the oversimplification here – it’s nothing more than the location of servers. When thinking about it from this perspective, there’s no reason why either cloud or on-premises storage should be intrinsically more or less secure. After all, we’re talking about the exact same hardware sitting in two different locations with similar levels of management.

If we follow this line of argument, public cloud has several clear security advantages. Unlike media companies – who are focused on the production and distribution of content and programming – cloud providers’ entire business model depends on providing secure storage infrastructure. As such, cloud providers cumulatively invest billions of dollars a year to secure their infrastructure and protect against ever-increasing threats, from state actors to thirteen-year-olds pulling scripts off the dark web! That is without a doubt more than in-house technicians managing on-prem storage will be able to invest.

Security levels – from infrastructure to application

This isn’t to say that media companies can offload all responsibility for security onto public cloud providers. There are several levels to consider.

Public cloud providers are responsible for securing their base-level infrastructure, whether that’s applying security patches, updating firmware or scanning for new vulnerabilities. 

However, things are a bit different if we go up a level to the application layer. Most cloud providers will give media companies various tools to build and secure cloud applications. But ultimately, it’s up to the companies to ensure the applications they build are secure, in the same way that they would for any on-premises workflow. This means using virtual private clouds where appropriate and implementing robust access controls. Just because content has been put in a public cloud storage bucket doesn’t mean it’s secure! We saw a few media companies fall foul of this in the early days of cloud.

So, how can media companies ensure content security in the cloud?

One option for security-conscious media companies is procuring cloud applications from SaaS (software as a service) vendors, rather than building them in-house. SaaS vendors are typically responsible not only for the underlying infrastructure, but also for application layer security. As such, going down the SaaS route is a good option for smaller media companies looking to dip their toes in or fully embrace cloud. These companies typically don’t have the same in-house security and IT expertise as larger players. So, SaaS vendors can represent the best of both worlds – offering the flexibility and scalability of cloud without the risk.

However, this option clearly isn’t the right choice for everyone. Larger media companies have diverse application portfolios that span multiple facilities and geographies. Moving entirely into the cloud in one giant step is unrealistic. But media companies looking to build their own cloud applications or extend their workflows into the cloud, even in part, should double down on staff training and ensure they’ve hired staff with the right security expertise. Often, companies assume that the skill set they’ve built up for managing on-premises storage will suit them well in the cloud, too. It’s certainly a great starting point. But it’s also crucial to invest in cloud-specific training.

Luckily, most public cloud providers are very happy to provide training! After all, they know that increased training brings increased adoption. Most public cloud providers will provide free training credits in order to win customers’ business. Media companies should ask about this when evaluating their options.

Once your preferred cloud provider is chosen, it can be tempting to start moving assets over right away. But it’s crucial first to outline a dedicated security strategy for media assets, one that is agreed to by all stakeholders. This prevents missteps (like the one mentioned earlier around placing sensitive files in public storage buckets).

There’s now a well-worn path for media companies looking to adopt cloud. So, you shouldn’t hesitate to discuss security plans with cloud application providers, especially those with a true understanding of the specificities of the media industry, like Sony. There are also plenty of case studies and templates out there to guide in-house experts.

What’s the bottom line?

Cloud can empower media companies, whatever their size, to improve their bottom line. The cloud has already started to play a greater role in content creation and, as it continues to do so, will democratise access to the tools creators need in a much more cost-efficient way. Its intrinsic link to the rise of an operational expenditure model means its adoption does need to include a different approach to financials. With the technological advancements we’ve seen in recent years, there’s no reason for security concerns to hold back progress.

David Rosen is VP of cloud applications – imaging solutions, at Sony.