Security in the cloud


We use the expression “asset management” so regularly today that we can be forgiven for overlooking the critical significance of the words. Content – production material and completed programmes – are the core assets of the media business. You invest heavily in the content, creating business assets, and subsequently expect to earn a fair return.

Any leak of the material risks those returns. Movie and premium drama producers are notoriously averse to any risk of leaks and spoilers, and every facility in the production and post chain will have to demonstrate the highest levels of content protection.

Broadcasters pay very large sums for the rights to cover major sports events. They invest heavily in must-watch programming like Traitors or Love Island: if these are leaked before transmission then the audience disappears completely – along with the substantial advertising revenues.

When we talk about security in media systems, we are looking to protect the intellectual property. As technology develops to help us create even better content, so its security layer must grow to ensure the content cannot be pirated. The entirety of the financial investment in the content is at risk.

The same applies to other cyber threats. In court we are asked to tell “the truth, the whole truth and nothing but the truth.” In media asset management, we want to know that the file is what the metadata says – complete as originally created, and nothing has been added. That means we must consider security a central part of any file-based environment. 


The major cloud providers, like AWS, Microsoft and Google, have adopted a shared responsibility model. Put simply, this draws a distinction between protection “of” the cloud – the infrastructure itself – and protection “in” the cloud – the user’s data and processes.

Protection “of” the cloud is the provider’s responsibility, and they are very good at it. AWS has a page on its website about how its security allows it to provide services to the US intelligence community.

Protection “in” the cloud is the responsibility of the user. That includes ensuring tight control on identity and access management.

In practice, users share responsibility with their technology partners. A post house, for example, which uses EditShare cloud-enabled shared storage, will look to us to provide the structures necessary to secure the content. Indeed, we would like to think that one of the primary reasons our customers choose EditShare is that we have thought through the security implications of the cloud and have the tools and certifications in place to make it simple to implement.

Remember that protection “in” the cloud is your responsibility. If material is pirated or systems corrupted because of a failing in your security, you have no-one to blame but yourself.


The core of that protection is knowing who can get into your content and workflows. This is IAM: identity and access management.

Every individual in your operation must be uniquely identifiable. Individuals must also be cross-certified in a matrix so that they can only access the parts of the system and the specific content they need.

This is vital for security, of course, but it is also an operational benefit. Editors are immediately presented with just the materials for their project, rather than having to wade their way through the whole of a large asset management system, wasting time and potentially compromising the security of other projects.
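The access matrix described above can be sketched in a few lines. This is an added example, not EditShare's code or any cloud provider's API: the users, productions, asset names and function names are all constructed for illustration. It shows deny-by-default lookups, a listing filtered per individual, and a decision log tied to each unique identity.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    asset_id: str
    production: str

# Constructed sample data: every user, production and asset name is hypothetical.
# The matrix maps (unique user id, production) to the actions granted there.
ACCESS_MATRIX = {
    ("alice", "production-a"): {"read", "write"},
    ("bob", "production-b"): {"read"},
    ("carol", "production-a"): {"read"},
    ("carol", "production-b"): {"read", "write"},
}
ASSETS = {
    a.asset_id: a
    for a in (
        Asset("a-rushes-001", "production-a"),
        Asset("a-edit-v3", "production-a"),
        Asset("b-rushes-001", "production-b"),
        Asset("b-master", "production-b"),
    )
}

def is_allowed(user_id, production, action):
    """Deny by default: a missing matrix cell grants nothing."""
    return action in ACCESS_MATRIX.get((user_id, production), set())

def visible_assets(user_id):
    """The listing an editor sees: only assets from productions they can read."""
    return sorted(a.asset_id for a in ASSETS.values()
                  if is_allowed(user_id, a.production, "read"))

def request(user_id, asset_id, action, audit_log):
    """Decide one request and record it against the individual's identity."""
    asset = ASSETS.get(asset_id)
    # An unknown asset is denied the same way as a forbidden one, so the
    # response does not reveal what exists in other productions.
    granted = asset is not None and is_allowed(user_id, asset.production, action)
    audit_log.append((user_id, asset_id, action, "allow" if granted else "deny"))
    return granted

if __name__ == "__main__":
    log = []
    print(visible_assets("alice"))
    print(request("alice", "b-master", "read", log), log)
```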

Powerful IAM is part of a new generation of cloud-appropriate security systems, which must be integral to any media system. The goal, as always, is to let creative people focus entirely on creativity with no worries about building and protecting workflows wherever the technology sits.

That could include multiple cloud providers. Your commercial and operational decisions should not be limited by technical and security considerations.

With client-side security “in” the cloud, users can work with content that happens to be stored on different sites. Or, perhaps more likely, the assets are in one cloud, and the deliverables must go to another.

In conclusion

Security is vital. No one wants content pirated, and no one wants to be at risk of cyber-crime like ransomware. Cybercrime Magazine estimates that ransomware could cost victims up to $42 billion this year, with a new attack occurring every two seconds. 

Piracy is an existential threat to your business. You have invested in creating great content, and you must ensure you get the full return on that investment. Data leaks mean significant, perhaps total, financial losses.

Cyber-crime is on the rise, and we are all aware of high-profile cases where operations have been halted for extended periods. In 2023, one of the largest entertainment groups in the world, Sony, suffered a number of ransomware attacks. Also in 2023 – and probably also by the same criminal group, Rhysida – the online catalogue of the British Library was compromised, causing damage likely to take more than a year to rectify.

Security is vital for any media enterprise. Understanding the issues around security and how they can be addressed has to be at the top of the agenda when specifying systems and developing workflows. When looking for a technology partner to implement collaborative systems and cloud operations, make sure they really understand just how important it is to get the security right.


Why is security important?

You have invested a lot in your content: you do not want anyone taking that content without paying for it, or blocking it with ransomware so you cannot exploit it commercially.

Content can also be leaked for malicious purposes, like spoilers or to harm some of the performers. And content can be changed or damaged by adding to the files in your store.

Keeping your content safe is business-critical.

Who is responsible for cloud security?

The roles are shared. The cloud provider is responsible for securing the infrastructure, to ensure it keeps working. You are responsible for securing access to your data and processes.

How do you secure content?

Primarily, by ensuring that only those authorised to do so can access your data and processes. A careful sign-on process will ensure only those who should be there can get there.

In a multi-tenant operation like a post production facility, that means only granting access to the content relevant to each individual. An editor working on production A cannot see anything of what is going on with production B, for example.

That incidentally makes it easier for the editor, who is presented with just the content they need for the part of the project they are working on.

What is IAM?

IAM is identity and access management.

Through a system of secure log-ins and validated paths, IAM ensures that only authorised people get onto your site, and then only see the media and processes they need. Good IAM will keep everyone else out.

What happens if IAM is compromised?

Criminals can get in. They may be seeking to pirate your content, but more worryingly they may want to hold you to ransom: pay a large sum of money or your content is destroyed. Ransomware gangs are international in scope, and it can prove impossible to even isolate where in the world they are before they carry out their threats.

Can I carry security from one cloud to another?

Work in AWS but need to deliver to Microsoft Azure? With good IAM and other security practices, this is simple.

Remember the difference between the cloud providers protecting the infrastructure and you protecting the data. Your own security systems should move transparently and seamlessly with the data across barriers.