Preventing the next workflow break-in
Posted on May 7, 2026 by Admin
With so many tools, vendors and contractors intersecting in a production, now’s the time to up the game on workflow content security, says Neal Romanek
Words Neal Romanek
The conversation around content protection usually focuses on assets already delivered – anti-piracy, rights protection and fighting off IP-devouring GenAI. But we tend to think less often about security inside the production workflow, assuming that established internal protocols at studios or post houses have it all covered. However, as long as you have a digital connection to the outside world, hackers, pirates or just undertrained employees can wreck your content business.
The distributed nature of modern media also means that production is distributed over multiple locations – a production’s own infrastructure, multiple vendors, individual contractors – and digital connectivity means multiple ways in and out of each of these nodes. It’s almost impossible for a production to directly monitor security at every point.
MovieLabs, a technology think tank made up of the major Hollywood studios, created the Common Security Architecture for Production (CSAP) with the goal of establishing easier methods of managing security across organisational boundaries.
CSAP was established as part of MovieLabs’ 2030 Vision, a roadmap for the studios which anticipates that virtually all of the content pipeline will have moved to the cloud by 2030. As a result, the architecture is built with distributed workflows in mind. It recommends that productions move to the ‘zero-trust’ security architecture widely used in multiple sectors. Zero trust means that every user, device and service must be authenticated before it can take part in any activity.
“Production pipelines can use many of the same security solutions as elsewhere,” says Spencer Stephens, MovieLabs’ SVP production technology and security. “What is different is the way production works. For example, more of the users are contractors and there are more temporary locations than the corporate environment. We’re not unique, but we are different in how we need to apply security. Of course, there are technologies productions need that don’t have a huge role elsewhere, but many of those are at the point where we cross between digital and the physical. Video watermarking is a case in point.”
Though the lines between production and post are blurrier than they used to be, each still involves a very different set of activities – but they often share vulnerabilities.
“When production and post-production are using the same technology, the risks are often the same. The traditional view of post-production facilities as a protected ‘fortress’ doesn’t hold true any more. You may think that securing the DIT cart on a set is a different problem than an editor’s workstation but you should still take every precaution to prevent the content on the DIT cart being accessed by a bad actor on the production Wi-Fi,” Stephens adds.
Controlling access
In some instances, the security and secrecy of your content is the core of the show itself (if PricewaterhouseCoopers loses that briefcase, there goes the Oscars). Ionoco is a creative technology business with a number of customers whose content requires strict security, including game shows or programmes that feature live audience interaction.
“In the US, you have standards and practices, where it is a federal offence to run any kind of unfair game on TV, and you have to be able to demonstrate that it is fair,” explains Simon Ingram, chief executive of Ionoco, and chairperson of its spinoff company Content Vault.
Working for productions with sensitive content, such as the aforementioned programmes with live audiences, leads to a good practical understanding of how to keep files safe, and where the vulnerabilities in workflows are.
“Sometimes we’ve seen customers sticking something up on Vimeo with a single password that’s emailed to people and shared, and they’re suddenly in the position of not actually knowing who’s viewing what, who’s got access, or whether someone has downloaded something. This is game data. If it gets into the public domain, it’s going to destroy your game show.”
The company built Content Vault for the secure sharing of video, images and audio. This platform encrypts the files directly, which can then only be viewed by those with the Content Vault app and appropriate permissions. The levels of permission range from viewing only, to the ability to share or even to fully decrypt the original file.
Some companies working with highly sensitive content still occasionally rely on physical delivery of media in order to avoid content passing through unsecured networks. With an available solution like Content Vault, the content itself is encrypted, so even if it were somehow intercepted, it can’t be accessed and decrypted by anyone but the intended recipient. This makes delivery across multiple networks much more secure.
“Nobody can open these files except you,” says Ingram. “Even if they’re posted publicly, the files can’t be opened or viewed, so you remove the risk that a third party is viewing your files and potentially using them.
“People always tend to think about cybersecurity after the event rather than before, but some of the bigger networks we work with now are getting very tight, particularly when it comes to handling of pre-release video content, when it’s in that edit process.”
Getting clarity on cloud safety
LucidLink offers a cloud-based solution for accessing and editing large shared files. The platform is used by a variety of content-intensive sectors, including construction, architecture, media and entertainment. Most content production occurs via a hybrid of on-premises and cloud systems, with each environment requiring its own security approach.
“On-premises offers control but requires total responsibility for hardware and patches,” says Tom Holmes, media and entertainment workflow consultant at LucidLink. “Cloud solutions provide ‘shared responsibility’, where the provider secures the infrastructure while the customer manages identity and access management, which is often more robust in a cloud environment.”
LucidLink’s security is based on a regime of zero-trust storage where security is baked into the file system – even the provider cannot access unencrypted data – as well as just-in-time (JIT) permissions, which use granular, time-bound access for sub folders rather than broad project access. The platform also has immutable audit trails that are real-time logs of who has accessed or modified a file.
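To make the just-in-time permission and audit-trail ideas concrete, here is an added illustration (not from the article and not LucidLink’s implementation): a time-bound grant scoped to a single sub folder, with every decision written to a hash-chained log so that later edits are detectable. The class names, users, paths and timestamps are constructed for the example.

```python
import hashlib, json
from pathlib import PurePosixPath
GENESIS = "0" * 64

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: tamper-evident, a stand-in for 'immutable'."""
    def __init__(self):
        self.entries = []
    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

class JitAccess:
    """Grants are (user, sub folder, expiry); nothing is project-wide or permanent."""
    def __init__(self, log):
        self.grants, self.log = [], log
    def grant(self, user, folder, now, ttl):
        self.grants.append((user, PurePosixPath(folder), now + ttl))
        self.log.append({"t": now, "op": "grant", "user": user, "path": folder, "ttl": ttl})
    def check(self, user, path, now):
        target = PurePosixPath(path)
        # Reject '..': PurePosixPath does not resolve it, so grade/../edit would match grade/.
        safe = ".." not in target.parts
        allowed = safe and any(
            u == user and now < exp and (target == f or f in target.parents)
            for u, f, exp in self.grants)
        self.log.append({"t": now, "op": "read", "user": user, "path": path, "allowed": allowed})
        return allowed

def demo():
    log = AuditLog(); acl = JitAccess(log)
    acl.grant("colourist", "/show/ep1/grade", now=1000, ttl=3600)  # constructed values
    results = [acl.check("colourist", p, t) for p, t in [
        ("/show/ep1/grade/reel2.mov", 2000),          # inside grant, in window
        ("/show/ep1/edit/cut.mov", 2000),             # sibling folder
        ("/show/ep1/grade/../edit/cut.mov", 2000),    # traversal attempt
        ("/show/ep1/grade/reel2.mov", 5000)]]         # grant expired
    intact = log.verify()
    log.entries[2]["event"]["allowed"] = True         # simulated after-the-fact edit
    return results, intact, log.verify()
```

Only the first read is allowed, and the chain verifies until the third log entry is altered, after which verification fails.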
But none of these tech solutions are workable unless teams are aware of the potential threats and the best practice for keeping content safe. AI has scaled the ability to conduct cyberattacks, with everyone a potential victim of personalised phishing or deepfake audio. Demanding deadlines can force teams to cut corners, whether through abandoning protocol or employing ‘shadow IT’ – tools or consumer apps, including AI, not approved by production.
“People, not technology, are often the weak link. We recommend a ‘no-blame’ culture for reporting suspicious activity and contextual training during on-set ‘Safety Minutes’. The best security is frictionless; if secure storage like LucidLink feels like a local drive, users won’t seek unsecure workarounds.”
There’s often an anxiety that creativity and security clash, that greater care for security and procedure hobbles the creative process. But security should add to freedom and creativity. After all, if security ends up harming the production, it’s not really security.
“Production must take place in a highly secure environment and security should not interfere with the creative process,” says MovieLabs’ Stephens. “Often that becomes a zero-sum game – but it shouldn’t be. It is possible to do both. If people working on a production understand how necessary the security is, and the people managing the security understand that the creative process doesn’t have the same characteristics as a corporate environment, we can get a long way to securing production.”
This article appears in the April/May 2026 issue of Definition

