Motion Picture Association (MPA)

MPA overview

The Motion Picture Association (MPA) provides content protection best practices and control frameworks to help major studio partners and vendors design infrastructure and solutions to ensure the security of digital film assets.

The Trusted Partner Network (TPN) is a joint venture between the MPA and the Content Delivery & Security Association (CDSA), the worldwide leaders in third-party entertainment industry assessments. Both the MPA and CDSA have ceased their individual security assessment programs to focus on managing and developing the TPN program and TPN annual assessments. Past audits or assessments will remain valid for the period originally indicated but will not be renewable within their individual programs. For both the MPA and CDSA, the primary focus is to provide a unified assessment program through the TPN. The TPN has been developed to help the industry improve content security, simplify assessments, and enable content owners to gauge their level of conformance to the MPA content security best practices.

The MPA continues to maintain and update their content security best practices. The TPN assessment does not provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA content security best practices.

Azure and MPA

In February 2016, Microsoft Azure became the first hyper-scale, multi-tenant cloud services platform to successfully complete a formal assessment by independent MPA auditors, and comply with all three of the MPA content security best practices frameworks: Common, Application, and Cloud Security Guidelines.

The MPA assessment covers 48 security topics in the Common Guidelines and an additional six in the Application and Cloud Security Guidelines. These topics are built on industry-accepted security standards such as ISO/IEC 27001 and NIST SP 800-53, and are aligned to industry best practices, such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).

The formal assessment of Azure compliance means that companies who do business with major studios can use Azure to help reduce the IT costs that are normally associated with the secure creation, management, storage, and distribution of content while complying with MPA requirements. Azure Media Services, Storage, Virtual Network, and more than 30 other services provide a content workflow engine in the cloud that customers can use to build secure and scalable production processes while protecting media assets downstream.

Azure has released guidance documentation to help you implement your solutions that meet MPA security best practices. For additional customer assistance, Microsoft provides Azure Blueprints, which is a service that helps you deploy and update cloud environments in a repeatable manner using composable artifacts such as Azure Resource Manager templates to provision resources, role-based access controls, and policies. Resources provisioned through Azure Blueprints adhere to an organization’s standards, patterns, and compliance requirements. The overarching goal of Azure Blueprints is to help automate compliance and cybersecurity risk management in cloud environments. To help you deploy a core set of policies for any Azure-based architecture that requires adherence to media security best practices, Azure has released the Azure Blueprint for Media. When assigned to an architecture, resources are evaluated by Azure Policy for compliance with assigned policy definitions.

Guidance documents

You can download the following guidance documents from the Service Trust Portal Data Protection Resources - Compliance Guides section:

Additional guidance documents are available:

Frequently asked questions

Why are the MPA best practices important?
Content security is critical for feature film development, as there are multiple points along the workflow where digital assets could be compromised or stolen. Dailies, rough cuts, and visual effects are just some of the materials exposed during a normal production cycle, and the box office impact of a security breach on a blockbuster project can reach tens of millions of dollars.

MPA guidelines provide major studio vendors and partners with a set of best practices for creating, processing, storing, and distributing digital assets. Cloud service platforms such as Azure can provide an additional layer of assurance that content uploaded to the cloud will be managed in accordance with established industry requirements for encryption, authentication, access control, resiliency, and others.

Does my organization still need to undergo a TPN assessment, or can we rely on Azure MPA assessments?
Production facilities, visual effects houses, and other service partners should work with their executive producers and directors to understand the new security requirements, including the annual TPN assessment. You can hire a qualified TPN assessor and then manage your assessment process using the secure online platform. The TPN assessment does not provide a “pass/fail” grade, certification, or rating. It provides an assessment of a facility’s security preparedness for conformance with the MPA content security best practices. If an assessment indicates non-conformance with a security best practices control, you can validate remediation via a follow-up assessment or furnish your own evidence of remediation to the TPN.

Compliance with MPA content protection best practices is voluntary - MPA does not provide an accreditation program. Best practices outline security expectations and provide a framework for assessing facility's ability to protect content. Microsoft elected to carry out an independent MPA assessment so that you can be confident in the content security and protection capabilities of Azure. However, Microsoft does not inspect, approve, or manage your applications deployed on Azure. You are wholly responsible for ensuring your own compliance with all applicable laws and regulations.

Resources