Digital Rights Management 2.0

Written by

There is nothing new about the need for digital rights management (DRM). However, what DRM tools are expected to achieve has changed over the last decade or so. DRM aims to limit what can be done with copyrighted and sensitive material by asserting access controls.

Such material has become more likely to be shared between organizations linked by online business processes. This usually involves various cloud storage platforms, as well as each organization’s internal systems.

Furthermore, access is required via an increasing multitude of end-user devices, a challenge for Microsoft, which many have turned to for DRM in the Windows-dominated past. The content involved is also more likely than ever to be the target of online theft by cyber-criminals, business competitors and/or nation states.

All this means DRM systems have had to become both more flexible in the way they support legitimate users and more secure when it comes to blocking illegitimate ones. The latter need has led to native encryption support appearing in DRM offerings, which leads to the additional complexity of encryption key management. DRM is also being linked with identity and access management (IAM) systems to help authenticate users and apply policy controls to their use of sensitive content.

There are two basic approaches to DRM:

  1. The document itself knows about access rights and maintains its own audit trail. If the rights change, a new version of the document is issued and old versions might be recalled; it is hard to keep track of what is going on across distributed communities of users. The advantage is that the document is usable wherever it ends up. This is the way older products such as WatchDox (now owned by BlackBerry) worked.
  2. The DRM system is based on a policy server. Here, wherever a document is, it refers back to the server, which asserts access rights and maintains audit trails, all changeable at any time. A drawback is that documents can only be manipulated if the user is online, although there are ways around this, and anyway, situations where users cannot get online are becoming rarer.
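As an added illustration that is not code from the page or from any vendor named on it, the following Python model sketches approach 2: the key never leaves the policy server unless the current policy allows it, every decision is written to a central audit trail, rights changes take effect at the next referral, and the "way around" being offline is a time-limited lease whose local activity log is synchronised back once the agent reconnects. The SHA-256 XOR keystream is a stand-in for real file encryption and is not a secure cipher; the `now` parameter exists only so the expiry behaviour can be exercised deterministically.

```python
import hashlib, os, time

def toy_cipher(data, key, doc_id):
    """Symmetric XOR with a SHA-256 counter keystream. Illustration only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + doc_id.encode() + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class PolicyServer:
    """Holds keys, rights and the audit trail; every document refers back here."""
    def __init__(self):
        self.keys, self.rights, self.audit = {}, {}, []
    def protect(self, doc_id, owner, plaintext):
        self.keys[doc_id] = os.urandom(32)            # key never ships with the file
        self.rights[doc_id] = {owner: {"view", "edit"}}
        return toy_cipher(plaintext, self.keys[doc_id], doc_id)  # ciphertext can go anywhere
    def set_rights(self, doc_id, user, rights):
        self.rights[doc_id][user] = set(rights)       # takes effect on the next referral
    def request(self, doc_id, user, right, offline_secs=0, now=None):
        now = time.time() if now is None else now
        ok = right in self.rights.get(doc_id, {}).get(user, set())
        self.audit.append((now, doc_id, user, right, ok))   # central audit trail
        if not ok:
            return None
        # Releasing the key is the access control; offline use is a lease that expires.
        return {"key": self.keys[doc_id], "right": right, "expires": now + offline_secs}

class Agent:
    """Endpoint agent: online it asks the server; offline it may use an unexpired lease."""
    def __init__(self, server, user):
        self.server, self.user, self.leases, self.local_log = server, user, {}, []
    def open(self, doc_id, ciphertext, right="view", online=True, offline_secs=0, now=None):
        now = time.time() if now is None else now
        lease = self.leases.get(doc_id)
        if online:
            lease = self.server.request(doc_id, self.user, right, offline_secs, now)
            if lease: self.leases[doc_id] = lease
            else: self.leases.pop(doc_id, None)       # revocation reaches the agent
        elif lease and lease["right"] == right and now < lease["expires"]:
            self.local_log.append((now, doc_id, self.user, right, True))  # synced later
        else:
            lease = None
        return toy_cipher(ciphertext, lease["key"], doc_id) if lease else None
    def sync_logs(self):
        """Back online: push offline activity into the server's audit trail."""
        self.server.audit.extend(self.local_log)
        self.local_log.clear()
```

Note that an agent which stays offline keeps its lease until expiry, which is exactly why a policy change cannot be guaranteed to reach it in real time.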

Quocirca reviewed the use of DRM policy servers in a 2014 report. The report was sponsored by Fasoo, a DRM tools vendor using a policy server approach. Fasoo Enterprise DRM (FED) is installed on-premises or can be hosted per customer on a cloud platform such as IBM SoftLayer or Amazon Web Services (AWS). It relies on user endpoints having agents installed to ensure referral back to the policy server.

Fasoo has therefore focussed on use cases where the use of an agent can be mandated such as participation in a given supply chain. FED does provide limited agentless support by allowing content to be rendered within a web browser. Fasoo supports file encryption via its eData Manager add on, so it is optional rather than innate. To date, Fasoo, which is based out of South Korea, has seen most success in Asia and the USA and is yet to really get going in Europe.

Another vendor, FinalCode, emerged from stealth mode two years ago and has innate encryption controls. Its product is provided as either a cloud service (SaaS) or an on-premises virtual appliance. In either case it also relies on an agent installed on the user endpoint. FinalCode has just announced version 5.11 of its product (September 2016). With this release, the cloud version, like the on-premises one, now puts encryption fully in the hands of the data controller using AWS’s Key Management Service (KMS). It has also enhanced IAM support around the SAML (Security Assertion Markup Language) standard and Microsoft Active Directory. FinalCode enables file owners to give specific viewers of files offline access, but does not recommend this, as real-time policy changes and audit logs will be disabled.

Quocirca first wrote about FinalCode in January 2016, where it was pointed out how advanced DRM products come closer to the need to implement a compliance oriented architecture than ever before.

Vera is an even newer kid on the block, having launched its product just over a year ago. It also has innate encryption. Initially only available as a cloud service, it now has an on-premises version too, with some customers using a hybrid approach: the policy engine in the cloud and an encryption key server on-premises. The biggest use case to date for Vera has been to support Microsoft Office 365 deployments, but it also supports other cloud stores, such as Box and Dropbox. For IAM it has partnerships with Ping Identity, Okta, Centrify and others. Access controls and encryption are applied using a file wrapper. Browser-based rendering allows read-only access without an agent, but for full editing capability an agent with specific file support is required. This also enables an offline mode which can be time limited, with activity logs synchronised later. Vera also features Dynamic Data Protection for specific file types, including usage stats and an audited chain of custody.

Two other products in this area are Ionic (“privacy enforced [with encryption] by your policy”) and Seclore (“the most advanced, automated and secure enterprise digital rights management”).

Increasing cloud use and cross-organizational interaction; greater mobility and device choice and evolving security, privacy and compliance requirements are leading to a shift in the way digital rights are managed. A new guard looks set to overrun the old order to provide the necessary support.