Managing digital content
In light of the 21st century data explosion, the need to
protect information and manage access to it becomes critical. To take care of
data security and authentication needs, companies are relying on digital rights
management (DRM) solutions.
Digital rights management (DRM) is not just an obsession of the music and film
industries. Any company that needs to protect digital files from theft and malice
and ensure data integrity and control must consider adopting DRM. Banks and
financial institutions open accounts and maintain account profiles for investors.
Medical facilities hold health records of patients. Insurance companies gather
information and underwrite policies, and lawyers draft memoranda and letters
for clients. Should this confidential content fall into the wrong hands, customers
will walk. Should competitors get access to it, the damage could be long lasting
and severe.
What is DRM?
DRM is a system that protects the copyrights of digital content that is distributed
online. It can also include software that handles the accounting for paying
royalties to authors. In the music business, a DRM system provides a container
format that includes album and track titles and a set of rules that enforce
copyright compliance. Software and hardware media players must support this
format in order to play back the material.
Traditional methods for securing networks don't cut it anymore. Firewalls
can limit external attacks and VPNs can conduct data safely between the server
and the workstation, but neither can protect data once it hits the user's
desktop. Furthermore, protection is not everything. Security must be balanced
against other desirable features such as openness and efficiency. Enterprise
DRM, unlike other security mechanisms that protect data at rest or in transit,
protects data while it's live: in an application, on a desktop, or
as it is being used. It accompanies protected files wherever they go and enforces
administrator-defined policies, including who can read what; whether content
can be printed, copied, or e-mailed; and even how long a particular user can
view a file. Enterprise DRM applies authentication and access controls, creates
audit trails, and encrypts and decrypts data locally. With a click of a button,
master controllers can revoke access and turn information into unintelligible
cipher text no matter where the file is or who has it.
Inside DRM
Enterprise DRM solutions let copyright holders create policies to control information
in various ways, such as restricting the printing, copying, or forwarding of
content; defining which users or groups can access protected information; enforcing
local encryption and authentication; and controlling the expiration and revocation
of access rights. Policies are created by administrators or information owners.
The information owner registers the policy with a master server, and users check
in with that server to download policies and decryption keys.
An important feature of enterprise rights management is the ability to revoke
rights to protected content. Solutions that are on the market today follow one
of two models. The first approach requires users to connect to a master server
each and every time they access the protected content. Rights and permissions
can be changed at whim, making it easy to lock out a user who leaves the company.
DRM player Authentica follows this model.
The second approach, favoured by Microsoft, lets information owners set rights.
Once set, those rights travel with the information wherever it goes. Users do
not have to connect back to a master server each time they use protected content.
This allows for greater user mobility and offline access, but administrators
lose the ability to revoke rights dynamically.
DRM company Liquid Machines' solution straddles these two approaches, balancing
offline access with mechanisms for stricter policy control. Although products
from Authentica, Liquid Machines, and Microsoft typify the offerings in the
enterprise rights management market, they are by no means the only choices available.
Other companies such as Sealed Media, Finjan Software, Atabok, Probix, PSS Systems,
and IBM also offer strong solutions.
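The revocation trade-off between the two models can be seen in a small simulation. This is an added example, not code from the article or from any vendor named in it: the `MasterServer` class, the `allowed` and `simulate` functions, the timestamps and the user are all hypothetical, and the "hybrid" lease (a cached licence that must be refreshed within a fixed offline period) is an assumed way of sitting between the two models, not a description of any product.

```python
class MasterServer:
    """Master server holding the registered policy (hypothetical, for illustration)."""
    def __init__(self, rights, expires_at):
        self.rights = rights            # user -> set of permitted actions
        self.expires_at = expires_at    # time after which nobody may open the file
        self.audit = []                 # audit trail: (time, user, action, decision)

    def revoke(self, user):
        self.rights.pop(user, None)

    def decide(self, user, action, now):
        ok = now < self.expires_at and action in self.rights.get(user, set())
        self.audit.append((now, user, action, ok))
        return ok

    def issue(self, user, now):
        """Client-side copy of the policy, as it would travel with the file."""
        return {"rights": set(self.rights.get(user, set())),
                "expires_at": self.expires_at, "fetched": now}


def allowed(model, server, cache, user, action, now, online, lease=10):
    if model == "online":
        # Every access asks the master server; unreachable server means no access.
        return online and server.decide(user, action, now)
    if model == "hybrid":
        if online:
            cache.update(server.issue(user, now))   # refresh the cached licence
        elif now - cache["fetched"] > lease:
            return False                            # offline longer than the lease
    # "offline" model (and hybrid within its lease): only the local copy is consulted.
    return now < cache["expires_at"] and action in cache["rights"]


def simulate(model):
    """Constructed scenario: alice may view and print; the owner revokes her at t=10."""
    server = MasterServer({"alice": {"view", "print"}}, expires_at=100)
    cache = server.issue("alice", now=0)
    results = [allowed(model, server, cache, "alice", "view", 5, online=True)]
    server.revoke("alice")
    for now, online in [(12, False), (20, False), (21, True)]:
        results.append(allowed(model, server, cache, "alice", "view", now, online))
    return results


if __name__ == "__main__":
    for m in ("online", "offline", "hybrid"):
        print(m, simulate(m))
```

Each list holds the decisions at t=5 (online), t=12 and t=20 (offline) and t=21 (online again). In this sketch only the server-checked paths write to the audit trail, so the offline model also leaves the owner with no record of use after the file leaves.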
DRM standards and selection
DRM systems distribute assets and enforce permissions or rights attached to
content by using metadata to identify content, owners, consumers, and the usage
terms or rights associated with content. Using metadata, owners can control
and fine-tune what end-users can do with content. The metadata is usually stored
in the headers of an XML document or other digital content format or embedded
in the digital content itself by means of watermarking. Dozens of metadata standards
are in place to describe content; some examples are ONIX (Online Information
Exchange) and RDF (Resource Description Framework). There are also industry
standards to specify and manage rights and conditions associated with digital
content: XrML (Extensible Rights Markup Language) and ODRL (Open Digital
Rights Language). These two standards, both based on XML, enable some level
of interoperability in the rights management arena.
XrML describes rights associated with digital content and services. Created
at the Palo Alto Research Centre (PARC), the patents associated with XrML are
now owned by ContentGuard, a commercial spin-off. Although currently controlled
by ContentGuard, the responsibility for XrML standards and development is being
transferred to the OASIS Rights Language Technical Committee, an industry group
that includes active participants IBM, Hewlett-Packard, Microsoft, VeriSign
and Xerox. Microsoft's Windows Rights Management solution uses XrML to
describe the rights associated with protected content.
The Open Digital Rights Language (ODRL) specification supports
an extensible language and vocabulary (data dictionary) for determining permissions,
constraints, requirements, conditions, and offers and agreements with rights
holders. ODRL is intended to provide flexible and interoperable mechanisms to
support the use of digital resources in publishing, distributing and using digital
media across sectors including publishing, education, entertainment, mobile
communications and software. It also supports protected digital content and
honours the rights, conditions and fees specified for digital content. Today
ODRL has been accepted by the Open Mobile Alliance (formerly the WAP Forum)
as the rights expression language for mobile content.
ODRL is an open-source language with no licensing requirements. It utilises
two XML schemas. One schema defines the Expression Language elements and constructs;
the other defines the data dictionary elements. ODRL is extensible in that additional
semantics (a new data dictionary XML schema) can be simply added to extend the
existing ODRL semantics or add new semantics.
Choosing DRM
DRM can be overkill sometimes. For one thing, the type of content your company
generates and distributes may not warrant a full-blown DRM solution. If your
company does not generate many sensitive documents and you are under no corporate
or legal duty to maintain their security or privacy, you may decide to avoid
DRM. Or you may have adequate security with attentive administrators who guard
access to your networks and file systems down to the folder level and keep user
databases current. You might have an enterprise-content management or document-management
system that limits file access. So, before you leap into DRM, evaluate the sensitivity
of your data and the extent of current controls.
Before you consider DRM, get to know the technologies and evaluate them in light
of the security risks that your content faces. Be aware that DRM products are
proprietary and that standards are not mature, so you might end up with a product
that does not suit your requirements.
This article first appeared in Asia Computer Weekly
Source: Tech Web