Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Digital rights management protection: The next level of data security

Digital rights management technology not only protects and controls electronically distributed data, but also is a flexible enterprise solution that can lessen security breaches.

Nintendo's Casey Pelkey knew he had a hit -- albeit one that would never hit the shelves -- when employees started buzzing about Nsite, the company intranet launched last fall. But while Mario Bros. may be all fun and games in your living room, Nintendo of America is all business when it comes to protecting proprietary images -- including screen shots from unreleased titles.

When the game-system giant realized the risks inherent in sharing those images across its intranet, it sought a digital rights management (DRM) solution.

"We were most impressed on what IP [intellectual property] theft cost in the long run. It was a concern from the get-go, as it's one of those things you don't really understand until it happens," says Pelkey, corporate communications manager and former game development project manager, who played a lead role on the intranet/DRM implementations. "What we share internally is something you can't figure the cost of, and so it needs to be protected."

Protecting data in storage and transit is no longer enough. The ability to share content with employees, partners and customers using Web-based applications on intranets, extranets and the Internet requires that protection travel with documents. Sharing digital content for business collaboration -- such as merger and acquisition plans, employee data or documents outlining the next product line -- requires the kind of granular and flexible control that only DRM can offer.

In addition to protected internal and external workflow, DRM may become the technology that drives the selling and leasing of electronic content, from videos and music to newsletters and e-books. Health care organizations and financial institutions may turn to DRM to meet the stringent data protection regulations imposed by legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).

The range of DRM products fits the missions. For example, Nintendo's choice, Alchemedia Technologies' Mirage 3.0, is designed to control operational use of documents by employees and partners, as well as prevent theft or unauthorized sharing of proprietary documents, financial information, medical records, etc. Authentica's (www.authentica.com ) PageRecall and NetRecall perform a similar function for documents and dynamically created Web content. Sealed- Media can be applied to the same market, but is heavily focused on the selling and distribution of electronic consumer content, such as e-newsletters and e-books.

A New Level of Protection

DRM provides control over content-controlled access, controlled use and controlled distribution -- throughout its life cycle with what is sometimes called persistent information protection (PIP).

DRM technology secures content, such as HTML, PDF and MP3 files, by creating a digital wrapper. The wrapper includes the encryption algorithm that's used to decrypt the information, as well as access control, requiring the user to provide a password or digital certificate to retrieve a decryption key from a specialized server.

The server can also track usage and provide information for billing or other systems, depending on the business model.

With DRM, the content can be locked forever or limited to a one-time short peek. DRM can prevent content duplication via screen captures, forwarding or printing. Some DRM applications can even recall e-mail or files, pulling them completely out of a user's reach. It all depends on rules assigned by the content owner.

"The business need of DRM is controlling the distribution of electronic media," says Larry Tunks, CIO of Congressional Quarterly, which adopted DRM technology to secure the launch of an electronic version of its CQ Daily Monitor. "We had to make sure the digital format couldn't be passed along to everyone in the world."

Don't Play Around With Security

Redmond, Wash.-based Nintendo of America was in the midst of building a new intranet last year when consultants warned the project team about inherent security risks -- such as intellectual property theft.

Studies indicate that information theft -- most of it by insiders -- represents an increasing percentage of security breaches. That caught the attention of the wholly owned subsidiary of Japanese parent Nintendo Co. Ltd., which produces Game Boy, the world's top-selling handheld gaming system.

"We were not worried about employees, as most times when breaches happen, it's a pure accident," says Nintendo's Pelkey. "But an image just has to hit one wrong spot before it becomes a problem, and there's no way to calculate the damage that could be done."

But the intranet project was critical for improving Nintendo's internal communications -- giving groups easy access to information about product lines, internal events, form processing and other insider info. Before Nsite, internal corporate communications had a bad reputation, relying on e-mails for which employees had little patience.

"There were so many e-mails that people called them 'internal spam,'" recalls Pelkey.

The intranet team didn't want a DRM product requiring a lot of plug-ins, or one that would impede intranet use by making access to content too difficult.

"We wanted a nice, simple enterprise solution, as we use a traditional routing system with most of our files," explains Pelkey. "Our expectations [of technology] only went so far, because if we have to worry about serious breaches, then that's an indication we have a real problem internally -- a problem that likely can't be solved with a technology application."

Nintendo's intranet team looked at a number of potential solutions, test driving each application, doing their best to break the security. Only Alchemedia Technologies' Mirage Enterprise 3.0 withstood their attempts to crack it, he says Mirage prevents copying, saving, printing, e-mailing and capturing of PDF files and information displayed via browser-based applications. It lets users view and collaborate on documents, while specified data is controlled by role-based rules that dictate and audit user access.

A screenshot of Alchemedia's Mirage Server administrator panel
The administrator panel in Alchemedia's Mirage Server allows admins to create and modify protection rules for static and dynamic Web content. Under the Rules tab, the admin can choose whether to allow printing or local copies. Full protection of a document means no printing or local copies are permitted.

Protection Is No Mirage

Mirage protects Web content created with any tool that formats data for Web applications in text, HTML, GIF, JPEG or PDF. It includes two components, the Mirage Server and the Mirage Client. Mirage 3.1, scheduled to be released this month, extends protection to MS Word and Excel documents as well.

Mirage Server is installed on a Web server -- IIS, Apache or iPlanet -- where its Interceptor module snags browser requests for documents. If the document is unprotected, the Web server handles it normally. If it is protected, the request is passed to the Document Processor module, which determines the protection rules, encrypts the data and sends the document to the browser. The Mirage Client intercepts the text or image before it's acquired by the browser, requests and receives the key from the server and decrypts the data, allowing it to be displayed.

What happens next depends on the protection settings recorded through the Mirage Server's Administrator. Through a browser-based interface, the admin determines the level of protection, including whether the entire document or selected portions will be protected. The self-installing client can be deployed using standard utilities (such as SMS), login script or remote access.

Pelkey says setting up protection wasn't difficult, especially since the rules for limiting the use of proprietary images were already in place. "We've always known what has to be protected," he says, "and it was very easy to set up templates [for protection settings]."

Mirage secures communication between Client and the Key Server component of Mirage Server with the PKCS#7 protocol, and encrypts documents using 128-bit AES.

If a user attempts to copy, print or e-mail content, all he'll get is ciphertext or the mocking eye of the Mirage logo. Pelkey says some of his more clever users thought they could break Mirage by screen capture or print screen, but the result was the same.

Integration went smoothly, though there were a few issues, Pelkey says. For example, Alchemedia hadn't fully tested Mirage and IBM's WebSphere application server. Nintendo's WebSphere server began overriding the Mirage server, preventing it from encrypting images. Alchemedia replicated the problem in its labs and was able to successfully integrate WebSphere.

Overall, "Response has been great, and viewership is growing," he says. "People have latched on to it as an internal gossip site. They say, 'Did you see that?' and 'Go check this out.'"

Nintendo, as well as each DRM adopter interviewed for this article, declined to reveal technology costs. But Pelkey says that the DRM price tag is small compared to potential damage costs.

"It's one of those things where we'd rather go home and sleep well, knowing our information is safe and the employees' information is safe," he says.

No Defined Market

The fact that Nintendo brought in DRM to secure just a small segment of its content isn't surprising, according to industry analysts. Most implementations have a limited scope.

"There isn't one specific segment or user base for DRM at this point," says Matthew Kovar, director of security solutions and services for Yankee Group, a Cambridge, Mass.-based technology research/consulting firm. Kovar recently authored a report that describes DRM as "the Holy Grail" for secure content delivery, providing a secure and highly flexible solution that other technologies can't match.

"[DRM] creates several new paradigms for retaining and capturing value where there were no means for doing so before," he writes.

Kovar says most organizations employ DRM to secure documents or intellectual property to meet federal regulations. In other early DRM scenarios, financial organizations are piloting the technology for 401K plan administration. Even the largest deployments are limited to just a few hundred users at this time.

The sticking points are integration and support. With some products, DRM software and support is required on both ends, and today's complex environments aren't easy planting grounds.

"That's the challenge; it needs to be supported," says Kovar. "The vendor has to dig in and determine the client's needs. They have to understand what the customer's processes are and latch onto that. It's a lot of up-front work." Kovar predicts that these requirements will lead DRM vendors into OEM partnerships.

"You can go through every industry and think of a transaction that might need [DRM]," he notes, "but the challenge has been for the infrastructure to support it and get it out there."

DRM Across the Enterprise

Despite the general trend of pilots and specific-use implementations, some organizations are planning to use DRM across their enterprises.

KPMG Consulting, which reported $2.9 billion in revenues last year, learned about Authentica's PageRecall and NetRecall products a few years ago, when Authentica sought KPMG to serve as a systems integrator. At the time, KPMG wasn't using DRM in-house and had no plans to do so. Instead, the firm relied on "fundamental" security approaches, such as employee agreements, access control measures and the "honor system."

But concern about staff turnover prompted KPMG to investigate better ways of securing data.

"We're an information-based business, and turnover brings a high probability of intellectual capital walking out the door, if it's not properly protected," says Bradley Schwartz, the group's executive vice president. The fact that KPMG is a newly christened public company also came into play. "There's a greater sensitivity about transmitting data," he says.

Like many DRM systems, Authentica's tools encrypt source files and include a server to manage encryption and decryption keys. They also require a client plug-in. With NetRecall, users can recall and expire online content at any time -- even if recipients have forwarded, printed or copied the document. Authentica calls its products "Active Rights Management" technologies. Schwartz describes Authentica as an "overlay" of extra protection for data accessed by the group's 10,000 employees, most of whom are constantly on are the road.

KPMG Consulting already had several layers of information security in place. What they didn't have was the ability to dynamically change content access or security levels on the fly.

"With all we had, we didn't have a way to dynamically manage it -- to change user policy or change access privileges," Schwartz explains. "If I sent out financial statements via e-mail for review, I had to ask recipients to delete it after giving their comments, but I had no guarantee or assurances it would be done."

With PageRecall 3.0 and NetRecall 3.0 (Authentica released the latest versions last December), users can create a document access "time window," which maps out privileges such as the number of access times and actions such as printing and forwarding. KPMG doesn't plan to use Authentica's third product, Mail-Recall, which applies similar protection to e-mail.

A screenshot of Authentica's PageRegall DRM system
In the distributed authoring model of Authentica's PageRecall, the Acrobat plug-in allows content owners to set policy on document usage, including who has access, printing, copy/selection, and time/date restrictions. The Batch Registration component can be used to encrypt directories of documents. For centralized authoring, the Policy Server API allows integration with third-party document management systems.

The Authentica Wrapper

PageRecall limits what users can do with PDF documents, while NetRecall protects both static and dynamic content generated for the Web. In either case, the controller is the Authentica Recall Server, which stores protection policies, distributes keys, manages client connections and logs all activities. The server supports Windows NT/2000 and Sun Solaris 2.6/2.7.

The server encrypts documents with RSA's RC4 algorithm. Client-server communication is secured via a TripleDES SSL session, which can also be used to protect remote admin management. As with Mirage, NetRecall allows sysadmins to create policy templates that authorized admins/users can apply to content.

On the client side, PageRecall uses an Adobe Acrobat plug-in. The NetRecall Secure Viewer, available as a browser plug-in for IE or Netscape Navigator, can be automatically installed when the user attempts to view a Web page.

Both products offer great flexibility for who determines document protection and how.With the Acrobat plug-in, authorized users can determine protection features and register them with the Recall Server. A Batch Registration component allows an admin or user to encrypt directories of documents and register them with the server. Finally, the Batch Registration function and the Recall Server allow organizations to integrate PageRecall with document management systems, such as Documentum (www.documentum.com), for centralized management of document protection (Authentica announced NetRecall for Documentum 4i Web Content Management Edition in January).

Individual document pages can have different document policies. If policy allows, an encrypted document can be read offline from the server, with protection policy still enforced.

NetRecall can support both static and dynamic Web content. The NetRecall Content manager allows users to statically encrypt Web files and directories. The Dynamic Protection Module enables content to be dynamically encrypted as it's being served from the Web server. Only Microsoft's IIS is currently supported.

Roll-out and Beyond

KPMG rolled out both tools last October to several internal business groups, including general counsel and finance. It's phasing it in with project teams that work with sensitive client information, and plans to implement it across the entire enterprise at some point. The firm is also considering extending DRM to work with partners and clients.

"It's like any new technology introduction. While we believe there are some great advantages, we wanted to make sure we took an incremental approach, realize the benefits and then roll it and scale it," explains Schwartz.

A key integration requirement for KPMG is compatibility with its Microsoft Exchange environment and intranet infrastructure. Though DRM is an overlay, organizations have to take integration issues into account, warns Schwartz.

"DRM is something you debate about, and then once you have it, you'll say I can't believe I got along without it," he explains. "The reality is that you know you have highly sensitive data, and that if it ever got in the wrong hands, there would be an impact. And it's hard to quantify what that impact would mean in dollars."

He hopes that DRM eventually will be embedded into infrastructure applications, either at the switch level or with knowledge management solutions.

"Much like in the middleware environment, in the EAI [enterprise application integration]," says Schwartz, "we're now starting to see a lot more of the application software products being embedded in the synchronization and exchange communications, and in messaging. It will be the same with DRM."

About the author:
Judy Mottl is a regular contributor to Information Security based in New York. She has contributed to several technology publications, including Information Week, InternetWeek, TechWeb, techies.com and Tech Republic.

This was last published in March 2002

Dig Deeper on Data security technology and strategy