Evaluating digital rights management technology

By Joshua Duhl

Digital rights management (DRM) technology has emerged to protect and manage the intellectual property ownership, commerce and privacy rights of digital content creators and owners as their content travels through the value chain from creator to distributor to consumer, and from one user to another.

DRM enables greater control over the access, use and distribution of content. In an enterprise setting, it can be considered a security technology, complementary to firewalls and access control systems, which allows increased control of sensitive, confidential, private or proprietary information. DRM enables policy-based management for sharable content, controlling access and management of the company’s information after its receipt based on well defined policies.

As enterprises, content and information owners and service providers consider strategies for protecting their digital content--both for information shared within and between enterprises as well as for commercial content--DRM should be considered as an integral part of those strategies.

When considering DRM for an organization, a critical part of the selection decision is defining the criteria that represent the needs of the organization. Once a company determines where it fits in the content value chain--as an enterprise, a content or information owner, or a service provider--it needs to consider a number of general criteria, which are discussed below. Operational control

Trust and control are core issues. A DRM system encrypts information before its transmission and controls the opening of the encrypted package and activity on the file (print, edit, etc.) after receipt based on rights and permissions. The DRM system is integrated into an organization’s software infrastructure. A company that installs DRM uses the system to manage encrypted data, keys, information about the content and the users, and the flow of content. The organization needs to trust that the DRM vendor and system will support the company's business rules, policies and interests, and do so under the company's control.

That being said, DRM providers offer functionality in three forms: as a software platform, hosted service or application that includes DRM capabilities. Enterprises and content providers in particular have a choice to make among those three alternatives.

At issue for DRM, as for any security and infrastructure technology, is operational control. Companies must consider whether they want to implement and maintain or outsource their DRM infrastructure. That is often one of the first decisions. Operational control criteria to consider include the following:

• Is the need to maintain control of the system or infrastructure a primary priority? If so, a DRM vendor that offers software or an application is required.

• Does the company have the requisite skills to integrate, manage and maintain the DRM system? Is it a core competency? If it isn't, can the skills be learned or acquired? Outsourcing to a DRM service provider or a professional services organization with DRM experience for the implementation are strong alternatives.

• Does the company have the budget to install the DRM system? What is the total cost of ownership (TCO) for the DRM system?;

• Does the DRM system fit the needs? Does a hosted service offer additional services that more cost effectively fit the needs of the organization? Is custom development required to fit the needs?;

• For commercial use, can an economy of scale be realized? Does the company have high enough levels of content delivery or sharing that allow amortization of overall DRM system costs? ;

• How is digital content being delivered? Is it delivered on physical media (e.g., CD-ROM) or over a network? ;

• What is the time horizon for the company's implementation of DRM, or return on investment (ROI) for the DRM system? ;

• Does the DRM system allow for a company to make a smooth transition from an outsourced or hosted service to an internally managed one?;

Using a hosted DRM service may be easier and less costly than integrating a DRM application or platform with existing infrastructure. However, a hosted solution puts control over the system in another party's hands and may not be appropriate for many enterprises. A DRM software platform or application gives control to the enterprise or service provider. That's often a key choice.

Industrial strength

DRM protects the privacy or commercial value of digital intellectual property. Critical to that is whether the DRM technology is secure, reliable, scalable and widely deployed. Consider the following:

• Are standards-based cryptography algorithms (AES, DES, RSA and SHA-1, etc.) or proprietary algorithms being used? How strong are they? Can they be upgraded and replaced over time in case they are defeated? Can the DRM software on the devices or PCs be updated as well?;

• How are keys managed, distributed, authenticated, revoked and renewed? Can renewal be done without human intervention? What kinds of revocation are supported? ;

• What is the scope of the damage if a key is compromised?;

• What tamper-resistance mechanisms exist? ;

• Does the DRM system scale up to handle large numbers of users, pieces of content and devices? Can it scale up in modular increments or does it require a whole new system? What is the architecture being used? Is it peer-to-peer or client-server? Which components are needed to achieve the required scale?;

• Does the DRM system provide consistent capabilities across supported media types? Can it be extended to support other media types? ;

Flexibility

Content comes in a variety of types (video, audio, text, images) and in a variety of formats. As such it may need to be streamed, delivered as a file, or on physical media such as a CD or DVD. Depending on the company or application, it could be delivered to and accessible from a variety of devices, such as PCs, PDAs or mobile phones, which all run different operating systems.

Furthermore, a company may need to support multiple consumer and non-consumer business models for the delivery of content. Depending on the needs of the application, the following criteria may apply:

• Does the DRM work with all the kinds of content needed by the applications (e.g., documents, audio and video)? ;

• Is the DRM available across the range of devices and operating systems (e.g., PC, handheld and wireless mobile phone)? ;

• Does the DRM work with multiple file formats and codecs (MP3, REAL, Microsoft, PDF, etc.)? ;

• Does the DRM system support open codecs, or does it require the use of proprietary codecs? How important is that to the company?;

• Can it be used to control access to content delivered on physical media or any other distribution method (CD-ROM, DVD and Flash memory, for example)? ;

• Can the current and future range of required business models, expressed in rights and rules, be represented and implemented? ;

• Can additional applications be built using the DRM or is it restricted in its application or focus, such as music only or document only)?;

• How does the DRM system handle content sent between users in different organizations? What is required to do that?;

In general, those criteria are more important for service providers or content owners that aim to build commerce-oriented businesses. They can be equally important to enterprises whose needs for sharing protected content may evolve over time.

Note, however, that in order to enjoy some of those flexibility benefits, a DRM customer might need to spend time and money to tailor a DRM system to its application needs, technical infrastructure and business goals. Compatibility

DRM is an important content security technology, but it cannot function alone. To fully protect content, it must integrate with existing network infrastructures, both within a company and potentially with a partner's systems in the content value chain. Those include:

• Web servers and portals,

• database and content repositories,

• ERP systems,

• authorization and directory services,

• e-mail systems, and

• commerce and billing systems (for commercial content).

Standards also play a role in ensuring compatibility, enabling integration and facilitating widespread adoption across the value chain. While proprietary approaches are typical for products in an emerging market, DRM systems must embrace emerging standards for securing content (such encryption standards as AES, DES and RSA), defining rights and business rules (rights specification languages such as OeBF, XrML and XMCL), content identification (for example, DOI), describing what is contained within an encrypted file (metadata) and industry standards (OMA for use of DRM on mobile devices).

Furthermore, the DRM should be able to work with tamper-resistant, feature-disabling capabilities supported in standard formats and viewers (PDF, for instance). Therefore, compatibility criteria include the following:

• Does the DRM system easily integrate with a company's existing infrastructure and with that of its partners?

• Does the DRM system have an open architecture and APIs? Does the DRM support standards that enable interoperability and integration with required systems, such as databases, e-commerce systems or asset management systems (such as XML and ODBC)?

• How much effort, time and cost will the integration entail?

• What are the system requirements for the client and server products (operating system, hardware platform and third-party software)? Does it enable expansion to new hardware platforms and software systems as needs and infrastructures change?

• If the DRM system supports policy-based packaging of content, how easy is it to define new policies or work with existing systems (for example, LDAP or Active Directory)?

• Does it support the company's required file formats and content types? Can the DRM work with feature-disabling capabilities supported in standard formats and viewers (PDF) to further protect the content?

• Does the DRM support the required standards (e.g., content standards, communication standards and security standards)?

Business criteria

DRM is an emerging market. Like the early days of the Internet security market, a number of companies offer products, some of which may be small, but have very good technology. Business criteria is equally important when considering the selection of a DRM vendor. The following are some suggested criteria:

• Vendor viability. How has the company performed historically? A DRM provider's healthy corporate performance suggests good management and longevity, both of which are essential for delivering ongoing technical support to a DRM customer as its business grows and changes.

• Trust and control. Do you trust the DRM system vendor and its products to implement your business policies and models and give you the control you want? Do you trust the vendor to hold cryptographic keys to your information or have access to your transactional data? A DRM system deals with encrypting content and information and is typically integrated at an infrastructure level in an organization. Given this, trust in the vendor is essential.

• Price. How much does it cost to implement a DRM system? The total cost to acquire a DRM platform will include purchase, implementation and maintenance costs. Those costs should be carefully considered in terms of potential gains from implementing a DRM system or potential losses from not implementing it, such as lost revenues, market cap (stock price), competitive advantage, time to market or reputation. Note that while a low-cost system may fit a company's current needs, it may not scale as the business grows, and may actually necessitate the purchase of an entirely new system at a later date. Conversely, a high-cost system may include extra features that a company does not need.

• Return on investment. How substantial will the ROI be on a DRM platform, and how long will it take to recoup it? A company should consider not only whether there will be a return on its investment in a DRM platform but also the time frame in which its investment will be recouped. Since DRM is one component of a larger system, the ROI of the system must be evaluated, as well as that of the DRM.

Companies that plan to invest in a DRM solution should use these criteria to gauge their specific needs against the DRM products and services offered by the more than 20 DRM technology and application vendors currently in the market. A close evaluation is essential to ensure that the capabilities of the chosen system coincide as much as possible with the company's immediate and future goals.

The market for DRM continues to grow as content owners, device manufacturers, service providers and enterprises continue to build out the DRM infrastructure necessary to protect IP and develop content-based businesses.

For a DRM technology provider, the key to success is to meet the majority of the criteria for device manufacturers, enterprises and commerce applications. For a device manufacturer, the key is to partner with the DRM vendors that allow consumers the broadest access to content and utility of a device. For an enterprise or a service provider, the key is to partner with a DRM vendor that meets the fullest set of appropriate criteria.

Why use DRM?

While most enterprises have lost control over their information, few are willing to admit that it is really a problem. They're losing critical, sensitive information all the time, often through e-mail, but also through documents and files that are passed on deliberately or inadvertently from one person to the next. To date, few companies have implemented substantial controls to assess or restrict their electronic information flow. Leaked or ill-gotten information can cost a company in one of four measurable areas: revenue, market capitalization (or stock price), competitive advantage or reputation.

Within and between enterprises, digital rights management (DRM) can provide the means to control and track the distribution and post-receipt activity of sensitive documents and media. For example, it can be used to protect highly sensitive financial documents, memos and e-mail from being accessed by anyone other than intended management recipients, or only by those external personnel such as lawyers and auditors directly connected with the earnings preparation and dissemination workflow. Healthcare information is another example. Recently enacted Healthcare Information Portability and Accountability Act (HIPAA) legislation mandates the security and tracking of access to all patient records and healthcare-related information. DRM can facilitate both of those, and allow companies to disable access to data shared between an HMO and an external billing organization.

Impact on the user Digital rights management (DRM) is ultimately experienced by a user who is either protecting a piece of content or attempting to access, render or transfer a piece of content. Depending on whether the company is using DRM for commerce or for privacy, the criteria for the user impact will be different. Both criteria have consequences to the organization and its business goals:

• Is the packaging of content easy to do or transparent to the user?

• Can it be done automatically on the user’s behalf?

• Is the DRM transparent and easy to use (what user interface is shown)?

• What software is required on the client? How is it deployed to the client? Does it require a download? Does it work within a browser?

• How is the client or user authenticated? Is it reasonably transparent? Is it trustworthy? How is it implemented and what does it require from the user?

• What extra steps, if any, does the user need to take to access or view protected content (e.g., download extra files or click on dialog boxes)?

• How does the client enforce rights, rules and permissions?

• Does the DRM system enable portability of content? What devices are supported?

• How is the client software distributed (built into the operating system or applications or distributed from the vendor's Web site)?

• What does the user need in order to view protected content (a special viewer or a standard application)?

• Is the DRM easy to use and easy to teach how to use?

In all uses of DRM, it is important that the DRM system balances DRM transparency with security, making the DRM transparent and unobtrusive in normal use and appropriately visible when a rule violation occurs.

Competition and revenue-generation requirements in the consumer application of DRM mandate that the DRM be easy to use so that content owners and service providers can retain their customers and revenue models. Companies risk losing customers to other content offerings that are easier to access.

Enterprises considering DRM for privacy need the DRM to be both easy to use and easy to teach how to use. Enterprises seek to protect their intellectual property and their constituents' privacy (in healthcare, for example) and to maximize the value of the initial DRM infrastructure expenditure and utility of the application. Training is essential to teach users about how and when to use DRM when creating, sharing and accessing corporate information.

Joshua Duhl is research director, Rich Media at IDC (idc.com), e-mail jduhl@idc.com.