Managing digital rights

10 things you need to know about controlling corporate content.

Digital rights management is a hot topic in the entertainment business as record and movie companies try to figure out how to protect their content from piracy and mass distribution by way of file-sharing services such as Kazaa and Morpheus. But DRM does more than protect movies and music. It also can have a profound effect on the way corporate data is used and shared.

DRM is not necessarily a single product or service, but a means of extending corporate security to digital content that is easy to move around. The premise behind DRM is relatively simple: Users are given rights to a piece of content based on certain conditions (such as they can view it once, for a set period of time, or can use it only on a particular machine or device).

Data format. Various types of data (documents, spreadsheets, rich media) need to be secured in corporations. “[Organizations] should take inventory of those formats and make sure the technology that’s picked can cover all of them,” says Paul Rettig, director of digital media development at IBM. “You don’t want five or six different solutions to cover all the areas you need to protect.”

When thinking about what product, vendor or service to use in a DRM implementation, Rettig says it’s important that the ability to define rights is generic across all media types. With that said, there will always be some idiosyncrasies on how those rights are managed and implemented based on the delivery method and format. For instance, streaming media files could have a right that says whether they can be saved after they’re streamed or not, where a document can be read-only or read-write-print.

Puzzle pieces. Any DRM system put in place needs to be integrated with the existing enterprise infrastructure, including file management systems, databases, e-mail and Web servers.

“You’re going to need some sort of database if you’re going to be managing licenses and accounts. And if you’re going to issue passwords via e-mail, you’ll need an e-mail server to send users something,” says Ezra Davidson, co-founder and vice president of business development at SyncCast, a content delivery and DRM service provider. “Think about how you’re going to issue licenses and what type of server and complementary technology within your enterprise you may need. It’s like if you buy a new car, you still need the gas to run it.”

Support the user. Rettig says that like any type of security infrastructure, you need the right support to manage problems such as lost passwords or transitioning workers. When DRM locks a piece of content to a specific PC or person, what happens when a user gets a new PC or the worker takes a new position? The license needs to be moved to the machine or employee taking over the job task.

At Jane’s Information Group, a Alexandria, Va., company that publishes titles such as “Jane’s Fighting Ships,” offers access to its online library on an individual and corporate basis. Jane’s would like to be able to offer a single logon to an individual that also contains the rights that person’s employer might have paid for as well, says Lisa Koenigsberg, eServices manager at Jane’s.

“Part of the issue is someone has to manage it,” Koenigsberg says. “If you leave the company, Jane’s doesn’t know you’ve left, and you could still retain the company’s [access] rights even though you’re not there.”

Protect your keys. If using a third party to serve and authenticate licenses, it’s important to keep local copies of the user data in case something happens to the provider. “In the event the service provider goes away, you need to have a transition period to get access to data they have been collecting,” Davidson says. “Make sure to get data on cycle basis. If something happens, you can take your data to a new provider and quickly start issuing keys again.”

Partners outside the firewall. “Our biggest challenge is handling the people who are not employees of our company,” says Rebecca Burr, director of market analysis at chip maker Xilinx in San Jose. “We’re not as aware of what’s happening [securitywise] at our partners.”

Xilinx is in the process of rolling out Authentica’s PageRecall DRM product to help distribute the company’s price books (the Holy Grail of the company’s operations) using the Secure PDF format. DRM helps ensure the books are used for their intended purpose and not easily distributed to competitors. For assets distributed outside the firewall, the protected content will have to be authenticated more frequently than it would for someone using the price book internally.

Remote users. For traveling workers not connected to a network, there should be a policy implemented with some requirement to “phone home” to check the permissions that let users work offline on the local desktop. “One can go on a trip off network and take a key,” says Victor DeMarines, director of marketing at Authentica. “First, you take a snapshot of the user’s system that’s accessing the document or content, then download that content to the computer and bind it to the machine so that the DRM policy remains in force.”

Mobile devices. If your corporation deals with distributing content to mobile devices such as cell phones, PDAs or BlackBerrys, you need to be able to recognize the capabilities of the device to ensure the restrictions that DRM is placing on content, Rettig says. For instance, if it’s a device with no date/time feature, then it cannot track time-based expiration restrictions. If the device cannot help support the restrictions, the content should not be able to reside on it.

Don’t get in the way. On the delivery and management end it’s important to integrate with existing systems and workflows, and the same can be said for the way end users consume data. Jane’s provides access to its libraries via a standard Web browser, making it easy to cut-and-paste and print-and-carry the data and use it for source material in a research project. “Our customers use us as a research tool,” Koenigsberg says. “Look at the media, how many times over the last year have you seen CNN quote a piece of text from Jane’s? We give them the ability to retrieve the information themselves.”

Xilinx’s Secure PDF files are tagged and can “report” back whenever they’re opened, forwarded or transferred, so the company always knows who is doing what. Also, pages that are printed have a unique watermark based on the recipient’s identity, so if they are distributed, they are easily tracked to the original recipient, Burr says.

Change on the fly. One benefit of DRM is that it can let content owners change the rights and conditions of a given license on the fly. Burr says when a new price book becomes available, the DRM technology being rolled out will be able revoke the keys to old price books, rendering them useless. This keeps outdated material from accidentally being used or maliciously distributed, says Jonathan Lewin, founder and CTO of eMeta, a software company that makes content distribution tools.

Standards on the horizon. DRM products and services now are typically proprietary offerings that do not interoperate well beyond the content they control. For instance, the DRM technology embedded in Microsoft’s Windows Media Technology supports only the Windows Media Format and not competing formats such as Real and Quicktime. But a number of groups are looking to standardize how DRM rights are defined and how different pieces of the puzzle can operate.

One specification that could gain considerable momentum is coming out of ISO’s MPEG-21 committee. MPEG-21 is a framework for delivering and using multimedia services across a variety of devices. One of the major underpinnings of the specification is the Rights Expression Language, based on the Extensible Rights Markup Language developed by ContentGuard, which will provide a standard way of describing rights and methods of any object.

“Because MPEG deals with rich media, its [DRM piece] will be able to handle all media types,” says Bruce Gitlin, vice president of business development at ContentGuard, a Xerox spinoff that licenses DRM patents and tools.