Data rights management (DRM) is a technology aimed at controlling the use of digital content. DRM technology was originally invented by publishers to control media such as audio and video rights.
To design and implement data rights management within an organization, traditional security approaches such as access control and data classification have been used to protect data while on the LAN. When data moves out to the WAN, the use of secure transmission protocols and tunneling technologies has been deployed to offer additional protections. While these approaches do offer adequate protections in many cases, they are not foolproof, and they may not always scale to offer adequate protections for data in the cloud. As a result, one needs to consider adding additional layers of protection to their defense-in-depth architecture to ensure that data is protected while at rest, in motion, and in use across the cloud.
Rights management technologies use identity, context, and content attributes to automatically control document access and usage based on centrally managed policies that are enforced across server and endpoint applications.
The two main categories of DRM are:
- Consumer DRM: Aimed at controlling copying, execution, and alteration of media such as audio, video, and e-books. There is a variety of formats and standards for consumer DRM implementations focused on controlled one-way distribution—from the publisher to the consumer.
- Enterprise DRM: Focused on protecting enterprise assets such as documents and email through implementation of usage rights policies, enterprise DRM usually integrates into the business processes to control data sharing with partners or within the organization and may require integration with the company identity services or content management system.
Data Rights Management (DRM) Objectives
Data rights management (DRM) technology is also commonly referred to as information rights management (IRM) when implemented in the enterprise. DRM is not just the use of standard encryption technologies to provide confidentiality for data—it is much more. Here is a short list of some of its features and use cases:
DRM adds an extra layer of access controls on top of the data object or document. The access control list (ACL) determines who can open the document and what they can do with it, and provides granularity that flows down to printing, copying, saving, and similar options.
Because DRM contains ACLs and is embedded into the original file, DRM is agnostic to the location of the data, unlike other preventative controls that depend on file location. DRM protection will travel with the file and provide continuous protection.
DRM is useful for protecting sensitive organization content such as financial documents. However, it is not limited to only documents; DRM can be implemented to protect emails, web pages, database columns, and other data objects as well.
DRM is useful for setting up a baseline for the default information protection policy (for example, all documents created by a certain user at a certain location will receive a specific policy).
DRM Cloud Challenges
DRM requires that all users with data access have matching encryption keys. This requirement means strong identity infrastructure is a must when implementing DRM, and the identity infrastructure should expand to customers, partners, and any other organizations with which data is shared. Elements of a strong identity infrastructure to consider include:
DRM requires that each resource will be provisioned with an access policy. Each user accessing the resource will be provisioned with an account and keys. Provisions should be made securely and efficiently for the implementation to be successful. Automation of provisioning of DRM resource access policies can help in achieving that goal. Automated policy provision can be based on file location, keywords, or origin of the document.
Access to resources can be granted per user or according to user role, using a role-based access control (RBAC) model. Provisioning of users and roles should be integrated into DRM policies. In DRM most of the classification is either the user’s responsibility or is based on automated policy, so implementing the correct RBAC policy is crucial.
Identity infrastructure can be implemented by creating a single location where users are created and authenticated or by creating federation and trust between different repositories of user identity in different systems. Carefully consider the most appropriate method based on the security requirements of the data.
Most DRM implementations will force end users to install a local DRM agent either for key storage or for authenticating and retrieving the DRM content. This feature may limit certain implementations that involve external users and should be considered as part of the architecture planning prior to deployment.
When reading DRM-protected files, the reader software should be DRM aware. All readers could encounter compatibility issues and should be tested prior to deployment.
The challenges of DRM compatibility with different operating systems and different document readers increase when data needs to be read on mobile devices. The usage of mobile platforms and DRM should also be tested carefully.
DRM can integrate into other security controls such as DLP and document discovery tools, adding extra benefits.
Appropriate Capabilities
The following list illustrates key capabilities common to DRM solutions:
- Persistent protection
- Dynamic policy control
- Automatic expiration
- Continuous audit trail
- Support for existing authentication security infrastructure
- Mapping for repository access control lists (ACLs)
- Accessibility
- Integration with all third-party email filtering engines
- Prohibiting printing of an entire document or selected portions
- Disabling copy/paste and screen capture capabilities
- Watermarking pages if printing privileges are granted
- Expiring or revoking document access at any time
- Tracking all document activity through a complete audit trail