Sealed and Delivered...Keeping content safe is a big job and everyone has to do it

Page 2 of 2

Culture Shift
In order to get a grip on content security, there's a systemic problem that needs to be solved, says Bill Rosenblatt, president of Giant Steps Media Technology Strategies. Most of the time, he says, content security is determined at the product level, instead of at the enterprise level. "In many content businesses," says Rosenblatt, "you have a chasm between the corporate IT security people and those who are in charge of figuring out strategies for anti-piracy. But, to put together a coherent policy for content, they have to cooperate."

There are cultural and operational reasons for this divide, he says. The execs in product divisions see IT folk as handling back office functions and don't want them getting involved in decisions that affect their bottom line. CIOs and CTOs tend to focus on infrastructure and systems and policies that affect the entire enterprise; they may not have the necessary expertise in content-specific technologies. "The obvious solution," Rosenblatt says, "is to hire and develop IT people who have the knowledge and affinity for content products, and to get them involved in product planning and production. This is a major, systemic problem that the media industry needs to solve."

The Tactics
Content security depends on a complicated skein of permissions, controls, and management tools—and often the products of several vendors. Good content management can be evaluated like a good newspaper article: It tells who, what, where, when, and how.

Who: The pivotal concern is access control, the "who" of content security. It's one of the most important for enterprise content, keeping that snoopy manager from prowling the HR files, and making sure employees don't get a hint of that upcoming merger until the Communications Department is ready with the press release.

The first line of defense is the familiar user authentication—the password—sometimes backed up by a hardware key such as a smart card or dongle. Passwords can, of course, be hacked, guessed, or simply passed along. They also can be difficult to manage for larger enterprises. More advanced access control products let the administrator define access based on role rather than individual: Let all employees read reports on the intranet, but only let upper managers upload reports. For example, a multi-national consulting firm might want to let personnel in local offices update their specific areas of the corporate customer-facing site, while making sure that they can't by mistake screw up another branch's info.

What: Secure content delivery is important whether the content is paid or free, going to customers, partners, or employees. Whether it's streamed or downloaded, the company should be able to make sure that the stream isn't accessed or corrupted. Content may be pre-encrypted or encrypted on-the-fly; the recipient may be sent an encryption key with the file or have client software that automatically decrypts files.

Where: Better still is the ability to define what the recipient can do with the content after it reaches the desktop. Some digital rights management applications force the user to log onto the Internet to access the content on a server; this tactic makes it more difficult for customers and could create a barrier to sales or make employees less productive. Some products "wrap" the content in an unbreakable bubble so that it can, for example, be used freely within the desktop environment to which it was downloaded, but can't be copied or forwarded.

When: Often a company must work with outside professionals to complete a project, especially in entertainment, music, and advertising. This content can be extremely high value—and extremely stealable. For example, the TV show American Idol needed to get out singles by the winners in just nine days. RCA Records had to move the digital audio tracks over the public Internet among production and post-production facilities. To make sure no one leaked the tracks, it used a secure collaborative work environment from DMOD.

Some secure collaborative environments let the content owner revoke permissions and "shred" content; they may also show the history of the transaction, so that the owner has proof that the content was delivered, sees whether it was opened, and has a record of when alterations were made.

How: When there are collaborators, there are agreements, often a welter of permissions, licenses, and limitations. Managing contractual obligations is often a scram- ble, says content consultant Rosenblatt. Conditions can include embargo dates, geographic area of distribution, foreign language translations, restrictions on reformatting, and time limits. Unfortunately, says Rosenblatt, "most vendor solutions can only take you so far."

Too bad, but not surprising. As in any other area of IT, it's rare that any one content security solution will go the distance with your content. Security must be evaluated within the framework of the entire content life cycle. With digital information becoming the standard, every company is an econtent company, and they must be prepared to go the distance.

Sidebar: Leaky Content
Some Spectacular Security Gaffes

December 2002
 A West Virginia man pleads guilty to importing and selling 450 "mod chips" designed to allow the playing of pirated games on the Microsoft Xbox console.

February 2003
A University of Texas student uses an automated program to get the Social Security numbers of 55,000 former and current students and faculty members at the Austin school. According to Information Week, the university's vice president of IT says, "Shame on us for leaving the door open."

Visa, Mastercard, and American Express reveal that a cracker accessed the records of up to 2.2 million accounts.

March 2003
The Sacramento Bee reports that California State University's computer system has a long-standing flaw that lets users view personal information including Social Security numbers.

April 2003
In its quarterly report, security specialist Internet Security Systems reports an increase of over 867 percent in "security events" in the past three months.

Security researcher Berend-Jan Wever announces a flaw in SETI@home, the screensaver software that lets individuals harness their computers to help search for extraterrestrial life. His advisory says that a bug in the SETI server software would allow a hacker to exploit millions of personal and business computers.

Sidebar: Security Scares Create Market Boom

Business is ready to spend on security, according to information security firm Aladdin. In a survey of IT professionals it conducted in November 2002, 67 percent of respondents said their companies plan to increase security spending this year. They'll have plenty of options, including these content-focused products:

Access and Permissions Management
Lets the content owner choose who can access content while setting parameters such as length of access, ability to forward, ability to alter. Products include License Server, Sealer, and Unsealer from SealedMedia; Privilege from Aladdin Knowledge Systems; CypherCast by Irdeto Access (for broadband and broadcast as well as IP networks).

Secure Content Delivery
Secures content as it's delivered over the Internet; sometimes includes permissions and rights. Products include Secure Download, Secure Content Delivery, and Secure Streaming from Speedera Networks that offer enhanced security combined with enhancements to network performance.

Secure Collaborative Environments
Lets in-house staff or outside vendors exchange and alter content under specified circumstances. Products include WorkSpace from WAM!NET; and WorkSpace from DMOD.

Native Security

Security parameters are generated within the application or environment used to create content. Products include Adhaero Doc for Microsoft Office Suite from Adhaero Technologies.

Companies Featured in This Article

Adhaero Technologies
Aladdin Knowledge Systems
Irdeto Access
Speedera Networks

Page 2 of 2