Friday, September 15, 2006

DRM hacked again - is it useless for protecting corporate documents?

The speed with which hackers broke the Digital Rights Management (DRM) from Microsoft and Apple last week was commented on by David Berlind on ZDNet in "24 hours: The time it takes to crack the newest DRM from Microsoft or Apple".

This article was timely for me, as I was reading it just after coming off a conference call with Brad Beutlich, Director of Business Development for Safenet, a provider of encryption applications and devices for software and media. His comment on the announcement was something along these lines:
Perfect DRM protection is like a waterproof watch - it doesn't exist

He wasn't surprised that either Microsoft or Apple had their protection systems hacked, citing a host of technical reasons why this is possible. A significant one is that the OS and the hardware it runs on must both provide facilities to secure the encryption keys used to unlock protected media. A standard OS and standard hardware make it too easy for a determined hacker to read the required information and incorporate it into a separate unlock utility. It seems unlikely that PC hardware will provide this capability as standard in the near future, so DRM protection is likely to remain a focus of hackers' attention.

Now I'm not so worried about the DRM schemes that protect Windows media and iTunes (at least not when wearing my business hat). My previous posts, "DRM gets lardy" and "Web technology for electronic records", worry about the use of DRM for protection of vital business documents, both inside and outside of the corporate firewall. Both Stellent and EMC claim that they have coupled their recently acquired DRM technology with Records Management:
EMC recently announced that it was pairing its Records Manager with DRM technology acquired from Authentica, enabling records managers to enforce their policies for all records, independent of custody. In principle this seems like a great pairing, but there are some issues to be addressed[...]

It is in the corporate world that DRM could offer significant value, though there are issues related to use and lock-in with proprietary DRM solutions, as I mention in my previous posts. Documents that need encryption are likely to be the most valuable to a malicious hacker who aims to damage a corporate reputation. Given the recent news that DRM can be hacked easily, it seems it can only really protect against misuse of documents by casual users. A determined hacker who had acquired corporate documents through fraudulent means could probably hack together a utility to decrypt them (or find one on the Internet) in a short amount of time. The DRM protection of the documents would be worthless for the most valuable use case.

Safenet claims a strong security background, going far beyond that of consumer-targeted DRM. Amongst other things, they can provide hardware devices and tokens that hold encryption keys, closing a major hacking loophole in consumer systems. Although this may limit flexibility of document usage, targeting the deployment of the technology to appropriate users in an organization may be considered worthwhile in highly sensitive environments.

When identifying a need for DRM for corporate assets, ensure that a vendor that provides it is not just repackaging a consumer solution - Windows Media Player and iTunes are not the gold standard! Stronger hardware-reliant technologies such as Safenet's come at a price - in both flexibility and dollars. The question is whether IT managers and legal counsel can balance the risks of document misuse against the issues and costs of corporate DRM.
