I was reading an article today that said to keep your best ideas for your products. This is probably one of those, but since I don't have the resources to do it, I'm hoping that Adobe, Microsoft, Oracle or Google read this, or that someone at their companies suggests something similar.
Digital Rights Management (DRM) is broken. As a concept it is brilliant: it allows you to move security away from the infrastructure and to the information. Security travels with the information no matter where it goes. In practice it is currently badly broken: it is too hard to implement and use. I have some suggestions for fixing it.
Data and information need to move to be of any use. You can't just lock them up, and increasingly, with cloud computing, social media and worldwide online collaboration, more and more data is moving to more places faster. For example, GigaOM writes that documents are moving from being spreadsheets and Word docs to being made up of Twitter messages and blogs. In fact, I was reading this book that was entirely written on Twitter.
To be effective Digital Rights Management (DRM) needs to have the following properties:
- Be really easy to use - that means both for the creator of information to apply DRM (or have it ideally applied transparently based on context analysis against policy) and for the consumer (to view and edit the information without any new software or new passwords, registrations etc)
- Do not restrict the natural movement of information and collaboration between those who should have access
- Secure - it must be able to restrict access to view, edit, control print, copy, even screenprint (using some automagic) etc.
- It must allow full tracking of what actions have been performed by whom, when and where on the information ideally with geolocation
- It must be self contained within the information - there must be no new software, the DRM needs to be meta information that travels with the information always
- It must leverage existing identity systems without requiring either the creator or the consumer to enroll in and use new identity systems. No new passwords or certificate installation should be required, and no out-of-band transfer of credentials
Problems with current systems
Current implementations of DRM are hopeless. I tried to use Microsoft DRM with Office 2010 (which is leaps and bounds ahead of where it was previously), but guess what: send it to a few people using Mac computers and they can't open it. Even Windows machines running Office 2003 or 2007 had a lot of problems, and I had to go back to basic password-based protection. Oracle's DRM is worse: you need to install software to even open a document. A friend was telling me about the 50-step process you need to go through to open a DRM document on the Sony e-Book reader. Hopeless; no wonder 1 Click Amazon has 61% of the e-Book reader market.
A better solution design
I believe that these requirements can be achieved today as they are already applied by other software. Some ideas on how:
- Identity - use existing identity systems such as Google, OpenID, Twitter, Facebook, MS Live-ID etc. Google already does a great job of this by using email addresses for sharing Google documents
- Authentication - use the existing authentication in a federated manner, again leveraging the above systems. Twitter has a great API implementation of this with OAuth. How about if all I had to do to protect a company's confidential documents (and Twitter messages) was to enter the Twitter IDs of the people that should have access to them? They are automatically sent an invite link, and they authenticate against Twitter to gain access
- Role based access - Google documents, Gomockingbird etc. have excellent and simple methods of choosing what access people should have. You should be able to request greater access simply by email, Twitter etc.
- Tracking - you need to be able to be alerted (configurable) and report on all aspects of a DRM document, e.g. I shared my HR database with my payroll provider and I want to know who opened it, from where on the globe, at what time, and what they did (read, edit etc). This should all be alertable and reportable. Dropbox does a great job of this, e.g. you are emailed when someone joins your shared folder. This should be in syslog format so you can easily import it into a SIEM
- Self contained - no software. This is probably the hardest part, but I have seen some very cool protections applied by PDF in the UK HMRC company tax return. This could simply be opened by Adobe Acrobat Reader. Alternatively you could do it the way Google Docs does (including off-line mode), where all you need is a browser because you authenticate to gain access
- Secure - again PDF, and even MS DRM, do a good job of being able to restrict view, edit, copy and print. There must be some auto-magic that, for example, stops the print-screen function or, for really sensitive information (where you are worried about someone taking a photo of it when displayed on screen), provides a viewing window that moves at reading speed while the text randomly moves around the screen. Get the thinking hats on - this can be achieved
- Context policy based - you should be able to tie in your DLP system to analyse information and automatically apply DRM policies, or ask the user to select who should have access to it. RSA DLP can already do this, but with MS Rights Management Server (which is horrible). Alternatively you could use something lower tech like Dropbox folders, so that anything saved to particular folders has DRM policies applied. Also, when information leaves your company (e.g. by email, FTP, internet, middleware) you could use an in-line DLP network device to analyse it against policy and apply DRM. This is especially easy with email if the email address is the DRM identifier: the device can simply take the email addresses of the addressees (analysing them first against policy to see if this information should be going externally) and then apply e.g. a read-only DRM policy to the email and all attachments.
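The email-gateway check from the last bullet and the syslog tracking record from the Tracking bullet, as an added example that is not part of the original post and not any vendor's API. The domains, the policy sets, the `drm-gateway` app name, the rights labels and the `drm@32473` structured-data ID (32473 is the enterprise number reserved for documentation) are all assumptions.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import getaddresses

# Constructed policy values (assumptions for this example, not a product's settings).
INTERNAL_DOMAIN = "corp.example"
APPROVED_PARTNERS = {"payroll.example"}   # external domains allowed read-only copies

def recipients(msg):
    """Every To/Cc/Bcc address on the message, lower-cased and de-duplicated."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if "@" in addr})

def decide(msg):
    """Return ("protect", {address: rights}) or ("block", [refused addresses])."""
    acl, refused = {}, []
    for addr in recipients(msg):
        domain = addr.rpartition("@")[2]
        if domain == INTERNAL_DOMAIN:
            acl[addr] = "edit"
        elif domain in APPROVED_PARTNERS:
            acl[addr] = "read"            # external addressees get read-only
        else:
            refused.append(addr)          # policy says this must not go externally
    return ("block", refused) if refused else ("protect", acl)

def sd_escape(value):
    """RFC 5424 SD-PARAM escaping, plus CR/LF removal for line-based transports,
    so a hostile file name cannot forge extra fields or extra records."""
    value = value.replace("\r", " ").replace("\n", " ")
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def audit_line(host, who, action, doc, src_ip, when):
    """One RFC 5424 record. PRI 110 = facility 13 (log audit) * 8 + severity 6."""
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = {"user": who, "action": action, "doc": doc, "src": src_ip}
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in fields.items())
    return f"<110>1 {ts} {host} drm-gateway - DRMACCESS [drm@32473 {sd}] DRM access event"

# Constructed sample message (not real traffic).
SAMPLE = message_from_string(
    "From: hr@corp.example\n"
    "To: Pay Roll <clerk@payroll.example>, boss@corp.example\n"
    "Subject: HR database\n\nattached\n")

if __name__ == "__main__":
    print(decide(SAMPLE))
    print(audit_line("gw1", "clerk@payroll.example", "read", "hr.xlsx",
                     "192.0.2.10", datetime(2010, 11, 2, 9, 15, tzinfo=timezone.utc)))
```

Because the addressee's email address is the identity, the same string serves as the access-list key at the gateway and as the `user` field a SIEM can search on.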
DRM has had a really bad reputation, and deservedly so: the current implementations of it are just terrible. But with some sensible user-centric design, in a few years it could be one of the most useful security technologies. It totally makes sense in a cloud-based world where infrastructure security is becoming less and less relevant.