Saturday, 2 June 2007

Humble pie - part 1: DRM

Rory McCune and I have had words this weekend. The posts and comments are too numerous to mention. The basic issue has come down to a couple of misunderstandings, and if Rory can make them, then anyone can, and I should try and clear them up instead of ranting...

First off, I apologise to Rory for biting his head off, he got me at the wrong time, that's all. I then proceeded to do what I hate most about other bloggers, which is to criticise instead of explain. I am an arse. He is a smart and generous guy, and his blog is worth a read.

I'm going to spread this across a number of posts to keep the reader (hopefully more than one) from switching off, but they will basically be the same thread.

What is DRM?

The most familiar form of digital rights management to most readers will be that of Apple's iTunes. This is an "off network" form of DRM, and a valuable problem to crack, but faces economic issues which make this a complex task.

DRM in a network is difficult because networks are fairly porous from the inside out. Documents can be easily printed, copied, emailed and saved to USB or other. Of course it is possible to disable printing, copying and saving. Emailing of attachments or scanning of mails for keywords can be effective as a perimeter control too, but this seems like very tight security for most networks. Even if all of this was implemented, there is nothing to stop someone looking over the CFO's shoulder to read my salary, writing down a list of account numbers from the credit card database, or photographing the screen when logged in as sysadmin.

Digital rights management outside of a network is essentially a way of sending data protection along with the data. This is also extremely hard to achieve. DRM is achieved by packaging a file with some sort of license. If the license is not activated, or becomes inactive, the file will not open. The license also controls copying and printing of the content. This requires perimeter controls built around the data.

The problem with this type of DRM is that you have to send the controls along with the files. These perimeter controls are then in the hands of the very people who want to attack them.
DRM on music files has proved incredibly unpopular, Apple's iTunes has been under constant attack from users because of the problems it causes in transferring music between systems. Apple have had to patch their DRM systems continually to beat the crackers.

(They also had a lawsuit brought by the Beatles, because they promised not to enter the music business with the Apple brand, as it was the same name as the Beatles' record company. Then came iTunes, and Apple entered the music business in a fairly big way. You still won't find Beatles tunes on iTunes, but that's another matter entirely...)

DRM is probably the toughest security to achieve, largely because of the nature of that security.

On the network, with current capabilities, you can achieve DRM by applying too much security. Thich disables business processes as much as securing the network. Or you can apply hardly any security, in which case you lose control of the data very quickly.

Off-network DRM is an economic tool as much as a security tool, it forces users to pay for access to a file. In an ordinary network the administrators have the control over the access rights, and it is they who need to enforce this and pay for it, so there is no conflict of interest. With DRM, the user pays, but the administrators still want to enforce. Unsurprisingly, the users try to take access into their own hands.

DRM is just one (very visible) part of data-centric security. In my next post I will be examining data-centric security, before moving on to data-classification, and an attempt at explaining all the different subsets that each of these fits into.

No comments: