Access controls, encryption or DRM for Document Security?

What Document security method is best?

There are three major classes of controls used by computer systems to protect access to information – Access controls, Encryption, and Digital Rights Management (DRM).  But which one is the right one for your requirements and why?

Document access controls

The traditional control mechanism in computer systems has been to apply access control to the files holding the information.  So you can stop people reading, writing, modifying, executing and deleting files, and that is well established and deeply embedded into operating systems everywhere.

But if someone has the right to read, then likely they can either copy the physical file or open the file and copy the content into another file or device.

And it is the content of the files that is important, the file is simply a container holding whatever you put in it – and it doesn’t care what it is.  You can call a file anything you like.  A real case of one size fits all.

But then, as a Mr Snowden (CIA retired) so aptly demonstrated, it’s all down to the content.  He had the ability to make the copies and then take them all away.  And, being an insider, he had the access.  And a body of experience says, it is the insiders who have all the knowledge of file contents, access to them, and ready ability to collect files and send them wherever they will, and they are the single biggest risk to the business.

So access controls, although essential in an operating system, do not go far enough in protecting the content of the files that they are used for managing.

Document encryption

The bedrock of data security for many years now has been the use of encryption to protect data from theft and also to prevent falsification and prove authenticity.  Encryption was around back before the time of Julius Caesar, and has had a lot of work done to improve it down the years.

Essentially, you encrypt something using a secret key.  Anyone who has that secret key can decrypt it.  Having decrypted it the recipient can do what they like with it because the encryption control has been removed.

This is very different from access control because having the ability to read or change the file doesn’t mean anything unless you can decrypt the file.  (Delete still works, but it’s not likely what you are wanting to do with the file.)  So encryption is providing a number of ‘new’ controls that are interesting and powerful, but do they achieve your requirements?

The single biggest problem with pure encryption is that the recipient is able to do anything they like with the file they have decrypted.  That is fine if you are a bank and you can control very precisely who gets to access which secret keys, and you are processing very defined file formats (SWIFT transfers, for instance) and you can control your local environment very carefully indeed.  Because once the content has been released from the encryption there is no control over the data beyond processing very promptly and deleting the uncontrolled copy before anyone gets the chance to steal it.

But encryption on its own is not able to fulfil more complex control requirements.

Document DRM (Digital Rights Management)

The DRM concept was initially created to enable sound and audio-visual (music and film) copyright owners to license the use of their products.  Although these were complicated they were essentially about licensing models on a pay per view type basis, and licensing distributers to ‘broadcast’ films and music under sub-licenses.  Amongst the big players in this league are Sony, Intertrust and Microsoft.

But document DRM is considerably more complex in a rather different way from the multimedia market.  It revolves around the specific content of a document rather than the abstraction of protecting a generic film being processed on DVD or streamed over the network.

Multimedia providers are only interested in the content of the file to the extent that they can claim a fee for publishing it, and that they display the right content warnings for the consumer marketplace.

Document publishers have far more to think about, including:

  • When is the first date it can be viewed
  • When does it stop being available
  • Can I stop access to it at any time, globally and user by user
  • How many times can a user read the document
  • Can I stop printing
  • How many times can the document be printed
  • Can I link documents together into licensable groups
  • Can I watermark viewed and printed copies
  • Can I stop redistribution
  • Can I stop simple screen grabbing and copying
  • Can I check if the document has been read or printed
  • Can I make the document display how I want
  • Can I enforce the locations from where the document can be used
  • Can I be sure it will look the same on different platforms and printers

As you can see, the demands for document DRM are significantly larger than those for a film (although maybe the film industry would like some of these?) and require a granularity of many controls in order to achieve the document publisher’s objectives.

In fact, the problem with encryption on its own was the fact that it could not address different risks outside of its ability to protect content from disclosure once it had been revealed.

So there are distinct demands that document DRM expects to achieve.  And it does it by building on what went before rather than trying to be disruptive and invent a new order.

Document DRM needs the file access mechanisms of the operating system.  And it also needs the use of encryption.  The critical features of content protection, authentication and verification of source are the building blocks.  But document DRM binds other more granular controls (such as those I listed above) to the document(s) so that the controls cannot be forged or changed, and can be applied.

And that brings you to the question of how does a document DRM system actually operate in order to meet the control specifications?

Firstly, document DRM must be able to work both online and offline (films are usually online using streaming).  So there must be enough controls embedded in the document to control it without it having to ‘phone home’ in order to operate.  There are purely online control models for documents and they can be appropriate for Internal Resource Management (IRM) where a corporate body wants to restrict use to within the corporate network but they may be less suitable when selling documents to unknown purchasers.

Secondly, document DRM controls must be capable of being reset – with the best will in the world things can always go wrong or get delayed and the controls limiting reading, printing and so on need to capable of being changed dynamically, as does the ability to stop (and restart) an authorised user from continuing to have access to one or more documents.  This is a more subtle control than typically used in film protection.

Thirdly, document DRM must be able to work with the commonest computing platforms used by both business and the consumer.  This may be achieved by using a common interface, such as the browser, which is fairly device agnostic (although you may not always get exactly the same document rendition on each platform, and formats such as PDF may go a long way in achieving device independent rendering and printing).  As an alternative the document DRM supplier may have custom viewers that can process DRM protected files and enforce their controls.  Browser based viewers demand that the user be connected to the Internet for the (cloud) system to function.  As a result, those systems can implement changes to controls immediately.  Installed viewers offer the ability to use controlled documents offline – not everyone is (or wants to be) permanently online, and publicly available WiFi is still not a universal feature (although some broadband suppliers ship routers with WiFi on and a public WiFi gateway installed on the device).

Fourthly document DRM should be able to work fully offline.  This would be using a USB or flash drive which would carry all the licensing, controls and DRM protected documents.  In this way the user would be completely independent of the supplier, and the documents on the device would continue to be available unless the device itself failed.  The life expectancy according to manufacturer Flashbay could be between 60 to 80 years in perfect conditions.  More likely it would be a few years given how they are normally handled.

Document Security conclusions

There is an expectation that computers have been controlling access for documents for years now, and it should be a done deal.  But it turns out that the normal computer access controls are primitive when compared with today’s requirements.

Encryption technology is needed as the foundations of a system for controlling access to and use of document (file) content.

But in order to provide a fully featured and overarching control structure you need to implement document DRM.  We have outlined many of the requirements placed on document DRM and some of the architectures needed if an implementation of document DRM is going to produce commercially useful results both for publishers and users.

So we conclude that if you need to protect the content of a file, not just the file itself, then you will need to have a document DRM system in place to enforce your controls.