Compromise DRM Better Than None

Our manager wants more out of digital rights management than his company can afford right now.

Ive been getting my hands dirty working on our digital rights management implementation. DRM is something Ive been working toward implementing since I came to this company, and were finally within a couple of weeks of announcing its availability internally.

DRM will address some core security issues for us. We have a lot of documents, from product designs to service manuals, that we cant let slip out of our control. It would be disastrous for us if any of them fell into the wrong hands. For example, we have contracts that are worth up to $100,000 for maintaining and servicing the equipment we build. The service engineers who do this contract work in our customers fabrication plants typically take along our service manuals on CD-ROM discs. Anyone who got a hold of one of those CD-ROMs could sell our manuals or use them to offer service to our customers at a discounted rate. By protecting the manuals with DRM, the loss of a CD-ROM wouldnt be a dire event, since whoever found it wouldnt be able to access the documents.

This project has been a high priority for our CIO, and thats why Ive been deeply involved in it. Its actually refreshing to work on projects at a technical level for a change, although its not as if Im writing shell scripts or compiling code.

I had wanted to deploy a robust DRM product such as Oracles Stellent Information Rights Management (formerly SealedMedia) or Liquid Machines Enterprise Rights Management software, but our budget wouldnt accommodate that. Instead, were rolling out Microsofts Rights Management Server. Were also saving money by installing RMS on one of our virtual machines.

VM is all the rage these days, since it allows you to run multiple server environments on a single piece of hardware. That saves both money and data-center rack space. And current VM technology makes it very easy to provision a new server.

On the negative side of the ledger for VM are security implications, but I feel that VM environments can be designed to be just as secure as stand-alone platforms.

For the most part, installation and configuration have been point and click. The RMS software installs within minutes, and basic setup takes about one hour, which includes the configuration of the Microsoft SQL database and a couple of Active Directory groups. We need those two new groups so we can configure two new policies for rights management.

In addition to our central deployment of the RMS server, a SQL database and new directories, users will need to install the RMS client on their desktops, but that will be pretty simple as well. Whats nice about this client is that no additional configuration is needed. Once the client is downloaded from Microsoft or obtained from our companys software download site, the client will listen for the service locator point configured on our domain controller and will automatically be configured to talk to the RMS server.

Gibberish for Outsiders

The new Active Directory groups are named Director and Internal. The Director directory will map to an RMS policy that covers employees who have a pay grade or position of director or above.

The day-to-day implementation of this policy is pretty straightforward. If this policy is applied to a document, we will be assured that the documents contents will be off limits not only to outsiders, but also to lower-level employees who arent part of the Director directory. This policy is likely to be applied to high-level strategy documents and other sensitive materials.

The Internal directory, in turn, maps to a policy that includes all valid employees who have an Active Directory entry and a corporate e-mail address. The Internal policy lets us encrypt documents so that they are gibberish to outsiders but readable by virtually anyone who authentically works for the company.

We may at some point increase the number of policies if thats necessary. But besides these two defined policies, we will allow users to apply restrictions of their own to documents. For example, if I created a vulnerability assessment report for our financial servers, I could apply permissions allowing only my team, the Unix manager and his boss to access the document. I could also restrict the ability of any of those permitted readers to cut and paste from the document or to print it.

Weve addressed the risk that accompanies allowing employees to create their own policies willy-nilly. The Microsoft RMS infrastructure supports the concept of escrow, which means we can give certain people the power to view and remove permissions for any RMS-created document in the company. Thus, an important document cant be locked away forever just because someone who has permission to view it is no longer an employee. And we have written extensive training materials so that our help desk will be able to solve a lot of the problems that are likely to arise.

And so, our big DRM push is coming to fruition. It wont give us everything I want. RMS can be applied only to certain documents, all created with Microsoft software like the Office suite and the Exchange e-mail client. But we have a lot of sensitive material that exists as Adobe PDFs and Visio files, for example.

My hope is that this effort will be a successful beginning at protecting our intellectual property. My ultimate goal is to build on that success and obtain additional money so we can deploy a more robust DRM technology thats able to address most document formats within the company. For now, though, Im looking forward to the extra protection were about to have.

What Do You Think? This weeks journal is written by a real security manager, Mathias Thurman, whose name and employer have been disguised for obvious reasons. Contact him at, or join the discussions in our security blogs: To find a complete archive of our Security Managers Journals, go online to


Copyright © 2007 IDG Communications, Inc.

Shop Tech Products at Amazon