How DRM could ensure cloud security

Could much-despised Digital Rights Management (DRM) be an equitable solution to cloud security concerns?

Yet another survey indicates that security is a big issue for those intending to take up cloud computing. Network management software vendor Ipswitch asked 1,000 of its customers whether they planned to invest in cloud technology in 2011.

The good news is that over two thirds reportedly said yes. The bad news is that most of those want either a private cloud setup (29 per cent of all respondents) or a mix of public and private clouds (21 per cent).

Nobody entirely agrees what constitutes a private cloud, but there's some agreement that it's a method of offering cloud-like services using dedicated hardware entirely owned or managed by the company itself (or dedicated hardware managed on its behalf).

The whole point of the cloud is that it's supposed to do away with the need and cost of managing hardware, so this doesn't make a lot of sense. But it might be the first step of an evolutionary process for companies that will eventually embrace cloud computing in its purest form.

Encryption is one answer to cloud security worries. If a file is encrypted with 256-bit AES, for example, it matters far less if it ends up in the wrong hands: nobody can decrypt it without the key, so the problem shifts from protecting the file to keeping the key away from the attacker. However, finding a system where file encryption is transparent to users is a goal that arguably hasn't yet been met.

However, there might be a solution, and it's been around for years: Digital Rights Management (DRM).

Nobody likes DRM because when applied to movies, music and games, it creates a "them and us" situation: Rights holders impose unfair restrictions on end users, and there's a lack of trust between both parties.

However, I can't see any issues with a democratic DRM system, where everybody working for a particular company automatically enforces DRM on documents, and a certificate file needs to be installed on any computer or mobile device that wants to open or edit the file. We could call this Document DRM, or "DDRM."

Something similar already exists. Microsoft has been building what it calls Rights Management Services into its operating systems and office suites for years. The problem is that this uses a client-server model to protect files: to open a document for the first time, a computer needs to obtain a use licence from an RMS server, usually one the company runs itself. That licence can be cached so the document reopens offline, but the initial grant still depends on reaching the server. No doubt Microsoft would argue that this is the best way of enforcing DRM, but cynics might suggest a client-server model was chosen to lock people into using Microsoft's technology.

What would be better is a simpler, standalone system based on encryption certificate files. If your computer holds a valid certificate, it can open or edit the document. Certificates would expire after, say, one week, so client computers would need to phone home periodically to refresh them, but they wouldn't need to phone home every single time they accessed a file. In practice the certificate has to carry, or unlock, the key that decrypts the document, and the expiry has to be enforced by the client rather than the server; that is the price of working offline.

This proposed system isn't perfect. Hackers could steal certificate files and possibly decrypt documents, although certificates would ideally be bound to a specific hardware identifier, such as the computer's CPU serial number, making this more difficult. Two caveats a practitioner would raise: a serial number can be read by anyone with access to the machine, so binding the certificate to a key held in hardware (a TPM or secure element) is stronger than binding it to an identifier; and because the client enforces the expiry date against its own clock, a machine kept offline with its clock wound back will carry on opening files until it next phones home.
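To make the lifecycle in the last two paragraphs concrete, here is an added example, written for this page rather than taken from the article or from any real DRM product, modelling the certificate (here called a lease) scheme in Python with only the standard library. Everything in it is an assumption for illustration: the LicenseServer and client_open names, the "CPU-SERIAL" identifiers and the sample document are invented, and an HMAC-SHA256 counter-mode keystream stands in for AES-256 so that it runs without third-party packages. It shows the server issuing a one-week lease that wraps the document key to a device-specific key with the expiry mixed into the wrapping, so the client can open the file offline while the lease is valid, must phone home once it expires, and fails closed if the lease is copied to another machine or its expiry field is edited:

```python
import hashlib
import hmac
import os
import time

# Constructed sample data, invented for this example (not real keys or serials).
HARDWARE_ID_A = "CPU-SERIAL-0001"   # stands in for a CPU serial number
HARDWARE_ID_B = "CPU-SERIAL-0002"   # a second, unauthorised machine
DOC_ID = "quarterly-report.docd"    # the .docd extension the article floats
PLAINTEXT = b"Q3 numbers: revenue up 12%, churn down 3%."
WEEK = 7 * 24 * 3600

def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a keyed PRF; '|' separators keep the inputs unambiguous."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 XORed over data: a dependency-free
    stand-in for AES-256-CTR, not a recommendation to use it instead of AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, b"ks", nonce, i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = stream_xor(key, nonce, data)
    return nonce + ct + prf(key, b"tag", nonce, ct)

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ct)):
        raise PermissionError("document integrity check failed")
    return stream_xor(key, nonce, ct)

def device_key(hardware_id: str) -> bytes:
    """Device key derived from a hardware identifier, as the article proposes. Caveat:
    anyone with access to the machine can read a serial; a real design would use a TPM."""
    return hashlib.sha256(b"ddrm-device|" + hardware_id.encode()).digest()

def lease_wrap_key(dev_key: bytes, doc_id: str, exp: int) -> bytes:
    # The expiry is mixed into the wrapping key, so editing 'exp' in a stolen
    # lease changes the key and the unwrap tag no longer verifies.
    return prf(dev_key, b"lease", doc_id.encode(), str(exp).encode())

# Server side: holds document keys and issues time-limited leases.
class LicenseServer:
    def __init__(self):
        self.doc_keys = {}  # doc_id -> 32-byte document key

    def protect(self, doc_id: str, plaintext: bytes) -> bytes:
        """Encrypt a document; the returned blob is what sits in the cloud."""
        key = os.urandom(32)
        self.doc_keys[doc_id] = key
        return seal(key, plaintext)

    def issue_lease(self, doc_id: str, hardware_id: str, now: int, ttl: int = WEEK) -> dict:
        exp = now + ttl
        wk = lease_wrap_key(device_key(hardware_id), doc_id, exp)
        # A fixed nonce is acceptable only because wk is unique per (device, doc, exp).
        wrapped = stream_xor(wk, b"\x00" * 16, self.doc_keys[doc_id])
        return {"doc": doc_id, "exp": exp, "wrapped": wrapped.hex(),
                "tag": prf(wk, b"wrap", wrapped).hex()}

# Client side: what a file-system driver would do on every open, offline while the lease holds.
def client_open(lease: dict, blob: bytes, hardware_id: str, now: int) -> bytes:
    if now >= lease["exp"]:  # expiry is checked against the client's own clock
        raise PermissionError("lease expired: phone home to refresh")
    wk = lease_wrap_key(device_key(hardware_id), lease["doc"], lease["exp"])
    wrapped = bytes.fromhex(lease["wrapped"])
    if not hmac.compare_digest(bytes.fromhex(lease["tag"]), prf(wk, b"wrap", wrapped)):
        raise PermissionError("lease not valid for this device or tampered with")
    return open_sealed(stream_xor(wk, b"\x00" * 16, wrapped), blob)

def demo(now: int = None) -> dict:
    """Run the lifecycle; returns 'opened' or the refusal reason for each case."""
    now = int(time.time()) if now is None else now
    server = LicenseServer()
    blob = server.protect(DOC_ID, PLAINTEXT)
    lease = server.issue_lease(DOC_ID, HARDWARE_ID_A, now)
    edited = dict(lease, exp=lease["exp"] + WEEK)  # attacker extends the expiry field
    cases = {"offline_open_day_3": (lease, HARDWARE_ID_A, now + 3 * 24 * 3600),
             "expired_day_7": (lease, HARDWARE_ID_A, now + WEEK),
             "copied_to_other_device": (lease, HARDWARE_ID_B, now),
             "expiry_field_edited": (edited, HARDWARE_ID_A, now + WEEK),
             "after_refresh": (server.issue_lease(DOC_ID, HARDWARE_ID_A, now + WEEK),
                               HARDWARE_ID_A, now + WEEK)}
    results = {}
    for name, (lse, hw, t) in cases.items():
        try:
            results[name] = "opened" if client_open(lse, blob, hw, t) == PLAINTEXT else "garbled"
        except PermissionError as err:
            results[name] = str(err)
    return results

if __name__ == "__main__":
    print(demo())
```

Running the script prints the outcome of each case: the day-3 open and the post-refresh open succeed without contacting the server, while the expired, copied and edited leases are refused. Note what the model does not solve: the device key is derived from a readable identifier rather than held in hardware, and the expiry is judged by the client's own clock, which are exactly the two weaknesses discussed above.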

But it's very unlikely there will ever be a perfect cloud security solution. Usability needs to be balanced with security, without too many trade-offs in either camp.

Ideally such a DDRM system would work at the file level within operating systems, and not at an application level. That's to say there'd be no need to build it into applications, and old applications would be entirely compatible with DDRM. Instead, the operating system would take care of encryption, decryption and certificate management. The user would be largely unaware. The flip side of doing it in the operating system is that any application the user runs sees the decrypted file, so DDRM of this kind protects documents at rest and in transit but cannot stop an authorised device from copying, printing or emailing the plaintext; that is the trade-off between usability and security accepted above.

DDRM would also need to be an open standard that anybody could implement on any operating system, proprietary or open source, mobile or desktop. Both Apple and Google claim to fully support open standards, and could easily build it into their iOS and Android mobile operating systems. Microsoft might be reluctant but it wouldn't matter if they didn't play ball; a file system filter driver would be all that's needed to implement DDRM. Files protected with DDRM could have an extra file attribute, or perhaps even something as simple as a different file extension (.docd rather than just .doc for a Word document, for example).

Sadly, it might already be too late for such a system. Assuming a company like Google took the initiative, which would require the audacity of such a giant, it would take a year or two to outline a system everybody was happy with, and then even longer for it to be incorporated into operating systems. By that point mobile operating systems will be fully mature, and adding in DDRM would be a matter of ugly retrofitting. Ideally, such a system should have been dreamed up a few years ago, so it would have become a feature in the nascent wave of mobile operating systems.

Additionally, I wouldn't be surprised if somebody has already thought of a system such as DDRM and patented it. That could create all kinds of problems and expenses.

So for the moment DDRM will have to remain a thought exercise, although a curious one that perhaps deserves more attention.

Keir Thomas has been writing about computing since the last century, and more recently has written several best-selling books. You can learn more about him at and his Twitter feed is @keirthomas.
