Adapting Digital Rights Management to Secure Sensitive Data
Could (or should) the bane of music aficionados who like to, but can't, share recordings - digital rights management - be adapted to produce another layer of protection of sensitive or classified government information?
In a phone conversation Tuesday, Jeff Nigriny, president of security provider CertiPath, raised the idea of employing the technology behind digital rights management to help secure sensitive documents. Digital rights management would be ideal in situations where a limited number of individuals need access to information.
Nigriny said the Joint Strike Fighter Program could benefit from digital rights management. JSF, as the program is known, is a joint effort by the U.S. military and nearly two dozen of our allies to define affordable, next-generation jet fighters. He says a problem our government faces is sharing sensitive and classified documents associated with JSF, even with such close friends as Britain:
"The U.S. government has not been able to get our heads around sharing the technical data with the U.K. It's not that we don't want to do it; the U.S. government has concerns that the people who would receive it in the U.K. might not have the same technical wherewithal to protect it the same way as Lockheed Martin would."
This is where a technology such as digital rights management comes in. It allows the creator of documents to designate not only who can access the data, but how long they can access the information. Says Nigriny:
"I want to have the ability to say, 'You can read but you can't copy.' And, when I say you can read, you can only read for the next one hour, and after that, this thing is locked and you can't get into that."
Though some popular tools such as Microsoft Word allow for digital rights management, to have it work successfully as a government security measure would require the ability to work cross-platform, and that would require the development of open standards.
Symantec CEO Enrique Salam, at a forum in Washington in June, said he's a big proponent of digital rights management, but noted problems in its adoption, according to an account of the event by CRN:
"Why hasn't it taken off? Because it requires users to change how they work."
But the idea of using digital rights management reveals an important aspect of information security: the simple fact that data needs to be secured regardless of where it is. As Nigriny says:
"The people who have figured out that the network is hostile and there is no security in where the data reside are the people who are going to win first. China has shown us time and time again that our networks are going to be broken into and that data is going to be exfiltrated and that's going to happen every hour of every day for as long as any of us can see.
"Until we get to point where it doesn't matter that they took a copy of the data because they won't be able to get into the data itself, we continue to lose."