Managing Rights Management

The Architecture Wars of the 1990s

In the 1990s, various companies fought DRM architecture wars. Once choice was to put security primarily in secure data centers and consequently put fewer capabilities into client-side applications. The alternative P2P choice put more security and functionality into the client. Neither architectural choice was perfect; each had its own combination of advantages and disadvantages. Today, client/server architectures predominate in the Enterprise document DRM market.

Avoco Secure: P2P DRM

An early stage company, Avoco is trying to swing the Enterprise DRM architecture pendulum from client / server to peer-to-peer (P2P). Generally speaking, P2P DRM solutions facilitate the exchange of information among those authorized to gain access because interactions with servers are minimized. P2P DRM also potentially makes much easier and efficient information sharing among authorized parties in different, cooperating groups within an organization and among different organizations. Finally P2P DRM solutions facilitate off-network authorized use.

At present, the s2t client is integrated with the MS Office Suite of applications and file types, Microsoft support for digital certificates (through use of MSFT’s Crypto API), and Microsoft Active Directory. Porter says, however, that the s2t architecture has been built to be extensible to any file format, and that he anticipates future versions will offer persistent protection for a broad range of Microsoft and non-Microsoft file types and applications in a variety of system environments or contexts.

Secure2trust can use Microsoft’s Active Directory as an authentication method but also supports a number of other authentication methods including digital certificates. Porter says that Secure2trust has been designed from inception to allow and enable intra-company secure document sharing. Their vision was to create an enabling application for the protection and control of content across organizational boundaries, thus enabling facilitating collaboration. S2t achieves this by removing dependence on a centrally managed license server.  Company A can create protected documents and share them via email or other transport method with Company B as long as Company B is properly authenticated and authorized to access the document, using, for example, digital certificates.  Avoco intends to support other authentication methods as required by their customers.

Secure2trust offers a number specific control options that may be set singly or in combination, including:

• No print,
• No copying of content,
• No editing except forms,
• Read only,
• Shred after (date and time), and
• No open until (date and time).

Controls may apply to individuals and, when using Active Directory-based authentication, to groups and roles within the organization.

S2t also supports several methods of authentication:

• Anyone,
• Certificate,
• Group member (secure team),
• Only the “owner” of the instance of the document (“only me”),
• Password, and
• Membership in an Active Directory.

Specific rights (controls) can be combined with authentication methods. For example, if both password and active directory authentication are set then ‘no printing’ and ‘no copying’ could be enforced if passwords were used to authenticate a person requesting authorized use.  However, only ‘no printing’ could be enforced when Active Directory is used to authenticate a user. Copying could be allowed in this instance, presumably because the Active Directory authentication ties controls to role and / or group within the organization.

Rules and content are packaged by the s2t software locally without having to talk to a license server. Consequently, documents can be secured from the time they are created irrespective of whether the creator is on- or off-line.

The only circumstances that a client would need to talk to a server would be when Active Directory is used as an authentication method or if the client needed to validate a certificate that was being used for user authentication.

Porter says that the secure2trust DRM platform embodies substantial flexibility. Some companies may wish to exercise central control over the use of secure2trust, and although the architecture is inherently P2P, some customers may wish to use a central server for administration and extended server-based authentication, which is optional.

The secure2trust peer may occasionally contact a time server in order to defend against replay attacks on time-based controls, for example, when the user attempts to reset the computer clock to gain early access or continued access after the expiration of the control.

Another key differentiator, in Porter’s view, is the use of kernel level device drivers by secure2trust as well as using a plug-in that affords a greater level of security by protecting SWAP files and preventing applications like WinHex to read the memory of an application that has a opened a protected document.

Management and Investors

During their R&D phase Avoco Secure was privately funded. They recently completed their first VC funding round by a syndicate lead by Albany Venture Managers Ltd, a Venture Capital fund based in Edinburgh, Scotland.

Avoco Secure’s management team includes Gerry O'Brien, CEO, who has approximately 30 years experience selling Enterprise software. Previously he was VP sales at Unicorn and before that at Kalido. Sandy Porter is VP, Business Development. Previously Sandy was CEO and Business Development at Global Network Services Solutions. He brings 10 years involvement with DRM. Susan Morrow is VP, Product Development. Previously, Susan was Managing Director, Product Development of Adhaero Technologies and HM Software. She also brings 10 years experience in DRM to Avoco Secure.

Competition

Major Enterprise DRM competitors in the US document DRM market are Authentica, Liquid Machines, and Sealed Media. AegisDRM and today’s focus, startup Avoco Secure, compete mainly in the European market. Increasingly there is overlap between Digital Content Management (or Digital Asset Management) applications and document DRM capabilities. Content management software vendors such as Artesia and Documentum also compete in the Enterprise DRM space.

Customers

The production version of s2t was released near the end of 2004. Porter says that s2t was designed to meet the requirements of one very large European defense project and a major European bank. The beta s2t product was tested in the context of these projects.   

NetNet

It’s still early in the 3rd wave of Enterprise document DRM product roll-outs. P2P DRM is one of the holly grails of rights management. P2P makes DRM life more convenient, useable, and flexible. The question is whether Avoco Secure’s apparent architectural advantages will prove sufficiently value-added in the eyes and experience of their target Enterprise market. If they can convince the market of these advantages and if the market believes the company has staying power, Avoco Secure may do very quite well.

At the same time, perhaps Avoco may have made a Faustian bargain to gain apparent short-term competitive advantage. Their present integration with, and dependence upon, the Microsoft environment—document types, Crypto services, Active Directory, and when invoked, group privilege management—may provide an excellent initial foundation. Their initial customers apparently needed DRM for the Microsoft Enterprise environment. Nevertheless, this same apparent dependence may (or may not) become an albatross down the road as they try to expand platforms and capabilities.