contribution
Myths of native vs. downloadable DRM
According to Steve Christian, SVP of Marketing, Verimatrix, the assumption that certain DRM choices are inevitable must be challenged urgently, on technical, financial and business grounds.
All the recent hype about native player and native DRM implementations on mobile devices might suggest that the benefits of this shift in approach towards free security are well proven. Yet closer examination suggests that any advantages are elusive – and in fact the reliance on unpredictable support for a mobile OS may limit the competitiveness of operator services. It may even undermine the security perimeter protecting delivery of a service’s content. So as operators take a hard look at their options here, the question has to be posed – who is reaping the benefits of native security?
The fallacy that client-side content security will in the future be natively available in a streaming world – and either free or very inexpensive – has recently been promulgated by the major Internet players and especially Google. It is important that video service operators (VSOs) challenge this hype on several counts, chiefly to understand that it really is a fallacy and not in their long-term interests.
The assertion about use of mobile native DRM emerges as VSOs are delivering ever more premium content, increasingly including live streaming video, that must be protected on a fragmented constellation of unmanaged consumer electronics devices. At the same time, there is broad recognition that attempts to unify security across the browser world under HTML5 with its associated Encrypted Media Extensions (EME) and Content Decryption Module Interface (CDMi) have failed in their bid to simplify cross-platform app development and content delivery.
This outcome seemed inevitable for a variety of proprietary commercial reasons, with the result that VSOs and content owners now need to manage secure content delivery and subscriber management across all the combinations of streaming format and principal DRM platforms that have emerged.
At the same time, this growth in streaming of premium content, with more live sports, a trend towards Ultra HD (UHD), and shorter windows for blockbuster movies, is exerting pressure on VSOs to be more conscious and in control of client-side security.
Against this background, the perception has grown that the media content world should rally around the security mechanisms that come with the underlying devices, built into browsers or the operating systems. This view has its origins with Google, whose Widevine DRM is increasingly available in Android-based consumer electronics (CE) devices, while Microsoft has been consistently reducing effective licensing costs of its PlayReady DRM.
With a bit of campaign management by the companies involved, this view has crystallised among the consultants and systems integrators serving VSOs, which threatens to help spread the myth throughout the video life cycle and value chain to the severe detriment of revenue protection in the longer term. The result has been that many VSOs, including a number of Tier 1 operators, have come to assume certain DRM choices are inevitable, dictated by what comes with target platforms. They have come to see native DRMs almost as axiomatic and even set them out in RFPs (requests for proposals), yet this is an unfortunate myth that must be challenged urgently, on technical, financial and business grounds.
Financial Myths
There are two particular strands of thought that do not add up: 1) the idea that native security can be free and 2) that it can be effective. On the first of these counts, it is only the DRM core that is free, which is just one component of the TCO (total cost of ownership) associated with content security. This completely ignores all the server-side aspects of security that will require additional investment to cater for multiple client platforms, as well as the limitations inherent in native DRMs beyond the control of operators.
There is also the important point that the DRM itself is not an isolated component that can be treated as a one-off project, but is instead an ongoing development program that must be capable of responding to challenges and threats as they emerge. Such challenges can lead to unscheduled R&D, as well as additional testing, when, for example, a new standard is implemented or a service is extended.
Technical Myths
This leads to the second point about effectiveness. One thing that has become absolutely clear is that for security to work over time and counter not just known threats, but new ones as they emerge, it must be renewable. This fundamental realisation is at the heart of the now well-established MovieLabs Enhanced Content Protection guidelines. Although these were originally aimed at a new generation of UHD security, the same underlying principles of software renewability are now acknowledged by everyone in the security business.
Supporters of native security argue that it must be more robust against tampering or external attack because it is built into the operating system rather than relying on downloadable components. But this fundamentally misrepresents, or fails to understand, the direction security is going in the era of streaming and IoT (internet of things), where the threat landscape will be constantly changing and creating new risks, some of which cannot be anticipated at all in advance. The trend is firmly towards actively managed, fully upgradeable security that can be delivered in the same way as apps and so be managed independently of devices and the OSs inside them.
Of course the OS can itself be upgraded remotely, but the point is that this is under the control of a third party, typically the device maker, rather than VSOs themselves or their