
Develop RACI Chart

Human resources need to be planned to ensure that the right individuals are onboard and it is clear who is accountable and responsible. Charts such as the RACI chart support this; as the name indicates, the chart lists each activity and who is Responsible (R), who is Accountable (A), who should be Consulted (C), and who needs to be Informed (I). Typically, only one person should be held accountable for a particular activity, whereas there may be multiple individuals responsible.

Project Execution

Project execution involves assembling the appropriate project team to accomplish the tasks and coordinating those resources to complete the activities identified in the planning stage. While the project execution stage typically has the longer duration, the activities to properly plan the project should not be shortchanged, as failure to properly plan usually leads to surprises, delays, and implementation of a lower quality. Project management performed by a project manager is a skill that could be honorably viewed as a profession similar to that of a policeman directing traffic at a busy intersection during a stoplight outage. Cars are approaching from many directions and need the guidance of the traffic cop to determine when to go and when to stop. If the traffic cop never lets traffic from one direction proceed, the drivers will get very frustrated while they wait. If the policeman lets all the cars, or activities, advance at the same time, there are bound to be constraints and collisions in the intersection, which also slows down progress. The policeman may also be receiving information from other policemen at different checkpoints to understand how those cars or activities are progressing so that he/she can adjust his/her own flow through the intersection. In other words, the project manager, like the traffic cop/policeman, must make many decisions based upon what is occurring in the environment. This is important, because project management is much more than creating a project plan, Gantt chart, deliverables, or project milestones and then forgetting them. A project manager must be thoroughly engaged throughout the project to ensure that tasks are being completed and the plan is appropriately modified.

The project manager may be someone within the Information Security department or part of the PMO as previously mentioned. What is important is not where the project manager resides, but rather that the person running the project is taking on the role and discipline of the project manager. Are the activities well defined? Have the activity sequences (precedence diagrams) been created with realistic time frames and are they agreed to? Does the project have the right skill sets available at the right time? Note that none of these questions are technical security questions, but rather are project management questions to keep the project on track.

Where the Rubber Meets the Road

A successful project will spend a good deal of time in upfront planning, and with the proper resources, the ability to execute will increase. Gartner classified product vendors into four quadrants, ranging from a niche player to one that has the vision and leadership with the “ability to execute.” Our projects should be viewed the same way—maybe we have the appropriate vision, but not the right resources to execute. Or, maybe we have the right technical resources, but our vision of the project and project management practices are not up to snuff. Project execution is where we bring the planning together and create a new service, increase the protection of the information assets, or implement a new process to satisfy the objective stated in the original project charter. Projects more often fail not because of the technology product selected, but rather because of inadequate project management or not being aligned with the business objectives.

Getting the Best Out of Information Security Projects  ◾  53

© 2010 Taylor & Francis Group, LLC

Project Monitoring and Controlling

Project monitoring occurs throughout the project and is not a phase in the project. Project changes need to be controlled and authorized to ensure that the project timeline and functionality are not adversely impacted. Corrective actions can be taken only if issues are raised and escalated in a timely manner. The RACI chart identified earlier can be referenced to determine where the issues need to be raised and who has the decision-making authority. Monitoring needs to ensure that the scope, schedule, costs, quality, risk, and human resources are appropriately monitored and adjustments are made where necessary to enhance the likelihood of project success.

Regular Updates

Status meetings should be held at a minimum on a weekly basis. Sometimes very technically oriented resources may regard these as a waste of time, or “another meeting to attend,” whereas the regularly scheduled meetings have a way of making everyone more accountable. The status meetings bring visibility to the issue areas and those activities that are in trouble and need additional focus. No one likes to show up for a status meeting unprepared, so these meetings have a catalyst effect of keeping the project moving in the right direction. These meetings are not the place to perform a deep dive into a particular technical security discussion; however, they should be used to identify additional meetings that need to be scheduled. The status meetings also permit the collaboration necessary between departments, which may or may not occur naturally, with the formal meetings serving as the impetus.

Matrices containing responsibilities, dates, and tasks should be color-coded with red (behind schedule/in danger of not meeting schedule), yellow (potentially in danger), and green (on schedule) to provide a quick read as to the status. These statuses need to be honest assessments, as it does the project no good to highlight an activity as green for 10 weeks, and then in the last week turn it to red. Rarely are events not known earlier in the effort, and this type of scenario typically indicates that the activity was not being managed or actively worked on until just prior to the deliverable date.

Project quality is monitored through the use of quality tools such as cause and effect diagrams, control charts, flowcharting, histograms, Pareto charts, run charts, scatter diagrams, statistical sampling, and defect repair reviews. Quality audits of the project review the scope change requests, corrective actions, actions to mitigate project risk, and so on.

Communications

Project communications take on many forms, as there are many stakeholders. There are the executive sponsors, who need a high-level understanding of whether or not the project will meet the agreed upon timeframes. Issues of cost overruns may surface and need approval for additional funding to proceed. The parties from the other departments, such as the business units being supported, network, infrastructure, database administration, systems development, physical security, facilities, and so forth depending upon the project, need to be informed of the project status. There may also be a core team that needs to have information on a more frequent basis. If this is a large project impacting many other users, a weekly communication via email may be necessary. Finally, depending upon the complexity and scope of the project, a steering committee may be necessary for the rollout.

54  ◾  Information Security Management Handbook

The old adage that “you can’t ever over communicate” applies here. Communication must be two way, and during these meetings, it is beneficial to ask the difficult questions, “Does anyone have any concerns with this effort?” Each organization can identify those that are very vocal in their positions, which tend to be the more extraverted individuals. Key information that could impact the project may be known by those that are more reserved, or introverted, and need to be drawn out during the meetings. Therefore, it is more productive to “draw out” those responses from those individuals.

Project Closing

Once the new security controls are implemented, we are done! Not so fast. While it may appear desirable to move the resources to the next big security initiative, care should be taken to properly close the project. Were all the proper signoffs obtained? What were the final costs? How did the actual schedule/budget correspond to what was planned? What items were surprises during the project? What were the lessons learned that we should not repeat on the next project? Were other enhancements identified during this project? There are many questions which should be answered and appropriately documented.

To really leverage the work from the project on the next project, the project team should have maintained a project repository that can be leveraged for subsequent projects. Many times a new template may be developed, such as one for recording minutes, or capturing the technical environment guests/hosts/servers for a cloud computing endeavor. These templates can be standardized and made available to future projects. Failing to do so would be a missed opportunity to increase the effectiveness.

As busy as teams are, key resources will be pulled into other initiatives. Recognizing these individuals is a step that is very important, not just to thank them for the work done on this project, but they may also be supportive of the next security initiative if they feel that they had some ownership in the deliverable. Resources that work on security projects extend well beyond the security team, so they need to have a sense of “what is in it for me” to be re-engaged for the next effort. They need to see some value for themselves and their department in working in the effort to become fully committed in the next project. This recognition will be increasingly more important, as Generation Y becomes a larger part of the workforce, where project experiences tend to be more important than long-term job security. The security teams also need the involvement of this generally technically savvy demographic.

A project will always have events that are unexpected during the project—the scope may increase because of a new time-to-market marketing initiative that needs a hardened server implemented in less time than originally planned, a key resource suddenly leaves the company, or someone forgot to order the leased line which has a 90-day turnaround and it is needed in 30 days. Each of these items can increase the project risk, risk that the project will not be completed on time, within budget, or with the quality expected. These risks must be managed and tracked, so that accountability is maintained and new alternatives and corresponding dates are managed. This is analogous to tracking the security vulnerabilities across the environment and ensuring that the appropriate departments are reducing the risk by implementing mitigating controls in a timely manner.


Final Thoughts

The information security field has evolved greatly in the last 10–15 years, and then again, one could argue that it is still at the same place it was. As laws and regulations have increased with the introduction of the Health Insurance Portability and Accountability Act (HIPAA) Final Security Rule (2003), the Federal Information Security Management Act (FISMA, 2002), Payment Card Industry Data Standard, Gramm–Leach–Bliley Act (GLBA), Health Information Technology for Economic and Clinical Health Act (2009), the National Institute of Standards and Technology (NIST) publications, and others, there has been an increased focus on security controls. There has also been an increased focus on the soft skills of the information security officer to build effective teams, influence decision making, market their services, build relationships, and so forth. What has not received as much focus is effective project management for information security projects. While this is emerging, as indicated by the addition of Program Management as the 18th family of the NIST 800-53 control series (NIST, 2009), there needs to be a greater recognition that just as security operations control activities need resources capable of interpreting the security events that are coming across the wire, security projects need to have allocated project managers to achieve effective results. This may be a project manager from the PMO, or the role may be taken on by a security professional. In either case, it is important that the individual has the appropriate training and experience needed, as defined by the criticality of the project. With these skills in place, the information security team can achieve the projects to carry out the vision and strategy. Otherwise, the vision will remain just that, a vision.

References

ISO/IEC 17799:2005 Information Technology Security Techniques—Code of Practice for Information Security Management. International Organization for Standardization (ISO), http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

Lessons from History. 2012. The History of Project Management. http://lessons-from-history.com/history-project-management-page

National Institute of Standards and Technology (NIST). August 2009. Special Publication 800-53 Rev3: Recommended Security Controls for Federal Information Systems and Organizations. http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

PMI. A Guide to the Project Management Body of Knowledge (PMBOK Guide)—Fourth Edition. Project Management Institute, Newtown Square, PA, 2008.

PMI. Project Management Institute, 2012. http://pmi.org


Chapter 5

Mobility and Its Impact on Enterprise Security

Prashanth Venkatesh and Balaji Raghunathan

Contents

Drivers for Adoption of Mobile Technologies in the Enterprise
Enterprise Mobility Ecosystem
Key Challenges in Managing, Controlling, and Securing Access to Enterprise Data from Mobile Devices
    Device and Technology Diversity and Heterogeneity
    BYOD (Bring Your Own Device)
    Additional Security Vulnerabilities to Be Handled
    Carrier-Level Vulnerabilities
    Vulnerabilities at the Enterprise (Server-Side Vulnerabilities)
Tools Leveraged by IT Departments in Leading Enterprises for Addressing Mobile Technology Challenges
    MEAP
    MDM
    Enterprise Appstores
Best Practices
    Tackling Heterogeneity
    BYOD Precautions
    Precautions to Address Additional Vulnerabilities
Conclusion
References

As part of its report titled “User Survey Analysis: Impact of Mobile Devices on Network and Data Center Infrastructure,” Gartner, who surveyed respondents from enterprises with 500 or more employees and an in-house data center in the United States, the United Kingdom, Germany, Australia, Brazil, Russia, India, China, and Japan, in October–November 2011, found that 90% of these enterprises have deployed mobile devices, with smartphones being most widely deployed and 86% of these enterprises planned to deploy media tablets this year.1

“Consumerization of IT,” which is all about how consumer technology (mobile devices such as phones and tablets as well as PCs) is rapidly proliferating into the enterprise, has changed the traditional IT environment in a big way.2

This chapter describes the challenges brought into the realm of enterprise security by the rapid adoption of mobile technologies and how leading enterprises are addressing these challenges.

Drivers for Adoption of Mobile Technologies in the Enterprise

A decade ago, mobility for an employee meant having a company laptop and having access to the required data that would enable them to work offline. This evolved into employees getting access to the corporate network through virtual private network (VPN) or remote access tools. Today, the world has moved on from PCs and laptops to mobiles, tablets, and PDAs.

Mobile devices play a key role in rapid and ubiquitous access to data within the enterprise. This can be leveraged by the enterprise to enhance customer experience, and improve partner and employee productivity and engagement.

The rapid adoption of mobile devices such as smartphones and tablets has also meant a paradigm shift in the way the employees, partners, and customers of the enterprise expect to be engaged.

To enhance customer experience and retain customer loyalty, enterprises develop mobile applications for their customers and allow them to download them on to their device. These mobile applications may provide access to data that lie within the corporate network and the applications may also allow the data to be stored on their personal devices.

Partners also expect the enterprise to allow access to data from their mobile devices.

Given that mobile devices enable rapid access to corporate data, employees too expect “productivity-enhancement” applications and tools to be made available through mobile devices. Enterprises are continuously seeking newer ways to enable their employees to access information ubiquitously.

The various business benefits that a mobile work force can bring to the organization have resulted in enterprises equipping their employees with mobile devices (or allowing these employees to bring in their own mobile devices) and making corporate applications and data accessible from these devices.

Enterprise Mobility Ecosystem

Figure 5.1 provides an overview of how a mobile device can access enterprise data and the ecosystem around this.

Thus, the basic mobility ecosystem involves

◾ Mobile applications that provide access to enterprise data
◾ Devices and operating systems (OS) to consume the enterprise data
◾ Protocols to share this data with other devices
◾ Telco carrier (data) network to transmit this data
◾ Enterprise applications/services and data stores

In addition to these, appstores (application stores), from where mobile applications are typically downloaded, can also be considered as a component of the mobile ecosystem.

The integration of this ecosystem into the enterprise IT infrastructure makes it imperative for the enterprise IT to procure additional systems, and have additional policies, processes, and tools to manage, control, and secure the enterprise assets and communication points.

Key Challenges in Managing, Controlling, and Securing Access to Enterprise Data from Mobile Devices

Device and Technology Diversity and Heterogeneity

Mobile technology is still evolving at a rapid pace. The ecosystem is filled with heterogeneous possibilities and diversity and a wide range of options for the end consumer. Mobile devices can be a tablet or a smartphone or low-end cell phone. The handset can be from different vendors (Apple, RIM, HTC, Samsung, Nokia, etc.) and each vendor can have multiple models. The OS on these devices can vary (iOS, Android, Windows Phone, etc.). Devices also have a range of protocols to choose from, for any data sharing or file sharing (Wi-Fi, Bluetooth, etc.) and a host of data network types (GPRS, Edge, 3G, 4G) they can connect to. The applications can be either native or hybrid or can be accessed by a browser. The data for these applications can be from any enterprise data store (SAP, Siebel, RDBMS, etc.).

Table 5.1 captures the heterogeneity and diversity of the ecosystem. This heterogeneity results in the following challenges:

◾ How should different devices, platforms, and OS be supported by the enterprise?
◾ How should communication between the device and enterprise network be secured?
◾ How should diverse devices be managed and controlled?
◾ Can one tool support all these devices, platforms, and OS, or should we go in for multiple tools?
◾ How should security patches and policies be applied on the devices?
◾ How should applications be delivered?
◾ How should applications be managed?
◾ How should application development and testing for applications on multiple platforms be supported by the enterprise?
◾ What is the minimum device configuration that should be supported by the enterprise?
◾ What is the minimum OS version that must be supported by the enterprise?
◾ What is the minimum permission that should be granted to applications?

[Figure 5.1 Ecosystem for a mobile device to access enterprise data. Panels: Mobile devices, Carriers, Enterprise data center. Labels: Device OS; Mobile apps; Wireless protocols for transferring content between devices; Data networks; Enterprise data services.]

BYOD (Bring Your Own Device)

Initially, enterprises used to provide their own handsets to employees, which were hardened as per company policies. Most companies allowed their employees to check e-mails or store contacts, but did not allow employees to download rich applications. With the advent of powerful devices with rich features, more and more employees prefer to use their own devices for work purposes.

More enterprises permit their employees to bring their own devices mostly as an employee engagement initiative. On the one side, this initiative helps organizations to save capital cost (on procuring devices for their employees), while on the other side, it helps employees to use the device that they are comfortable with.

However, BYOD brings with it a host of security, privacy, and legal concerns.

◾ What is the level of control that enterprise IT can exert over a personal device?
◾ What is the level to which the personal device must be managed?
◾ How should theft of devices be handled?
◾ Should applications be allowed to store enterprise data on personal devices?
◾ Which are the handsets (makes, models) and OS versions that should be permitted?
◾ How many devices can the user connect to the enterprise network?
◾ How should applications be delivered on to devices?
◾ Can the user be restricted from accessing specific social networking and other sites?
◾ What level of support should be provided to personal devices?
◾ What is the level of restriction that can be placed on the device without annoying the user?
◾ Given that native apps are much more difficult to be controlled by IT as compared to web apps, can the user be restricted from accessing native apps?

Table 5.1 Mobile Device and Ecosystem Heterogeneity

Ecosystem Component                 Options
Device                              Smartphones, tablets. Handset choices: iPhone versus Android phones (HTC/Samsung/Nexus) versus Blackberry versus Windows Phone
Device operating system             iOS versus Android versus Blackberry versus Windows Phone
Device protocol                     Wi-Fi, Bluetooth
Data network                        GPRS, EDGE, 3G, 4G
Mobile application                  Native apps versus mobile web versus hybrid apps
Enterprise application/data store   ERP, CRM, portal, database

Traditionally, the enterprise IT infrastructure team is used to managing all the OS in an enterprise. With the advent of BYOD, heterogeneous systems are introduced into the network.

Different mobile OS support different ways to manage device and application security. For example, if we need to install an application on Android OS, we would have to either grant all the permissions in the list or cancel the install. This is not the case with Apple iOS-based devices. We can choose not to give permission to a specific service and still install the application.

Also, the levels of security might vary if the same device is jailbroken and allows installation of applications from unrecognized application sources.

Additional Security Vulnerabilities to Be Handled

The introduction of mobile access to enterprise data brings into its fold a list of additional vulnerabilities and threats to the enterprise. Figure 5.2 provides a list of additional vulnerabilities and threats the enterprise IT must be prepared to handle.

OS vulnerabilities: Many OS vulnerabilities have led to the compromise of the device. For example, one of the vulnerabilities in Safari web browser allowed access to phone features such as address book. Some of the major vulnerabilities found in iOS are CVE-2012-0674, CVE-2011-3442, and so on.

[Figure 5.2 Device-level vulnerabilities.
Mobile devices: 1. Operating system-related vulnerabilities; 2. Data at rest; 3. Mobile malwares; 4. Device theft.
Carriers: 1. Transport layer security (MITM attacks); 2. Weak protocols (WEP); 3. Rogue access points; 4. SIM-related attacks.
Data centers (enterprise services and data repository): 1. Server side attacks; 2. Rogue app stores; 3. DDOS; 4. Database security.]

Android OS has been a target for malware writers and hackers for some time now and many enterprises still do not prefer Android for enterprise usage due to reported major vulnerabilities. There are specific websites (http://www.cvedetails.com) that highlight some of the major vulnerabilities found in Android OS. Most vulnerabilities found in Android revolve around access bypass and privilege escalation. Common malware found on Android includes Zitmo (Android edition), the mobile version of the banking malware Zeus.3

Data at rest: Applications might store user data such as passwords to applications such as Facebook locally on mobile phones. In case of a device theft or unauthorized access, it might be possible that someone can steal the data. Data at rest vulnerability has to be addressed by the application.

Mobile malwares: Mobile device users are increasingly vulnerable to malware attacks. Changing the device settings, tracking users based on the location of the devices, collecting sensitive data from the device, sending spam messages, and so on are among the malware behaviors that increasingly threaten unsuspecting users.4

Device theft: Device theft remains one of the biggest worries for any organization supporting mobility. Mobile device management (MDM) solutions provide support for remote disk wipe for lost devices. There are applications that automatically send an SMS to a registered number whenever the SIM card in the phone is changed, and thus help in tracking the lost devices.

Carrier-Level Vulnerabilities

Transport layer vulnerabilities (MITM attacks): Man In The Middle (MITM) attacks are those that are targeted toward the network layer. MITM attacks allow an attacker to sniff the network traffic and gain access to the sensitive data. There are various ways to perform MITM attacks but the attack can be avoided by using SSL or HTTPS at the transport layer. Strong algorithms with good key size can prevent an attacker from decrypting the data.

Weak protocols (WEP): WEP is considered to be insecure, and encrypted data transmitted using this protocol can be easily sniffed and decrypted. WEP is considered to be weak as it uses the RC4 cipher with a key size of 40 bits and a 24-bit initialization vector (IV) that is repeated across the message stream.

Rogue access points: Usually at public places such as hotels and airports, attackers can set up rogue access points to provide free Internet and lure innocent users to get connected to websites. A variety of tools can be used to act as a proxy and capture Internet traffic that can contain user credentials to websites. For example, a tool such as SSL strip can be used to capture credentials from sites using https protocol.

SIM-related attacks (SIM cloning): SIM cloning is a process of creating a copy of the original SIM. There are various tools and software available on the Internet that help in SIM card cloning. There are many methods through which SIM card details can be stolen. Essentially, the solution to prevent SIM card cloning has to be implemented at the service provider’s end so that innocent customers are not charged for usage by cloned SIM cards.
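The weakness described under "Weak protocols (WEP)" above, as an added Python illustration that is not part of the original chapter: it shows that two frames encrypted under the same IV expose the XOR of their plaintexts, how a capture can be checked for repeated IVs, and how few frames a 24-bit IV space allows before a repeat becomes likely. The shared key, IVs and payloads are constructed sample values, the integrity check value carried by real WEP frames is omitted, and the collision estimate assumes IVs are chosen at random.

```python
"""Added illustration of WEP IV reuse; keys, IVs and payloads are constructed."""

IV_BITS = 24                           # IV size given in the text
SECRET = bytes.fromhex("0badc0ffee")   # constructed 40-bit shared key


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling followed by n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, secret: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared secret; the IV is sent in the clear.

    Simplification (assumption of this example): the CRC-32 integrity value
    that real WEP appends before encryption is left out.
    """
    return xor_bytes(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def find_iv_reuse(frames):
    """Return (first_index, later_index) pairs of frames sharing an IV.

    `frames` is a list of (iv, ciphertext) tuples, e.g. parsed from a capture.
    """
    first_seen = {}
    pairs = []
    for idx, (iv, _ciphertext) in enumerate(frames):
        if iv in first_seen:
            pairs.append((first_seen[iv], idx))
        else:
            first_seen[iv] = idx
    return pairs


def frames_until_collision_likely(target: float = 0.5, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which a repeated random IV has probability >= target."""
    space = 1 << iv_bits
    p_all_unique = 1.0
    n = 0
    while 1.0 - p_all_unique < target:
        p_all_unique *= (space - n) / space   # frame n+1 must avoid n used IVs
        n += 1
    return n


if __name__ == "__main__":
    iv = bytes.fromhex("000001")              # constructed IV, used twice
    p1 = b"GET /index.html HTTP/1.1"          # constructed payloads
    p2 = b"user=alice;token=7f3a9c1"
    c1 = wep_encrypt(iv, SECRET, p1)
    c2 = wep_encrypt(iv, SECRET, p2)

    # Same IV means same keystream, so the keystream cancels out entirely.
    print("c1^c2 == p1^p2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
    # Anyone who knows or guesses p1 obtains p2 without ever learning the key.
    print("p2 from known p1:", xor_bytes(xor_bytes(c1, c2), p1))
    print("IV reuse in capture:", find_iv_reuse([(iv, c1), (iv, c2)]))
    print("frames for 50% IV repeat:", frames_until_collision_likely(0.5))
```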

Vulnerabilities at the Enterprise (Server-Side Vulnerabilities)

Server-side attacks: Enterprises are vulnerable to server-side attacks such as SQL injection and buffer overflow even when the access devices are mobile devices. Enterprises have to secure these servers in the same way as it is done when accessed by web browsers. Firewalls and IDS (intrusion detection systems) still need to be used as protection mechanisms to ensure that only the necessary services are exposed to the world and the ones exposed are monitored.

Rogue appstores: Appstores are the preferred mechanism to allow users to download mobile apps. Care needs to be taken while installing apps from unofficial appstores that can turn out to be rogue appstores. Mobile malwares are largely spread using rogue appstores, which combine authentic applications with viruses. A user might install such an application thinking it to be genuine software, but behind the scenes, it can monitor SMS or steal personal information.

Different OS allow different levels of access to third-party appstores. Apple iOS devices can only install applications from iTunes appstore. One needs to jailbreak the device to install third-party apps. Android allows installation of third-party apps.

DDOS: Cyber criminals own a vast network of botnets and use them for performing distributed denial-of-service (DDOS) attacks against websites. DDOS is a sophisticated method of generating malicious traffic that makes servers unavailable to authentic users. It is a difficult attack to prevent as the attack traffic might come from many different sources. Recent attacks by hacktivists have concentrated on using DDOS to bring down servers.

Database security: Appstores that store customer data should take extra precautions and ensure that customer data are protected. PCI compliance provides a comprehensive list of controls that should be implemented to ensure that credit card and personal identification information (PII) is protected for the data at rest, transit, and display. In addition to PCI, there are other legislations such as HIPAA, PIPEDA, European Data Protection Directive, and so on, which mandate adequate protection to PII and PHI (Protected Health Information).

Tools Leveraged by IT Departments in Leading Enterprises for Addressing Mobile Technology Challenges

Table 5.2 provides a mapping of the approach or tools enterprises use to address key challenges and vulnerabilities.

MEAP

Mobile Enterprise Application Platform (MEAP) [5] is a platform that provides enterprises the capability to mobile-enable their business processes securely. MEAP essentially provides enterprises the capability to

◾ Deploy mobile applications across heterogeneous devices and OS
◾ Manage the handset and OS heterogeneity of mobile devices
◾ Synchronize data between smartphones and enterprise servers
◾ Increase mobile developer productivity by providing a rapid application development toolkit (mobile application development platform) that supports drag-and-drop controls for application development
◾ Deploy policy-based configurations on mobile devices

Table 5.2 Approach Used by Enterprise to Address Mobile Technology Challenges

Challenge | Approach Increasingly Being Adopted by Leading Enterprises
Device and technology diversity and heterogeneity | MEAP
BYOD | MEAP + MDM + enterprise mobile appstores
Device-level vulnerabilities | Remote patching, OS upgrades
Carrier-level vulnerabilities | Transport layers security and data encryption
Server-side vulnerabilities | Firewalls, IDS, application firewalls

In addition, a MEAP provides a host of important management and security features such as backup and restoration of critical data, distribution of software, and sending out automatic updates to applications and antivirus software to mobile devices with minimal impact to the user. It can optimize distribution over low-bandwidth connections by helping compress applications. It also supports security features such as Power-On Password and password lockout and can also lock down Bluetooth ports wherever necessary. It also helps in automatically configuring device settings.

MDM

The need to support BYOD has resulted in organizations accelerating their deployment of MDM solutions in their enterprise. Some of the important features that MDM supports include

1. Remote administration
   a. Over-the-air distribution of necessary applications and start/stop required services
   b. Firmware upgrades
   c. Remote device tracking, wipe in case of device theft or loss
   d. Remote password resets
2. Data security
   a. Security at rest: Ensure that the data stored on a mobile device (file system and database) are encrypted. Only authorized persons should be able to access the data.
3. Third-party app installation
   a. Ensure that only permitted apps from recognized appstores are allowed.
   b. Access control on apps to ensure that only appropriate services are allowed to be accessed.

Enterprise Appstores

To ensure that enterprise users are able to search and download authorized enterprise mobile applications on their devices, more and more enterprises enable the distribution of applications only through enterprise appstores rather than public appstores.

Given the rapidly evolving nature of the enterprise mobility space, the borders between MEAP, MDM, and Appstores are getting redrawn.

The development components in MEAP are being increasingly referred to as MADP (Mobile Application Development Platform), while new tools for Mobile Application Management and Mobile Content Management are being adopted by the enterprise. The device, application, and content management tools are collectively being grouped as Enterprise Mobility Management tools.


Best Practices

Tackling Heterogeneity

The mobility space is evolving, and it is always better for enterprises to design their applications and tools for these evolutionary challenges. One of the key evolutionary challenges is device and ecosystem heterogeneity. Mobile apps must be designed for heterogeneity. Similarly, enterprise tools need to support heterogeneity. MEAP and MDM can address today’s challenges, but enterprise IT must be prepared to invest in procuring additional tools in the future to adequately address evolutionary challenges.

BYOD Precautions

Adequate tools to enable remote device wipeout in case of device theft are mandatory before allowing BYOD. When implementing BYOD, enterprise IT must ensure that the enterprise IT policy does not restrict the employee’s right to use his or her personal device for legitimate personal needs. BYOD does not mean an absence of technical support for devices. Enterprise IT must be equipped to provide a reasonable level of technical support to personal devices of employees. Enterprise IT must set up a mobility center of excellence to constantly monitor the mobile technology evolution, evaluate new devices, OS, and management tools, monitor loopholes and risks in mobile technologies, advise on the permissible list of devices, minimum device configurations, and OSs that can be used by the employee to access enterprise data, and frame BYOD guidelines and policies.

Precautions to Address Additional Vulnerabilities

As a good practice, employees must not be allowed to connect their smartphones to access points that use the WEP protocol for data transmission. While allowing an employee-owned device to be connected to the enterprise, it should be ensured that certificate-based authentication is used with the WPA2 Enterprise protocol.

Any device that is to be connected to the corporate network should be registered with the enterprise IT. Certificates should be pushed to the device at the time of registration and subsequently used for authentication.

Employees must be allowed to download enterprise applications only through the enterprise’s own appstores and not through public appstores.

Enterprises should restrict jail-broken devices, as jailbreaking increases the risk of rogue apps getting installed on the phone.

Mobile applications must address data-at-rest vulnerabilities.

Conclusion

The need to enhance employee productivity and enhance customer experience as well as the need to provide access to enterprise data to employees, partners, and customers have brought mobile devices into the enterprise IT. The introduction of mobile technologies into the enterprise comes with additional challenges, vulnerabilities, and pain points for enterprise security. The enterprise IT needs to be equipped with a mix of tools, procedures, processes, and best practices to address the challenges and vulnerabilities. Taking a strategic view as opposed to a piecemeal view is needed to address the challenges of device and technology heterogeneity, BYOD, and other vulnerabilities.

References

1. http://www.gartner.com/it/page.jsp?id=2048617.
2. http://blogs.msdn.com/b/b8/archive/2012/04/19/managing-quot-byo-quot-pcs-in-the-enterprise-including-woa.aspx.
3. http://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224.
4. http://articles.economictimes.indiatimes.com/2012-06-17/news/32281927_1_mobile-malware-mobile-devices-android-platform.
5. http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/80701ab1-7153-2e10-6db9-d57b8d0b4b7d.


Chapter 6

An Introduction to Digital Rights Management

Ashutosh Saxena and Ravi Sankar Veerubhotla

Contents

Introduction
Digital Rights Management
  Background
  Types of Rights
  DRM Principles
  Protocols and Industry Standards
DRM Practices
  Software
  Hardware
Working of DRM Systems
  DRM Architecture
  DRM Components
  Limitations of DRM
Implementation of DRM Systems
  Identification of Scope
  Analysis of Requirements
  Implementation Choices
  Evaluation Framework
  Match the Business Needs
Conclusion
Annexure: Sample Data Gathering Templates
Further Reading

68  ◾  Information Security Management Handbook


Introduction

Digital rights management (DRM) is a collection of access control and encryption technologies used by publishers, copyright holders, and hardware manufacturers to limit and regulate the usage of digital content. With rapid information sharing and unauthorized distribution of high-value content, digital piracy has grown multifold. This piracy, which was initially confined to the entertainment industry involving movies or music, is now spreading to the e-books and software market as well. With the increase in electronic reading devices, smartphones, and tablets, the problem of piracy is only getting worse.

In 2011, Frontier Economics estimated that U.S. Internet users annually consume between $7 and $20 billion worth of digitally pirated recorded music. The same report estimated that the total value of counterfeit and pirated products impacting G20 economies in 2015 would be in the range of $1220−$1770 billion, which was $455−$650 billion in 2008. According to the ninth annual Global Software Piracy Study (2012) by the Business Software Alliance (BSA), which is a software industry lobbyist group dedicated to combating digital piracy, 57% of global PC users acquire pirated software, up from 42% in 2011. The BSA also pointed out that the cost of unchecked digital piracy in the software industry was $63.4 billion in 2011, whereas software worth $59 billion was illegally downloaded in 2010.

The rise in these figures, year on year, is alarming and poses a tough challenge to all the concerned industries that are losing revenues. Hence, it is necessary for legal and IT security professionals to be better equipped for combating piracy.

To counter the piracy menace, DRM solutions are widely practiced, which range from software approaches to hardware designs. Early DRM solutions were proven not-so-strong, but today, with technological advancement, the situation is much better and favorable to the publisher. Today, DRM solutions use strong encryption techniques combined with watermarking or fingerprinting to track the usage. Moreover, users can consume the protected content either in the online or in the offline mode. Apart from choosing the proper DRM solution, implementing the solution correctly is equally important. Cost, performance, usability, and scalability are a few of the additional parameters to be considered for selecting the right DRM solution, apart from security aspects.

Digital Rights Management

Background

In the predigital era, people’s ability to use and alter content was limited. But in this networked digital era, it is possible to do just about anything to the digital content instantly and with minimal cost. Today’s digital contents are in various forms such as documents, e-books, audio, video, games, and software binaries. In general, any business that needs to control access to its content or intellectual property documents is a potential user of DRM. Thus, there is a need for a technology that enables the secure creation, distribution, and management of digital content.

DRM places a digital lock on the digital asset to regulate the usage, thereby protecting it from being misused. DRM systems can be used to specify user rights such as read, play, edit, copy, and print. These rights are enforced during the consumption of the content by a trusted client. DRM has been an active area of research for decades. Previously, the main intent of DRM was to prevent the user from making illegal copies of the proprietary content and limit its distribution to only those who pay. Hence, early DRM solutions focused only on different encryption techniques to solve the issue of unauthorized copying. This was the case with the first-generation DRM solutions where it was comparatively easier to bypass the DRM restrictions. Today’s second-generation DRM solutions are far better as they are capable of protection, identification, monitoring, and tracking for digital assets.

Types of Rights

Rights are creations of law. Property is a bundle of rights, protected and guaranteed by a government. Examples include real property, personal property, intellectual property, and so on. Intellectual property (IP) is a general term for intangible property that is an outcome of an intellectual endeavor or the creation of the mind. Intellectual property right (IPR) is the legal recognition of the ownership of IP. In general, the following forms of IP are recognized: copyrights, patents, registered design, trademarks, know-how, and confidential information.

Copyright allows the creators of a work to control the use of their material, such as making copies, distribution, or its use in public domain. However, copyright cannot protect ideas and other forms of IP. A patent issued for an invention gives the inventor the right to stop others from making, using, selling, offering for sale, or importing the invention without the permission of the inventor. When a patent is granted, the invention becomes the property of the inventor, which, like any other form of property or business asset, can be acquired or licensed.

In the case of digital content, it is very easy to replicate and distribute it. Thus, it is important to identify the rights, which are applicable to digital content for its legitimate usage and distribution. Essentially, DRM is the management of these digital rights. Such rights consist of permissions on how the content can be used and constraints such as duration for which the content can be accessed. Digital rights can be classified into two main categories—static rights that do not change with time and dynamic rights that may be altered by the application of content usage policies.

DRM Principles

DRM principles ensure that the desired goals for content protection are attained. DRM controls the access to sensitive content by including information about the user rights for the content in the form of a license. Initially, the digital content will be encrypted by the publisher, with a random secret key to prevent the unauthorized copying and misuse of the content. In some scenarios, such as multimedia encryption, selective encryption techniques are employed. These techniques partially encrypt the content, by choosing important portions of the content or by making a random choice. The encrypted content is distributed to users for consumption along with a user license. The publisher, who owns the content, grants the user rights applicable for it.

DRM systems comprise many different subsystems that handle content distribution, licensing, rights handling, and deterring mechanisms. In some instances, the DRM server plays a dual role as a repository for content and a license server. In this scenario, the server holds the content and decryption keys, and is responsible for rights management and license distribution to authorized consumers on behalf of the publisher.

Protocols and Industry Standards

Various organizations, for example, ContentGuard, Open Mobile Alliance (OMA), W3C, and Open Rights Group, are working toward establishing DRM standards. The OMA, which is a consortium of wireless, IT industry, and mobile manufacturers, released the OMA DRM. The aim of the OMA DRM is to facilitate a controlled consumption of digital content by allowing content providers to express usage rights by granting permissions on the digital content, which in turn defines how the content can be consumed. Figure 6.1 shows the functional architecture of the OMA DRM.

OMA DRM 1.0 supports forward-lock, combined delivery, and separate delivery.

◾ Forward-lock—This prevents the content from leaving the current device by blocking forward (to another user) option.
◾ Combined delivery—This mode packages the digital content and rights together for delivery.
◾ Separate delivery—This mode provides the content and user license as two separate files. In this case, by changing the license file, new rights can be acquired.

OMA DRM 2.0 extends its predecessor and controls the content and rights separately. A few of its characteristics are as follows:

◾ Content is encrypted using a symmetric key either in
  − DRM content format (DCF) for discrete media
  − Packetized DRM content format (PDCF) for streaming media
◾ DRM licenses are handled as rights objects (RO) and acquired through rights object acquisition protocol (ROAP). RO is an XML document created to specify permissions or constraints associated with the content.
◾ Public key cryptography-based techniques are used to authenticate devices and bind RO to devices.

OMA DRM 2.1 has several additional features on top of OMA DRM v2.0, which include

◾ Metering, mainly intended for information gathering on how the content is used, thereby enabling the rights issuers to collect royalty based on the actual usage of the content.
◾ Content differentiation, describing a mechanism to control the content consumption. For example, this mechanism can prevent a music track from being used as a ringtone.

Figure 6.1 Functional architecture of OMA DRM. (Diagram elements: content issuer, rights issuer, rights object, protected content, DRM agent, end user.)


◾ Support for user editable metadata, besides content issuer-defined metadata.
◾ RO upload functionality that enables users to upload rights from their old device to a rights issuer, which can then be downloaded to their new device.

The OMA DRM defines a general framework for downloading rights to devices, but the OMA secure removable media (SRM) standard allows users to move and consume rights on a different device. Rights expression language (REL) is used to express digital rights and achieve interoperability by DRM vendors. Major RELs include ODRL specification from OMA and XrML specification from ContentGuard.

DRM Practices

The DRM solutions that are being practiced today range from software approaches to hardware designs. Each approach has its own benefits and limitations. Techniques such as licensing, watermarking, and fingerprinting are a few of those generally used on the software front, whereas in hardware, security relies on external hardware objects such as dongles and SIM cards.

Software

To improve the DRM protection, the content can first be watermarked, before encrypting and distributing it. Content protection and deterring mechanisms that monitor and track content include watermarking and fingerprinting. Deterring measures do not aim at preventing copyright violation but make copyright violations detectable, verifiable, and thus prosecutable.

Watermarking techniques hide a message or copyright information in the content. In the event an unauthorized copy is traced, the content owner can recover the watermark and use it as evidence to sue the culprits. The main requirements of watermarking techniques are robustness, imperceptibility, and security. Robustness is the ability of a watermark to survive intentional and inadvertent distortion. The watermarking process must not affect the fidelity of the content and for this reason the embedded watermark must be imperceptible. Watermarking must be secure to prevent unauthorized detection, embedding, or removal. There are several watermarking techniques such as least significant bit (LSB) insertion, and discrete cosine transform (DCT)- and discrete wavelet transform (DWT)-based methods.

The LSB insertion technique is the simplest method for embedding watermark. In color images, each pixel has three components, namely, red, green, and blue. Assuming 3 bytes are allocated for a pixel, each of these colors has 1 byte, or 8 bits. In the LSB technique, watermarking information is embedded into red, green, or blue bytes by storing 1 bit of information in each least significant bit. So, for each pixel, we can hide 3 bits of watermarking information, in the LSBs.
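The LSB insertion described above, written out as an added example (not code from the chapter): it stores one watermark bit in each red, green, and blue byte, then shows why the robustness requirement matters by running the marked image through a simple lossy step. The 2-byte length prefix, the function names, and the 16x16 sample image are assumptions made for the illustration.

```python
"""LSB watermarking over a raw RGB buffer (added example, not from the chapter)."""

HEADER_BITS = 16  # assumption: a 2-byte big-endian length prefix precedes the mark


def capacity_bits(pixels: bytes) -> int:
    """One hidden bit per colour byte, i.e. 3 bits per 3-byte RGB pixel."""
    return len(pixels)


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels: bytes, watermark: bytes) -> bytes:
    """Return a copy of pixels with the watermark stored in the channel LSBs."""
    if len(watermark) > 0xFFFF:
        raise ValueError("watermark too long for the 2-byte length prefix")
    payload = len(watermark).to_bytes(2, "big") + watermark
    if len(payload) * 8 > capacity_bits(pixels):
        raise ValueError("watermark does not fit in this image")
    marked = bytearray(pixels)
    for index, bit in enumerate(_to_bits(payload)):
        marked[index] = (marked[index] & 0xFE) | bit  # only bit 0 changes
    return bytes(marked)


def _read_bytes(pixels: bytes, bit_offset: int, count: int) -> bytes:
    """Rebuild count bytes from the LSBs starting at bit_offset."""
    out = bytearray()
    for i in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[bit_offset + i * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Recover the watermark, validating the length prefix against image size."""
    if len(pixels) < HEADER_BITS:
        raise ValueError("image too small to hold a watermark header")
    length = int.from_bytes(_read_bytes(pixels, 0, 2), "big")
    if HEADER_BITS + length * 8 > len(pixels):
        raise ValueError("length prefix is inconsistent with image size")
    return _read_bytes(pixels, HEADER_BITS, length)


def max_channel_change(original: bytes, marked: bytes) -> int:
    """Largest per-channel difference: the imperceptibility measure used here."""
    return max(abs(a - b) for a, b in zip(original, marked))


def requantize(pixels: bytes) -> bytes:
    """Stand-in for lossy processing: round every channel down to an even value."""
    return bytes(p & 0xFE for p in pixels)


# Constructed sample input: a 16x16 RGB gradient (768 colour bytes).
WIDTH, HEIGHT = 16, 16
PIXELS = bytes(
    (x * 7 + y * 13 + c * 50) % 256
    for y in range(HEIGHT) for x in range(WIDTH) for c in range(3)
)
WATERMARK = b"(c) Example Publisher"  # constructed owner string

if __name__ == "__main__":
    marked = embed_lsb(PIXELS, WATERMARK)
    print("capacity (bits):", capacity_bits(PIXELS))
    print("max channel change:", max_channel_change(PIXELS, marked))
    print("recovered:", extract_lsb(marked))
    print("after requantize:", extract_lsb(requantize(marked)))
```

The mark changes no channel by more than one level, which is why it is imperceptible, and it disappears entirely once the low bit is discarded, which is why the frequency-domain methods are preferred when the content must survive compression.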

Watermarking in the frequency domain involves the modification of the image (or media) in the transform domain. In the DCT method, the image is first transformed into the frequency domain by the use of DCT. Subsequently, the DCT coefficient values are modified by adding watermark information. The inverse transform of the marked coefficients forms the watermarked image. The DCT allows an image to be broken up into different frequency bands, making it much easier to embed watermark information into the middle frequency bands of an image to withstand compression and noise attacks.

The DWT-based methods are similar to other transform domain methods such as DCT embedding, but can model human visual system (HVS) more accurately. In the DWT-based methods, initially, the image is decomposed into higher- and lower-resolution bands by choosing a particular wavelet. The watermarks are then embedded into high-resolution bands where the HVS is less sensitive.

Fingerprinting techniques are another form of watermarking techniques. Fingerprinting makes the digital copy unique by embedding a unique identification or serial number into it. Fingerprinting has an ability to track back the culprits who circumvent the copy protection by analyzing the pirate copy under circulation. Watermarking deals with embedding identification information in a cover, such as a video or audio signal robustly, whereas fingerprinting mainly concentrates on creating a unique identification number, which, when embedded in a digital copy, can track the culprits who circulate unauthorized copies. Some of the fingerprinting methods do not alter the digital copy; instead, they use the natural properties unique to the content. Software licensing solutions also use similar techniques to protect software.

Hardware

There are many kinds of DRM solutions available in the market. In a device-based DRM, the rights management comes from the mandatory usage of customized players and unique global device identifiers, for example, the international mobile equipment identity (IMEI) number. However, this kind of DRM scheme is constrained by its inflexibility, especially in the mobile environment. Alternate approaches use field programmable gate array (FPGA) and application-specific integrated circuit (ASIC)-based security platforms or smart card-based design where a chip is the core component of the scheme. This chip carries all the intelligence to identify, encrypt/decrypt, and store the required data. But the complexity and cost associated with this kind of DRM scheme are high.

Working of DRM Systems

DRM Architecture

Because of the rapid increase in counterfeit and illegal distribution of digital content, there is a considerable need for DRM solutions in the market. The major responsibilities of a DRM system include secure delivery of content, prevention of unauthorized usage, enforcement of user rights, and monitoring of the content. In a typical DRM system, each customer obtains the encrypted content from a distribution center on their network or over the Internet. To decrypt and access the content, a license, containing the user rights and the access key, needs to be obtained from a license server. The license server authenticates the customer based on their credentials and returns a license file. The customer’s workstation must have a DRM client trusted by the DRM system to render the content after enforcing the rights as per the license. The DRM systems support online and offline models for the consumption of the content, so that appropriate content delivery and licensing methods can be used.

a. Online model. In this model, the DRM client has to connect to the DRM server to consume the content. Once connected, the end user authenticates to the server and gets a license through a secure session. The license that includes the secret key for content decryption along with the information on rights is transferred to the client during content consumption. The DRM client decrypts the content in memory and enforces the rights specified in the license. By changing the rights information on the server, the publisher can grant new rights or extend existing privileges to the user. This online model provides the greatest flexibility when assigning rights to any combination of users and controls the usage of content such as view, copy, edit, and forward.

b. Offline model. The offline DRM model is applicable to the scenarios where the DRM client has limited connectivity to the DRM server. In this case, the client can choose to work offline after the initial connectivity to the DRM server. The DRM server establishes the trust among the client’s workstation, the end user, and the DRM client using a reliable mechanism such as digital certificates. The end user obtains a DRM license and stores it locally, which will be used every time the content is consumed.
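For the offline model, where a locally stored license is checked on every use, the following added example (not code from the chapter or from any DRM product) shows the checks a trusted client would run before rendering: license integrity, device binding, expiry, the requested right, and a use counter. The license fields, the use-count constraint, and the names are assumptions, and an HMAC stands in for the rights issuer's public-key signature because the Python standard library has no signature primitive.

```python
"""Offline license checks in a DRM client (added example, constructed values)."""
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real rights issuer would sign licenses
# with a private key and the client would hold only the public key.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(body: dict) -> bytes:
    """Stable byte encoding of the license body, so the MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_license(key, content_id, device_id, permissions, not_after, max_uses):
    """Rights-issuer side: build a license bound to one device and protect it."""
    body = {
        "content_id": content_id,
        "device_id": device_id,
        "permissions": sorted(permissions),  # e.g. view, print, copy
        "not_after": not_after,              # duration constraint (epoch seconds)
        "max_uses": max_uses,                # hypothetical use-count constraint
    }
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class DrmClient:
    """Trusted client that enforces rights from a locally stored license."""

    def __init__(self, key: bytes, device_id: str):
        self.key = key
        self.device_id = device_id
        self.uses = {}  # content_id -> number of granted uses so far

    def authorize(self, lic: dict, action: str, now: int):
        """Return (allowed, reason). Integrity is checked before any field is trusted."""
        body, mac = lic.get("body"), lic.get("mac")
        if not isinstance(body, dict) or not isinstance(mac, str):
            return False, "malformed license"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), mac.encode()):
            return False, "integrity check failed"
        if body["device_id"] != self.device_id:
            return False, "license bound to another device"
        if now > body["not_after"]:
            return False, "license expired"
        if action not in body["permissions"]:
            return False, "right not granted"
        used = self.uses.get(body["content_id"], 0)
        if used >= body["max_uses"]:
            return False, "use count exhausted"
        self.uses[body["content_id"]] = used + 1  # count only granted uses
        return True, "ok"


if __name__ == "__main__":
    lic = issue_license(ISSUER_KEY, "ebook-001", "device-A",
                        ["view", "print"], not_after=2000, max_uses=2)
    client = DrmClient(ISSUER_KEY, "device-A")
    print(client.authorize(lic, "view", now=1000))
    print(client.authorize(lic, "copy", now=1000))
    edited = {"body": dict(lic["body"], permissions=["copy", "print", "view"]),
              "mac": lic["mac"]}
    print(client.authorize(edited, "copy", now=1000))
    print(DrmClient(ISSUER_KEY, "device-B").authorize(lic, "view", now=1000))
```

Because the use counter and the clock live on the end user's machine, these checks are only as trustworthy as the client environment, which is the limitation the chapter raises for untrusted end-user platforms.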

DRM Components

DRM systems incorporate many different integrated mechanisms and functionalities such as content protection, distribution, licensing, payment systems, access control, rights handling, and deterring mechanisms.

The DRM solutions come in various flavors but most of them have the combination of stages defined as follows:

◾ Packaging. Normally, encryption methods are used to protect the digital content before user-specific rights are granted. In some cases, watermarking techniques are also used in packaging the content.

◾ Content distribution. The DRM-protected files are delivered to the customers through the Internet, e-mails, or through a physical medium such as CD/DVD. Using superdistribution, the encrypted content can be shared with anybody without any restrictions. However, as licenses are customized and cannot be transferred, each customer has to acquire a new license for using the content.

◾ License service. Specialized servers are placed to authenticate legitimate users through an Internet connection to allow or deny access to the DRM-protected content using various authentication mechanisms. DRM licenses that generally contain cryptographic keys are used to manage protected content. Legitimate users use these keys to unlock their files. The choice of how to provide these cryptographic keys to the users will vary with the DRM scheme. As such it is not advisable to give these keys in plain to the end user, since it may lead to the circumvention of the DRM protection.

◾ License acquisition. Users generally need to pay a fee to the publisher through a payment gateway or prove the legitimacy by an authentication process before acquiring a license from the license server.

◾ Communication protocols. Various components in the DRM system need to communicate with each other using a set of predetermined commands or protocols to make the solution work. User authentication, rights acquisition, and rights revocation are examples of such activities.

◾ Rights enforcement. User rights need to be enforced at their end by means of a trusted application.

◾ Tracking. In some scenarios, DRM systems may need to monitor the use of content. This is mainly carried out by fingerprinting methods. Broadcast encryption systems that allow targeting of an encrypted message to a privileged group of receivers can also track the contributors of a pirate decoder.


◾ DRM client. This client, also referred to as a DRM agent, is a trusted application that resides in an end user’s workstation. It acts as an interface between the end user and the corresponding DRM server(s), handling user authentication, license acquisition, content rendering, rights enforcement, and tracking. This client can be a dedicated application, a plug-in to existing applications such as Adobe PDF reader or a customized browser.

Limitations of DRM

Given the variety of devices (with different form factors) used to consume digital contents and the lack of a common ground, the interoperability of DRM systems is a major problem today. A variety of organizations are working on DRM standards; however, there is a lack of a common standard. DRM vendors either follow different DRM standards and rights expression languages or create one of their own. This makes the interoperability of DRM systems difficult. The content protected on one platform may not be used on any other platform. Similarly, users cannot choose their favorite media player for rendering the DRM-protected content due to interoperability issues.

Another major challenge is related to the deployment of DRM technology for the end users. End-user environments are heterogeneous and mainly untrusted. DRM clients generally enforce the rights by means of customized content rendering software and using cryptographic keys. End users will not be interested in installing customized software at their end without any incentives or perks. The protection of cryptographic keys and licenses is very difficult in an untrusted environment. The circumvention of the DRM protection is possible by ripping the audio, converting digital content to analog forms, capturing the decryption streams, or using print screen options for readable content.

As a genuine concern, archival of the DRM content will be difficult due to the fact that the technology may become obsolete after a couple of years or a particular DRM vendor may go out of business. However, this problem can be partly addressed by using proper key escrow mechanisms and establishing decommissioning procedures for DRM.

Implementation of DRM Systems

The implementation of a DRM system involves an initial risk assessment for identifying possible threats to content, development of use cases, defining requirements, RFP creation, and vendor evaluation to finally create a DRM system.

Identification of Scope

In this phase, the stakeholders’ requirements are to be identified and documented. This may incorporate different perspectives of publishers and end users. The publisher is mainly concerned about content protection and its secure distribution whereas the end users may wish to consume the content on a wide variety of platforms with ease. It is important to identify the classification, format, volume, usage, and life cycle of the content to understand how the content is to be protected and which digital rights are to be managed. It is also essential to consider and understand the business model for content dissemination, which may include paid downloads, subscriptions, rentals, pay per view, try-before-you-buy, and so on. The DRM solution shall support the required business models and address the technical challenges to sustain it. Thus, the activities for the identification of scope mainly involve distribution of questionnaires, conducting interviews, data-gathering techniques (see Annexure), and an initial risk assessment to identify the threats for the content.

Analysis of Requirements

Publishers may wish to protect a variety of content formats. For example, in the case of e-learning, the website might host audio/video clips apart from HTML and PDF content. If a download option for the content is provided to the end users, the DRM protection must be persistent on the user’s environment. Even though the end user wishes to use the content on multiple devices, including mobile gadgets, the publisher may wish to limit the access to desktop or a set of devices. A music company may wish to distribute music albums and other creations of its artists over the Internet. However, they may be reluctant to distribute specialized software for content protection such as trusted DRM clients along with it. In the case of conflicting requirements from stakeholders, a trade-off needs to be achieved for a successful outcome.

Implementation Choices

There are many DRM solutions available in the market for off-the-shelf use. These solutions include Microsoft Active Directory Rights Management Services (ADRMS) for Microsoft Office documents, Microsoft PlayReady content access technology for music, video, ringtones, images, or games, Adobe Content Server for PDF content, LockLizard’s Lizard protector, and IBM’s WebGuard for web content protection. Many other DRM solutions and alternatives can be found on the Internet. Content publishers or organizations willing to implement a DRM solution have to make an appropriate choice between buy and build, once the scope and the use cases are identified. Buying a DRM solution from the market is advisable when an existing DRM solution meets their requirements and is cost effective and reliable. Otherwise, a custom DRM solution needs to be built to suit their needs. If the organization understands the DRM technology and has the resources, they may consider building the solution on their own. However, one has to be careful with the developmental costs and rework. An alternate approach would be to customize an existing solution to suit the needs of the organization and integrate it.

Evaluation Framework

This section presents an evaluation framework for a DRM solution as an illustration, which is based on major DRM requirements such as flexibility, efficiency, interoperability, and security. However, based on business needs and operating models, this framework may be amended or customized to add or remove components.

a. Flexibility requirements

Content format. Digital content is available in a wide variety of formats. It should be possible to protect these content formats with the DRM solution.

Assignment of rights. DRM should be able to enforce rights at the granular level, for a selected user, on a selected content.

Consumption of content. Consumers shall be able to consume the content with ease. Device restriction for consumption may be needed depending on the business need.

Platform support. The DRM solution shall be portable to a variety of platforms.


b. Efficiency requirements

Robustness. The DRM architecture shall be robust to support load balancing and clustering in the case of a large user base and high-volume transactions.

Complexity. The DRM solution should be fairly simple and be easily implemented. It should also support time-tested and common business models for content distribution. Complex systems tend to fail easily.

Network traffic. The DRM solution should not congest the network traffic. In the case of huge files, it is desirable to protect them as they are, rather than uploading them to the DRM server. License acquisition and distribution also account for network traffic.

c. Security requirements

Availability. The protected content shall always be available to all the legitimate users. If a user license is lost, a backup copy should be provided to the legitimate users.

User rights management. Rights management should be granular to the required extent. It is desirable to have support for revocation of rights.

Multiuser environment. Users need to authenticate to the DRM server for fetching licenses. In the case of multiuser environments, only authorized users should be able to access the licenses stored locally.

Communications security. All the communications from DRM client to server shall happen over a secure channel such as SSL. Every time the content needs to be consumed, user authentication to the server over HTTPS is needed.

Tamper-proof license. In the event of a tampered license, the DRM client shall reject the license file.

Protection of content. Content shall be protected with reliable encryption schemes. The cryptographic keys shall be adequately protected using access controls or using key wrapping.

d. Interoperability

Rights expression. The DRM system may use popular rights expression languages such as ODRL or XrML for interoperability.

Third-party integration. The solution shall support third-party DRM client integration using an API.
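The tamper-proof license, rights revocation, and multiuser requirements in list c can be seen working together in a small client-side check. This is an added example, not code from the chapter or from any DRM product; the license fields, the function names, the demo key, and the use of HMAC-SHA256 in place of an issuer signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption). HMAC stands in for the issuer's signature;
# a production scheme would normally use an asymmetric signature so that a
# client holding only the verification key cannot mint licenses.
DEMO_KEY = b"constructed-demo-key"


def _canonical(body):
    """Serialize deterministically so issuer and client MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_license(license_id, user, content_id, rights, expires_at, key=DEMO_KEY):
    """Server side: bind id, user, content, rights and expiry under one MAC."""
    body = {"license_id": license_id, "user": user, "content_id": content_id,
            "rights": sorted(rights), "expires_at": expires_at}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def check_license(lic, user, content_id, action, now=None, revoked=(), key=DEMO_KEY):
    """Client side: return (allowed, reason); no field is trusted before the MAC verifies."""
    now = time.time() if now is None else now
    try:
        body, mac = lic["body"], lic["mac"]
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        genuine = hmac.compare_digest(expected.encode(), str(mac).encode())
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if not genuine:
        return False, "tampered"            # reject the license file outright
    if body["license_id"] in revoked:
        return False, "revoked"             # revocation of rights
    if body["user"] != user or body["content_id"] != content_id:
        return False, "wrong user or content"  # locally stored license, other user
    if now >= body["expires_at"]:
        return False, "expired"
    if action not in body["rights"]:
        return False, "right not granted"   # granular rights
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a view-only license, then a locally edited copy.
    lic = issue_license("L-1001", "alice", "ebook-42", ["view"], expires_at=2_000_000_000)
    edited = {"body": dict(lic["body"], rights=["print", "view"]), "mac": lic["mac"]}
    for label, candidate, action in [("original", lic, "view"), ("edited", edited, "print")]:
        print(label, check_license(candidate, "alice", "ebook-42", action, now=1_900_000_000))
```

The check only shows integrity and rights evaluation; protecting the key itself on an untrusted end-user machine is the harder problem the chapter describes under the limitations of DRM.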

Match the Business Needs

At the end, it is important to match the business needs with the capabilities of DRM solutions. If the DRM solution is not implemented properly, it will not serve its intended purpose; instead, it may become a roadblock for future activities. Prior to DRM implementation, a checklist of requirements is to be prepared and each solution may be carefully evaluated and weighted. Additional care may be taken to get support from vendors for doing pilot or prototype implementations and determine the right solution.

Conclusion

DRM aims to protect, distribute, manage, and enforce user rights associated with the use of digital content. Content delivery methods ensure that the content is properly distributed to legitimate users and prevent unauthorized copying. Users need to acquire consumption rights from the publisher by paying a royalty or fee. During consumption, the end users are authenticated to the DRM server by a trusted client, which is also responsible for enforcing user rights. DRM is an evolving and promising technology but has not yet reached its perfection. There are merits as well as shortcomings associated with it. DRM allows new content to be made available in a safe and trusted environment. It enables industry and content owners not to encode their works in proprietary formats. For a foolproof content management system, additional access controls and data loss prevention (DLP) techniques can be used in conjunction with DRM systems.

Annexure: Sample Data Gathering Templates

Content Type Requirements—This checklist helps to identify if the solution supports all the content types.

Requirement | Vendor’s Compliance
Single media—Text, audio, still images (PDF/DOC/TXT/JPEG/MP3/e-book, etc.) | ★★★★☆
Multimedia—Animation, video, games | ★★★☆☆
Executable code—Dynamic link libraries, Java class files, executable file | ★★★☆☆
Stream data—Video/audio for broadcasting | ★★★☆☆
Designs and drawings—CAD files, proprietary formats | ★★★☆☆

Note: Low - ★☆☆☆☆; High - ★★★★★.

Business Model Requirements—This checklist helps to identify whether the solution supports the popular business model(s).

Requirement | Vendor’s Compliance
Try-before-you-buy—Enables evaluating prior to purchasing | ★★★☆☆
Pay per use model—Facilitates the customer with more licenses than they had purchased. It can support: Time based; Volume based | ★★★★☆
Subscription/rental—Facilitates the customer to subscribe to a content for a specific duration | ★★☆☆☆
Lending—Facilitates the customer to lend or borrow content | ★★☆☆☆

Note: Low - ★☆☆☆☆; High - ★★★★★.


Content Protection and Security Requirements—This checklist helps in gathering the content protection and security requirements.

Requirement | Vendor’s Compliance
Technology used—Has the current technology been used in the solution? | ★★★☆☆
Encryption—What kind of encryption techniques are used? | ★★★☆☆
Watermarking—What kind of watermarking techniques are used? | ☆☆☆☆☆
Fingerprinting—Is it possible to uniquely identify each digital copy? | ☆☆☆☆☆
Authentication mechanisms—What kind of authentication mechanisms are used? | ★★★☆☆
Secured communication—Is data secured during transmission? | ★★★☆☆
Granularity of rights—To what level can rights and permissions be assigned? | ★★★★☆
User restrictions—To what level can device, IP, or geography restrictions be enforced? | ★★★☆☆

Note: Low - ★☆☆☆☆; High - ★★★★★.

Business Enabling Requirements—This checklist helps in identifying additional requirements and prerequisites for going live.

Requirement | Vendor’s Compliance
Time to market—How much time will it take to launch the solution in the market or go live? | ★★★☆☆
Distribution—How easily can one distribute the content? | ★★★☆☆
Payment gateway—Is there a secure payment gateway for monetary transactions? | ★★☆☆☆
Royalty—What is the possibility that publishers do not lose the royalty for the content used? | ★★★☆☆
Maintenance—How easy is it to maintain the solution? Is it cost effective? | ★☆☆☆☆
User acceptance—What would be the user acceptance level for the solution? | ★★★☆☆

Note: Low - ★☆☆☆☆; High - ★★★★★.


Chapter 7

Information Security on the Cheap

Beau Woods

Contents
“Plan” Is Not a Four-Letter Word
Focus on Fundamentals
Minimize Diminishing Returns
Pick the Low-Hanging Fruit
Iterate to Dominate
Visibility for the Win
Putting It into Practice
System Hardening
Patch Management
Vulnerability Awareness
    Vulnerability Scanning
    Threat and Vulnerability Intelligence
    Analysis
Security Awareness
Review and Strengthen Password Security
Final Thoughts and Conclusion

An informal survey of the stories on information security budgeting suggests that 40–60% of organizations are cutting or holding their budget the same over the last year. And of those that are increasing their budgets, most increases are small. This is at a time when the actual threats are on the rise, security has risen in importance to the organization, vendors are daily coming out with solutions to problems we did not know we had a year ago, and hiring and keeping good people is becoming increasingly difficult and expensive.

Thankfully, effective information security does not have to be overly expensive. Although many of us feel we do not have the budget we need to do our jobs, it is alright. Many of the things we need to do would not cost a lot. That is not what we are hearing in the media and from vendors, but it is true nonetheless.

Effectiveness is almost never achieved by doing a single thing and this is true for information security effectiveness as well. Instead, it helps to use many different approaches and tactics, which together can make your program effective. And it also helps to shape or form a philosophy that will guide your decisions and your activities.

I have tried to encapsulate the philosophy behind the specific technical guidance into a few guiding principles. These principles are meant to act in concert with each other to build and enhance each other. I feel that the philosophy here is the one that will let you get the most out of your limited resources. Some of the best-secured organizations I have seen have used these methods to be very effective and efficient. In fact, some have found it hard to spend their budget on more than one occasion! And one found that they did not have enough work for everyone; so, they had to move him elsewhere. Imagine that!

Here are the guiding principles that I feel will allow you to be most effective and efficient with
