As the video delivery service industry as a whole becomes more software-empowered, the implementation of cloud-centric security management would seem a logical progression. However, the issue is complex and requires some unpicking.
In some ways, the term cloud is a misnomer. Effectively, DRM delivered as a service from a scalable platform allows content owners and providers to shift away from the need to build, maintain and ultimately upgrade the DRM platforms that are essential for the majority of service provision.
“In the past, providers would build their own DRM platforms which would effectively become a software platform needing maintenance and upgrades in line with changes to the underpinning technologies and business evolution,” explains Giorgio Tornielli, VP Product Engineering, Piksel. “The cloud model shifts to a case of integration and customisation with the ongoing platform development and expansion taken care of by the service provider. This approach benefits from economies of scale, specialisation and the ability to provide more ancillary features that would be prohibitively expensive to develop for a single in-house installation.”
Several consumer DRM products (PlayReady, Adobe or Widevine for instance) are already offered as a cloud service. Cloud DRM is also an emerging trend for implementing operator DRM products, in particular for smaller operators, suggests NAGRA's Senior Product Marketing Director, Christopher Schouten, as cloud services are an efficient way to optimize their own operations while getting a robust level of service.
Looking further, Schouten sees large operators “starting to run their own cloud infrastructure, implementing a generic IT infrastructure server virtualization approach that brings cost benefits as well as added elasticity.” Such an approach, he informs, “usually relies on a combination of a private cloud environment with some highly scalable online services put on a public cloud or using third party cloud services, for functions such as multi-DRM management.”
So there are two broad reasons why migration of DRM into hosted or cloud environments for pay-TV (VOD) operators is occurring:
1 There are core benefits shared with other cloud technologies
As discussed, it is part of a wholesale shift of the video prep and delivery infrastructure towards pure software subsystems, fundamentally dependent on IP connectivity, which can then be implemented in physical data centres or in cloud CPU resources.
In this case, according to Steve Christian, SVP Marketing, Verimatrix, “DRM technology and business logic does not change.” Some vendors have taken generic implementations of DRM technologies (Verimatrix is one) and are offering a SaaS model of key management based on cloud resources. This, says Christian, “tends to shift the business model for DRM costs rather than the underlying technology.”
2 OTT multiscreen content delivery
Cloud-based DRM is an effort to address subscriber interest in viewing online content that is encrypted in various DRM formats and is made available through multiple online video providers. This results in operators needing to support different content packaging and content protection formats like MPEG-DASH and Common Encryption Scheme (CENC).
As more device functionality moves to the cloud (user interfaces, DVR storage, preference management, etc.), vendors see a greater share of the core rights management logic moving upstream.
“Traditional pay-TV operators have been limited to supporting a single DRM vendor given the operational complexity in rolling out multi-DRM library support into their device footprint,” says Sachin Sathaye, VP, Product Strategy and Marketing, ActiveVideo. “The compliance rules associated with supporting DRM vendors further inhibit expanding the DRM solutions to existing devices that lack sophisticated cryptographic features.”
Security and business drawbacks
Deploying DRM in the cloud in a manner that is secure and in agreement with the DRM vendors' studio compliance rules is non-trivial.
“It is very important that DRM infrastructure deployed in the cloud is done so in a manner that ensures studio compliance,” stresses Steve Plunkett, CTO, Red Bee Media. “The storage of key material is subject to particular restrictions that must be met to ensure compliance. It also makes more sense to use cloud based DRM when media processing workloads in general are moving into the cloud. Doing so in isolation, while general media processing remains on-premise, can slow down the media transit path and increase workflow execution times.”
Christian emphasises the point: “If the security approach is simply an isolated subsystem divorced from the rest of the deployment architecture, there can be potential barriers to success, including those that arise from managing vital keys and other essential consumption management control information uniformly across multiple delivery formats and device screens.”
The failure to provide a seamless user experience when a viewer wants to transfer viewing of Netflix's House of Cards mid-stream from an iPad to a Samsung smart TV at best risks losing the subscriber to another service, and at worst pushes them toward pirate sites.
“The real business challenge for operators who wish to target the broadest number of devices is to eliminate service distribution and consumption silos that serve only to frustrate consumers and may nudge them towards alternative sources,” says Christian. “One aspect of this is the need to enable support for multiple native DRM systems on the devices and browsers in use, and to provide the user with a transparent consumption experience.”
The purpose of security goes far beyond the defensive aspects of addressing piracy and theft of service, says Christian, “to that of ultimately enhancing the subscriber’s quality of experience (QoE) while also underpinning the operator’s bottom line.”
Partly for this reason we've not yet seen the wholesale movement of DRM into virtualised environments. “The cloud aspect of DRM is not a process that aggregates large amounts of sensitive customer information, billing or account accessibility,” explains Tornielli. “In essence, it is a streamlining of a well-understood process that has typically resided in-house and can now be consumed as an externalised service due to the maturity of connectivity and virtualised computing technologies.”
André Roy, Head of Security Practice, Farncombe warns that not all cloud-based DRMs are optimised to handle content preparation. “We audit CA (conditional access) systems and can say that there are few cloud-based DRM systems that meet studio content handling requirements for handling unencrypted content. Primarily, having studio quality mezzanine files unencrypted in the cloud would not meet MPAA (Motion Picture Association of America) requirements. All encryption would need handling in a physical facility rather than in the cloud.”
One cloud workflow that does meet MPAA requirements is Akamai's. According to Akamai, content providers need only upload a single source file to the Akamai Cloud, “which will then facilitate DRM processing in addition to transcoding and stream packaging for optimized, secure delivery to connected devices”. The initial reception and encryption is believed to occur in a non-cloud-based secure facility.
Verimatrix suggests that full DRM systems (generally consisting of digital rights to manage, encryption, license management, and a DRM-enabled client) can be deployed in the cloud “very easily as a part of an overall video delivery system”, but it doesn't see this as the gold standard right now for pay-TV. “Physical data centre deployment and virtual machine deployments are still quite popular, although interest in cloud implementations is growing,” reports Christian.
Another potential drawback is flexibility. In certain cases, cloud based services will only support a limited set of DRM technologies. “If a particular feature is not available then it is not always possible to just build it yourself and add it to the mix,” reports Tornielli. “The cloud can be defined as a shared multi-tenant environment so the timescale of upgrades, features and fixes are dependent on the diligence of the provider.”
Piksel suggests cloud DRM solutions are a relatively small percentage of deployments (probably less than 1%) “although growing faster than on-premise implementations.”
Telekom Innovation Laboratories, the research wing of Deutsche Telekom, expects only a partial shift of the DRM infrastructure to the cloud. “This shift implies the adaptation of the current DRM infrastructure towards more centrally hosted key servers and therefore an overall reduction in the number of key server APIs for the service operator,” says Dr. Oliver Friedrich. “It also implies the adaptation of content servers hosting files encrypted by means of common encryption scheme, which could also simplify the DRM encryption infrastructure.” Therefore, he says, a real move into the cloud is not taking place.
For Friedrich, the primary DRM innovation is driven by the browser and by multi-device scenarios and technologies, such as MPEG-DASH with CENC and HTML5 EME. The most important factor is the de-coupling of the content from the DRM system itself.
Fragmentation of the DRM market coming from the deprecation of the plug-in APIs on the Google Chrome browser and the emergence of a DRM-per-device platform environment has focussed attention on cloud deployment as a solution, argues David Leporini, EVP of Marketing, Products and Security, Viaccess-Orca.
The recent Chrome update is only the beginning of a series of changes to DRM support on web browsers. All browser vendors are moving to embed a specific DRM technology on each of their web platforms. This means that any OTT service viewed on a PC, Mac or the browser of any CE device will need to support multiple DRMs in order to ensure that all viewers can play back the content.
“This is just the start of an industry-wide evolution,” contends Ben Gidley, Director, Multiscreen Solutions, Irdeto. “A single DRM for your OTT service will no longer be sufficient to reach multiple platforms. But as the different DRM technologies are becoming increasingly device- and browser-specific, the impact will not be limited to DRM selection alone.”
As this fragmentation continues, managing multiple DRMs, devices and browsers will become increasingly difficult. “Operators will need to ensure they either have the resources internally or a partner that can provide a multi-DRM platform designed to remove all that complexity,” says Gidley. “This challenge extends beyond just multi-DRM to both the head end and client side.”
Opinion seems divided as to how a cloud solution can solve the issue. “The scenario is now unfolding where each browser vendor is headed towards implementation of a protected media stack implemented around a specific proprietary DRM with no mechanism to expand the default option,” says NAGRA's Christian.
“This seems likely to move the market from a form of streaming fragmentation based around protocols to one divided by proprietary device and browser silos. There’s nothing about cloud implementations of DRM per se that seems to be able to help with this self-inflicted wound.”
Some vendors, like Piksel, point to the compatibility and simplification as significant benefits offered by cloud-based DRM. “Each DRM schema has a cost and technical requirement to meet the needs of the addressable audience,” says Tornielli. “These factors are not set in stone and as business evolves, cloud DRM enables organisations to dynamically change which DRM technologies they use, for which devices and services. This simplicity allows DRM to be agnostic to much more critical changes in business strategy.”
Leporini also points to the reduced complexity afforded by cloud deployments. “The complexity introduced by various content packaging formats, streaming protocols, and DRMs to be supported can be managed using a single platform in a multi-tenant mode of operations,” he says. “In situations requiring real-time on-the-fly packaging of content, such as in certain network PVR and catch-up deployments, content service providers may benefit from the scalability and elasticity of cloud infrastructures.”
For ActiveVideo there are three obstacles that need to be overcome for cloud-based DRM to solve fragmentation: first, the reality that in the pay-TV environment the DRM is 'baked into' the set-top box or the set-top browser and cannot be changed; second, that few IP STBs support multi-DRM, and the increased cost of multi-DRM devices is an impediment to deployment of those devices at scale; and third, that not all content owners are able or willing to invest in multi-DRM solutions.
For an organisation with no existing investment such as a new OTT, SVoD or TVoD entrant, it’s hard not to make the case for cloud based DRM from day one. Little CAPEX, fixed OPEX, rapid time to market and an easy scale up or even down model that reduces risk.
Telekom Innovation Laboratories says it will wait and assess what the strategies of suppliers are. “There are limitations in current implementations,” emphasizes Friedrich. “Moreover, support for interoperability is currently not being offered by most market-leading DRM providers.”
For an organisation with an existing DRM investment, it is a case of examining the numbers, advises Tornielli. “Organisations need to understand how much current DRM actually costs including licences, training, data centre and server costs, upgrades and support. These numbers also need to be considered against the direction of travel of the business. For example, will the service need to support new device types or operating models such as TVoD? Also, ask the same questions of the cloud provider. Get definite costings and pose some ‘what if?’ scenarios to see how alternatives stack up. All clouds are not created equally.”
Viaccess-Orca’s approach consists of solving the DRM fragmentation issue facing the industry through its multi-DRM solution called Connected Sentinel, which is available as a hosted service and also integrated with cloud infrastructures for DRM management and content preparation.
ActiveVideo’s CloudTV StreamCast is described as a “comprehensive solution for delivery of online video to any existing pay-TV STB”. It addresses, in the cloud and in real time, Content Experience and Content Delivery, in addition to Content Protection. “These are the three key technological hurdles pay-TV operators face in bringing online video to STBs at scale,” says Sathaye.
Verimatrix offers cloud-based instances of its Video Content Authority System (VCAS) to help facilitate integration for virtual end-to-end solutions. “While yesterday’s legacy systems tended to have large, proprietary hardware components —making it complex and cumbersome to integrate multiple solutions — software- and IP-based components can better support a cloud-based approach that relies on virtual resources,” says Christian. Verimatrix MultiRights also brings CE devices with embedded, non-Verimatrix clients under the VCAS security umbrella.
Irdeto's service maps a central list of operator-owned content to users' entitlements and then maps that to each DRM according to the business rules for each content play. It does this for Liberty Global, Australia's Foxtel and ITV among others.
NAGRA says its MediaLive Services Platform, featuring multi-DRM capabilities and available as a cloud service, provides an efficient architecture for delivering a complete end-to-end content preparation and delivery solution. It includes secure player apps for multiple consumer devices that leverage studio-approved NAGRA anyCAST PRM. MediaLive can also deliver specific vertical functions, such as multi-DRM support and related workflow capabilities, to be integrated into an existing operator platform (that can be in-house or 'cloudified').