System security

Is there really such a thing as true system security? When asking this question, the first issues that must be answered are “what do you want protected?” and “what level of inconvenience are your users willing to tolerate?”

We can physically secure our servers from theft by putting them in locked rooms with lockdown cables and limited access. Alarms, scramble pads and biometrics are all available to make us feel safe and free from worry that someone might come in and walk off with our equipment and physically steal our precious data.

Security gets a little dicey when theft or unauthorized access is through electronic means as opposed to physical. We can take matters into our own hands by incorporating some rudimentary security, such as implementing a good password and pertinent access policies. These may include a mandatory password renewal or keyboard and screen lockouts for both hardware and software access. Firewalls, VPNs, secure IDs and dial-back networks are also available to ensure that only the approved users have access to the servers.

Firewalls are not enough

Corporate networks have become diverse multi-protocol infrastructures supporting multimedia servers, storage area networks, PCs, PDAs, phones and a whole host of new data appliances. More and more of our employees are working from remote locations, and these networks are no longer limited to their physical boundaries. Organizations now rely on firewalls to implement security policies on their Internet gateways. Firewalls are tremendous tools that protect networks through controlling multiple connections. However, traditional firewalls do not inherently provide any mechanisms to prevent viruses or vandals from entering the network. As enterprises continue to take advantage of Internet connectivity, they open the door to viruses, vandals and other threats that cost businesses billions in lost productivity and data.

Like all good physical security, firewalls are meant to keep the honest out and make it a little harder for the determined intruder. Unfortunately, there are no access-proof systems. Instead, there are viruses that can sit on a network and record all computer use, and at the appropriate time, these can be transmitted to the intruder for easy access.

But we are in the content business and our jobs depend on sharing information and allowing as many users access as possible. This is our problem. How do we allow dissemination of our content while still maintaining the ability to control its use? Piracy is, and will continue to be, a nagging problem.

Content security is about:

  • Making sure you know what information goes in and out of your computer network
  • Ensuring that your systems are not abused for personal use by employees
  • Protecting your organization against misuse, mischief and accidents
  • Maintaining control of data and avoiding piracy

Scared yet? You should be. Access to your most precious data is only a keystroke away. Or worse yet, a delete command for the malicious intruder.

So how do we go about protecting our content assets in a logical way that still makes them accessible? What should a secure system be?

Here are the ground rules:

  • A secure content system needs to have compatibility with all major streaming technologies, including RealNetworks, Windows Media and QuickTime.
  • It needs to support industry standards, including TCP/IP, UDP, HTTP and RTP/RTSP.
  • It must be open enough to allow compatibility with future streaming technologies.
  • It should allow for seamless deployment and integration, with minimal changes to the server cluster and a small but scalable footprint.
  • Installation of any client-side software needs to be transparent and all upgrades need to be automatic.
  • The end users should be able to access content using their favorite media player application like Winamp or QuickTime.
  • It must have a secure return channel for quality-of-service monitoring, microbilling, copyright protection and other application-specific uses beyond media control.
  • It has to be relatively transparent to the end user; the user should not know or care that a secure technology is being used to protect the copyright holder's content from unauthorized use.
  • The system must be a reasonable deterrent to piracy.

A company called Widevine Technologies (www.widevine.com) offers a solution to some of these problems. Their system is based on a real-time hardware encryption device that gets inserted after your multimedia storage and allows for on-the-fly hardware protection of your content. (See Figure 1.) This opens a new type of protection that is not available in a pre-encrypted system — we can now encrypt real-time broadcast streams, which adds another level of content protection. More specifically, since content is protected at the source, this streaming media solution allows a different encryption/decryption “key” to be sent to each and every user. Additionally, the same user can actually be given multiple “keys” during subsequent viewings.

Streaming in this system is made secure by having the ability to use multiple encryption techniques that can be made unique each time the content is viewed. The byproduct of this system is that the algorithm for encryption can be updated on the fly without affecting the content itself.
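The per-user, per-viewing keying described above can be sketched in software. This is an added example, not Widevine's design or code: the function names, the HKDF-based key derivation and the HMAC-SHA256 keystream (a standard-library stand-in for a hardware cipher or an AEAD such as AES-GCM) are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def session_keys(master: bytes, user_id: str, session_nonce: bytes):
    """Derive (enc_key, mac_key) unique to one user and one viewing (hypothetical scheme)."""
    okm = hkdf_sha256(master, session_nonce, b"stream-session|" + user_id.encode())
    return okm[:32], okm[32:]

def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Keystream for chunk number seq; stand-in for a real stream cipher."""
    out, block = b"", 0
    while len(out) < length:
        msg = seq.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(enc_key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def seal_chunk(keys, seq: int, chunk: bytes) -> bytes:
    """Encrypt-then-MAC one media chunk as it leaves the source."""
    enc_key, mac_key = keys
    ct = bytes(a ^ b for a, b in zip(chunk, keystream(enc_key, seq, len(chunk))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag

def open_chunk(keys, seq: int, sealed: bytes) -> bytes:
    """Verify the tag, then decrypt; a key from another session is rejected."""
    enc_key, mac_key = keys
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("chunk rejected: wrong session key, wrong sequence or tampering")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, seq, len(ct))))

if __name__ == "__main__":
    master = os.urandom(32)  # constructed content master key
    first = session_keys(master, "viewer-1", os.urandom(16))
    again = session_keys(master, "viewer-1", os.urandom(16))  # same user, later viewing
    sealed = seal_chunk(first, 0, b"constructed media chunk")
    print(open_chunk(first, 0, sealed), first != again)
```

Because the session nonce changes on every viewing, a key captured from one session does not open chunks sealed for another viewer or for the same viewer's next session.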

Streaming media is a valuable asset that, until recently, was difficult to protect in real time, but with systems like Widevine's, protection is only another hardware device away.

Steven M. Blumenfeld is currently the vice president of advanced services for America Online.