The term DRM, or digital rights management, refers to access control technologies used to limit usage of digital media. Digital rights management technologies attempt to control use of digital media by preventing access, copying or conversion by end users to other formats, among the various types of control. Digital media files may be duplicated an unlimited number of times with no degradation in the quality of subsequent copies and, thus need special protection. The protection of digital media is important for many reasons, for example for maintaining the confidentiality of company professional secrets especially when working with partners and also for protecting the privacy of personal information that is kept in organizations such as banks etc.
At present, a majority of security systems are based on authentication and authorization methods which are focused on ensuring access to a given system, using schemas of username and password, smart cards or physical device identifiers. Such systems do not take into consideration parameters such as the physical location of the device or the content of the information, etc. Current systems also save the policy for accessing the files in a central server or in a specific device, limiting the usage of the rules to the specific device or a specific network. Unfortunately these systems do not provide protection when electronic data is transferred to another device.
Other systems hold the policy with the file. One example of such a system is Microsoft Windows Rights Management Services (also called Rights Management Services or RMS). RMS provides the encryption of information, and through server-based policies, prevents the protected content from being decrypted, except by specified people or groups. This system controls limited number of operations like printing, copying, editing, forwarding, and deleting. Unfortunately RMS is limited in many ways such as reliance on user set-up, no separation of duties and fixed rather than dynamic policy structure.
The limitations described above do not provide a solution to the problem of information leakage by authorized users such as employees, partners, vendors, customers etc, nor do they provide an easy and transparent solution for sharing data between organizations without losing the security policy that is enforced on the data, nor does it provide any solution to the identification and tracking of key information.