June 15, 2005

Thinking Outside the Sarbox

The other day I was reading the latest post from Nick Carr on his Rough Type site entitled The Sarbox Molehill. In the second paragraph he states:

These days, you hear the marketing pitch often: "Don't view Sarbox as just a compliance issue; use it as a lever to overhaul your systems and processes." In other words: Launch big IT projects now!

I have to disagree with his translation. While some sell-side individuals may try to position it this way, we should not lose sight of the fact that compliance (Sarbox, HIPAA, GLBA - whatever) holds the potential for achieving so much more than compliance, and without requiring the launch of a big IT project. To agree with Nick's musings is to fall into the trap also expressed in his posting:

It was interesting, therefore, to hear the CIO of a leading manufacturer deflate the Sarbox hype during a panel discussion at a recent conference. So, she was asked by the moderator, do you view the compliance challenge as an opportunity to proactively make broader changes? No, she said calmly, we're just going to do the minimum we need to do to pass the legal tests, and then we're going to move on. Sarbox is a nuisance, she continued, but it won't be long before everyone's forgotten about it.

It's a sensible view, and my guess is that it's shared by more than a few of her counterparts at other firms - even though few would say so publicly.

This is not a sensible view; it is nonsense. Meeting the minimal requirements will require some investment in technology, and one need not invest further in technology to gain additional business benefit from it. Innovative approaches to leveraging those same technology investments require no additional software or hardware, just a greater creative effort in system design and implementation.

Nick assumes that the compliance issue is a small one that is easily solved, and that anything beyond that automatically turns into a huge, mega-dollar IT project. Imagine buying an automobile in order to take yourself to and from work each day. Then imagine limiting your use of the vehicle to that purpose. Sure, you may have to invest in a bit more fuel and a map or two, but that single initial investment could be leveraged to achieve school carpooling and cost-effective vacations. My experience has been that the investments made in the content management, process and security technologies that enable compliance are in and of themselves fairly substantial. By thinking outside the "Sarbox", the functionality achieved can go well beyond compliance and can be used to increase internal efficiency and collaboration, and to create new business value out of existing content. And all you need do is invest in a bit more fuel (creative thinking) and maps (strategy).

Posted by Carl Frappaolo on June 15, 2005

May 19, 2005

Star Wars Sith Leaked Online

As should have been expected, a copy of the latest Star Wars film has been leaked online. In this case it is a workprint, complete with a timecode overlaid on every frame, which is not quite the same as leaking a clean digital copy of the version that millions will be watching in the theater. Still, it is problematic in terms of theoretical lost revenue, or perhaps a fantastic promotional opportunity for the launch of Star Wars EP3. There is plenty of conspiracy talk around this already.

In any case, assuming it was an insider, this illustrates at least two points about protecting intellectual property.

  1. Insiders can more easily compromise systems, given their ready access to systems and content, whether maliciously, accidentally (unlikely in this case), or for publicity purposes (for good or bad).
  2. Putting security on the finalized content is one area to be addressed, but what about roughs, final drafts, or Golden Masters? Is all of your content secured throughout its lifecycle, or do you wait until it is about to be released to the world, or to a partner, before wrapping security around it? Is it up to authors, editors and admins to add security, or is security built into the creation, editing, distribution and destruction process?

For more details...

Link: Waxy.org: Daily Log: Star Wars EP3 Workprint Leaked Online
Link: Reuters: Final 'Star Wars' film leaked to the Internet

Posted by Dan Keldsen on May 19, 2005

May 17, 2005

Star Wars: Revenge of DRM

An interesting overview (Link: Security and Digital Cinema: The Last Big Question) of the techniques, processes and technologies being used to secure digital film raises the question: if the content is already in digital form, why is so much effort being made to secure digital film specifically, as a separate medium?

Of course the answer is... there is a good deal of money at stake, and the industry wants some assurance that going digital does not also mean going bankrupt.

So the movie industry, via:

Digital Cinema Initiatives (DCI), a limited liability company that was established in March 2002 and whose members include Disney, 20th Century Fox, MGM, Paramount, Sony Pictures Entertainment, Universal and Warner Bros...

...has created a draft of standards to put forth and enforce with content licensees (theaters), to ensure that content cannot be leaked, sold, stolen, etc.

Many companies do not understand the value of protecting content itself, particularly outside the realm of content and data they are mandated or regulated to secure, such as healthcare information, credit card information, and the like.

Content that is being distributed for sale is a more clear-cut case, although it seems that buyers and implementors of solutions (such as Digital Rights Management, or DRM, as in the digital film example) tend towards the extremes: either doing almost nothing to secure their content, or pursuing these capabilities to the ends of the earth.

A quote that troubles me from this article is:

"The biggest issues now are over fingerprinting and watermarking, and we need to be careful. How do we set those standards without telling the bad guy how to do it?"

This is a well-known area of faulty thinking in security, the issue of "security through obscurity." If security measures or technologies cannot stand up to scrutiny of the code or processes themselves, then they are essentially not secure. For anyone who recalls the controversy when the 'encryption' scheme (Content Scrambling System, or CSS) was broken by a Norwegian teenager in 1999 (Link: DeCSS): the primary flaw of that security mechanism was the idea that the algorithm itself could be kept secret, and the wonder of reverse engineering proved that it was not a secret for long. Weak security is weak security, and hiding the details only buys a finite amount of time.

The entertainment industry has gone down this path many times, and while there are some signs that they are getting more savvy about doing this well, there are still hiccups that echo past mistakes from their own industry, let alone the best and worst practices of the business world at large. At least in this case they are using established, strong encryption (128-bit AES) rather than the 40-bit (and limited-keyspace, at that) technique from CSS, and they are separating the key mechanism from the storage medium. So progress is being made, but not as quickly or comprehensively as the current state of the art would allow.
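The two points in the paragraph above, that the algorithm can be fully public as long as the key is secret and large enough, and that the key should travel separately from the storage medium, are easier to see in code. The following is an added example, not code from the post, from DCI or from any digital-cinema system. Python's standard library has no AES, so the cipher is a stand-in built from HMAC-SHA256 in counter mode (the whole construction is visible, which is the point); the "medium plus per-recipient key package" model is an assumed simplification of separating key delivery from content delivery, and the keyspace function simply scales 2^bits by an assumed guess rate.

```python
"""Public algorithm, secret key, key kept apart from the medium: an added
illustration, not code from the blog post or from DCI.

The cipher is a stand-in for AES (HMAC-SHA256 used as a PRF in counter
mode); it is here to make the construction visible, not for production use.
"""
import hashlib
import hmac
import math
import secrets

NONCE_LEN = 16
BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per counter value
TAG_LEN = hashlib.sha256().digest_size


def keystream_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    # PRF(key, nonce || counter). Every step is public; secrecy lives only in `key`.
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, i // BLOCK)
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext (a fresh nonce per message, as in CTR mode)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor_stream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor_stream(key, nonce, ciphertext)


def wrap_content_key(recipient_key: bytes, content_key: bytes) -> bytes:
    """Key package for one recipient: the content key encrypted under that
    recipient's own key, plus an HMAC tag so the wrong recipient is rejected
    instead of silently producing garbage. (Assumed model, not DCI's format.)"""
    wrapped = encrypt(recipient_key, content_key)
    tag = hmac.new(recipient_key, wrapped, hashlib.sha256).digest()
    return wrapped + tag


def unwrap_content_key(recipient_key: bytes, package: bytes) -> bytes:
    wrapped, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(recipient_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key package was not issued for this recipient")
    return decrypt(recipient_key, wrapped)


def distribute(plaintext: bytes, recipient_keys: dict) -> tuple:
    """Encrypt the content once (the 'medium'); issue one key package per
    recipient so the key never travels on the medium itself."""
    content_key = secrets.token_bytes(16)  # 128-bit content key
    medium = encrypt(content_key, plaintext)
    packages = {name: wrap_content_key(k, content_key) for name, k in recipient_keys.items()}
    return medium, packages


def play(medium: bytes, package: bytes, recipient_key: bytes) -> bytes:
    return decrypt(unwrap_content_key(recipient_key, package), medium)


def exhaustive_search_seconds(key_bits: int, guesses_per_second: float) -> float:
    """Time to try every key at the given rate; the algorithm being public
    does not help an attacker here, only a short key does."""
    return 2.0 ** key_bits / guesses_per_second


def demo() -> dict:
    content = b"constructed sample reel: not an actual film"  # constructed input
    theaters = {"theater_a": secrets.token_bytes(16), "theater_b": secrets.token_bytes(16)}
    medium, packages = distribute(content, theaters)
    results = {"a_plays": play(medium, packages["theater_a"], theaters["theater_a"]) == content}
    try:
        play(medium, packages["theater_a"], theaters["theater_b"])
        results["b_with_a_package"] = "decrypted"
    except ValueError:
        results["b_with_a_package"] = "rejected"
    results["medium_alone_leaks_plaintext"] = medium[NONCE_LEN:] == content
    return results


if __name__ == "__main__":
    print(demo())
    print("40-bit at 1e9 guesses/s: %.0f s" % exhaustive_search_seconds(40, 1e9))
    print("128-bit at 1e9 guesses/s: %.2e years" % (exhaustive_search_seconds(128, 1e9) / 3.15e7))
```

Nothing about the cipher or the packaging is hidden, yet the medium on its own yields no plaintext and a package issued to one theater is rejected by another; the only thing that changes between the CSS-era and AES-era numbers in `exhaustive_search_seconds` is the key length, which is exactly the author's "weak security is weak security" point.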

While Star Wars is now coming to a close, Digital Rights Management and Content Security (the larger roll-up of all technologies securing content at rest and in motion, regardless of file format, transmission medium, etc.) is in relative infancy, although it is much farther along than most organizations realize.

Posted by Dan Keldsen on May 17, 2005