A Security Architecture for Enterprise Rights Management

  • Ammar Alkassar
  • Rani Husseiki
  • Christian Stüble
  • Michael Hartmann


Securing electronic business documents is increasingly necessary. Enterprise Rights Management (ERM) is a comparatively new technical approach aimed at enforcing access and usage rights policies on sensitive electronic documents throughout their lifecycles, within and across organizations [YuCh05]. While ERM systems on the market are increasingly deployed in today’s enterprises, they still lack fundamental security properties. One important security weakness is the ERM client software running on the end-user’s machine [TuCh04]. Users can always circumvent the rights enforcement by running exploits and manipulating their operating system or particular components of the ERM client application, thereby obtaining an unprotected copy of the document’s content [SeSt06, ReCa05]. In this paper, we emphasize this particular security weakness and propose a security infrastructure based on Trusted Computing technology that can thwart most possible attacks on an ERM client, thereby preventing any circumvention of the policy enforcement over the document.


Security Policy, Content Provider, Digital Right Management, Trust Computing, Security Architecture
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



  1. [Avoc07]
    Avoco Secure: Choosing an Enterprise Rights Management System: Architectural Approaches, http://www.windowsecurity.com/uplarticle/AuthenticationandAccessControl/ERM-architectural-approaches.pdf, 2007.
  2. [SeSt06]
    Sebes, J., Stamp, M.: Solvable Problems in Enterprise Digital Rights Management, http://www.cs.sjsu.edu/faculty/stamp/papers/DRMJMCS2.doc, 2006.
  3. [YuCh05]
    Yu, Y., Chiueh, T.: Enterprise Digital Rights Management: Solutions against Information Theft by Insiders, http://www.ecsl.cs.sunysb.edu/tr/TR169.pdf, 2005.
  4. [Stam03]
    Stamp, M.: Digital Rights Management: The Technology Behind the Hype, http://www.csulb.edu/web/journals/jecr/issues/20033/paper3.pdf, 2003.
  5. [Kuba05]
    Kubasch, B-O.: Informations und Documentschutz im Unternehmen, SAP AG — Corporate Security, 2005, p. 45–47.
  6. [ScSW06]
    Scheibel, M., Stueble, C., Wolf, M.: Design and Implementation of an Architecture for Vehicular Software Protection. Embedded Security in Cars Workshop (escar '06), 2006.
  7. [ReCa05]
    Reid, J., Caelli, W.: DRM, Trusted Computing and Operating System Architecture, http://crpit.com/confpapers/CRPITV44Reid.pdf, 2005.
  8. [TuCh04]
    Yu, Y., Chiueh, T.: Display-Only File Server: A Solution against Information Theft Due to Insider Attack, http://www.ecsl.cs.sunysb.edu/tr/TR170.pdf, 2004.
  9. [LiMi06]
    Liquid Machines, Inc.: Microsoft Windows Rights Management Services: Liquid Machines and Microsoft RMS: End-to-end Rights Management for the Enterprise, 2006.
  10. [Liqu06]
    Liquid Machines: Enterprise Rights Management: A Superior Approach to Confidential Data Security. Enterprise Strategy Group, 2006.
  11. [Micr03]
    Microsoft Corporation: Microsoft Windows Rights Management Services for Windows Server 2003 — Helping Organizations Safeguard Digital Information from Unauthorized Use. Whitepaper, 2003.
  12. [Auth02]
    Authentica Inc.: Page Recall: The Key to Document Protection, 2002.
  13. [Adob06]
    Adobe Systems Inc.: Adobe LiveCycle Policy Server: Document-level persistent protection and dynamic control for multiformat enterprise rights management, http://www.adobe.com/de/products/server/policy/pdfs/psdatasheet.pdf, 2006.
  14. [Gart06]
    Gartner, Inc.: Navisware E-DRM Buy Could Give Adobe a One-Stop-Shopping Solution, http://www.adobe.com/manufacturing/pdfs/gartner_1691.pdf, 2006.
  15. [Emsc06]
    EMSCB Project Consortium: The EMSCB project, http://www.emscb.org, 2006.
  16. [Univ06]
    University of Cambridge Computer Laboratory: Xen virtual machine monitor, http://www.cl.cam.ac.uk/Research/SRG/netos/xen, 2006.
  17. [Adva06]
    Advanced Micro Devices, Inc.: AMD virtualization solutions, http://enterprise.amd.com/us-en/Solutions/Consolidation/virtualization.aspx, 2006.
  18. [Inte06]
    Intel Corporation: Intel virtualization technology, http://www.intel.com/technology/computing/vptech/, 2006.
  19. [SZJv04]
    Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and implementation of a TCG-based integrity measurement architecture. 13th Usenix Security Symposium, San Diego, California, August 2004.
  20. [BGJ+05]
    Bussani, A., Griffin, J.L., Jansen, B., Julisch, K., Karjoth, G., Maruyama, H., Nakamura, M., Perez, R., Schunter, M., Tanner, A., Van Doorn, L., Van Herreweghen, E.A., Waidner, M., Yoshihama, S.: Trusted Virtual Domains: Secure Foundations for Business and IT Services (Whitepaper, RC23792), 2005.

Copyright information

© Friedr. Vieweg & Sohn Verlag | GWV Fachverlage GmbH, Wiesbaden 2007

Authors and Affiliations

  • Ammar Alkassar (1)
  • Rani Husseiki (1)
  • Christian Stüble (1)
  • Michael Hartmann (2)

  1. Sirrix AG Security Technologies, Germany
  2. SAP AG, Germany
