NDS - Video Security Evolves for Content On the Fly
NDS’ Jesper Knutsson tackles DRM, conditional access and the state of security.
With video content starting to proliferate across multiple devices, security has become even more important for service providers, content owners and consumer electronics manufacturers. Jesper Knutsson, vice president and general manager of sales at NDS Group, recently took some time for a phone call from Copenhagen to discuss a range of topics with CED.
CED: Cable has a new set of partners when it comes to delivering Internet video to different devices in a home. What is being done to find common platforms and interfaces?
Knutsson: It depends a little bit on the power of the ecosystem that you are in. For the U.S. market in particular, a new set of partners is being brought in, and the nature of this world is going to require it to be more competitive and more standards-based as we see elsewhere in the world.
The world is changing, with more and more over-the-top content and more and more devices. There’s a different pace of innovation, and it does require a different approach to the environment. I would say it requires a more open approach than what has been there previously, and probably more vendors to manage, as well, because not all vendors can encompass everything.
It is a challenge, but I also think it’s a big opportunity, because I think the customer relationships that the cable environment has have a very good chance at being the stronger ones that can extend into these new environments.
CED: There are various types of security at different levels through the video ecosystem. How do you parse the segments and types?
Knutsson: I think when we look at security, we normally differentiate between content protection and service protection. Where a lot of what goes on at the moment, when you look at the Internet, is focused on protecting a piece of content. So you have a DVD movie that you want to get out, or a TV series, and you look at protecting that particular piece of content at every customer relationship in a way that is unique to that content.
But if you’re an MSO or a service provider, you provide a number of channels and a subscription service, and that’s really what you protect. You need the rights that you are authorized for throughout the system. No matter what device it’s on. That’s a different challenge other than just protecting the content.
CED: In the United States, we have the Digital Entertainment Content Ecosystem (DECE) cueing up digital lockers in the cloud for consumers through its UltraViolet project. Is there something similar abroad?
Knutsson: Standardization is always difficult when you talk about security. The nature of security is that certain things are secret. There are limits on how much you can standardize because as you standardize, things become less secret.
So that’s always the paradox that you have to manage in any standardization effort, and you also have to make sure you don’t end up with the lowest common denominator as you enable more security, because then the break is just the weakest point in the chain.
The roots of DECE were Blu-ray and DVD discs. It came from the content industry, and it was about how do you enable people in the virtual world to purchase and collect DVDs and maintain ownership.
If we go back to that original definition, it definitely comes from content protection groups as opposed to the service protection groups. So as the content industry has progressed with this standard, it’s interesting to see how it develops and how much momentum it gathers.
We’re a partner of DECE, and we’ll support that on our standards as they emerge, but the trick with these things is always getting that global presence, or wide adoption, without being compromised.
CED: Given the complexities of the different video formats, is there a simplified way of delivering content anywhere to any device?
Knutsson: We have at NDS what’s called a unified headend that is delivering content across multiple platforms for satellite and cable, so we have a number of platforms that use live to-go technologies where we are delivering content to various devices.
The essence of that is to make an operating environment as simplistic as it can be, because you don’t want to have your mobile content being put out on one headend and your online streaming on a different one and your paid TV on a third one, because the operational cost explodes.
You want to have one common headend to get the formats in a uniform way. You get the metadata in a uniform way, but then you use transcoding and encryption as appropriate.
So each device gets what’s formatted for it and the resolution that is appropriate for that platform. I think that’s really key, that you have an operational environment that is still maintainable and also financially viable for you.
CED: It’s easy for cable veterans to think of DRM as a different flavor of conditional access, but will the industry reach a point where DRM actually replaces CA?
Knutsson: Generally speaking, I think CA has been used as the term for the devices that MSOs purchase themselves, own and put into consumers’ homes. The ones where they have a say in deciding what hardware is used in homes.
Whereas DRM tends to be a term used for consumer-owned devices where you put the content and service protection on top of an infrastructure that is not something you designed yourself or that you had influence on.
That adds complexity to what you can do, because whoever designs the hardware and software might be more or less secure. DRM has to be designed with that in mind. I think if I look at the differentiation, that’s how I define the two terms, and in my opinion, it will take a while before MSOs stop deploying their own hardware. Consequently, we’ll see conditional access for some time.
It might change in form or be integrated differently with various DRM and IP clients, etcetera, but I think there will be an element of it still around.
CED: At The Cable Show, CableLabs demoed an Open Media Security (OMS) stack. Can you tell us a bit about that?
Knutsson: OMS is an initiative that we’re fairly proud of. What Cablevision is trying to do with OMS is find a cost-effective way to have headend-based security implemented.
We’ve come up with a solution with them that not only serves the need in terms of legacy, but is also very well prepared for what we’re talking about here, which is rolling out to multiple devices using the same headend environment and then adding DRM later to other devices or platforms other than set-top boxes.
CED: Any lessons learned to date on security that you’d care to share?
Knutsson: One thing I want to say about security in general is the problem with security is you only really notice it when it’s broken. Because the only time it really becomes a headline or a problem for operations is when it's hacked. I think the one thing not to be shy about, or the one thing you need to understand is, the hacker environment is a very organized, advanced environment.
We all hear stories about the lone, smart IT guy that hacks into whatever. The hackers we see in this industry are a different kind. They’re organized, and they’re trying to financially exploit companies with the hacks that they come up with. The trick, as you do your security, is to try to stay a couple of steps ahead and make sure you can close holes as they come up. You have to make sure you can implement different levels of security and close down any breaches that might happen.
This only gets amplified as you move into more open platforms. The traditional legacy conditional access platform was a closed environment and had a lot of proprietary technology. As the technology becomes more open and services get delivered on more open networks, the need to strengthen security, and to work with companies that have an in-depth understanding of security, is heightened.
CED: How do you keep security from being compromised on the different platforms?
Knutsson: We base the security on the different platforms. Of course, the best security is the one that you can’t find for DRM. If you can’t find what you are looking for, then it’s pretty secure. You can’t hack it. We have tricks to make sure that the less secure platforms we work on aren’t compromised before we deliver content to them.
I think it takes a slightly paranoid company to work in-depth on security because you really have to think up all of the things that can go wrong, or think out of the box in terms of determining things. You have to think like a hacker for certain things in order to understand what the next steps are. We protect $50 billion worth of revenue annually, and we have 150 million devices with our security on them.
CED: What do you think are the most important things operators should remember when selecting a DRM vendor?
Knutsson: That knowledge is key. Living and understanding security is really, really key. When you select a vendor, I think the most important thing, going back to what I said before, is probably the roadmap of whatever vendor you select, because whatever security is there today is only good as long as it’s not compromised.
When it’s compromised, you want to know that you have things to counter it, so the roadmap and the advanced thinking of your vendor are both really, really key.
CED: Do things change when the industry moves to IP video?
Knutsson: As we move toward a world of IP, in a way it will be more bidirectional. You can use the technology of unicast a lot more and the bidirectional nature of security, as well, and not just have the content pushed and then being decrypted locally. There are various other forms of security that you can implement.
The other thing to really keep in mind as you move more toward the IP platforms, at least the open IP platforms, is the exact nature of the openness. The threats increase in an open world, like more open Internet standards. It’s easier; there are more hackers out there because there are more people who understand the technology.
Consequently, you have to be better prepared and better equipped to deal with all sorts of threats. Some of them may not be toward your content but toward bringing down your server.