Rising to the OTT Content Protection Challenge

If connected TV services are to carry premium content that people are willing to pay for, security must be highly renewable with the whole ecosystem under constant surveillance for threats. It must be possible to authenticate Consumer Electronic (CE) devices approved for access to premium content and cut them off instantly in the event of a breach, with the ability to swap out to a new security system just as happens with smartcard based CA (Conditional Access). This is the view of traditional Conditional Access (CA) vendors that hope to be custodians of security in the OTT world as well.

In this connected TV world, operators will no longer have direct control over end devices but must still maintain a one-to-one relationship with all devices allowed to access premium content, according to Fred Ellis, Director of Operations and General Manager at SecureMedia, part of the Motorola Mobility Group. Ellis recommends two types of embedded security to achieve this, either using digital certificates signed and inserted in the device by the manufacturer, or a secure software client that exploits some unique feature of the box, such as its native HLS (HTTP Live Streaming ) player. Both of these will allow the operator to authenticate the device each time a session is opened, for example by verifying the digital certificate.

Such client security methods must blend with OTT delivery methods such as Adaptive Bit Rate Streaming (ABRS), but above all they must support continuous monitoring. This is even more essential for OTT than in a traditional walled garden Pay TV broadcast infrastructure, according to Christopher Schouten, Senior Marketing Director for online services at CA vendor Irdeto, whose ActiveCloak platform is used by US OTT provider Netflix. Successful defence against OTT piracy involves a combination of continuous surveillance with dynamic security that can apply changes very quickly, Schouten argues. “The key to proactive hacking prevention is the ability to monitor hacker chatter on the web to analyse patterns and isolate instances of real threats that require expert attention,” he argues.

SecureMedia is equally convinced that sophisticated monitoring will be an essential component for OTT success. “Our SecureMedia’s iDetect tamper detection technology immediately notifies operators of any attempted breach in the delivery system and they can promptly terminate content delivery to the device,” says Ellis.

There is also the higher level issue of rights enforcement, and here too OTT extends the challenge because the CE devices may not all support the same DRMs. So operators cannot apply a single security system end-to-end as they can within their walled gardens, according to Tore Gimse, CTO at Norwegian CA vendor Conax. “There is no definite reason why there should be the same security end-to-end," says Tore. “We already offer bridges between the Conax CA and other DRMs, securely handing the protected content from one system over to another. Such solutions could, in principle, be extended to other forms of security transfer.”

In a sense, OTT creates two conflicting security demands. On the one hand, the infrastructure must be even more closely monitored and managed to combat the new piracy threats that will arise in a wide open infrastructure. But on the other hand, no single CA vendor can rule, requiring interoperability between multiple systems, and this can create points of weakness. One implication is that CE vendors may mount a challenge to Pay TV operators by arguing that the network in the middle cannot be secured anyway so you might as well put all the effort into the device. Then content owners would bypass the operators and go straight to consumers.

By Philip Hunter, Videonet