Your Cloud in My Company: Modern Rights Management Services Revisited

We provide a security analysis of modern Enterprise Rights Management (ERM) solutions and reveal security threats. We first take a look at Microsoft Azure and discuss severe attack surfaces that companies enabling Azure in their own trusted infrastructure have to take care of. In addition, we analyze Tresorit, one of the most frequently used end-to-end encrypted cloud storage systems. Tresorit can use Azure and its Rights Management Services (RMS) module as an additional security layer: a user should be able to trust either Tresorit or Azure. Our systematic evaluation reveals a serious breach of their security architecture: we show that the whole security of Tresorit RMS relies on Tresorit being trusted, independent of trusting Azure.
