As one of the top five longstanding content security specialists, Verimatrix almost disappeared from view during its protracted acquisition by Paris-based Inside Secure, which finally closed February 2019. Since then though matters have looked up in various ways, not least with the enlarged group’s adoption of the Verimatrix brand for all products and services while dropping the Inside Secure name which was little known beyond the immediate client base in IoT and connected car protection for example.
The Inside Secure link is only acknowledged by retention of its tagline, “Driving Trust,” below the Verimatrix logo. For Verimatrix, the logic of the takeover, apart from greater financial stability, is the addition of complementary technology for its push out into the IoT and connected car, with the aim of harnessing its pedigree in content protection there.
Naturally, the new Verimatrix was eager to have a new customer acquisition to trumpet as evidence that the enlarged company retains its competitive edge in the traditional revenue protection field. It has now got that as a newly launched Spanish OTT service called Plataforma Multimedia de Operadores has chosen Verimatrix to provide multiscreen security across its platform. Created by the rump of Spain’s legacy cable TV industry, comprising the four operators Procono, Opencable, ACUTEL and AOTEC, this is delivered via Android set tops, smartphones, tablets, laptops and smart TVs, with the aim – or hope – of attracting 600,000 subscribers quickly.
Supported by partners Mirada and Anevia, this was very much a gain for the multi-DRM platform that Verimatrix had already developed before the Inside Secure takeover, as was acknowledged by Jose Carrillo, CTO, Plataforma Multimedia de Operadores. “In addition to significant market recognition as a leading content security provider, Verimatrix presented a multi-DRM offering that is both flexible and reliable with a security framework that can be seamlessly integrated.”
Of course, Verimatrix is not alone in having a multi-DRM offering since that is the way the OTT world has been moving for several years. Before that there were several initiatives either to create an interoperability layer enabling multiple DRMs to interwork, for example the Coral Consortium, or to enforce deployment of a single universal DRM, such as Intertrust’s Marlin. Intertrust then developed ExpressPlay XCA as a software-as-a-service (SaaS) using the Marlin DRM for broadcasters and operators to deliver content to a set top or smart TV via DVB channels. The selling point was that this would give operators just one DRM that would work across all target platforms, including those lacking their own native DRM.
However, the streaming world has converged more towards multiple DRMs, leaving operators and content providers having to cater for them all if they are to maximize their reach. This has happened partly because a native DRM operates efficiently on its device and eliminates DRM client licensing cost because it is usually free on its own platform. But it creates a need for a multi-DRM approach to ensure that only a single copy of each asset needs to be stored rather than one for each DRM. It is also important to ensure that a single encryption process can target all the different platforms with their native DRMs, again to reduce costs and complexity. Another key requirement is ability to integrate and operate multiple license services, so that they all communicate via the same entitlement language.
Such capabilities are minimum requirements for any multi-DRM package, spanning the principle DRMs. There are three main ones, Microsoft’s PlayReady, Google’s Widevine and Apple’s FairPlay. PlayReady is implemented natively on every Windows device and some Android ones, and available through software SDKs on virtually any platform. Widevine is natively implemented in every Android device, in Chrome, and in some other devices, while being supported in Firefox and Opera browsers over DASH.
FairPlay is available on iOS, macOS and tvOS and so is native on smartphones, iPads, Macs and Apple TV devices. The multi-DRM package must support the basic workflow across all three of these to appeal to most service or content providers. This means first authenticating the user, then creating an authorization token while downloading to the player the manifest comprising content that is still encrypted. Finally, the player submits a license acquisition request to license servers, together with a key ID and the authorization token, to enable playback after decryption.
Services such as Plataforma Multimedia de Operadores are looking for more than just the basic multi-DRM support and that’s where Verimatrix was able to exploit its pedigree with implementations going back several years. A key point is that the DRMs vary in their inherent content protection capabilities and in all cases they fall short of what is required to protect premium assets. Therefore, service providers are looking not just for the efficiency and cost savings a multi-DRM security package can provide, but also additional security controls. These include breach recovery, so that when an issue does occur at the DRM level, recovery can be achieved quickly without waiting for a patch from the DRM provider. It also includes forensic watermarking, which again Verimatrix has integrated and has become mandatory not just for premium movie content at UHD resolution but also increasingly for live sports.
Alongside watermarking integration, Verimatrix provides advanced code protection techniques and detection of screen recording with ability to block that. It also supports a Trusted Execution Environment (TEE) where keys can be stored and cryptographic processing isolated from the device OS.
Verimatrix also likes to highlight its analytics deriving insights from device, network and usage data for business intelligence and optimization, reducing costs through process improvements and boosting revenues by improving recommendation and targeting. More relevantly in the specific multi-DRM context, Verimatrix recently announced interoperability of its multi-DRM package and the Secure Packager Encoder Key Exchange (SPEKE) API developed by AWS. This was a significant step because it defines a standard way endorsed by Amazon of communicating between the three critical components of the video pathway, encryptors, the DRMs and players.
Encryptors are where the encryption executes, receiving requests from operators and retrieving the required keys from the DRM key provider to secure the encrypted content. The DRM platform in turn provides encryption keys to the encryptor, here through a SPEKE-compliant API, while delivering licenses to media players for decryption. Then the Player requests keys from that DRM platform key provider and uses these to unlock the content for serving to viewers.
As Verimatrix pointed out, in the absence of multi-DRM support for SPEKE, complex integrations between proprietary DRM APIs and encryptors from different vendors are required, which delays deployment. Even when such support is not directly required, as presumably in the Plataforma Multimedia de Operadores deployment, it demonstrates Verimatrix is committed to efficient multi-DRM for cloud-based services, along with a handful of other players such as Kudelski’s Nagra and Irdeto.