Protecting Your Content using Adobe Primetime

How does Video Cloud protect your content using Adobe Primetime?

Video Cloud DRM offers the option of using Adobe Primetime to secure your content. DRM employs encryption to protect underlying content files, as opposed to a protocol like RTMPe that only encrypts the content during network transport. Rather than protecting access along the network of distribution, such as a website or mobile delivery service, each video asset is encrypted at rest.

In addition to taking care of the encrypted packaging of your assets, Video Cloud DRM also manages the license policies for your DRM solution. The Player will request a license at play time, which will be returned with a default set of secure policies. The DRM Packaging servers are supported by Brightcove's Hardware Security Modules that provide the highest level of industry standard protection for sensitive key information. The DRM solution is compliant with strict and extensive guidelines supported by Adobe for secure content delivery.

Creating DRM packages

DRM packages are created during the process of ingesting videos. Packaging is specified in custom ingest profiles. For details of how to add DRM packages to your ingest profiles, see Content Security (DRM and HLSe).

Signing up for DRM

This feature requires an additional fee. Video Cloud offers other options for protecting your content across devices. See Content Protection and Digital Rights Management for more information. Contact your Account Manager about bundling DRM protection so that you can secure your content wherever it plays.

What happens after Adobe Primetime DRM implementation

After Adobe Primetime DRM implementation, Brightcove handles assigning policies and packaging your video assets, each with a unique encryption key. The first time a DRM-packaged video plays, the Video Cloud player silently takes a few seconds to install the required DRM protection for that video. Once installed, the player will request a license from the Primetime service.

Video Cloud packages and encrypts all renditions of newly uploaded videos as the first priority. Video Cloud DRM also triggers a process to package and encrypt the backfill of all renditions for previously uploaded videos, as a second priority, until all the content of a subscribing publisher is protected. Any videos uploaded before DRM implementation will continue to be available for play in an unencrypted state until the DRM process encrypts it.

Videos protected with Adobe Primetime DRM will display a lock icon next to the video thumbnail in the Media module.

Sample content

The video in this player is protected using Adobe Primetime DRM.

If you open the Brightcove Debugger in another browser tab and play the video, you can see the see the call being made to the Adobe Primetime license server.

To learn more about the Brightcove Debugger, see Debugging Video Cloud Players.

Implementation options and strategies

When implementing Video Cloud DRM, consider the following options for asset protection and performance:

• Brightcove strongly recommends implementing SWF verification along with DRM to protect your assets from capture and replay in another Adobe Primetime enabled Flash Player or AIR application. The Primetime license server checks that the video file's policy is valid and that a publisher is enabled for DRM, while SWF verification checks that playback occurs in one of your authorized players. Without SWF verification, Video Cloud DRM will still prevent a user from gaining access to a video file to change its content or format. Video Cloud SWF verification checks a player to verify its permissions to play a certain asset and works in tandem with DRM to provide a second layer of protection. See Enabling Custom SWF Verification for details.
• To enhance performance, licenses cache for 30 days and need do not need to be download when a viewer returns to a DRM packaged video before that time.
• Playback for content served via Apple HTTP Live Streaming (HLS) will not be impacted by DRM but will open a security backdoor that could compromise protection. To assure full DRM protection, Brightcove recommends either disabling Apple HLS, moving content with looser restrictions to an account without DRM protection and enabling Apple HLS there, or implementing Google Widevine, which provides DRM protection for video over HTTP for playback on iOS devices. See Protecting Your Content using Google Widevine for details.

Limitations when using Adobe Primetime

1. Video Cloud DRM using Adobe Primetime is available for Flash players only, with no current support for HTML5 players. DRM-protected assets require players running in Flash 10.1 or later.
2. Videos secured using Adobe Primetime will not play in players that are embedded in a Flash container (using the ActionScript player publishing code).
3. Previewing videos in the Video Cloud Media module requires a Flash DRM runtime client that silently installs when a DRM-protected video plays in a Flash player. If you cannot play video previews in the Media module, first install the runtime client by playing a DRM-protected video in a Flash player on the machine where you login to Video Cloud Studio. To do this, select a video you know to have DRM protection in the Media module, and then from the Quick Video Publish area, copy the URL, paste it into a browser, and play the video. Alternatively, you can play this DRM-protected video on the machine where you log into the Video Cloud Studio.
4. While Universal Delivery Service will provide HTTP access to DRM packaged files, videos can be delivered using UDS only to platforms that support Adobe Primetime.
5. The content encrypting key (CEK) will not protect all rendition files for videos uploaded via the batch upload process that sends assets in a different manifest from the titles. Publishers can modify the batch upload process to upload title information at the same time as the video information to resolve this. Likewise, files will not have consistent CEKs across all renditions when assets are manually added to titles after the initial upload.