The demand for digital learning materials and online modalities is growing, and this rapid digital expansion can jeopardize content integrity and security. Publishers’ intellectual property, revenue, and reputation may be at risk, whether from bad actors seeking to steal and commercialize content, or from unauthorized sharing and usage of material.
After decades of commitment to protecting content and putting industry-leading parameters in place, we believe we are uniquely qualified to evaluate content security and help you figure out if you're in good hands. We put together a list of questions that will help you understand and evaluate security measures during every critical step of the content storage and distribution process, so you can be assured that your content is properly protected.
How is content protected during delivery?
It’s during the transfer process that your content is most vulnerable. The answer you should expect to this question is a well-explained workflow for content delivery; a secure delivery mechanism, including a secure transport (i.e., SFTP, or HTTPS for a web interface); and delivery systems that are routinely scanned and audited for vulnerabilities, with issues quickly addressed as found. On top of that, there should be either a unique set of credentials for each user that delivers content or a secure API with unique credentials. It’s even better if there is an external firm auditing these measures.
How is content kept/stored securely?
Content that is not properly protected while stored can be vulnerable to breaches. You should expect that your vendor has measures in place so that all content is protected at rest and in transit using at least AES-256 encryption; access to content is restricted to a limited number of people internally, with this list of people audited routinely; and content that is no longer needed for distribution is routinely and safely purged. Exemplary security would also include secure logging and auditing of internal access to content.
What digital rights management (DRM) and piracy countermeasures are in place while distributing and licensing content?
Without proper DRM, content protection and content access may not meet the publisher’s requirements, resulting in loss of revenue and putting intellectual property at risk. You should expect the answer to this question to be that your vendor has proper rights management in place when making content accessible to a licensee. This should include a unique license key and encryption of the content for that specific licensee, which in turn is used during the movement of content between any two devices or platforms. This licensee-specific encryption should be the only way content is stored on a personal device. Web browser-based access should be limited to one concurrent login.
What monitoring and alert systems are in place, and how are customers informed of an intrusion?
As new threats emerge, they need to be identified and addressed to minimize exposure. A vendor with good content security systems in place will have active monitoring and alerting for intrusion and piracy attempts. They will be monitoring well-known internet locations where content piracy is discussed, and they will properly set their user and system thresholds to alert on improper activity. It’s a bonus if they have staff on call to respond to security alerts and issues 24/7.
How and how often are external validations performed?
There are risks if your vendor has gaps in the implementation of their security and anti-piracy programs. They should have platforms hosted in data centers certified to ISO 27001, along with third-party systems and services that undergo thorough third-party technical and contractual due diligence, ongoing intrusion and penetration testing, and third-party audits on a regular basis.
How do you know that security controls which protect your content are proper and followed?
Any vendor should be able to show you the security controls and processes they have in place, but even better, they should have an external third-party audit confirming that the controls are proper and actually being followed. The gold standard here is a SOC 2 compliance audit report for security, which compares the vendor’s controls and practices to a list of industry-standard practices for security and reports on the vendor’s compliance.
Your content is your business. Protecting it is ours.
At VitalSource, we provide the highest level of protection for our customers—it is paramount to our mutual success. Our commitment extends beyond our platforms; our goal is to educate our partners on the critical security measures needed to protect content, regardless of where that content lives.
Al Issa can be found on Twitter @acissa.