AWS for M&E Blog

How DoveRunner Multi-DRM Cloud integrates with AWS media services

This blog post was co-authored by Erik Peña, Multi-DRM Product Manager at DoveRunner

Viewers, content owners and over-the-top (OTT) services face a significant challenge: balancing content accessibility with strong security measures, particularly digital rights management (DRM), to protect against unauthorized streaming. This is a top concern for the media industry, as the U.S. Chamber of Commerce estimates that digital piracy costs the United States economy $29–$71 billion every year.

A multi-DRM solution can help address this concern by enabling platforms to manage licenses across the leading DRM types (PlayReady, Widevine, and FairPlay) ensuring compatibility with major web browsers and mobile operating systems. When you implement DRM protection, you’re not only securing content but also protecting your entire business model. Without such a strategy, companies risk revenue losses and reduced audience engagement through piracy. These impacts extend beyond direct financial losses, affecting advertising revenue, brand reputation, and subscription growth.

A concerning threat to streaming platforms occurs when bad actors leech content and redistribute it through unauthorized portals for potential monetization. This creates a dual challenge: unauthorized, off-platform viewing jeopardizes subscription and advertising revenue on the official platform while simultaneously forcing platform owners to bear the bandwidth costs of streaming unauthorized content. To safeguard intellectual property and infrastructure investments, preventing the phenomenon known as CDN leeching is now essential.

To combat these risks, content providers from media platforms to corporate and educational institutions must secure premium content across multiple platforms against increasingly sophisticated piracy techniques while maintaining smooth delivery and scalability. DoveRunner Multi-DRM Cloud offers thorough content security by integrating with AWS Elemental media services through the Secure Packager and Encoder Key Exchange (SPEKE) API v1.0 and v2.0 protocol.

The SPEKE protocol provides a straightforward, secure REST interface that DRM vendors and encryption engines can use to establish trusted communication channels for exchanging content keys during video streaming workflows. This enables the Multi-DRM Cloud solution to provide studio-grade protection for both live and video-on-demand (VOD) content, with enhanced security through its License Cipher feature, which adds an extra layer of protection to Widevine and PlayReady, preventing client-side exploits and ensuring content and license integrity.

About DoveRunner

DoveRunner is an AWS Partner offering their Multi-DRM Cloud licensing solution. This solution helps organizations quickly and easily apply content security, which is a prerequisite to premium content services such as OTT streaming platforms containing Hollywood-grade content.

Managing multiple DRMs separately while providing scalability has historically been technically complex and cost intensive. DoveRunner addresses this challenge with Multi-DRM Cloud by offering centralized key management, security, and licensing across platforms, which reduces costs, improves security, and simplifies operations. By taking advantage of the elasticity of the cloud and AWS global infrastructure, DoveRunner seamlessly scales to handle peak workloads while maintaining consistent performance and reliability across multiple Regions, giving customers confidence in the platform’s robustness and availability.

Although this post focuses on the DoveRunner Multi-DRM solution, the company also offers a comprehensive suite of protection technologies that safeguard content distribution and delivery all the way to the playback application. DoveRunner Forensic Watermarking embeds a unique identifier into content, enabling the source of any leak to be traced. Its Anti-Piracy service actively monitors and detects pirated content across multiple channels, including social media platforms, Telegram, and piracy websites. Finally, the DoveRunner Mobile App Security  protects Android and iOS apps from tampering, decompilation, and repackaging through a low-code or no-code integration.

DoveRunner offers two billing models for their multi-DRM product. Monthly Active Licenses (MAL) charges based on the total number of licenses in use during a given month, and Monthly Active Users (MAU) charges based on the number of unique users assigned licenses in that month. DoveRunner provides both options to make their DRM solution as accessible and flexible as possible, to align with customers’ business models.

How DRM works

To understand how DoveRunner Multi-DRM protects you from unauthorized access, it helps to examine how DRM technology works.  DRM restricts playback of encrypted video content to users who have successfully authenticated with a third-party DRM license server. This is accomplished by:

  • Incorporating a DRM header into the file segments during the packaging process.
  • The DRM package contains essential information for contacting the license server and the necessary encryption details for file playback.
  • After packaging is complete, any authenticated device attempting to access the content through a content delivery network (CDN), such as Amazon CloudFront, must obtain a license from the license server to decrypt and play the video and audio content.

Three of the most widely used DRM systems (Apple FairPlay, Google Widevine, and Microsoft PlayReady) are all fully supported by DoveRunner. The following DoveRunner diagram shows the Multi-DRM Cloud orchestration architecture for DRM-protected content delivery.

Digital rights management (DRM) workflow. The live or VOD video source is sent to the encoder or transcoder. The encoded video is sent to the packager. The packager requests a key from the key management server, which then queries the key database and DRM license server. The client player also requests a DRM license with token from the DRM license server. The video is sent over CDN to the client player and the decrypted video is sent to the screen for playback.

Figure 1: Workflow depicting DoveRunner Multi-DRM Cloud orchestration architecture.

DRM integration: Content preparation and client playback

Video and audio content must be DRM-encrypted before a CDN delivers it to end users. DoveRunner streamlines this by integrating AWS Elemental MediaConvert for file-based encryption and AWS Elemental MediaPackage, which handles just-in-time packaging (JITP) and origination. JITP works by dynamically customizing video streams and generating a device-compatible manifest when a playback device requests content.

When selecting an implementation method, carefully consider your target devices and their supported formats, particularly HTTP Live Streaming (HLS) and Dynamic Adaptive Streaming over HTTP (DASH). If your target devices support the Common Media Application Format (CMAF), you can significantly reduce duplicative encoding and storage costs by using the same audio and video streams for both HLS and DASH clients.

Client playback devices must be configured to process DRM-encrypted content and include the necessary settings for license procurement and playback. Fortunately, most popular video players already include DRM support and only need API configuration to enable DRM license acquisition. The DoveRunner DRM Client Integration documentation provides reference code samples to help you begin implementation.

With these principles in mind, let’s explore how DoveRunner seamlessly integrates with AWS services.

Implementing DoveRunner with AWS Elemental services

DoveRunner seamlessly integrates with MediaConvert and MediaPackage. In this section, we detail a high-level overview of the integration process.

Multi-DRM implementation for video-on-demand

MediaConvert connects to the DoveRunner Multi-DRM system to generate encryption keys for DRM-protected content using the SPEKE protocol. SPEKE defines the communication standard between encryption tools (such as MediaConvert) and DRM license providers. When encoding on-demand videos, the same encryption key used in MediaConvert is reused to create DRM licenses for compatible playback devices.

The following diagram illustrates a file-based VOD workflow for integrating MediaConvert with DoveRunner Multi-DRM.

The AWS architecture and flow for this video-on-demand solution. A step-by-step explanation of the diagram's flow is detailed within the body of the blog post.

Figure 2: The file-based VOD workflow for integrating MediaConvert with DoveRunner Multi-DRM.

For detailed configuration instructions, refer to MediaConvert integration in the DoveRunner documentation.

Multi-DRM implementation for live video

MediaConvert supports file-based encryption, and MediaPackage supports dynamic JITP encryption at the time of packaging and supports the SPEKE protocol. This makes MediaPackage DRM integration solutions particularly valuable for content providers. Workflows that support MediaPackage, including ones using AWS Elemental MediaLive for live video transcoding, can work with MediaPackage and DoveRunner.

The following diagram illustrates the architecture for a live workflow with MediaPackage.

The AWS architecture and flow for this live DRM solution. A step-by-step explanation of the diagram's flow is detailed within the body of the blog post.

Figure 3: Live workflow using MediaPackage.

Refer to MediaPackage integration in the DoveRunner documentation for more information and specifics.

Advancing threat protection further

Although DRM provides strong protection for media delivery, increasingly sophisticated pirate attacks require additional security layers to address emerging vulnerabilities. The DoveRunner License Cipher solution, available through a software-as-a-solution (SaaS) offering, addresses these advanced threats by applying an additional layer of encryption to thwart license requests generated by compromised environments.

License Cipher creates a two-way trust between client players and DoveRunner License Service during the DRM license request. Using white-box cryptography, necessary security information is protected from tampering. This results in compromised environments being rejected from receiving a DRM license if trust can’t be guaranteed. Device platform support includes Android, Web, UWP, Tizen, and webOS.

Conclusion

As digital piracy continues to cost billions annually, protecting premium content has never been more critical for media platforms, educational institutions, and corporate content providers. Throughout this post, we’ve explored how DRM technology safeguards valuable content and why a multi-DRM approach is essential for reaching audiences across all major platforms and devices.

The DoveRunner Multi-DRM Cloud solution addresses the complexity of managing multiple DRM systems by providing centralized key management and seamless integration with AWS Elemental media services through the SPEKE protocol. DoveRunner Multi-DRM Cloud is available for purchase in AWS Marketplace, making it straightforward to get started protecting your valuable media assets today. DoveRunner also offers complementary solutions including Forensic Watermarking and Mobile App Security with runtime application self-protection (RASP) for comprehensive content and application protection.

For more information on AWS media solutions, visit AWS for Media & Entertainment or contact an AWS representative to know how we can help accelerate your business.

Further reading

Jason O'Malley

Jason O'Malley

Jason O’Malley is a Sr. Partner Solutions Architect at AWS supporting partners architecting media, communications, and technology industry solutions. Before joining AWS, Jason spent 13 years in the media and entertainment industry at companies including Conan O’Brien’s Team Coco, WarnerMedia, and Media.Monks. Jason started his career in television production and post-production before building media workloads on AWS. When Jason isn’t creating solutions for partners and customers, he can be found adventuring with his wife and son, or reading about sustainability.