SHIELD DRM Core Technology
1. Cloud-Native DRM Conversion
Overview
SHIELD DRM is a service that automatically applies DRM encryption to documents distributed in a cloud environment. It supports the seamless use of existing DRM-encrypted documents by automatically converting them into Microsoft’s MIP (Microsoft Information Protection) labeled documents for the Microsoft 365 environment.
Operating Principle
Existing DRM Environment
1. A DRM-encrypted document is created on the local PC
2. The document is uploaded to the cloud (OneDrive/SharePoint)
3. The document cannot be opened in Microsoft 365 (compatibility problem)
└─ Problem: DRM documents are restricted in the cloud collaboration environment
SHIELD DRM Application Environment
1. A DRM-encrypted document is uploaded to OneDrive/SharePoint/Teams
2. SHIELD DRM detects the event
3. The DRM document is automatically converted into a MIP-labeled document
4. The document can be viewed, edited and co-edited in Microsoft 365
└─ Effect: cloud collaboration is supported while the existing DRM security policy is maintained
Target for conversion
DRM Encryption Types
- DAC (Document Access Control): fine-grained permission control per user
- MAC (Mandatory Access Control): mandatory access control based on document classification
- GRADE: access control based on document grade (Confidential, Internal Use, etc.)
Supported Storage
- OneDrive for Business
- SharePoint Online
- Microsoft Teams (Files Tab)
2. Event-Based Real-Time Detection
Overview
SHIELD DRM automatically applies encryption policies by detecting file events occurring in Microsoft 365 storage in real-time. Security policies are applied immediately as documents are uploaded without user intervention.
Event Reception Method
Event Receiver Method
1. A file event occurs in SharePoint/OneDrive
(create, modify, move, upload)
↓
2. The Event Receiver detects the event
↓
3. The event is forwarded to the SHIELD DRM server
↓
4. Conditional policies are evaluated
↓
5. DRM/AIP conversion is executed according to the matching policy
Detected Target Events
| Storage | Detection Event | Description |
|---|---|---|
| OneDrive | Add/Modify/Move Files | Document Change Detection in Personal Cloud Storage |
| SharePoint | Document Library Changes | File events in team sites and communication sites |
| Teams | File Tab Upload | File Sharing Events in Teams Channels |
3. Conditional Policy
Overview
Conditional policies are the core policy engine of SHIELD DRM that automatically apply encryption based on various conditions such as user, location, time, and document type.
Policy Type
Endpoint Policy
Target: Document Security 6 on the local PC
Control: document encryption/decryption policy applied directly on the PC
- DRM ↔ MIP conversion policy
- Access control by document grade
- Conversion targets specified by file extension
Cloud Storage Policy
Target: OneDrive, SharePoint, Teams
Control: policy applied automatically to documents uploaded to the cloud
- Automatic encryption on upload
- Differentiated policy per storage
- Separate policies per user/group
SDF (Sensitive Docs Flow)
Target: all documents in the organization
Control: fine-grained document security policy
- Encryption / decryption
- Export control
- Application of hidden information
Policy Condition Elements
| Condition | Description | Example |
|---|---|---|
| User/Group | Apply a policy to specific users or groups | Executive group: automatic application of the Confidential level |
| IP Range | Network-location-based control | Company IP range: allow decryption |
| Time Zone | Specific time conditions | Outside business hours: block export |
| Document Type | Control by file extension and encryption type | .docx: AIP conversion, .pdf: DRM preserved |
| Policy Priorities | Execution order when multiple policies conflict | The higher-priority policy is applied first |
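The condition elements above, combined into one policy evaluator, as an added example that is not SHIELD DRM's own code. The event and policy shapes, the action labels ("MIP_CONVERT:Confidential", "BLOCK_EXPORT", "ALLOW_DECRYPT") and the sample policy set are all assumptions made for illustration; conflicts are resolved by evaluating the highest priority first and taking the first match.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
@dataclass
class FileEvent:               # a detected storage event (constructed shape, not SHIELD DRM's)
    path: str
    groups: set
    source_ip: str
    when: datetime
@dataclass
class Policy:                  # an empty condition means "applies to everything"
    name: str
    priority: int              # higher wins when several policies match
    action: str                # hypothetical action labels, e.g. "MIP_CONVERT:Confidential"
    groups: set = field(default_factory=set)
    ip_ranges: tuple = ()
    hours: tuple = None        # (start, end) business-hours window, 24h clock
    outside_hours: bool = False  # True: match only OUTSIDE the window
    extensions: set = field(default_factory=set)
    def matches(self, ev: FileEvent) -> bool:
        if self.groups and not self.groups & ev.groups:
            return False
        if self.ip_ranges and not any(ip_address(ev.source_ip) in ip_network(r) for r in self.ip_ranges):
            return False
        if self.hours:
            inside = self.hours[0] <= ev.when.hour < self.hours[1]
            if inside == self.outside_hours:
                return False
        ext = ev.path.rsplit(".", 1)[-1].lower() if "." in ev.path else ""
        return not self.extensions or ext in self.extensions

def evaluate(policies, ev: FileEvent):
    """Highest priority first, first match wins; fall back to keeping the DRM document."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        if p.matches(ev):
            return p.name, p.action
    return "default", "KEEP_DRM"
# Constructed policy set mirroring the condition table above
POLICIES = [
    Policy("exec-confidential", 100, "MIP_CONVERT:Confidential", groups={"Executives"}),
    Policy("after-hours-export-block", 90, "BLOCK_EXPORT", hours=(9, 18), outside_hours=True),
    Policy("docx-to-mip", 50, "MIP_CONVERT:Internal", extensions={"docx"}),
    Policy("pdf-keep-drm", 50, "KEEP_DRM", extensions={"pdf"}),
    Policy("corp-ip-decrypt", 10, "ALLOW_DECRYPT", ip_ranges=("10.0.0.0/8",)),
]
def make_event(path, groups, ip, hour):    # helper so callers need not build datetimes
    return FileEvent(path, set(groups), ip, datetime(2024, 1, 15, hour, 0))
```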
4. DRM-MIP Permission Mapping
Overview
Automatically maps the permission structure of the existing DRM encryption document to Microsoft’s MIP label permissions, maintaining the same level of security after conversion.
Mapping Structure
| DRM Permission | MIP Permission |
|---|---|
| Read | View |
| Edit | Edit |
| Print | Print |
| Export | Extract |
| Decrypt (release) | Full Control |
| Change permissions | Change Permissions |
| Print marking | Print (with watermark) |
| Validity period | Content Expiration |
Key Management
| Method | Description |
|---|---|
| BYOK (Bring Your Own Key) | Document protection by the customer providing their encryption key |
| HYOK (Hold Your Own Key) | Directly holding encryption keys in the customer's key management server |
| SCI Server Integration | Key Management in conjunction with the Document Security encryption key server |
5. High Availability and Reliability
Overview
SHIELD DRM provides a high-availability architecture to reliably handle large volumes of document conversion requests.
Main Mechanisms
Retry Logic
1. Document conversion request
↓
2. A transient error occurs (network, API throttling, etc.)
↓
3. The request is registered in the retry queue
↓
4. Automatic retry according to the backoff strategy
↓
5. Removed from the queue on success / administrator notified on failure
MS Throttling Management
Microsoft Graph API applies throttling based on the request volume. SHIELD DRM detects this and automatically adjusts the request rate to ensure service stability.
| Status | Description | Response |
|---|---|---|
| Normal | API requests processed normally | Immediate processing |
| Throttling detected | 429 response received | Automatic request-rate adjustment |
| Retry-After | Wait time specified by the server | Retry after the specified time |
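The retry logic and the throttling table above combined into one worker loop, as an added example and not SHIELD DRM's own code. The `send(job) -> (status, headers)` callable, the fake Graph endpoint and the hypothetical `notify_admin` hook are assumptions; what the loop shows is that a 429 carrying Retry-After is honoured as given, other transient errors get capped exponential backoff with jitter, permanent errors are never retried, and the send rate is slowed on every 429 and relaxed again on success.

```python
import random

TRANSIENT = {429, 500, 502, 503, 504}      # worth retrying; anything else is permanent

class AdaptiveRate:
    """Request pacing: double the send interval on every 429, ease off again on success."""
    def __init__(self, min_interval=0.1, max_interval=30.0):
        self.interval, self.min, self.max = min_interval, min_interval, max_interval
    def throttled(self):
        self.interval = min(self.max, self.interval * 2)
    def succeeded(self):
        self.interval = max(self.min, self.interval * 0.9)

def backoff_delay(attempt: int, base=1.0, cap=60.0, jitter=random.random) -> float:
    """Capped exponential backoff with full jitter."""
    return min(cap, base * 2 ** attempt) * jitter()

def wait_for(status: int, headers: dict, attempt: int) -> float:
    """Honour Retry-After on 429 (Graph sends it in seconds); otherwise back off."""
    if status == 429 and "Retry-After" in headers:
        return float(headers["Retry-After"])
    return backoff_delay(attempt)

def convert_with_retry(send, job, rate=None, max_attempts=5,
                       sleep=lambda s: None, notify_admin=lambda job, err: None):
    """send(job) -> (http_status, headers). Returns a dict describing the outcome."""
    rate = rate or AdaptiveRate()
    delays = []
    for attempt in range(max_attempts):
        status, headers = send(job)
        if 200 <= status < 300:
            rate.succeeded()
            return {"job": job, "ok": True, "attempts": attempt + 1, "delays": delays}
        if status not in TRANSIENT:          # e.g. 403: retrying cannot help, alert instead
            notify_admin(job, f"permanent error {status}")
            return {"job": job, "ok": False, "attempts": attempt + 1, "delays": delays, "error": status}
        if status == 429:
            rate.throttled()
        d = wait_for(status, headers, attempt)
        delays.append(d)
        sleep(d)
    notify_admin(job, f"gave up after {max_attempts} attempts")
    return {"job": job, "ok": False, "attempts": max_attempts, "delays": delays, "error": "exhausted"}

def make_fake_graph(script):
    """Constructed stand-in for the Graph endpoint: replays scripted responses, then answers 200."""
    responses = list(script)
    def send(job):
        return responses.pop(0) if responses else (200, {})
    return send
```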
Multi-Tenant Support
Independent event handling and resource separation per tenant minimize the impact of one tenant's workload on another.
6. Document Security 365 Integration
Overview
Document Security 365 is a client solution that supports bidirectional conversion between DRM documents and MIP documents in a local PC environment.
Main Features
DRM ↔ MIP Bidirectional Conversion
- Instant conversion through the mouse right-click shell menu
- Automatic Mapping Between DRM Policy and MIP Policy
Label Visualization
- Display of dedicated icons for MIP label application documents
- Instantly check encryption status with label color
Requirements
| Item | Requirements |
|---|---|
| Document Security | Version 6.0.3.24 or higher |
| Microsoft 365 Plans | Business Premium or E3 or higher |
| Sensitivity Label | Completion of label creation and publishing in Microsoft Compliance Center |