Trust, But Verify: Experimental innovations in AEM Assets Trust and Governance
As digital assets grow in volume and value, ensuring their safety and authenticity becomes mission-critical. In this session, I will introduce two forward-looking features currently in development for AEM Assets: native malware scanning for uploaded assets and invisible watermarking for content authenticity and provenance, based on TrustMark – a GAN-based watermarking method.
These features are part of AEM’s VIP initiatives – experimental projects developed in close collaboration with customers to shape the future of the product. I will share the current state of these capabilities, walk through how they are being built into the AEM Assets pipeline, and discuss the potential impact they could have on secure, trusted content operations.
Attendees will get an early look at what is coming, insights into the architectural direction and learn about the opportunity to guide these features as they mature – possibly ahead of general availability.
Amine
How does your approach to asset provenance handle conflicting audit trails or potential tampering at the metadata level, especially in multi-tenant cloud environments?
Radu Cotescu
This is guaranteed by the C2PA standard. The part we need to clarify is which metadata you mean. AEM metadata is now only written into the DAM and not back into the asset. This means it won't affect the manifest. However, if you were to edit the metadata of a signed asset (i.e. one that has a C2PA manifest), you would be breaking the manifest. You'd have to use software that understands C2PA to edit the metadata in the binary.
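A simplified model of the binding described in this answer, added here as an illustration and not taken from AEM, the C2PA SDK or the speaker. An HMAC stands in for the real certificate-based signature, and the container layout, key and `dam_record` are constructed for the example.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing credential


def build_asset(embedded_xmp: str, pixels: bytes) -> bytes:
    """Constructed toy container: embedded metadata followed by image data."""
    return b"XMP:" + embedded_xmp.encode() + b"\nPIX:" + pixels


def sign_manifest(asset: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Bind a signed claim to the exact asset bytes (simplified hard binding)."""
    claim = {"alg": "sha256", "hash": hashlib.sha256(asset).hexdigest()}
    payload = json.dumps(claim, sort_keys=True).encode()
    return {"claim": claim, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(asset: bytes, manifest: dict, key: bytes = SIGNING_KEY) -> str:
    """Return 'valid', 'signature-mismatch' or 'hash-mismatch'."""
    payload = json.dumps(manifest["claim"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return "signature-mismatch"
    if hashlib.sha256(asset).hexdigest() != manifest["claim"]["hash"]:
        return "hash-mismatch"
    return "valid"


def demo() -> dict:
    signed = build_asset("title=Launch hero", b"\x89constructed-pixels")
    manifest = sign_manifest(signed)
    # Case 1: metadata changed only in a repository-side record (hypothetical dict).
    dam_record = {"dc:title": "Launch hero", "binary": signed}
    dam_record["dc:title"] = "Launch hero (approved)"
    # Case 2: metadata changed inside the binary by a tool unaware of the manifest.
    edited = build_asset("title=Launch hero (approved)", b"\x89constructed-pixels")
    return {
        "repository_edit": verify(dam_record["binary"], manifest),
        "binary_edit": verify(edited, manifest),
        "binary_edit_resigned": verify(edited, sign_manifest(edited)),
        "claim_hash_swapped": verify(edited, {**manifest, "claim": sign_manifest(edited)["claim"]}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only the repository-side edit and the re-signed binary verify; the in-place binary edit fails the hash check, and updating the claim's hash without the key fails the signature check.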
Jörg
How do you handle the situation that you upload malware, which is not detected by today's signature, but only with the signatures which appear in a week? In that case to detect them you would have to regularly re-scan your entire DAM. Is support for that planned?
Robin
Virus scanners also produce false positives sometimes. If I move an asset from the quarantine to the regular assets, does it automatically also further train the system to make sure it isn't marked as false positive in the future? Or would there be at least a flow to make sure we can further train / improve the system?
Radu Cotescu
It's not right now, but you could unquarantine the asset after you have made sure that it was a false positive. Once you unquarantine you can then restart asset processing, i.e. producing renditions and extracting metadata.
Yegor Kozlov
Will Dynamic Media preserve the watermarks?
Mehdi Al.
As per my understanding, this is only putting a watermark, what about reading some existing watermark during the upload too?
Amine
How do you ensure the invisible watermark remains resilient against advanced image manipulation techniques?
Radu Cotescu
MOHIT KATARIA
How do we know that an asset is already watermarked? Without reading any metadata on the asset? What if a watermarked asset reaches AEM, can we get rid of the asset?
Radu Cotescu
You can verify the asset using C2PA before uploading, either on the web (https://contentauthenticity.adobe.com/inspect, https://contentcredentials.org/verify) or using the c2pa tool (https://github.com/contentauth/c2patool). I don't understand the second question.
Sławek
Is there any feedback for the author that the file was moved to quarantine? Otherwise he may try to upload it multiple times.
Radu Cotescu
Yes, you can configure which user groups get notified about this and they will only get the notification if they are actually allowed to see that asset. We also have some events, similar to the new cloud native events that the Assets APIs emit (https://developer.adobe.com/experience-cloud/experience-manager-apis/api/stable/assets/author/#tag/Events), but they are not yet sent out to IO Events, where you could consume them from.
Pakira
Are you using diffusion models from Google or Adobe to check asset authenticity?
Radu Cotescu
Jörg
Have you delivered that presentation as-is also in the french parts of Switzerland? :-)
Radu Cotescu
I adapt it to the audience, there are various versions of it. Not kidding! :D
sabdouni
Is there a date for the GA of the 2 features? Will it need a specific license?
Radu Cotescu
We aim for early next year. At least malware won't require a specific license. It's based on Assets Compute, so we treat it like any other rendition processor.
Tad
Is it on the roadmap to have the media bus in Edge Delivery to preserve (and thereby possibly display) the content credentials?
Radu Cotescu
A lot of the teams at Adobe who deal with Assets have started integrating with the CAI services to provide and maintain content credentials. While I haven't had a chance to directly talk to my Edge Delivery colleagues, I'm sure it will also come there. The Assets View asset details micro frontend (MFE) already provides that information; if it could be reused, it should be fairly easy to display the Content Credentials.