If you sell or license video content, DRM is unavoidable. The market has fragmented around three systems — Widevine (Google), PlayReady (Microsoft), FairPlay (Apple). Each is required on its respective platform. You package once and serve license requests per-platform.
Why three?
Each platform vendor controls a key-protection chain anchored in hardware. Widevine for Chrome and Android, PlayReady for Edge / Xbox / Windows, FairPlay for Safari / iOS / tvOS. There's no negotiating around the platform owner.
Common Encryption (CENC)
MPEG-CENC defines two encryption modes — cenc (subsample AES-CTR) and cbcs (AES-CBC). cbcs is supported by all three; cenc is supported by Widevine and PlayReady. Encrypt your content once in cbcs and you can ship to all three DRMs from the same media file.
License server architecture
Client (Widevine)
↓ Init Data + Challenge (POST)
License Proxy (yours)
↓ User Auth + Entitlement check
↓ Forward to Widevine License Server (Google or self-host)
↑ Wrapped license response
Client decrypts content key, decrypts videoHosted vs self-hosted servers
Hosted (Widevine SaaS, Microsoft Azure Media Services, BuyDRM): per-license fees, ~$0.001-0.01 per license. Self-hosted (Shaka Packager + custom proxy): operational cost only. For < 1M licenses/month, hosted is cheaper. Above that, self-host.
Security tiers
Each DRM has tiers — Widevine L1/L2/L3 (L1 = hardware-rooted, required for 4K). PlayReady SL150/2000/3000. FairPlay has only one tier but enforces hardware. Set tier requirements based on content value: L1/SL3000 for premium 4K, L3/SL150 for SD trailers.