Cloud Security = IDM+ERM, BUT: who will drive it is the real question!

29.06.2010 by Sachar Paulus

My last blog on the future necessities to really, really secure applications in the cloud was heavily discussed, which I think is a good sign: obviously there is something to discuss…

But let’s get a bit more down to the real problems. Of course, DRM is not the same thing as ERM (let me stick to ERM for the time being), and most of the companies that have integrated DRM technology into their content offering have absolutely no clue about the potential complexity of access rights one might need in a company context – just look at the average number of enterprise roles in a medium-sized company. BUT: they are successful for two reasons:

a) they are simplifying the processes and interfaces to the user as much as they can, and

b) they use one specific business process.

Maybe it is just the too-generic approach of most ERM offerings that is the reason for their relatively low usage. Some companies that actually start to “profile” specific ERM usages along the lines of certain business processes in verticals (Adobe, and to some extent Oracle, from what I have seen) may have understood this. So again, content context is key for leveraging ERM technology.

But the real hard problem is of course: how will we deal with protected digital documents (including XML “records”) across company boundaries? The myth of being in the center of everything by providing a proprietary format – and thus forcing the users to accept one specific solution – will not work as soon as processes cross multiple companies, just look back at PKI… So there is need for interoperability and standards.

But who will take the lead here? The content providers? Actually, I could imagine a future where a BI report (e.g. the sales pipeline, real-time or once a day) is no longer protected by deep, complex authorization objects in the ERP / BI system, but instead the report is generated as a piece of content (maybe including video) and equipped with consumer-like protection (“this copy is for you, and you can send it to 3 friends…”). Sounds weird, but actually it is not that far from real: it may be simpler to do it that way than to map the complex ERP authorizations and roles via federated identity management and integrated, interoperable ERM to ERM “authorizations” and to contact Access Decision Servers using standardized formats…
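Both protection models sketched above, as an added illustration that is not from the original post: a small Python model in which an ERP authorization object is mapped to an ERM rule and evaluated by a hypothetical Access Decision Server, beside the “content blob” variant in which the report travels with an issuer-signed licence naming its holder and a forward budget. The role names, field names, licence format and demo key are all constructed assumptions, not any vendor’s format.

```python
import hashlib
import hmac
import json

# ---------- Model 1: ERP authorization objects mapped to ERM decisions ----------
# Constructed sample data (assumption): each ERP role grants an authorization
# object whose fields restrict the sales organisation and the permitted activity.
ERP_ROLES = {
    "sales_manager_eu": {"S_PIPELINE": {"SALES_ORG": {"EU10", "EU20"}, "ACTVT": {"display"}}},
    "analyst_global":   {"S_PIPELINE": {"SALES_ORG": {"*"}, "ACTVT": {"display", "export"}}},
}
USER_ROLES = {"alice": ["sales_manager_eu"], "bob": ["analyst_global"], "carol": []}


def erp_to_erm_policy(user):
    """Flatten a user's ERP authorization objects into ERM-style rules:
    which attribute values a protected report may carry, and which actions
    the user may perform on it. This is the 'policy mapping' step."""
    rules = []
    for role in USER_ROLES.get(user, []):
        for obj, fields in ERP_ROLES[role].items():
            rules.append({"object": obj,
                          "sales_org": fields["SALES_ORG"],
                          "actions": fields["ACTVT"]})
    return rules


def access_decision(user, action, report):
    """Hypothetical Access Decision Server: the ERM client sends (user, action,
    report attributes) and gets back yes/no; it never sees the ERP roles."""
    for rule in erp_to_erm_policy(user):
        if rule["object"] != report["object"]:
            continue
        org_ok = "*" in rule["sales_org"] or report["sales_org"] in rule["sales_org"]
        if org_ok and action in rule["actions"]:
            return True
    return False


# ---------- Model 2: the report as a content blob with a consumer-style licence ----------
# Constructed demo key (assumption): in practice the issuer's signing key lives
# in the content service, never on the client.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _sign(licence):
    """Integrity tag over the canonical JSON of the licence, so a client cannot
    edit the holder or the forward budget without the issuer noticing."""
    canonical = json.dumps(licence, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue_blob(report_id, recipient, forwards):
    """'This copy is for you, and you can send it to N friends.'"""
    licence = {"report": report_id, "holder": recipient,
               "forwards_left": forwards, "chain": [recipient]}
    return {"licence": licence, "tag": _sign(licence)}


def licence_valid(blob):
    return hmac.compare_digest(blob["tag"], _sign(blob["licence"]))


def can_open(blob, user):
    """Open only if the tag verifies and the named holder is the requesting user."""
    return licence_valid(blob) and blob["licence"]["holder"] == user


def forward(blob, sender, receiver):
    """Re-issue the licence for the receiver, decrementing the forward budget.
    Returns the new blob, or None when the sender may not forward. The
    decrement happens on the issuer side, so a client cannot reset it."""
    if not can_open(blob, sender):
        return None
    lic = blob["licence"]
    if lic["forwards_left"] <= 0:
        return None
    new_lic = dict(lic, holder=receiver, forwards_left=lic["forwards_left"] - 1,
                   chain=lic["chain"] + [receiver])
    return {"licence": new_lic, "tag": _sign(new_lic)}


if __name__ == "__main__":
    report = {"object": "S_PIPELINE", "sales_org": "EU10"}
    for user, action in [("alice", "display"), ("alice", "export"),
                         ("bob", "export"), ("carol", "display")]:
        print(f"ADS: {user} {action} EU10 -> {access_decision(user, action, report)}")
    blob = issue_blob("pipeline-daily", "alice", 2)
    blob = forward(blob, "alice", "bob")
    blob = forward(blob, "bob", "carol")
    print("third forward allowed:", forward(blob, "carol", "dave") is not None)
    print("chain:", blob["licence"]["chain"])
```

The contrast the two halves make visible: in the first model the authorization semantics stay in the ERP and only a decision crosses the boundary, which is exactly what needs a standardized request format; in the second the whole decision is baked into a signed licence that the issuer re-issues on every forward, which is simpler to ship across companies but expresses nothing finer than “holder plus budget”.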

Don’t get me wrong, the “BI as Content Blob” protection concept is far from ideal, and the other mechanism would be the “real” solution… But to avoid such a situation (and I am sure such a model would find vast acceptance, except by the people responsible for security ;) ), we need the major players to come together to address the following issues:

1) What needs to be standardized, exactly? Document formats? Authorization semantics? Exchange protocols? Policy mapping? Communication protocols with Access Decision Servers?

2) Who can contribute what? And where to start? Simple solutions first to get things going, or doing it right from the beginning? Would that be an initiative similar to the Liberty Alliance, or more a standardization effort like WS-*?

3) How to integrate the structured world with this unstructured one? There are first attempts, but only based on bilateral integrations, without any thought of standardization (back at SAP, I drove this to some point, but only now can the first results be seen…).

So the topic is much more difficult in reality than one might think. Using one of the ERM vendors does NOT solve the problem. That would only solve local issues, and thereby produce others…

Cloud Security = Interoperability for DRM

17.06.2010 by Sachar Paulus

This week was very interesting for me. I have had a number of calls and meetings with people dealing with software components and architectures that will make the cloud secure.

And the most interesting observation is: actually everything is there. We as an industry could simply start doing secure clouds right away. It is of course not so much about the standard stuff that we often hear: trust in the cloud providers, their ability to deal with data privacy requirements, or the multi-tenancy capabilities of enterprise cloud services.

No. It is actually about how to secure the data between and within cloud services. And the key to achieving this is DRM technology. Well, it is pretty straightforward when one thinks about data storage in the cloud: obviously Information Rights Management or Enterprise DRM will take over the role of drive encryption in cloud-based models for data sharing and storing.

But what seems to be less obvious is that the same technology can in principle also be used for protecting information within applications. Note that the media industry has already addressed a number of issues, such as streaming with DRM protection or multiple copies of the data.

There is one missing piece, though, well not really a missing piece: interoperability. The formats of DRM-protected information differ widely from vendor to vendor, and there are three big players again: Microsoft, Adobe and Apple. It will be interesting to see how especially the battle between the latter two will affect how the protection formats evolve.

And as with other battles for standardization, there will be room for companies to use this missing interoperability to develop tools that help with it. I’d be curious about who will take on that challenge…

My new iPad and Identity Management

01.06.2010 by Sachar Paulus

Today, I ordered my new iPad. I am really eager to use it, especially as a multi-purpose information and media home device. So far, so good. Obviously a device like this will be THE front end for the brave new Cloudy Web Services world. Whether via classical http(s) requests or via WS-*, the Apps on these kinds of devices will make the Cloud happen for the average home user.

But: I am not sure how this fits into the identity management demands of these services. Haven’t we seen so many integration and convergence trends in the identity space in the last months? How do these actually match the front-end development trends? Obviously, the latter will be making the market, so how will the security guys follow?

Or, simply put: who cares about my credentials on the devices? Do I need a credential per app, or what? We have put so much effort into getting rid of this problem on standard platforms – how will the mobile market adopt these? Or will it simply be the provider who takes care – he knows our identity anyway…

Lots of unsolved security questions, not to mention the need for data encryption at rest – rest? What rest? Er, I mean “in-memory encryption”…

So in the end I am not sure whether the iPad will make us more secure. I cannot even give a guess. That is bad.

© 2014 Sachar Paulus, KuppingerCole