Cloud Security = Interoperability for DRM

17.06.2010 by Sachar Paulus

This week was very interesting for me. I have had a number of calls and meetings with people dealing with software components and architectures that will make the cloud secure.

And the most interesting observation is: actually everything is there. We as an industry could simply start doing secure clouds right away. It is of course not so much about the standard stuff that we often hear: trust in the cloud providers, their ability to deal with data privacy requirements, or multi-tenancy capabilities of enterprise cloud services.

No. It is actually about how to secure the data between and within cloud services. And the key to achieving this is DRM technology. This is pretty straightforward when one thinks about data storage in the cloud: Information Rights Management or Enterprise DRM will obviously take over the role of drive encryption in cloud-based models for data sharing and storing.

But what seems to be less obvious is that the same technology can in principle also be used for protecting information within applications. Note that the media industry has already addressed a number of issues, such as streaming with DRM protection or multiple copies of the data.

There is one missing piece, though (well, not really a missing piece): interoperability. The formats of DRM-protected information differ widely from vendor to vendor, and there are three big players again: Microsoft, Adobe and Apple. It will be interesting to see how the battle between the two latter in particular will affect how the protection formats evolve.

And as with other battles for standardization, there will be room for companies to use this missing interoperability for developing tools helping with that. I'd be curious about who will take on that challenge…


  • Peter Abatan

    Interesting post Sachar. However I am not sure how you came to the conclusion that Microsoft, Adobe and Apple are the big players in the Enterprise DRM marketplace. Will you still consider Oracle, EMC, Seclore and Fasoo as small players? Apple may be a major player in the DRM space, but definitely not in the Enterprise DRM space.

    Regarding interoperability, while many agree there is a need for it, it is a big ask that may require all ERM vendors to develop programming interfaces for this to happen. As you said it will be interesting to see how this develops.

  • Sachar Paulus

    Well, actually, those companies that offer ERM / E-DRM "on top" of applications will not play a significant role in that battle, therefore I did not mention them. I believe that the only ones that can make that happen are those that already are "in" the market, by providing technology that is equipped with DRM technology, or can be simply "switched on".
    And regarding E-DRM vs. DRM: the content will not make the difference. More and more content types will integrate with each other (documents with videos in it etc.), so that players that are successful in either of the spaces will play a significant role. And Apple is a successful player in that market: not only Music, but also Films, and, very interestingly when it comes to content delivery, apps.

  • Peter Abatan

    I completely disagree with your viewpoint because if you have been following the market trends there has been a sustained effort to separate DRM from e-DRM so content does make a big difference. It will be good if you can justify your claim that those companies that offer ERM / E-DRM "on top" of applications will not play a significant role in that battle. Even if you stand by this comment have you not contradicted yourself by leaving EMC and Oracle out?

    At the moment I cannot see any convergence between DRM and e-DRM to which you claim. Please can you point me in the direction that Apple is involved with e-DRM when it comes to content delivery as I am not aware that it is involved in this area yet?

  • Sachar Paulus

    Ok, fair. But my perception is that the separation of DRM and e-DRM started approx. 10 years ago, but the massive integration of content down the road (e.g. E-Mail-Videos and things like these) will create a need to integrate them back again.
    I believe DRM companies will suffer the same destiny that PKI vendors went through in the last 15 years (and I know that, I was once part of the story…): the technology will be used "under" the water level, and by the major players managing systems and information. The only market piece that is left for PKI expert companies is the key management for specific purposes. That is why I think this will happen.
    I don't think that EMC and Oracle will play a significant role here, because their footprint with user interfaces managing information is relatively small. And you need user interaction for the e-DRM-Standardization to fly. But I agree in that respect that for the business applications infrastructure Oracle, SAP, EMC need to be on the table, too.
    I think the most valuable e-DRM application (with most potential for the future) is the iTunes Store, esp. for selling Apps to the iPhone, iPad etc. The software is protected by DRM technology, and can be installed only on devices associated accordingly.

  • Peter Abatan

    Sachar, enterprise rights management is all about protecting content not applications, therefore I would not classify what Apple does with their apps as e-DRM. On the other issues raised, it will be interesting to see what other readers of this post will say.

  • Sachar Paulus

    Peter, I know what enterprise rights management is. But this is a blog here with my personal view on how things might evolve, not a thorough market analysis. I am not talking about major players in the e-DRM space, but about how this whole technology might evolve over the next 5-10 years. This is something different.

    But regarding apps and content: I disagree. Have a look into the app store, many books, pictures etc. (so, content) are delivered as an app. So is it content or an application? My point is that I believe the separation between those will blur over time.

  • Sachar Paulus

    Maybe related to this discussion an interesting reading:
    http://www.future-internet.eu/fileadmin/documents

  • Simon Thorpe

    Interesting comments. DRM and IRM are similar in nature, but have typically addressed very different requirements for protecting content. My comments on the differences are here. http://blogs.oracle.com/irm/2009/10/irm_erm_edrm_

    Rights management in general, both DRM and IRM, are good extensions to existing security of business information when it lives in the cloud. A current problem with the cloud is the obvious cost savings of someone else running the servers, managing system upgrades etc. But the big downside of not having control over the security of that information. Once IRM has secured the data, you can allow the cloud to manage the data, but you own the keys to manage the access to the data.

    So key to this solution is a model which allows the business to control the security, whilst the cloud manages storage, networks etc. Whatever solution is used MUST also support the constant change of business roles and policy. For example, someone secures an engineering research document with IRM and stores it in the cloud. Then let's say the engineer leaves the company… who owns the file? Who can take ownership? This is where DRM fails… both IRM and DRM use cryptography and a rights model, but IRM focuses on the use cases which separate rights information from the information itself. DRM classically doesn't do this.

    The leading technologies that could really solve the issue of protecting documents, rich media (video, images, music) and emails in the cloud come from Oracle, Microsoft and EMC via IRM solutions. Will these models start to integrate with DRM technologies to provide a wider array of security across more formats, more devices and also applications? It is likely… but this is a space which will be led from IRM not DRM.

    Would Apple design and sell a DRM solution to a company to secure their intellectual property, engineering data, HR information, financial documents? Unlikely… Do Oracle, who sell the leading business application software, running on the industry leading middleware platforms, secured by the industry leading security software… integrate and deliver a solution for ensuring a business has total control over its information even beyond their enterprise perimeters and into the cloud?

    They already do…

    DRM is, and always has been, consumer focused. So there may well be DRM in the cloud solutions, but they will not work well for the business. IRM is business focused and already is securing business data that exists beyond the traditional enterprise networks…

  • Simon Thorpe

    I should also comment on application versus content rights. Application rights split into two areas. Who can access the application and who can install/deploy it. Application access is already well matured with a range of identity and access management technologies with which readers of this blog will be very familiar. Application deployment/install or rather, distribution, is what you are saying DRM is helping solve. I would agree that DRM works very well for this scenario because you are typically allowing the distribution of an application to a single user. The games industry has many solutions for rights control to their games… Apple has a successful rights model for the purchase and distribution of iPhone and iPad applications. However this model doesn't translate well to documents and rich media. DRM has been successful in securing access to videos and music because this is a model which has similarity to the application DRM model. A model which has a single user with rights to a video, song or say a finance report in PDF form.

    Where this model breaks is when the content (a video, email, spreadsheet, etc) is being used in a highly collaborative environment or where the rights to the content changes and crosses many boundaries/domains. IRM allows you to secure information by simply classifying it. The rights are totally separate on a server which can be changed at any time. A customer list spreadsheet could be stored in the cloud, a thousand sales people have access to it. After 6 months, 1/2 that sales force leaves the company and we hire more… access changes on the IRM server… but the same document resides in the cloud. The rights change, the document doesn't. This is a core difference between IRM and DRM.

    So I disagree that the iTunes store is the next big eDRM/IRM application. The iTunes store is ALREADY a successful DRM solution. But from the perspective of storing your sensitive information in the cloud, IRM is currently solving that problem and leading the way.
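
A minimal sketch of the "rights change, the document doesn't" model described in the comment above, added here as an illustration; it is not Oracle IRM code and not part of any commenter's post. `RightsServer`, `seal`, `open_sealed` and the sample customer list are hypothetical names and constructed data, and the SHA-256 keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, secrets

class RightsServer:
    """Hypothetical rights server run by the business, not by the cloud provider."""
    def __init__(self):
        self._keys, self._members = {}, {}

    def set_members(self, label, members):
        # Creating or changing rights only touches server state, never a document.
        self._keys.setdefault(label, secrets.token_bytes(32))
        self._members[label] = set(members)

    def release_key(self, label, user):
        if user not in self._members.get(label, set()):
            raise PermissionError(f"{user} has no rights to classification {label!r}")
        return self._keys[label]

def _subkey(key, purpose):
    return hmac.new(key, purpose, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # SHA-256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def _tag(key, label, nonce, body):
    return hmac.new(_subkey(key, b"mac"), label.encode() + nonce + body, hashlib.sha256).digest()

def seal(server, user, label, plaintext):
    key = server.release_key(label, user)
    nonce = secrets.token_bytes(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    # The sealed file carries only the classification label, no user list.
    return {"label": label, "nonce": nonce, "body": body, "tag": _tag(key, label, nonce, body)}

def open_sealed(server, user, sealed):
    key = server.release_key(sealed["label"], user)  # rights are checked at open time
    expected = _tag(key, sealed["label"], sealed["nonce"], sealed["body"])
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("sealed document was modified")
    return _xor_stream(_subkey(key, b"enc"), sealed["nonce"], sealed["body"])

def staff_turnover_demo():
    server = RightsServer()
    server.set_members("sales-customer-list", {"alice", "bob"})
    cloud_copy = seal(server, "alice", "sales-customer-list", b"ACME Corp;Globex;Initech")
    before = dict(cloud_copy)
    server.set_members("sales-customer-list", {"alice", "carol"})  # bob leaves, carol joins
    try:
        open_sealed(server, "bob", cloud_copy)
        bob_denied = False
    except PermissionError:
        bob_denied = True
    return open_sealed(server, "carol", cloud_copy), bob_denied, cloud_copy == before
```

The cloud only ever holds `cloud_copy`; the membership change happens entirely on the rights server, which is why a user who joins later can open a file sealed before they arrived.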

  • Simon Thorpe

    One more comment! Oracle IRM already supports images (gif, jpeg and png) as well as HTML. Therefore giving you the ability to protect information *IN* the application. It doesn't need to be in a PDF or a Word document, Oracle IRM can protect the web application interface AND it can protect this content in real time. We have had solutions designed that proxy web content to an IRM server, secure it in real time, then deliver to the browser. Take a look at this video which shows a sample banking application with certain parts of the application interface protected with Oracle IRM…
    http://www.youtube.com/oracleirm#p/u/14/yOEnrk_sj

  • Sachar Paulus

    Simon, thank you very much for this very interesting contribution. I'd be happy to have a closer look at the Oracle solution, this sounds really compelling to me (I've looked at the video). How many applications of Oracle are using that (in %)? That would be interesting to know…

    But bear in mind, most of the IT innovations came through consumer apps (e.g. Banking), so I hope that Oracle will be successful with these types of applications…

  • Simon Thorpe

    Sachar

    Thanks for the response. You'll find a lot of in-depth information on the technology on the Oracle IRM blog, http://blogs.oracle.com/irm/. The quick guide takes you through the process of installing and piloting an IRM solution. You'll also find the following articles give a good background on the technology. If you really want to get your hands dirty, please contact me and I can arrange for an evaluation of the technology. We have prebuilt VMs which require only a hostname and IP address and you are ready to secure some documents.

    Oracle IRM allowing the business to balance security, usability and manageability for document security. http://blogs.oracle.com/irm/2009/11/the_importanc

    Oracle IRM and the evolution of "information-centric" security http://blogs.oracle.com/irm/2009/11/oracle_irm_an

    Oracle IRM contexts, a smart way to implement your corporate classification policies http://blogs.oracle.com/irm/2009/10/oracle_irm_co

    With regards to applications, we have already released one integration with the Oracle Beehive 2.0 collaboration suite. We have customers who have integrated IRM into SharePoint, SAP, Oracle applications and we are currently working with the leading DLP vendors to create synergy between IRM and DLP solutions.

    The future of Oracle IRM is that it will be the document security solution for protecting sensitive content available for export from all the Oracle applications. As one CIO said in a meeting, "I understand the need to have centralized and strong security to my applications to ensure as employees leave they no longer have access. However a greater risk and fear is how to control access to the hundreds of documents they've already copied to their external drives and DVDs"

  • Simon Thorpe

    Sachar

    After reading your post I see you were asking about Oracle technologies that actually protect the interface (HTML, images) itself. We've not yet created this sort of protection in the product mainly because the biggest risks right now are documents and in general, application access controls are adequate. We have built some very nice technology demonstrators which redirect entire application web based UIs via an Oracle IRM proxy which simply seals, in real time, all the traffic and sends onto the client.

  • Vishal Gupta

    I had blogged on this topic quite some time back on the (now defunct) blog here ..

    http://edrm.blogspot.com/2008/02/hiccups-in-consu

    Frankly I think the DRM and IRM markets are unlikely to converge.

    The DRM market will, in my opinion, be dominated by "player" providers where they build in the rights management capabilities within the app itself like what iTunes does or Windows player or Kindle.

    The IRM market will be dominated by exactly the opposite profile i.e. cross-application rights management providers who give enterprises the freedom to choose their IT infrastructure and make sure that rights management can be an underlying infrastructure powering data within desktop, mobile devices, applications, …

  • Vishal Gupta

    On another note I think one of the most important things which will define the IRM market specifically will be, how application agnostic is the IRM system. Approaches which rely on application specific plugins will run into problems as the matrix of applications, OS, versions etc. just explodes.

    I had a chat with Martin Kuppinger on this some months ago and he has also blogged on the topic here ..

    http://blogs.kuppingercole.com/kuppinger/2009/10/

    Cheers,

    Vishal

  • Monika Maidl

    I can see a nice use case for IRM/ERM when applying IRM protection to documents stored in the cloud, either applying a "Company A only" type of protection, or collaborating with a well-defined group of people.

    However, this only works for documents that are processed by "classical" desktop applications.

    What about SaaS, where data are not processed locally, but everything is done in the cloud – e.g. with Google Apps or similar? If access control of the SaaS service is reliable (and manageable), in such a scenario one can collaborate without having to worry about uncontrolled dissemination. But I do not see how to use ERM/IRM to control the cloud service provider in that scenario. (Maybe SaaS is just not the way to go for critical company data…)

  • Simon Thorpe

    I just learned of a partner who are using Oracle IRM as part of a "cloud" service to protect their online mergers and acquisitions solution.
    http://blogs.oracle.com/irm/2010/07/lafarge_secur

    This is an excellent example of IRM being used in a cloud environment.

© 2014 Sachar Paulus, KuppingerCole