My last blog on the future necessities to really, really secure applications in the cloud was heavily discussed, which I think is a good sign, obviously there is something to discuss…
But let’s get a bit more down to the real problems. Of course, DRM is not the same thing as ERM (let me stick to ERM for the time being), and most of the companies having integrated DRM technology into their content offering have absolutely no clue about the potential complexity of access rights one might need in a company context – just look at the average number of enterprise roles for a medium-sized company. BUT: they are successful for two reasons:
a) they are simplifying the processes and interfaces to the user as much as they can, and
b) they use one specific business process.
Maybe it is just the too-generic approach of most ERM offerings that is the reason for their relatively low usage. Some companies that actually start to “profile” specific ERM usages along the line of certain business processes in verticals (Adobe, Oracle to some extend what I have seen) may have understood this. So again, content context is key for leveraging ERM technology.
But the real hard problem is of course: how will we deal with protected digital documents (including XML “records”) across company boundaries? The myth of being in the center of everything by providing a proprietary format – and thus forcing the users to accept one specific solution – will not work as soon as processes cross multiple companies, just look back at PKI… So there is need for interoperability and standards.
But who will take the lead here? The content providers? Actually, I could imagine a future where a BI-report (sales pipeline e.g., real-time, once a day) is no longer protected by deep complex authorization objects in ERP / BI-report, but, the report is generated as a piece of content (maybe including video) and equipped with consumer-like protection (“this copy is for you, and you can send it to 3 friends…”). Sounds weird, but actually it is not that far from real: it may be simpler to do it that way than to map the complex ERP authorizations and roles via federated identity management and integrated, interoperable ERM to ERM-”authorizations” and to contact Access Decision Servers using standardized formats…
Don’t get me wrong, the “BI as Content Blob” protection concept is far from ideal, and the other mechanism would be the “real” solution… But to avoid such a situation (and I am sure such a model would find vast acceptance, except by the security responsibles ), we need the major players to come together to address the following issues:
1) What needs to be standardized, exactly? Document formats? Authorization semantics? Exchange protocols? Policy mapping? Communication protocols with Access Decision Servers?
2) Who can contribute what? And from where to start? Simple solutions first to get things going, or doing it right from the beginning? Would that be a similar initiative like Liberty Alliance, or more a standardization effort like WS-*?
3) How to integrate the structured with this unstructured world? There are first attempts, but only based on bilateral integrations, without any standardization thinking (back at SAP, I drove this to some point, but only now first results can be seen…).
So the topic is much more difficult in reality than one might think. It is NOT solving the problem to use one of the ERM vendors. That would only solve local issues, and thereby produce others…