Cloud Security = IDM+ERM, BUT: who will drive it is the real question!

29.06.2010 by Sachar Paulus

My last blog post, on what will really be needed to secure applications in the cloud, was heavily discussed, which I think is a good sign: obviously there is something to discuss…

But let’s get down to the real problems. Of course, DRM is not the same thing as ERM (let me stick to ERM for the time being), and most of the companies that have integrated DRM technology into their content offerings have absolutely no clue about the potential complexity of access rights one might need in a company context – just look at the average number of enterprise roles in a medium-sized company. BUT: they are successful for two reasons:

a) they are simplifying the processes and interfaces to the user as much as they can, and

b) they use one specific business process.

Maybe it is just the too-generic approach of most ERM offerings that is the reason for their relatively low usage. Some companies that actually start to “profile” specific ERM usages along the lines of certain business processes in verticals (Adobe, and Oracle to some extent, from what I have seen) may have understood this. So again, content context is key for leveraging ERM technology.

But the really hard problem is of course: how will we deal with protected digital documents (including XML “records”) across company boundaries? The myth of being at the center of everything by providing a proprietary format – and thus forcing the users to accept one specific solution – will not work as soon as processes cross multiple companies; just look back at PKI… So there is a need for interoperability and standards.

But who will take the lead here? The content providers? Actually, I could imagine a future where a BI report (e.g. a sales pipeline, whether real-time or refreshed once a day) is no longer protected by deep, complex authorization objects in the ERP or BI system; instead, the report is generated as a piece of content (maybe including video) and equipped with consumer-like protection (“this copy is for you, and you can send it to 3 friends…”). Sounds weird, but actually it is not that far from reality: it may be simpler to do it that way than to map the complex ERP authorizations and roles via federated identity management and integrated, interoperable ERM to ERM “authorizations” and to contact Access Decision Servers using standardized formats…

Don’t get me wrong, the “BI as Content Blob” protection concept is far from ideal, and the other mechanism would be the “real” solution… But to avoid such a situation (and I am sure such a model would find vast acceptance, except among those responsible for security ;) ), we need the major players to come together to address the following issues:

1) What needs to be standardized, exactly? Document formats? Authorization semantics? Exchange protocols? Policy mapping? Communication protocols with Access Decision Servers?

2) Who can contribute what? And where to start? Simple solutions first to get things going, or doing it right from the beginning? Would that be an initiative similar to the Liberty Alliance, or more of a standardization effort like WS-*?

3) How do we integrate the structured world with this unstructured one? There are first attempts, but only based on bilateral integrations, without any thought of standardization (back at SAP, I drove this to some point, but only now can the first results be seen…).

So the topic is much more difficult in reality than one might think. Using one of the ERM vendors does NOT solve the problem. That would only solve local issues, and thereby produce others…


  • Simon Thorpe

    Interesting follow-up post. I think there are some vendors taking the lead in this space. Firstly, with respect to Oracle and the approach to ERM (we call it IRM), IDM and applications that generate content, we have many things in the pipeline. I can't say a great deal in a public article, but the Oracle IRM document security technology is going to underpin the security of content exported from applications such as EBusiness Suite, PeopleSoft, JD Edwards, Oracle BI, etc. In fact today, with some consulting, this is already possible to quite a good degree.

    Oracle IRM from an IDM perspective is seen as a way to extend the access perimeters. It allows for the same authorization and authentication controls to an application to apply to content that is exported and distributed beyond both the application and classic enterprise network perimeters.

    What is key to IDM and IRM being integrated is that IDM typically hosts the policy and process around who gets access to what. This means that IRM simply becomes the document control and cryptography service: it simply asks another technology what a user can do and then enforces the response. Currently in all IRM/ERM technologies, the classification model is IN the technology. With the latest 11g release of Oracle IRM this classification model can be driven from anything. A good example is Oracle Beehive 2.0, which has an out-of-the-box Oracle IRM integration. This means that the classification, or more specifically the rights model, in Beehive dictates who can access what. So when you open a Beehive IRM-protected document, the request goes to the IRM server, which in turn talks to Beehive to get an answer as to whether the user can open, print or edit the content.

    There is definitely opportunity here for the introduction of a standard for this exchange of authorization requests. Oracle IRM already uses standard protocols for the authentication of the end user to a piece of content and with the new architecture in Oracle IRM 11g, the future is ready for the standardization of the authorization of access to content.

    With regards to document format standardization, this is ideal, but more long term. Vendors already use standards for the cryptography involved in securing these documents, but each ERM/IRM vendor has different ways in which the format is put together. Oracle IRM is in good shape here because our document format is quite simple. It consists mostly of the encrypted source document and an XML header which defines the classification details, and then the whole file is digitally signed. It isn't a complex format and could easily be written into a standard.

    Who can contribute what? Well, Oracle is already doing a lot of this work building solutions for customers who are driving the need to be more open, support more formats and platforms and have out-of-the-box integrations with industry applications. Obviously all this work is internal to Oracle and maybe the future is working with groups like OASIS (which I know Oracle already has a strong relationship with).

    How to integrate the structured and unstructured world is a fascinating question. I spoke with a CTO of New York City a few years ago and he mentioned the need for a centralized system that contained the policies that would apply to both structured and unstructured data. When Oracle acquired BEA we took on WebLogic and the Entitlements server, two very key pieces of technology in having a central location for dictating policy and entitlements across a wide platform of services and over the coming years we will see Oracle embed a lot of this technology into the application server layer so that it is easy to have a single, central technology maintaining policy and classification with all systems referring to it.

    So I think from an Oracle point of view, many of the items you bring up are things on the road maps of many technologies that will ultimately lead to the ability to secure access to information both in the cloud, on the desktop and on your mobile device and do this in a manner that is well integrated and open.
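The container layout and the externalized rights decision described in Simon's comment (an XML header with classification details, the encrypted source document, an integrity check over the whole file, and a document service that asks a separate rights model whether a user may open, print or edit) can be modelled in a few dozen lines. The code below is an added example written for this page; it is not Oracle IRM or Beehive code and does not reflect their actual formats. To keep it standard-library only, an HMAC-SHA256 keystream in counter mode stands in for a real cipher such as AES-GCM, and an HMAC tag stands in for the server's digital signature; the keys, the `RightsService` class and the container framing are all constructed assumptions.

```python
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# Constructed keys for the example only; a real system derives a per-document
# content key and holds the signing key on the server, never in source.
CONTENT_KEY = hashlib.sha256(b"example-content-key").digest()
SERVER_MAC_KEY = hashlib.sha256(b"example-server-mac-key").digest()
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher used here as a
    stand-in for AES-GCM so that the example needs no third-party package."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(document, doc_id, classification, nonce):
    """Build the container: [len][XML header][len][ciphertext][tag].
    The header carries only classification metadata, not the rights themselves;
    the tag covers header and ciphertext together, so the classification cannot
    be swapped without invalidating the file."""
    root = ET.Element("irm")
    ET.SubElement(root, "document", id=doc_id)
    ET.SubElement(root, "classification").text = classification
    ET.SubElement(root, "nonce").text = nonce.hex()
    header = ET.tostring(root)
    ciphertext = _xor(document, _keystream(CONTENT_KEY, nonce, len(document)))
    body = (struct.pack(">I", len(header)) + header
            + struct.pack(">I", len(ciphertext)) + ciphertext)
    tag = hmac.new(SERVER_MAC_KEY, body, hashlib.sha256).digest()
    return body + tag


def parse(container):
    """Verify the tag over the whole file before touching any field, then
    return (header dict, ciphertext). Raises ValueError on tampering."""
    body, tag = container[:-TAG_LEN], container[-TAG_LEN:]
    expected = hmac.new(SERVER_MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("container integrity check failed")
    hlen = struct.unpack(">I", body[:4])[0]
    header_xml = body[4:4 + hlen]
    clen = struct.unpack(">I", body[4 + hlen:8 + hlen])[0]
    ciphertext = body[8 + hlen:8 + hlen + clen]
    root = ET.fromstring(header_xml)
    header = {
        "doc_id": root.find("document").get("id"),
        "classification": root.find("classification").text,
        "nonce": bytes.fromhex(root.find("nonce").text),
    }
    return header, ciphertext


class RightsService:
    """Stand-in for the external rights model (a collaboration system, an IDM
    policy store, an Access Decision Server). The classification model lives
    here, outside the document service, which only enforces the answer."""

    def __init__(self, grants):
        # grants: {classification: {user: {"open", "print", "edit", ...}}}
        self._grants = grants

    def decide(self, user, classification, action):
        return action in self._grants.get(classification, {}).get(user, set())


def authorize(container, user, action, service):
    """The document service's question: may this user perform this action?"""
    header, _ = parse(container)
    return service.decide(user, header["classification"], action)


def open_document(container, user, service):
    """Decrypt only after the external service has granted 'open'."""
    header, ciphertext = parse(container)
    if not service.decide(user, header["classification"], "open"):
        raise PermissionError("%s may not open %s" % (user, header["doc_id"]))
    return _xor(ciphertext, _keystream(CONTENT_KEY, header["nonce"], len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample: a BI report classified "Sales Pipeline".
    service = RightsService({"Sales Pipeline": {"alice": {"open", "print", "edit"},
                                                "bob": {"open"}}})
    blob = seal(b"Q2 pipeline: 42 opportunities", "bi-report-42",
                "Sales Pipeline", bytes(range(16)))
    print(open_document(blob, "alice", service))
    print("bob may print:", authorize(blob, "bob", "print", service))
```

The point of the split is the one the comment makes: the document service never holds the who-may-do-what table, so a changed rights model in the external system takes effect the next time a document is opened, without re-sealing anything. Verifying the whole-file tag before reading the header is what stops a recipient from relabelling a document into a more permissive classification.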

  • Mark Dixon

    Hello Sachar:

    Just to add a couple of thoughts to what my colleague Simon had to say …

    If we take a holistic view of data security either in the enterprise or only within the context of the cloud, we need to protect data all the way from "silicon to the desktop," as I like to say. IAM has the role of administering, provisioning, enforcing and auditing user access rights while data is online, while provisioning and monitoring IRM to extend protection beyond the online system, with rights still being maintained in harmony with the online system. Oracle provides those essential components (IAM and IRM), plus a full suite of Database Security products to protect data at rest and in transit, plus security at the operating system level (e.g. Trusted Solaris) to extend essential security protections right down to bare metal.

    I don't know who will drive the market, but we certainly intend to be part of the race. It will be a fun ride!


© 2015 Sachar Paulus, KuppingerCole