The wrongs of enterprise rights management

22Mar08

This isn’t a post about consumer DRM, which I think has been covered well enough before by Cory and others (though some of the Bob=Carol issues still apply). Enterprises have a load of stuff that they need to (or are obliged to) protect. This is a post about the issues that I see with entitlements enforcement products using encryption that pitch themselves at enterprise use cases:

  1. Identity Management Integration. Most stuff will happily integrate with the usual directories, but this isn’t enough in a world is flat enterprise. What about customers, suppliers, offshore development centres, outsourced workers – are these people really going to find their way to the directory? Some try to deal with this using PKI, but that just brings the onset of another pain with key distribution. If PKI really worked as advertised a decade ago then we’d all be quite accustomed to working with key selectors, and we’d all have a bunch of private keys to fuss over; but we aren’t and we don’t. Information cards do a great job of hiding the complexity of PKI, and when the identity metasystem becomes more ubiquitous I’m sure that it will help with this problem. Until then I hand victory to the identity based encryption (IBE) guys. This is a solved problem, just not yet ubiquitously.
  2. Client Integration. ‘If you want to do business with me then please just install this plugin’. This is an unreasonable request for business partners, doubly so for customers. This problem only gets solved by standards. Initially it will be the de facto standards of the most popuilar client software providers, but ultimately it must be open standards that support user choice.
  3. Content classification. Enforcement depends on policy, and to write a meaningful policy one must understand the assets that the policy refers to. Manual classification of information assets can (painfully) be made to work in a small silo, but to make anything to scale to an enterprise it needs to be highly automated. To succeed at automating this process means dealing with the multiple dimensions of content (search), specific regulatory requirements (which can often be dealt with by regex), internal taxonomies (e.g. URI stubs), who actually creates and uses stuff (something that I’ve heard called ‘identity for data’, or ‘chain of custody’) etc. Most of what I’ve seen attempts to do a few of these things, but I’ve not yet seen a complete solution to this multi-dimensional problem.
  4. Reinventing entitlements services. This probably isn’t a fair point (in 2008), and is a recent addition to this list that I’ve been carrying around in my head for some time. I think it will however become more important as entitlements services emerge to become ‘directories 2.0’ (which is probably a worthwhile topic for an entirely different blog post). The point is that roles and policies should really not need to be defined separately for each enforcement point, and at the end of the day ERM is just another policy enforcement point (PEP) – so it would be great to see something that could make use of existing policy administration infrastructure.

Of course ERM is just one means of dealing with the broader anti-data leakage (ADL) / data leakage prevention (DLP) problem, though I feel that most of the points above apply equally to ADL/DLP products.



8 Responses to “The wrongs of enterprise rights management”

  1. Identity management : I think we are all going to end up going back to “public” providers of identity i.e. Open ID and Verisign. Verisign’s PIP is a great service I believe and might be the future of identity management anyways !! Integration of the extended value chain into ERM systems is happening provided there is one “daddy” in the chain who is pushing it down everyone’s throat and my guess is that it is going to continue for some time. The technologies however will be the same old AD/LDAP :-(

    Client Integration : No solution except for standardization ..

    Content classification : I have seen an extremely simple yet effective solution to the problem .. the solution is instead of everyone trying to figure out which policy to apply for the rights to be applied to specific folders within a file server or a document management system. The file servers / DMS already provide the required access control mechanisms and by a one to one association with the folder a specific policy can be applied without the end user really knowing about the details. Educating end users on which documents to place in each folder is by itself not an easy task but its a challenge that the enterprise has to live with anyways !!

    I am not sure I understand what you mean by the “entitlement services” bullet so …

    Check out the following blog on this topic …

    http://www.edrm.blogspot.com/

    I have not been posting for the last few weeks but intend to keep it updated often going forward ..

    Vishal

  2. 2 Chris Swan

    Thanks for the comment Vishal.

    I’m not sure that I agree with the “daddy” concept. This might work fine in a tightly integrated static value chain, the whole point of my reference to ‘The World is Flat’ is that value chains are becoming more dynamic (and global). If user provisioning becomes a precursor activity to doing business (with anybody) then I think that quickly becomes a problem. That’s why I lean towards something that can be self service and uses a global namespace (and OpenID ticks that box, but has a bunch of weaknesses of its own).

    Once you accept that there’s a need for a global IDM namespace (rather than one scoped by an enterprise directory) then you can’t just use file system ACLs for classification purposes. I think the heart of this problem is that we’ve often thought about content solely in the context of how it’s used within the enterprise electronic border (e.g. inside the firewall). As that border is forced to become more permeable (and reperimiterized around key data centre assets) then that forces a rethink about who outside the organisation has a need to use (and various regulatory things also force more serious consideration of who inside the organisation does not).

    Hopefully my forthcoming post on entitlements services will clear up the last point. I’ll try to get it out this week.

  3. Hi Chris,

    Agree with you completely !! I would however like to know your views on the weaknesses of OpenID like systems.

    My ideal world scenario is a flexible identity management system which will maintain individual identities as a common, Open ID like system but also allow for linking these to enterprise identity management systems on need. Reminds me of my bank account which gets linked as a salary account to different companies based on the place that I work ..

    For documents, the ideal would be a web based document management system which uses Open ID for identity management and IRM for rights management based on identities. What say ??

    Vishal
    [email protected]

  4. 4 Chris Swan

    Vishal, I think interesting things can potentially happen when an OpenID (as an alternative to an email address) might be used as the sting for IBE.

    The weaknesses I refer to are documented at https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-07-tsyrklevich-WP.pdf. Frankly none of them are showstoppers, and you can tick off a some by mashing up with information cards.


  1. 1 Directories 2.0 - entitlements services « Chris Swan’s Weblog
  2. 2 Plausible Deniability » The ERM and Data Loss Debate. About $0.66 of 451’s 2¢
  3. 3 Plausible Deniability » Identity, Shmidentity
  4. 4 Pareto and the security industry « Capital SCF

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: