Comments on: The wrongs of enterprise rights management http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/ IT mixology and other thoughts about tech, life the universe and everything Mon, 21 Dec 2009 18:40:07 +0000 http://wordpress.com/ hourly 1 By: Pareto and the security industry « Capital SCF http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-275 Pareto and the security industry « Capital SCF Tue, 28 Jul 2009 10:31:12 +0000 http://thestateofme.wordpress.com/?p=18#comment-275 [...] data suffers the same (or worse) than enterprise rights management (ERM) in that it’s not fit for purpose. The other trouble is that controls over unstructured data as it moves around web, email and file [...] [...] data suffers the same (or worse) than enterprise rights management (ERM) in that it’s not fit for purpose. The other trouble is that controls over unstructured data as it moves around web, email and file [...]

]]> By: Plausible Deniability » Identity, Shmidentity http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-54 Plausible Deniability » Identity, Shmidentity Thu, 03 Apr 2008 15:21:51 +0000 http://thestateofme.wordpress.com/?p=18#comment-54 [...] iceberg in terms of communicating the semantics of these identities across domains - although as Chris Swan notes the mechanism for cross-domain authentication exists. The realization that user identities are some [...] [...] iceberg in terms of communicating the semantics of these identities across domains – although as Chris Swan notes the mechanism for cross-domain authentication exists. The realization that user identities are some [...]

]]> By: Chris Swan http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-52 Chris Swan Wed, 02 Apr 2008 18:08:33 +0000 http://thestateofme.wordpress.com/?p=18#comment-52 Vishal, I think interesting things can potentially happen when an OpenID (as an alternative to an email address) might be used as the sting for IBE. The weaknesses I refer to are documented at https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-07-tsyrklevich-WP.pdf. Frankly none of them are showstoppers, and you can tick off a some by mashing up with information cards. Vishal, I think interesting things can potentially happen when an OpenID (as an alternative to an email address) might be used as the sting for IBE.

The weaknesses I refer to are documented at https://www.blackhat.com/presentations/bh-usa-07/Tsyrklevich/Whitepaper/bh-usa-07-tsyrklevich-WP.pdf. Frankly none of them are showstoppers, and you can tick off a some by mashing up with information cards.

]]> By: Vishal http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-51 Vishal Tue, 01 Apr 2008 14:36:55 +0000 http://thestateofme.wordpress.com/?p=18#comment-51 Hi Chris, Agree with you completely !! I would however like to know your views on the weaknesses of OpenID like systems. My ideal world scenario is a flexible identity management system which will maintain individual identities as a common, Open ID like system but also allow for linking these to enterprise identity management systems on need. Reminds me of my bank account which gets linked as a salary account to different companies based on the place that I work .. For documents, the ideal would be a web based document management system which uses Open ID for identity management and IRM for rights management based on identities. What say ?? Vishal gupta_vish@yahoo.com Hi Chris,

Agree with you completely !! I would however like to know your views on the weaknesses of OpenID like systems.

My ideal world scenario is a flexible identity management system which will maintain individual identities as a common, Open ID like system but also allow for linking these to enterprise identity management systems on need. Reminds me of my bank account which gets linked as a salary account to different companies based on the place that I work ..

For documents, the ideal would be a web based document management system which uses Open ID for identity management and IRM for rights management based on identities. What say ??

Vishal
gupta_vish@yahoo.com

]]> By: Plausible Deniability » The ERM and Data Loss Debate. About $0.66 of 451’s 2¢ http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-50 Plausible Deniability » The ERM and Data Loss Debate. About $0.66 of 451’s 2¢ Mon, 31 Mar 2008 21:34:27 +0000 http://thestateofme.wordpress.com/?p=18#comment-50 [...] Swan makes a few great points in his blog post of 22 March. His post brings up a number of things that we are thinking about, and I will let my colleagues [...] [...] Swan makes a few great points in his blog post of 22 March. His post brings up a number of things that we are thinking about, and I will let my colleagues [...]

]]> By: Directories 2.0 - entitlements services « Chris Swan’s Weblog http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-39 Directories 2.0 - entitlements services « Chris Swan’s Weblog Tue, 25 Mar 2008 18:18:51 +0000 http://thestateofme.wordpress.com/?p=18#comment-39 [...] Directories 2.0 - entitlements services 25Mar08 I promised a more detailed post about this in my previous one about ERM. [...] [...] Directories 2.0 – entitlements services 25Mar08 I promised a more detailed post about this in my previous one about ERM. [...]

]]> By: Chris Swan http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-38 Chris Swan Mon, 24 Mar 2008 07:45:21 +0000 http://thestateofme.wordpress.com/?p=18#comment-38 Thanks for the comment Vishal. I'm not sure that I agree with the "daddy" concept. This might work fine in a tightly integrated static value chain, the whole point of my reference to 'The World is Flat' is that value chains are becoming more dynamic (and global). If user provisioning becomes a precursor activity to doing business (with anybody) then I think that quickly becomes a problem. That's why I lean towards something that can be self service and uses a global namespace (and OpenID ticks that box, but has a bunch of weaknesses of its own). Once you accept that there's a need for a global IDM namespace (rather than one scoped by an enterprise directory) then you can't just use file system ACLs for classification purposes. I think the heart of this problem is that we've often thought about content solely in the context of how it's used within the enterprise electronic border (e.g. inside the firewall). As that border is forced to become more permeable (and reperimiterized around key data centre assets) then that forces a rethink about who outside the organisation has a need to use (and various regulatory things also force more serious consideration of who inside the organisation does not). Hopefully my forthcoming post on entitlements services will clear up the last point. I'll try to get it out this week. Thanks for the comment Vishal.

I’m not sure that I agree with the “daddy” concept. This might work fine in a tightly integrated static value chain, the whole point of my reference to ‘The World is Flat’ is that value chains are becoming more dynamic (and global). If user provisioning becomes a precursor activity to doing business (with anybody) then I think that quickly becomes a problem. That’s why I lean towards something that can be self service and uses a global namespace (and OpenID ticks that box, but has a bunch of weaknesses of its own).

Once you accept that there’s a need for a global IDM namespace (rather than one scoped by an enterprise directory) then you can’t just use file system ACLs for classification purposes. I think the heart of this problem is that we’ve often thought about content solely in the context of how it’s used within the enterprise electronic border (e.g. inside the firewall). As that border is forced to become more permeable (and reperimiterized around key data centre assets) then that forces a rethink about who outside the organisation has a need to use (and various regulatory things also force more serious consideration of who inside the organisation does not).

Hopefully my forthcoming post on entitlements services will clear up the last point. I’ll try to get it out this week.

]]> By: Vishal http://blog.thestateofme.com/2008/03/22/the-wrongs-of-enterprise-rights-management/#comment-37 Vishal Mon, 24 Mar 2008 05:26:37 +0000 http://thestateofme.wordpress.com/?p=18#comment-37 Identity management : I think we are all going to end up going back to "public" providers of identity i.e. Open ID and Verisign. Verisign's PIP is a great service I believe and might be the future of identity management anyways !! Integration of the extended value chain into ERM systems is happening provided there is one "daddy" in the chain who is pushing it down everyone's throat and my guess is that it is going to continue for some time. The technologies however will be the same old AD/LDAP :-( Client Integration : No solution except for standardization .. Content classification : I have seen an extremely simple yet effective solution to the problem .. the solution is instead of everyone trying to figure out which policy to apply for the rights to be applied to specific folders within a file server or a document management system. The file servers / DMS already provide the required access control mechanisms and by a one to one association with the folder a specific policy can be applied without the end user really knowing about the details. Educating end users on which documents to place in each folder is by itself not an easy task but its a challenge that the enterprise has to live with anyways !! I am not sure I understand what you mean by the "entitlement services" bullet so ... Check out the following blog on this topic ... http://www.edrm.blogspot.com/ I have not been posting for the last few weeks but intend to keep it updated often going forward .. Vishal Identity management : I think we are all going to end up going back to “public” providers of identity i.e. Open ID and Verisign. Verisign’s PIP is a great service I believe and might be the future of identity management anyways !! Integration of the extended value chain into ERM systems is happening provided there is one “daddy” in the chain who is pushing it down everyone’s throat and my guess is that it is going to continue for some time. The technologies however will be the same old AD/LDAP :-(

Client Integration : No solution except for standardization ..

Content classification : I have seen an extremely simple yet effective solution to the problem .. the solution is instead of everyone trying to figure out which policy to apply for the rights to be applied to specific folders within a file server or a document management system. The file servers / DMS already provide the required access control mechanisms and by a one to one association with the folder a specific policy can be applied without the end user really knowing about the details. Educating end users on which documents to place in each folder is by itself not an easy task but its a challenge that the enterprise has to live with anyways !!

I am not sure I understand what you mean by the “entitlement services” bullet so …

Check out the following blog on this topic …

http://www.edrm.blogspot.com/

I have not been posting for the last few weeks but intend to keep it updated often going forward ..

Vishal

]]>