Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Content Management (in a De-Perimeterised Environment) Presentation at ISACA/IIA Wellington Prof. Clark Thomborson 27 th July 2007.

Published byJade Gray Modified over 8 years ago

Similar presentations

Presentation on theme: "Electronic Content Management (in a De-Perimeterised Environment) Presentation at ISACA/IIA Wellington Prof. Clark Thomborson 27 th July 2007."— Presentation transcript:

1 Electronic Content Management (in a De-Perimeterised Environment) Presentation at ISACA/IIA Wellington Prof. Clark Thomborson 27 th July 2007

2 Questions to be Addressed  What is Enterprise Content Management? How does it differ from Digital Rights Management? What do we want from an ECM system?  What are the technical constraints on ECM?  What features can we expect to find in next-generation ECM systems?

3 Digital Rights Management Digital Rights Management (DRM) systems were “hot properties” in the dot-com era. Stefik ’012 (filed 1994) discloses a “system for controlling the distribution and use of digital works having a fee reporting mechanism”. References include R. Weber, “Digital Rights Management Technology”, October 1995. Assignee: Xerox. Johnson ’876 (filed 1996) discloses an “electronic rights management and authorization system”. Assignee: Copyright Clearance Centre, Inc. Kahn ’646 (filed 1997) discloses a “digital object management system”. Assignee: CNRI of Reston VA. Ginter,..., Weber ’683 (filed 1998) discloses a “secure content delivery method”. Assignee: InterTrust. 2001: InterTrust sued Microsoft over DRM,.Net, trusted computing. 2004: Microsoft licensed InterTrust’s patents for $440 million. DRM systems allow authors to create and enforce licenses on the use of their digital works.

4 DRM for Corporations? DRM systems could be used to control access to company-confidential documents. InterTrust and MediaSnap spent hundreds of millions of dollars developing and marketing unsuccessful DRM systems. InterTrust’s “DocBox” plugin is still available in Adobe Acrobat. Why were these systems unsuccessful? How much would your company pay (in cash per year, and in reduced employee productivity) to improve your confidentiality controls, and to manage other people’s copyright licenses? Wouldn’t you prefer a system which improves, rather than impedes, communication and collaboration?

5 Enterprise Content Management DRM systems control access to documents, by defining licenses for created content. Goal: Enforce corporate policies on confidentiality and authorship, without unduly impeding profit-making activities. Enterprise Content Management systems facilitate the distribution of documents. Goal: Improve communication and cooperation, without unduly running the risk of violating corporate policies on confidentiality and authorship. The only difference is in the emphasis. DRM is security-first, and ECM is feature-first. This difference is very important in marketing, but it is not a sharp technical distinction. DRM will restrict access “when in doubt”, but ECM will allow access “when in doubt”. DRM enforces a “need-to-know” policy, whereas ECM enforces a “reason-to-exclude” policy. Which is the bigger market? Can’t one system do both?

6 Communication Security 101 (a single hierarchy, focused on confidentiality) Anyone can send information to their superior. Downwards email traffic is trusted: it is a security risk; it is not allowed by default; it should be filtered, audited, controlled, … Spymaster, King, President, Chief Justice, Pope, or … Informants, peons, illegal immigrants, felons, excommunicants, or … Definition: Trustworthiness (an assurance) implies that trust (a risk-aware basis for a decision) is well-placed. We cannot act unless we trust!

7 Intracorporate Communication Hierarchical communication is very inefficient. The King is a performance bottleneck. We want all our employees to share information freely – but without information overload! Contemporary ECM systems provide virtual “meeting spaces”, “notice boards”, and other information sharing opportunities within the corporate perimeter.

8 Intercorporate Communication Q: How do we handle email between hierarchies? Answers:  Merge/Federate  Subsume  Bridge Company XAgency Y Emperor  Who will be the Emperor = King(X+Y)?  Note: a federation is similar to a merger, where the constitution of the system is administered by its Emperor. The peers agree to abide by the constitution.  Merging isn’t enough to solve the problem, until there is one empire.

9 Email across Hierarchies Q: How do we manage email between hierarchies? Agency X Company Y Answers:  Merge  Subsume  Bridge

10 Bridges Q: How do we communicate between empires? Answer: Bridge! Company X Agency Y Bridging connection: trusted in both directions. The person forming the bridge has a separate “persona” who is a low- privilege member of the other corporation or agency or... Employees will use hotmail, instant messaging, blogs, USB devices,... Bridges are a nightmare for security analysts! Bridges are necessary for success, unless your empire is completely self-sufficient!

11 Bridging Trust: B2B e-commerce Use case: employee C of X purchasing supplies through employee V of Y. Employee C creates a hotmail account for a “purchasing” persona. Purchaser C doesn’t know any irrelevant information. Company X Company Y Most workflow systems have rigid personae definitions (= role assignments). Current IT systems offer very little decision-support, security, or governance for bridges: a key ECM requirement. C, acting as an employee C, acting as a purchaser Employee V

12 Communication Security 201 (within a single peerage) Information flows upwards by default (“privileged”). Downward information flows are “trusted” (filtered, audited, etc.) Most businesses have some peerages within their hierarchy: partnerships, job-shares, shareholder votes,... Facilitator, Moderator, Democratic Leader, … Peers, Group members, Citizens of an ideal democracy, …

13 What should an ECM system do? ECMs should build (and advertise) bridges to 1.facilitate intra-enterprise communication, 2.facilitate intra-federation communication, and 3.facilitate inter-federation communication. Current-generation ECM systems handle #1 and some of #2. Bridges are extremely important for performance, but they create security risks. Every bridge to an external organisation should be subject to managerial oversight. The “rules of the bridge” must be defined before a bridge can be used safely. (Should a contract be signed? What are your requirements for IT security on the other end of the bridge?) Employees need guidance and technical support, when forming and using external bridges. How important are bridges of types #2 and #3, to your organisation? What are your corporate policies on these bridges, and how do you enforce them?

14 2. Technical Constraints We haven’t yet agreed on our “public key infrastructure”. Leading creators of “identity certificates”: Verisign, PGP/Thawte. Confederations or empires of “identity managers”: Microsoft’s Passport/Live ID, Liberty Alliance,... We can’t build a secure bridge unless we can securely identify a persona (organisational role) “on the other side”. I want to form a contract with an authorised purchasing agent for NZ Telecom, and not with someone who makes a false claim to this identity. Is your corporation willing to create and maintain digital certificates for all its authorised agents? Would you want to restrict access to this information?

15 Endpoint Compliance We haven’t yet agreed on security standards for trusted endpoints. Copy of SAS 70 certification (in the US)? Assured compliance (by whom?) with (which?) ISO 17799, 27000 series standards? Assured (by whom?) compliance with (what?) site-specific, jurisdiction-specific, industry-specific, culture-specific, standards and understandings regarding physical security, employment practices, system security, network security,...? “TPM inside”? (If a Trusted Platform Module reports that its platform was booted with a known BIOS and known hardware configuration, does this address any of our security concerns?) We can’t build a secure bridge without secure foundations!

16 A Small Matter of Programming Hundreds of millions of dollars have been spent on unsuccessful DRM/ECM systems for the corporate (C2C) market. A few DRM systems for the consumer market (= B2C distribution of media content) have been successful. B2C DRM systems don’t stop all “piracy”, but they do control it – for a while. Building a secure ECM with type-2 (intra-federation) bridges is over-ambitious, except for well-structured communications among well-defined groups. In 2002, Wal-Mart required all its suppliers to use EDIINT AS2 for their (structured) data exchanges. Building a secure ECM for general-purpose type-3 (inter-federation) bridges will be a monumental task.

17 Technology Isn’t Enough We’ll need international agreements: standards and assurances. We’ll need legal support in all participating jurisdictions, to deter and respond to personal- identity frauds, machine-identity frauds, assurance frauds, etc. We’ll need investigative support in all participating jurisdictions, to deter and detect frauds. A modest proposal: TPMs (in “trusted computers”) really should be licensed to owners, and owners should have responsibilities. Automobiles, aircraft, gun owner/operators are licensed in most jurisdictions. SIMcards are registered to owners in some jurisdictions. What are the privileges and responsibilities of computer ownership?

18 Feasible and Desirable ECM Our identity management, persona (role) management, reputation management, trust management, and end-point assurance procedures are non-standard and don’t interoperate. Our ECM systems will be limited by these shortcomings. We can’t expect strong control on confidentiality. Computers aren’t sufficient to enforce confidentiality constraints. If someone can read a document, they can take a picture of it – this is the “analog hole” in all DRM systems. If we allow people outside our zone of legal/physical control to read our documents, they can copy them without our knowledge. We can expect good control on document integrity and authorship identification, if our authors and readers are willing (and are trained) to work with digital certificates. We can expect more efficient and effective distribution of our corporate documents, if we web-publish them instead of squirrelling them away on our workstations and shared fileservers.

19 Browser-Based ECMs It’s not hard to imagine a browser-based ECM architecture GoogleApps with security governance; SharePoint with open-standard interfaces; Lotus Connections with type-2 and type-3 bridges;... Use HTTPS rather than HTTP; unencrypted or encrypted with keys held by corporation (so that it can be filtered); two-way authentication. A licensed TPM owner could generate adequately-secure digital certificates for their end-users. TPM owners should be de-licensed if their computers don’t pass a periodic “warrant of fitness”. Certificates issued by a corporate TPM could (except when anonymity is required) be signed with company authority. This would greatly simplify ECM design: existing webservices could be converted into type-3 ECM bridges. A corporate workstation could keep track of all certificates it has accepted (= bridges it has built), for managerial oversight and security auditing. Would you ever want to take an inventory of these bridges? Would your employees think it’s an invasion of privacy? What do you want from an ECM system?

20 Acknowledgement This research was supported by your tax payments, via New Zealand’s Foundation for Research Science and Technology. Thank you!

Download ppt "Electronic Content Management (in a De-Perimeterised Environment) Presentation at ISACA/IIA Wellington Prof. Clark Thomborson 27 th July 2007."

Similar presentations

The following 10 questions test your knowledge of Internet-based client management in Configuration Manager 2007. Configuration Manager 2007 Internet-Based.

The following 10 questions test your knowledge of Internet-based client management in Configuration Manager Configuration Manager 2007 Internet-Based.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
A Foundation for System Security Invited talk at AISC 09 Clark Thomborson 21 February 2009.

A Foundation for System Security Invited talk at AISC 09 Clark Thomborson 21 February 2009.
Secure Communication Architectures.

Secure Communication Architectures.
Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.

Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.
Creating a Winning E-Business Second Edition

Creating a Winning E-Business Second Edition
Creating a Winning E-Business Second Edition Operating Your E-Business Chapter 5.

Creating a Winning E-Business Second Edition Operating Your E-Business Chapter 5.
Information Security Policies and Standards

Information Security Policies and Standards
Licensing Division Reengineering Project Requirements Workshop Copyright Owners 1/26/2011.

Licensing Division Reengineering Project Requirements Workshop Copyright Owners 1/26/2011.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Understanding Active Directory

Understanding Active Directory
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Network security policy: best practices

Network security policy: best practices
Understanding Active Directory

Understanding Active Directory
Legal Audits for E-Commerce Copyright (c) 2000 Montana Law Review Montana Law Review Winter, 2000 61 Mont. L. Rev. 77 by Richard C. Bulman, Jr., Esq. and.

Legal Audits for E-Commerce Copyright (c) 2000 Montana Law Review Montana Law Review Winter, Mont. L. Rev. 77 by Richard C. Bulman, Jr., Esq. and.
 Business is owned and run by one individual  Nearly 76% of all businesses  Owner receives all of its profits and bear all of its losses.

 Business is owned and run by one individual  Nearly 76% of all businesses  Owner receives all of its profits and bear all of its losses.
CNRI Handle System and its Applications

CNRI Handle System and its Applications
Vilnius, October 21st, 2002 © eEurope SmartCards Securing a Telework Infrastructure: Smart.IS - Objectives and Deliverables Dr. Lutz Martiny Co-Chairman,

Vilnius, October 21st, 2002 © eEurope SmartCards Securing a Telework Infrastructure: Smart.IS - Objectives and Deliverables Dr. Lutz Martiny Co-Chairman,
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.

Similar presentations

Ads by Google