Wibu-Systems CodeMeter Technology provides security for software and data in the cloud
What is cloud?
The cloud is an abstract, virtual environment in which software and data are hosted instead of on the user's PC. Three types of cloud computing exist:
Application (SaaS): independent software vendors (ISVs) host their applications in the cloud, from where they are accessed by the user.
Platform (PaaS): ISVs host their applications in the cloud but, in contrast to SaaS, let the user define their own business logic on top of them.
Infrastructure (IaaS): users lease infrastructure (a virtual computer) on which they host and run instances of their own programs.
Implications for licensing and data protection
In most cases, SaaS and PaaS are licensed on a per-user basis: the number of users currently logged on, or the number of user accounts created on the server, is counted. The ISV is responsible for the server, which is assumed to be secure. CodeMeter® provides support for both the ISV and the user. CodeMeter® is a combination of dongle and token: it not only stores access rights in the form of license entries, but also private keys, which can be used to authenticate users instead of username/password combinations. Unlike a password or password hash, the corresponding public key does not need to be kept secret; it only needs to be protected against manipulation, so the server side never holds a credential that an attacker could steal and reuse.
CodeMeter® Solutions (flexible deployment)
CodeMeter® mobile solution using a CmDongle: access rights and keys are stored on separate hardware, i.e. a CmDongle (a USB stick).
CodeMeter® PC-specific solution using CmActLicense
The PC-specific solution stores access rights and keys in a licence file which contains details about the client PC.
A vital issue for the acceptance of SaaS- and PaaS-based solutions is data security. If an attacker is able to read user data simply by executing a SQL injection, as was the case with Sony in July 2011, no security-conscious user will store data in the cloud.
Of course, you can harden your server code against SQL injection, for example with parameterised queries and input validation, and you should. But that only closes the attack you already know about. A more generic safeguard is data encryption: data is encrypted on the client, stays encrypted during transmission and while it is stored in the cloud, and only the client with the matching license, i.e. the matching key, can decrypt it locally. The key resides on the user's PC and is not compiled into the software stored in the cloud, so a compromise of the server exposes only ciphertext. Note that this protects the confidentiality and integrity of the stored data, not the availability or correctness of the server itself, so it complements rather than replaces server-side input handling.
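As an added illustration of the scheme just described (example code written for this page, not part of CodeMeter or any Wibu-Systems product): the client encrypts with AES-256-GCM before upload, the cloud store only ever holds ciphertext, and the key stays on the client. The `cloudStore` map, the `deriveKey` helper and the record names are constructed stand-ins; a real deployment would obtain the key from the CmDongle/CmActLicense rather than deriving it from a string. The record name is bound as associated data, which is what makes a ciphertext useless when copied to another record.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// cloudStore stands in for the SaaS back end. It only ever receives ciphertext.
// Constructed for this example; it is not a CodeMeter component.
var cloudStore = map[string][]byte{}

// deriveKey stands in for the data key that the local license (CmDongle or
// CmActLicense) would supply. It is derived from a constructed secret so that
// the example runs offline; in a real deployment the key never leaves the
// license container and is never compiled into the cloud-side software.
func deriveKey(licenseSecret string) []byte {
	sum := sha256.Sum256([]byte("example-data-key|" + licenseSecret))
	return sum[:] // 32 bytes -> AES-256
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-256-GCM. The record name is bound as
// associated data, so a ciphertext copied from one record to another fails to
// decrypt. Output layout: nonce || ciphertext || GCM tag.
func seal(key, plaintext []byte, record string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(record)), nil
}

// unseal reverses seal. It fails on a wrong key, a modified ciphertext or a
// ciphertext that was moved to a different record.
func unseal(key, blob []byte, record string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(record))
}

// Upload encrypts on the client and stores only the ciphertext in the cloud.
func Upload(key []byte, record string, data []byte) error {
	blob, err := seal(key, data, record)
	if err != nil {
		return err
	}
	cloudStore[record] = blob
	return nil
}

// Download fetches the ciphertext and decrypts it locally with the license key.
func Download(key []byte, record string) ([]byte, error) {
	blob, ok := cloudStore[record]
	if !ok {
		return nil, errors.New("no such record")
	}
	return unseal(key, blob, record)
}

// LeaksPlaintext reports whether the stored blob contains the plaintext verbatim.
func LeaksPlaintext(record string, plaintext []byte) bool {
	return bytes.Contains(cloudStore[record], plaintext)
}

// TamperStored flips one bit of a stored ciphertext, as a malicious or faulty
// cloud might; the GCM tag check then rejects the record.
func TamperStored(record string) {
	blob := cloudStore[record]
	blob[len(blob)-1] ^= 0x01
}

func main() {
	key := deriveKey("license-A")
	_ = Upload(key, "doc/prices", []byte("customer price list"))
	fmt.Println("cloud holds plaintext:", LeaksPlaintext("doc/prices", []byte("customer price list")))
	pt, err := Download(key, "doc/prices")
	fmt.Printf("local decrypt: %q %v\n", pt, err)
	_, err = Download(deriveKey("license-B"), "doc/prices")
	fmt.Println("decrypt with another license:", err)
}
```

The nonce is generated fresh for every upload; reusing a nonce under the same key would break GCM's guarantees, which is why it is never derived from the record name.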
If you want to implement an SaaS or PaaS application for your customers, WIBU Consulting Services Team will be happy to provide you with assistance.
Protecting the business logic of a PaaS
Protecting a company's business logic in the cloud is just as important as data security. Here too, CodeMeter® solutions use encryption so that the business logic can be neither read nor modified without the matching license.
As the ISV of a PaaS application, you can rely on WIBU Consulting Services to assist you with the development of your individual solution.
Operation by a partner
If you develop SaaS or PaaS solutions to be operated by a partner, you need to answer two questions:
How do I protect my intellectual property against reverse engineering?
How do I manage software licensing?
CodeMeter® provides the answer to both questions. The partner receives the required number of licenses – as CmDongle or CmActLicense. By encrypting the data or executable code the software is protected against reverse engineering. Without the matching license the software cannot be analyzed or illegally used.
The license (as dongle or license file) is located on a special license server. The server allocates the corresponding license as a floating license for each instance of the application. Cold and hot standby licenses and a "2 out of 3" server solution can be implemented for high availability solutions.
Protection of IaaS solutions
Protecting IaaS solutions presents a real challenge to ISVs. Because the cloud instance is not a dedicated server, a CmActLicense cannot be tied to it, nor can a CmDongle be connected to it.
CodeMeter® provides the solution for protection and licensing. This solution comprises two parts:
a special, untied version of the CmActLicense (CodeMeter® NoneBind) is used, which only protects your software against reverse engineering. The software itself can always be executed.
a signature check on the input data is compiled into your software. Your application subsequently accepts only signed data.
The user can now upload the IaaS version of your software to the cloud as required. The data can only be signed and hence executed by a user with a matching license. Your software is useless without the signed data.
CodeMeter® provides you with a complete portfolio of license models for data signatures:
Single-user licenses: either a CmDongle is connected to a local PC or a CmActLicense is tied to a local PC. Data has to be signed on the local PC before being uploaded to the cloud.
Network licenses: a CmDongle or a CmActLicense resides on a license server in the network.
Time-limited licenses: CodeMeter® offers you three options: a fixed expiry date, a fixed time period, or the actual usage period. Each CmDongle and CmActLicense keeps its own internal clock, so that setting back the system time does not extend the license.
Pay-per-use licenses: a Wibu-Systems model developed specifically for IaaS solutions. The user purchases units, which are deducted from his or her account whenever data is signed and uploaded to the cloud. You decide the basis on which units are deducted, for example per action or per data volume. More units can easily be purchased online from CodeMeter License Central.
Modular software protection: each functionality is assigned its own key which is used for the signature and checked in the software. This allows features to be individually activated and licensed. Activation can take place at any time via the Internet.
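The signed-data gate described for IaaS above, together with the per-feature keys of modular protection, as one added example (written for this page, not CodeMeter code): the ISV generates one Ed25519 key pair per feature and compiles the public keys into the cloud build; a customer's license holds the private keys only for the features bought; the instance processes data only when the signature verifies under the key of the named feature. `License`, `Instance`, the feature names and the envelope format are constructed for the illustration. The feature name is length-prefixed into the signed bytes so that a payload signed for one feature cannot be re-labelled for another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Feature names. Each feature has its own key pair, so a license can cover any
// subset of features. Constructed for this example.
const (
	FeatureImport = "import"
	FeatureReport = "report"
)

// Envelope is what the licensed client uploads together with the data.
type Envelope struct {
	Feature string
	Payload []byte
	Sig     []byte
}

// signedBytes binds the feature name to the payload. The length prefix keeps
// the encoding unambiguous, so a signature cannot be reused across features.
func signedBytes(feature string, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(feature)+len(payload))
	binary.BigEndian.PutUint32(buf, uint32(len(feature)))
	buf = append(buf, feature...)
	return append(buf, payload...)
}

// GenerateFeatureKeys is the ISV's one-off step: one key pair per feature. The
// public keys are compiled into the IaaS build; private keys go only into licenses.
func GenerateFeatureKeys(features ...string) (map[string]ed25519.PrivateKey, map[string]ed25519.PublicKey, error) {
	privs := map[string]ed25519.PrivateKey{}
	pubs := map[string]ed25519.PublicKey{}
	for _, f := range features {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		privs[f], pubs[f] = priv, pub
	}
	return privs, pubs, nil
}

// License models the customer's CmDongle/CmActLicense: it holds private keys
// for the features that were bought, and nothing else.
type License struct{ keys map[string]ed25519.PrivateKey }

func IssueLicense(all map[string]ed25519.PrivateKey, features ...string) License {
	l := License{keys: map[string]ed25519.PrivateKey{}}
	for _, f := range features {
		if k, ok := all[f]; ok {
			l.keys[f] = k
		}
	}
	return l
}

// Sign runs on the customer's PC before upload. It fails for features the
// license does not cover.
func (l License) Sign(feature string, payload []byte) (Envelope, error) {
	priv, ok := l.keys[feature]
	if !ok {
		return Envelope{}, fmt.Errorf("feature %q is not licensed", feature)
	}
	sig := ed25519.Sign(priv, signedBytes(feature, payload))
	return Envelope{Feature: feature, Payload: payload, Sig: sig}, nil
}

// Instance models the software running in the IaaS cloud. It can be started
// anywhere, but Accept is the compiled-in gate: only correctly signed data is
// processed, so the binary is useless without a licensed signer.
type Instance struct{ pubs map[string]ed25519.PublicKey }

func (in Instance) Accept(e Envelope) ([]byte, error) {
	pub, ok := in.pubs[e.Feature]
	if !ok {
		return nil, fmt.Errorf("unknown feature %q", e.Feature)
	}
	if !ed25519.Verify(pub, signedBytes(e.Feature, e.Payload), e.Sig) {
		return nil, errors.New("rejected: data was not signed by a valid license")
	}
	return e.Payload, nil
}

func main() {
	privs, pubs, _ := GenerateFeatureKeys(FeatureImport, FeatureReport)
	lic := IssueLicense(privs, FeatureImport) // customer bought "import" only
	inst := Instance{pubs: pubs}
	env, _ := lic.Sign(FeatureImport, []byte("rows..."))
	_, err := inst.Accept(env)
	fmt.Println("signed import data accepted:", err == nil)
	_, err = lic.Sign(FeatureReport, []byte("q3"))
	fmt.Println("report feature:", err)
}
```

For a pay-per-use model the unit deduction would sit inside `Sign`, since that is the one step a customer cannot perform without the license.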
Cloud Licenses for Local Applications
In this scenario, your software is a classic desktop application, which you sell to your users either on a traditional CD or as a download. Your user receives not only the software itself, but also an activation code in the form of a ticket that you create with CodeMeter License Central. When creating that ticket, you can determine how many devices the software can operate on at the same time and for how long it can be used without a permanent connection to the Internet.
Your user installs the software on a PC. When it is started for the first time, he or she is asked to enter the ticket. The software contacts CodeMeter License Central and sends the ticket and a fingerprint of the computer (in the form of a WibuCmRaC file) up to the cloud. CodeMeter License Central checks whether the ticket is valid and, if it is, creates a temporary license for an offline cache. The license is returned to the user (by WibuCmRaU file) and imported locally into the CodeMeter Runtime. The ticket is also stored locally, e.g. in the license. Your software then launches and works perfectly without any need for a permanent Internet connection.
Shortly before the temporary license expires in the offline cache, the application phones home to CodeMeter License Central and renews the license.
Should the user install the software on another device, he or she would enter the ticket again. Depending on your choices and settings, your software could react to this in three ways:
The license is moved into a local cache as a temporary offline license, and the software is launched.
The user selects the “old” license, which is automatically flagged as “deactivated” in CodeMeter License Central. A temporary offline license is then created, and the software starts.
The user is notified that the number of licenses has been exceeded and that he or she would either have to deactivate the old license manually or wait for the temporary license to end its set duration.
The second option has proven to be the best practice: it is flexible enough for the user, who can continue working with the software even after reaching the maximum number of devices, and transparent enough for you as the developer to detect fraudulent use and take countermeasures.
Cloud Licenses for SaaS Applications
You can offer your users a SaaS application with unrestricted or temporary licenses for different features. CodeMeter Cloud Lite offers you a simple and lean way of reconciling the online and offline worlds, especially when you are already using CodeMeter for on-premise software and have integrated the license creation processes with your SAP, Salesforce, or any other ERP, CRM or e-commerce system.
The licenses for SaaS applications are created in the same manner as on-premise licenses; they differ only in the binding scheme, using CodeMeter Cloud Lite in place of CodeMeter SmartBind or CmDongles. A license is created and assigned to a user in a process that does not differ from the activation of a local license, and you can combine both forms. You can integrate your user administration with standard identity and single sign-on protocols such as OAuth 2.0/OpenID Connect or SAML.
CodeMeter Cloud Lite comes with a simple API that your SaaS application calls to verify the licenses available to a user and to determine which functions are available, and for how long.
Authentication for SaaS Applications
On top of its licensing and software protection capabilities, CodeMeter has a third strength: the private keys used for authentication can be stored securely on a CmDongle or in a computer-bound CmActLicense. This makes CodeMeter a suitable choice for user authentication in SaaS scenarios.
The solution can be integrated via the CodeMeter API, specifically when you supply your users with a dedicated local application that works in tandem with a SaaS application in the cloud. The SaaS software creates a challenge, which the local application answers by signing it with the private key kept in the local license. In the cloud, the SaaS application uses the corresponding public key to verify the identity of the user, with user identities managed and recorded in the cloud according to your needs. The challenge must be fresh and unpredictable (a random nonce, valid once and for a short time), otherwise a captured response could be replayed.
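The challenge-response exchange described here and in the licensing section above, as an added example written for this page (not Wibu-Systems code): the `Server` type plays the SaaS application, which stores only public keys and tracks outstanding challenges; the `Client` type plays the local application, which signs with a private key that would otherwise sit in the CmDongle or CmActLicense. The nonce registry, the 60-second TTL, the `example-saas-login-v1:` domain tag and the `FakeClock` are all assumptions made for the illustration. Single use plus expiry is what defeats replay; the domain tag keeps the license key from being tricked into signing data meaningful in another protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const challengeTTL = 60 * time.Second

// authMessage applies domain separation: the client signs a tagged message,
// never the raw nonce, so a rogue server cannot obtain a signature over bytes
// that mean something in a different protocol.
func authMessage(nonce []byte) []byte {
	return append([]byte("example-saas-login-v1:"), nonce...)
}

type pending struct {
	user    string
	expires time.Time
}

// Server is the SaaS side: a registry of user public keys plus the challenges
// currently outstanding. Constructed for this example, not a CodeMeter API.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string]pending // keyed by hex(nonce)
	now     func() time.Time   // injectable clock
}

func NewServer(now func() time.Time) *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string]pending{}, now: now}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// NewChallenge returns 32 random bytes valid once, for one user, for challengeTTL.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, fmt.Errorf("unknown user %q", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = pending{user: user, expires: s.now().Add(challengeTTL)}
	return nonce, nil
}

// Verify consumes the challenge and checks the signature against the user's
// registered public key. The challenge is deleted on first use, good or bad,
// so a captured response cannot be replayed, and it is refused after its TTL.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	id := hex.EncodeToString(nonce)
	p, ok := s.pending[id]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, id)
	if p.user != user {
		return errors.New("challenge was issued to a different user")
	}
	if s.now().After(p.expires) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(s.users[user], authMessage(nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Client is the dedicated local application. priv stands in for the key that
// stays inside the license container; only a signing operation is ever run on it.
type Client struct{ priv ed25519.PrivateKey }

func (c Client) Respond(nonce []byte) []byte { return ed25519.Sign(c.priv, authMessage(nonce)) }

// GenerateUserKey creates a per-user key pair in memory for the example.
func GenerateUserKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// FakeClock lets the expiry path be exercised without sleeping.
type FakeClock struct{ t time.Time }

func NewFakeClock() *FakeClock                  { return &FakeClock{t: time.Unix(1700000000, 0)} }
func (c *FakeClock) Now() time.Time              { return c.t }
func (c *FakeClock) Advance(d time.Duration)     { c.t = c.t.Add(d) }

func main() {
	srv := NewServer(time.Now)
	pub, priv, _ := GenerateUserKey()
	srv.Register("alice", pub)
	nonce, _ := srv.NewChallenge("alice")
	sig := Client{priv}.Respond(nonce)
	fmt.Println("login:", srv.Verify("alice", nonce, sig))
	fmt.Println("replay:", srv.Verify("alice", nonce, sig))
}
```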
For browser applications, client certificates have established themselves as the standard solution. A middleware stores standard X.509 certificates on a CmDongle, and two standardized interfaces (PKCS#11 and Microsoft CSP) allow applications such as Internet Explorer, Firefox, Chrome, Safari, Outlook or VPN clients to use them. Some applications only need a valid certificate to grant access to the SaaS application; others extract more granular data such as user names, organizations or other attributes to identify named users or user groups. If you want to control access to your SaaS application with this level of certainty, you need to create, manage and keep track of the client certificates, and the SaaS application must be able to verify them against the issuing CA. Conversely, the certificate with which the SaaS application identifies itself to the user should be a server certificate issued by a trusted certification authority (e.g. VeriSign or GlobalSign).
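The server-side check behind the client-certificate approach, as an added example (written for this page; it is not CodeMeter code and does not touch the PKCS#11/CSP middleware): an ISV-operated CA issues per-user client certificates, and the SaaS application accepts a presented certificate only if it chains to that CA, is within its validity window and carries the client-authentication extended key usage, then extracts the CommonName and Organization as the user identity. The CA name, serial numbers, user names and the `Day` helper are constructed; in a real server the certificate would come from `tls.ConnectionState.PeerCertificates`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Day is a convenience for validity windows.
const Day = 24 * time.Hour

// ExampleNow is the reference time used by main and the tests.
var ExampleNow = time.Now()

// Identity is what the SaaS application derives from a verified client certificate.
type Identity struct {
	User string // CommonName
	Org  string // first Organization attribute, if present
}

// NewCA creates a self-signed issuing CA, the ISV's own client-certificate CA.
// In production its key would sit in an HSM; here it lives in memory.
func NewCA(name string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueClientCert issues the per-user certificate that the middleware would load
// onto the CmDongle. The user's private key is generated and dropped here because
// the example only exercises the server-side check.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, user, org string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user, Organization: []string{org}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// TrustPool builds the set of CAs the SaaS application accepts client certs from.
func TrustPool(cas ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	return pool
}

// Authenticate is the check the SaaS application runs on the presented
// certificate: chain to a trusted CA, valid at `now`, client-auth EKU.
func Authenticate(cert *x509.Certificate, trusted *x509.CertPool, now time.Time) (Identity, error) {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return Identity{}, fmt.Errorf("client certificate rejected: %w", err)
	}
	if cert.Subject.CommonName == "" {
		return Identity{}, errors.New("client certificate has no CommonName")
	}
	id := Identity{User: cert.Subject.CommonName}
	if len(cert.Subject.Organization) > 0 {
		id.Org = cert.Subject.Organization[0]
	}
	return id, nil
}

func main() {
	now := ExampleNow
	ca, caKey, _ := NewCA("Example ISV Client CA", now.Add(-Day), now.Add(365*Day))
	cert, _ := IssueClientCert(ca, caKey, 1001, "alice", "ACME GmbH", now.Add(-Day), now.Add(30*Day))
	fmt.Println(Authenticate(cert, TrustPool(ca), now))
}
```

Revocation is deliberately out of scope here; a deployment that lets users lose dongles needs CRL or OCSP checks on top of the chain validation shown.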
Standard Applications in Private Clouds
A private cloud would typically be a farm of virtual machines operated in a company’s own data center or at a specialized provider on other hardware known neither to you nor to the user. It might not even have USB interfaces to connect to. Again, CodeMeter has the capabilities needed to handle this scenario and protect your rights as the developer of the software. You have several options at your disposal:
USBoverEthernet: Your user is given a license in the form of a CmDongle. Common USB-over-Ethernet products can then be used to connect that CmDongle to the virtual machine in question; many data centers have this technology as standard practice. You do not have to change your software or your established distribution methods. Note that the dongle is then reachable over the network, so the USB-over-Ethernet link should be confined to the trusted segment between the host and the virtual machine.
Network Server: Your user operates a network server in the data center. CodeMeter offers a special lean CodeMeter Runtime for such servers, designed to operate even on Raspberry Pis. The CmDongle is hooked up by USB to that server. Your software only has to support the CodeMeter networking protocol (CmLAN), which implies only a minor change in the configurations for your software. You still deliver your software in the standard manner.
Server in the Cloud: A CmWAN server can be operated by you directly or by your users. The licenses can then be kept in the LAN, WLAN, or the cloud, using CmDongles or CmActLicenses on the CmWAN server. As with the network server, your software needs to support the right protocols, and the distribution processes still remain unchanged.
SmartBind with VM Move: You create a SmartBind license with a “loose” level of tolerance. This makes sure that the license remains intact when the virtual machine it is kept on is relocated in the cloud. It would be invalidated when the virtual machine is copied. Alternatively, you could define the machine SID as the binding property. You do not need to change anything in how you integrate the system in your application; all you need to do is create special licenses for the users who will run your software in their private clouds.
Licensing with CodeMeter Cloud Lite: You can leave the licensing of your software to CodeMeter Cloud Lite. Your application would be given a Protection Only License to prevent reverse engineering and regularly check the Wibu cloud to see whether the license is still valid or whether it is being used elsewhere. This type of licensing requires some changes to your software and a permanent Internet connection between the user’s private cloud and the Wibu cloud. The creation of the license itself is not made more difficult: all it needs is the addition of CodeMeter Cloud Lite as another binding property.