Licensing in the Cloud
At the turn of the century, ASP (Application Service Providing) was all the rage. “Customers won’t buy and download software in the future, instead they will lease it online”. With ASP, software such as Microsoft Office runs on a terminal server and customers only need a client to use it. The concept never caught on. Lack of confidence in user data security, service availability and the blurry situation of software vendor and software licensing are some of the reasons which explain its rejection. Now the same idea is back under a new name - cloud computing. The time is now right for it and the technology has matured.
Who uses the cloud?
The cloud is anything online and includes software and services. Hence the cloud is much more than just Application Service Providing. Use of the cloud can be divided into the following categories:
- Infrastructure Vendor: provides the hardware (and the operating system software) in the cloud. He is responsible for availability and backup.
- Service Vendor: provides the software or service. He is responsible for his own application.
- Corporate User: uses the infrastructure, software and services in the cloud for business purposes. He has a special status as he himself installs the software in the cloud and manages his staff’s access to it.
- Private User: uses the cloud privately. He is a consumer of software and services and mainly uses the cloud to store data or play online gambling games.
The classical Application Service Provider which offers third-party software such as Microsoft Office hardly exists anymore. The provider has a similar status to that of the Corporate User i.e. he operates third-party software in the cloud.
Software Vendor: is not actually present in the cloud. The Corporate User and the Application Service Provider nevertheless use his software in the cloud.
What is the cloud?
The following types of services are available in the cloud:
- Infrastructure as a Service (IaaS): the Infrastructure Vendor provides a basic structure (hardware only or hardware plus operating system). The Corporate User normally leases the infrastructure (a virtual computer). He installs, distributes and starts instances of programs (any software from any software vendor) on this computer. A typical example here is the Amazon computer center.
- Software as a Service (SaaS): the Service Vendor operates his software and services in the cloud. Either he is an Infrastructure Vendor himself or he buys the services. The Corporate User and Private User are online consumers of his products. Typical examples here include Google Maps and the CRM system Salesforce.
- Platform as a Service (PaaS): this service is similar to SaaS. The only difference is that the Service Vendor allows the user (normally the Corporate User) to optionally define the business logic. Other providers can extend the functionality. The CRM system Salesforce and SaaS belong to this category.
- Webspace: the Infrastructure Vendor allows the Private User to store his data in the cloud. Examples of this are the PlayStation Network (PSN) from Sony which allows players to store the current state of their games online, and the Telekom cloud.
Protection interests of providers
Regardless of whether your concern is Private User data in the webspace or the sales figures in a hosted ERP application, security is an important issue. There has been a succession of bad news recently: data relating to millions of users stolen from Sony, or security breaches at a mail-order company operating online prize games. Who wants to protect what in the cloud and how can Wibu-Systems help?
It is in the interest of the Infrastructure Vendor to limit physical access to his computing center.
The protection interests of the Service Vendor depend on his business model; some provide their services for free and earn money via advertising. Others bill customers depending on how often and how long they use their service. In this case, protecting access directly makes money. The Service Vendor has an indirect interest in protecting data on his server as this increases customer acceptance of his service.
The protection interests of the Private User are obvious. He wants to be sure his access data is protected against misuse and that his data is stored securely in the cloud. Just like the Private User, the Corporate User also wants his access data and own data securely stored in the cloud.
Wibu-Systems has numerous products to meet these interests e.g. CodeMeter Password Manager, CodeMeter Identity, a PKCS#11 middleware and a powerful encryption API. The password manager allows the user, be it the Private User or the Corporate User, to choose good strong passwords and to securely store them in a CmDongle. By using CodeMeter Identity and the encryption API the Service Vendor can integrate personalized security into his solution. The PKCS#11 middleware transforms a CmDongle into a standard token which can be integrated into the existing architecture of the Corporate User.
Protection and licensing for the Software Vendor
Although he didn’t originally want to be, the Software Vendor is present in the cloud. The Application Service Provider or Corporate User uploads the software to the cloud, where it can then be used by his own users or customers.
Two requirements co-exist:
- The software should never be resold and can be used as often as necessary.
- It is difficult to license the software as tying it to a computer or dongle contradicts the philosophy of the cloud. The software doesn’t run on a specific computer in the conventional sense. The Infrastructure Vendor can modify the hardware during operation without prior notice, or move the service to completely new hardware.
The time is now ripe for a new strategy which the Software Vendor can and must pursue. One option is to migrate to a pay-per-use model.
What implications does this have for the Software Vendor? Wibu-Systems can help him to develop a special cloud-ready version of his software which can run anywhere at any time but which only processes the entered data associated with a specific license. The Software Vendor integrates the license into the application with the aid of the CodeMeter API.
But isn’t this unsafe? “If the software runs anywhere at any time, can’t I then modify the software to run without a license? As a software vendor, the protection offered up till now by AxProtector was very important to me.” No problem: you can still use AxProtector; indeed it is an important part of the protection concept.
The cloud-ready version of your software is encrypted using AxProtector which means it is impossible to detect where the API verifies the license. Hence manipulation is ruled out. By using a special untied CmActLicense you guarantee your software runs everywhere immediately, in other words on any computer in the cloud, while still being sure it is protected against reverse engineering and manipulation.
How can the license and the entered data be linked to each other? Initially the user’s data exists locally. His purchased license or pay-per-use units are also located locally. A special local client from the Software Vendor uses the license to sign the data. This can only be done by the license owner as only this person has the private key for the signature which is securely stored in the CmDongle or a CmActLicense. An important aspect here is that the client deducts the pay-per-use units in accordance with the data.
You don’t have any local data to upload? No problem! Our Professional Services team will help you implement your individual solution.
When the cloud-ready version of your software starts, it checks that the data signature is correct. If it is, the software executes the corresponding action or uses the entered data for the calculation. AxProtector thus guarantees your software is protected against manipulation. The software only contains the public key needed to verify the signature. Even if this key is extracted, it does not contain enough information to generate a valid signature.
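The signing and verification flow described above, sketched as an added example (not Wibu-Systems code and not the CodeMeter API). Ed25519 from the Go standard library stands in for the key held in the CmDongle or CmActLicense; the `Ticket` format, the `Price` tariff and all names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Ticket (constructed format) binds the input data to the units paid for it.
type Ticket struct {
	Digest [32]byte // SHA-256 of the data to be processed
	Units  uint32   // pay-per-use units deducted for this data
	Sig    []byte   // Ed25519 signature over Digest || Units
}

// Client models the local client; the article keeps key and counter in the dongle or license.
type Client struct { priv ed25519.PrivateKey; Balance uint32 }

// Price is an assumed tariff: one unit per started KiB of input.
func Price(data []byte) uint32 { return uint32(len(data)+1023) / 1024 }

func signedBytes(d [32]byte, units uint32) []byte {
	return append(d[:], byte(units>>24), byte(units>>16), byte(units>>8), byte(units))
}

// Sign deducts the units for the data, then signs digest and units together.
func (c *Client) Sign(data []byte) (Ticket, error) {
	units := Price(data)
	if units > c.Balance {
		return Ticket{}, fmt.Errorf("need %d units, have %d", units, c.Balance)
	}
	c.Balance -= units
	d := sha256.Sum256(data)
	return Ticket{d, units, ed25519.Sign(c.priv, signedBytes(d, units))}, nil
}

// Verify is the cloud-side check; it needs only the public key.
func Verify(pub ed25519.PublicKey, data []byte, t Ticket) bool {
	return sha256.Sum256(data) == t.Digest && t.Units >= Price(data) &&
		ed25519.Verify(pub, signedBytes(t.Digest, t.Units), t.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	c := &Client{priv: priv, Balance: 1}
	t, _ := c.Sign([]byte("constructed sample input"))
	fmt.Println(Verify(pub, []byte("constructed sample input"), t), c.Balance) // true 0
}
```

The ticket carries no serial number or nonce, so this sketch does not stop the same signed data from being submitted twice; a real format would need one.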
Wibu-Systems will be happy to help you implement your own protection concept in the cloud-ready version of your software.
And finally one last word
The cloud covers everything which does not run locally on your computer. The benefit for the user is that he doesn’t have to invest in or maintain any local computing power. Instead he uses the computing power of the cloud and only pays for what he actually uses, and that he can use anywhere and everywhere.
If the concept is applied to software, migration to a pay-per-use model is necessary.
CodeMeter provides a framework for easy and individualized migration. A CmDongle or CmActLicense can contain several thousand counters which allows precise billing of each client in the cloud.
When the security aspects are solved, cloud computing offers excellent opportunities. We are working on standard solutions for the cloud which involve participation in research projects such as S4Cloud and MimoSecco in conjunction with research institutions and other companies. What are your cloud requirements? Talk to us about them and we’ll find a solution together.
We are ready for the cloud!
KEYnote 22 – Edition Fall 2011