I recently spent time talking with Ian Walsh, Director of Product Marketing for Approva Corporation. Approva provides applications used in conjunction with certain major enterprise software systems that materially increase the management, security, transparency, and auditability of these systems. Approva is a leader in the application domain called Enterprise Controls Management and should be of interest to security professionals, auditors, and corporate executives and business managers and others interested in permissions, entitlements, controls, rights management, and audit information.
Consumer and Enterprise DRM
Compared with the Consumer market, Enterprise Digital Rights Management encompasses a much broader area. Consumer DRM is mostly concerned with the authorized use of digital information and with the consequences of use, such as payment processing and the collection and reporting of usage or audit information. Consumer DRM takes place--or at least should take place--with clear notification to consumers regarding the nature of the license they are acquiring, its cost, and whether any usage information will be collected, and if so, what will be done with the Consumer’s information. Consumers should be afforded an opportunity to “opt in” or “opt out” as appropriate to context.
Like the Consumer space, Enterprise rights management also entails the authorized use of corporate and third party information together with use consequences. The three main competitors in the document DRM market in the United States are Authentica, Liquid Machines, and Sealed Media. AegisDRM and startup AvocoSecure compete mainly in the European market. Increasingly there is overlap between Digital Content Management (or Digital Asset Management) applications and document DRM capabilities. Content management software vendors such as Artesia and Documentum also compete in the Enterprise DRM space; Documentum and Sealed Media are working together.
In addition to document-oriented solutions, a broader view of Enterprise DRM includes entitlements, permissions, access controls, and identity management. Enterprise scale IT infrastructures typically include corporate directory services that, among other capabilities, enable a person to sign on to virtually any computer regardless of location. Under the banner of Identity Management, Microsoft, Novell, and Oblix/Oracle are among the competitors in this space. Corporate directories may also hold information concerning the role of the individual employee, public encryption keys associated with each individual, and permissions or entitlements regarding the employee’s access to classes of devices, documents, and processes. Such permissions are often based on the person’s role and/or group within the company.
Enterprise Resource Planning (ERP) is another class of Enterprise infrastructure applications, of which SAP, PeopleSoft/Oracle, Microsoft Navision, SSAGlobal and IBM are among the competitors in this space. ERP applications provide a very complex, but important foundation for documenting, managing, and operating the key functions and business transactions of the company.
And Now For Something Completely Different
Following the accounting scandals that rocked numerous American corporations—Enron, WorldCom, HealthSouth, and, unfortunately, too many others—Congress passed the Sarbanes-Oxley Act (SOX), whose goals include making CEOs and CFOs more accountable with respect to SEC filings, making corporate management more accountable to Boards of Directors, and making corporate financial reporting more transparent, managed, and auditable.
Because most of the major frauds and alleged frauds perpetrated on shareholders, employees, customers, and the public generally went undetected for long periods of time, SOX has provisions to make internal processes more transparent as well, processes that are typically managed, at least in part, by or through the company’s ERP system. Public companies are now required to demonstrate that they are actively managing and auditing their transactions and internal business processes. This is one of several places where Approva’s BizRights software fits nicely.
Established in January 2002, Approva competes in the Enterprise Controls Management market to help companies move beyond mere SOX compliance documentation. Senior management has strong backgrounds in Enterprise-scale software applications.
Based on an extensive rule base, BizRights provides visibility into user activity within business transactions and processes to detect conflicts, anomalies, violations, and exceptions. BizRights’ value is detecting these conditions as they occur, enabling them to be addressed in near-realtime.
ERP and related application environments are extraordinarily complex. Consequently, BizRights was designed to monitor transactions and to alert security professionals, managers, and auditors to potential conflicts and problems.
The BizRights rules engine monitors the ERP system based on a set of predefined conditions that authorities want to observe, such as overrides to a Purchase Order, newly created vendor accounts, or payment authorizations above a specific dollar amount. Once a conflict or exception is detected, BizRights provides notifications through on-screen alerts and/or email alerts to the appropriate people, providing direct access to the details of the potential problem so that it can be viewed and acted upon. These pre-defined rules serve as a starter set and are designed for easy customization for specific customer environments.
An important concept in Enterprise rights is that of Segregation of Duties (SOD), which means that ERP duties should be segregated across users and roles, so that no single user has the ability to perform combinations of activities which on their own are fine, but which, when combined, form a security or control risk. Such rules are likely to depend on the individual’s role and responsibilities within the organization. For example, an individual who has the authority to create a new vendor in the accounts payable system should not have the ability to approve a check to that vendor.
To provide greater visibility and better control within enterprise applications, Approva’s BizRights solution can provide answers to specific questions such as:
“Who is executing specific business processes within enterprise applications?” and “Should they be executing those processes in that way?” Other possible questions include “Are employees performing their jobs in a manner that was intended?” and “Is the business operating in a manner that violates internal or external rules, policies, and regulations?”
In addition to realtime monitoring, alerts, and controls, Approva’s BizRights software also provides an important modeling capability. The application’s rule base can be run against an extract of data (e.g., authorization information, transactions, and configurations) from the ERP system, thus enabling managers, auditors, and security professionals to determine whether the existing rules in the ERP system conform to best practices for permissions based on Segregation of Duties and other pertinent criteria. Having documented conflicts and sub-optimal permissions, authorities can then modify the relevant rules to improve the security and auditability of the environment.
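As an added illustration (not Approva’s code or its rule base), the following Python models both capabilities described above: a Segregation of Duties check run against a constructed extract of role and user authorization data, and transaction monitoring against predefined conditions such as a newly created vendor or a payment authorization above a dollar limit. All role names, transaction codes, users and amounts are constructed placeholders.

```python
# Constructed sample extract of ERP authorization data (not Approva/BizRights data):
# roles grant transaction codes, and users are assigned one or more roles.
ROLES = {
    "AP_CLERK":   {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"PAYMENT_APPROVE"},
    "BUYER":      {"PO_CREATE", "PO_OVERRIDE"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_MANAGER"},   # conflicting pair arrives via two roles
    "carol": {"BUYER", "AP_MANAGER"},
}

# Constructed starter set of SoD rules: activity pairs that are acceptable alone
# but form a control risk when a single user can execute both.
SOD_RULES = [
    ("VENDOR_CREATE", "PAYMENT_APPROVE", "create a vendor and approve payment to it"),
    ("PO_OVERRIDE", "PAYMENT_APPROVE", "override a purchase order and approve its payment"),
]

def effective_activities(user, user_roles=USER_ROLES, roles=ROLES):
    """Union of transaction codes reachable through all of the user's roles."""
    return set().union(*(roles[r] for r in user_roles.get(user, ())))

def sod_conflicts(user_roles=USER_ROLES, roles=ROLES, rules=SOD_RULES):
    """Model check: (user, activity_a, activity_b, reason) for every user holding
    both halves of a conflicting pair, regardless of which roles grant them."""
    findings = []
    for user in sorted(user_roles):
        acts = effective_activities(user, user_roles, roles)
        for a, b, reason in rules:
            if a in acts and b in acts:
                findings.append((user, a, b, reason))
    return findings

# Constructed transaction extract for the monitoring side of the engine.
TRANSACTIONS = [
    {"id": 101, "user": "bob",   "code": "VENDOR_CREATE",   "amount": 0.0},
    {"id": 102, "user": "bob",   "code": "PAYMENT_APPROVE", "amount": 12500.0},
    {"id": 103, "user": "carol", "code": "PAYMENT_APPROVE", "amount": 800.0},
]

def monitoring_alerts(transactions=TRANSACTIONS, payment_limit=10000.0):
    """Flag transactions matching predefined conditions; returns (id, user, message)."""
    alerts = []
    for t in transactions:
        if t["code"] == "VENDOR_CREATE":
            alerts.append((t["id"], t["user"], "new vendor account created"))
        elif t["code"] == "PAYMENT_APPROVE" and t["amount"] > payment_limit:
            alerts.append((t["id"], t["user"], f"payment above limit: {t['amount']:.2f}"))
    return alerts
```

Run `sod_conflicts()` against the extract to see that bob and carol each hold a conflicting pair through separate roles, which a per-role review would miss.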
As is the case in other rights domains, the rules, monitoring, and alerting functions need to be implemented to balance security and auditability with efficiency and effectiveness.
Customers and Channels
Approva BizRights reference accounts include GM’s Allison Transmission, Microsoft, Coca-Cola, John Deere, Siemens Westinghouse, Colgate-Palmolive, and Intel. Approva recently announced a strategic partnership with Consider Solutions to market BizRights software in Europe. Current Approva European customers include Novartis and Sony Europe.
BizRights provides security professionals, auditors, and C-level executives with the means to verify compliance and security. Approva’s BizRights software is a powerful tool that models and monitors access, use, and transaction-related rules in conjunction with Enterprise Resource Planning applications including SAP and PeopleSoft/Oracle.