How Cloudpaging Digital Rights Enables Software-as-a-Service

With the advent of cloud computing, more and more independent software vendors (ISVs) are moving their software products and offerings to a software-as-a-service (SaaS) model. A typical SaaS offering involves software licensing and delivery in which the software is licensed on a subscription basis and serviced from the cloud. For many ISVs, converting their existing software estate to a SaaS model is a difficult objective to achieve due to the high costs involved with software porting, re-writing, or even creating new software that can work from a cloud delivery model. While some relatively small, light-weight applications have made the move to SaaS, many of the larger, CPU/GPU intensive applications do not work well in a cloud environment. Even after moving to the cloud, ISVs must then consider adding additional mechanisms to deal with subscription management. Cloudpaging technology is a software provisioning tool that can be used to deliver any Windows-based software to end-users desktops, physical or virtual, from the cloud. In addition, Cloudpaging provides a digital rights management security model to fully control the application from the cloud and enables subscription management.

Digital rights management (DRM) is a term that typically refers to access control techniques used by copyright holders to limit usage and copy protection of digital media, such as music and video.  DRM for application extends access control to not only limit the usage and copy protection to software application but also metering the application usage. Cloudpaging DRM protects applications from piracy and is fully integrated with Numecent’s delivery and virtualization technologies to synergistically provide stronger and more sophisticated application security than traditional DRM wrapper mechanisms, even ones requiring re-compiling of ISV application.  The Cloudpaging implementation includes data compression and encryption, protocol and caching encryption, file and resource level access control protection, and rights management.  These features combine to provide the best protection for online software applications.

ISVs have access to concurrent (pooled) or per seat license controls and can count seats depending on process usage (actual use of the application) or when the end user is ready to run the application on their system.  Enforcement is further applied with the platform and version constraints which can be placed on end users for target software applications, including which target operating end users are allowed to execute on and the ability to force end users onto a specific version of the target application.  Below are key features of our flexible, security architecture:

  • Multiple license policies can be used to control application seats and usage metering, or controlled rollouts to end-users
  • Management of applications policies is provided for applications with a web-based user interface
  • Allows control of the platforms that the application can run on e.g. Windows OS’s
  • License policies are always enforced, regardless if the client machine is online or offline
  • Access token-based security easily integrates into third-party mechanisms for subscription management
  • ISVs know exactly how many application seats are in use and historically how long each user requires a seat
  • Works with most existing ISV’s license mechanisms, including dongles and license keys
  • Virtualization is fully integrated and leveraged to provide security beyond traditional mechanisms (via architecture) and application security
  • Robust encryption is used, including AES 256 on application containers and in any local, end-user device cache
  • The patented DRM is novel, as is the delivery and virtualization mechanisms
  • Same trusted web security mechanisms that financial industries rely on for both authentication and encryption of content delivery over the Internet

To understand how Cloudpaging DRM works, first the Cloudpaging packaging process is used to place the application inside a container and then configures key parts, or all of the application, to be protected and invisible to all (including the operating system) but the privileged executing processes.  Next, the Cloudpaging Server has implemented access tokens, which are passed between the server and client, to grant access to execute applications.  The token itself is encrypted, signed with an asymmetrical key to protect data and to securely authenticate, and delivered over SSL/TLS to further encrypt the transmission between the client and server.  Each access token has a short time-to-live and unique ID that are enforced by the Server during Server’s callback registration process before establishing a session, preventing duplication, relay, and cloning attacks.  The sessions are very small, independent, unique and relatively infrequent which allows this service to be very scalable.  Session integrity checks during registration and running is another key component for monitoring and alerting unusual activities to the administrators. Finally, the Cloudpaging Player, a privileged kernel level application that intertwines closely with the operating system, ensures that all of these policies are enforced during execution of the application by utilizing its key fundamental technologies, virtualization and paging to enforce and provide most aspects of its security.  The Cloudpaging Player is hardened against tampering and protected by secure session management on the server. Therefore, secure execution relies on both Cloudpaging Server and Player.

After this point, each time a new application is authorized for a user, Cloudpaging Player virtualizes a new virtual container with all of the application assets and virtual resources to make it appear that the application has been installed locally. The only difference is that on any attempt by any Windows process to access a resource from the virtualized space will require a renewed access token from the Cloudpaging Server to be generated and then decrypted by the client periodically.  If not, the Cloudpaging Player will terminate the application sessions, after a warning and a grace period for the user to save any open files, etc. Subscription management can then be integrated of the DRM, leveraging web API’s, to control who can use the application and how long they can use it for with mechanisms to revoke access when the subscription ends.

The security technology behind Cloudpaging has been battle tested for more than a decade on premises and over the Internet. It has delivered and continues to deliver some of the most commercially expensive, complex, and desirable software applications.  In addition to its inherently secure foundation with digital rights management, Cloudpaging is quite feature-rich.  It includes monitoring, metering, auditing, enforcement, and integration capabilities with other authentication and commerce systems to enable ISVs the ability to transform their software applications into a commercial SaaS platform for a modern audience.


About the Author:

Doug Pfiffner is the Chief Technology Officer for Numecent. He has been with Numecent, and previously with Endeavors since 2001, and is currently responsible for technology and product objectives and execution including project management, development, quality assurance, and technical support. Doug brings over 20 years of experience in software development, technical management, and leadership. Previously he worked for AOL on large-scale, highly-available client/server projects that have successfully deployed to millions. Doug has a CS degree from Cal Poly Pomona and an MBA. In September 2017, Doug was named a finalist for Best Tech Manager by Tech In Motion.