Data Securities International
Data Securities International (DSI) is a company based in San Francisco, California, that escrows source code for licensees.
History
In 1981, mathematician Dwight Olson saw an opportunity in the infant software product industry. Software companies were often unpredictable and difficult to understand, let alone invest in. They were frequently formed and dissolved, merged or acquired. If you wanted to use one of their software products, you had to accept the substantial risk that the software company would be gone before the software product's useful life was over and it had to be replaced. When the software company was gone, the licensees were on their own: no more support, no more enhancements, and no more future product releases.
This risk, sometimes called “software intellectual property investment risk”, proved a deterrent to the adoption of innovative software from smaller vendors. In the early eighties there were only small software companies. DSI wanted to find a way to control this software investment risk. If software source code could be stored in a safe place, a place where only a neutral third party could access it and the developer was still in control of it, then users could obtain it in the event that the owner-originator went bankrupt.
The source code could be released to those who had an escrow agreement and a license for it in the event that the software company simply no longer existed and, in some instances, for mission-critical software when the software provider materially breached a support agreement.
Such an idea would work only if a neutral third party held the software source code for the benefit of both the software developer and user. Thus, software escrow was born. DSI's vision enabled the software industry to flourish.
Data Securities International started in 1982, grew slowly and steadily for over 25 years, and was eventually sold to Iron Mountain.
In order to provide additional assurance of the usability and usefulness of the content of the escrow deposit, the concept of “Software Escrow Verification” was developed.
Verification of the escrow account content was highly recommended: with potentially so much riding on the deposit, waiting to inspect the contents until after release could be catastrophic, as by that time it would be too late to correct any deficiencies.
Depending upon the risk tolerance of the deposit account beneficiary, several possible types of verification were implemented.
The first and least rigorous consisted of simple inspection of the deposit, which served to verify that the deposit is accessible. It confirms that the digital media can be accessed. If the deposit is encrypted or password protected, it confirms that the correct password has indeed been provided. It confirms that any tools necessary to extract the software are known and catalogued; note that without compiling the software this can only be regarded as a provisional confirmation. Finally, it confirms that documentation describing the configuration of the build environment and the build procedures has been provided. This is even more important today than in 1982 given the complex and distributed nature of modern software build environments.
Next and more rigorous was the creation of executable files. This verified that all required components can be compiled from the source code provided in the deposit, using the instructions provided to configure the required build environment and the build procedures provided. It also verified that all required environmental parameters have been completely specified: hardware specifications, operating systems, compilers, third-party tools and specific configurations that may not be intuitively obvious without direct previous experience with the escrowed software. Certification of required tools is important since the absence or unavailability of even a single tool, library or API necessary to support compilation could render a deposit useless in the event of a release.
The highest and most rigorous was to functionally exercise the executable components created from the escrowed source code. This required configuration of a test environment and running a set of tests to confirm that the executable files created are indeed the correct software and that these executable files behave in a manner consistent with expectations. Often this requires configuration of application servers, database engines and other third-party components to completely set up a functional environment. This type of testing can be most important for applications that are delivered via an ASP model, where the beneficiary of the account does not have any license to possess even a copy of the executable files until a release occurs. Such a beneficiary would have no knowledge or experience configuring a system suitable to support continued operation of the application and would be totally dependent upon any documentation within the deposit describing the configuration of the functional system.
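The first (inspection) level described above can be automated; the following is an added example, not code from DSI or from this article. It checks that a deposit archive opens, that build documentation is present, and that the extractor for every nested archive is catalogued. The file names `BUILD.md`, `ENVIRONMENT.md` and `TOOLS.txt` and the extension-to-tool map are assumptions, and the password check for encrypted deposits is not covered.

```python
import io
import tarfile

# Assumed deposit layout (not from the article): build docs and a tool
# catalogue at the archive root, one "tool version" entry per catalogue line.
REQUIRED_DOCS = {"BUILD.md", "ENVIRONMENT.md"}
TOOL_CATALOGUE = "TOOLS.txt"
EXTRACTOR_FOR = {".zip": "unzip", ".7z": "7z", ".rar": "unrar"}


def inspect_deposit(blob: bytes) -> list[str]:
    """Return a list of deficiencies; an empty list means inspection passed."""
    try:
        tar = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"deposit not accessible: {exc}"]
    findings = []
    for doc in sorted(REQUIRED_DOCS):
        if doc not in members or members[doc].size == 0:
            findings.append(f"missing or empty build documentation: {doc}")
    tools = set()
    if TOOL_CATALOGUE in members:
        text = tar.extractfile(members[TOOL_CATALOGUE]).read().decode("utf-8", "replace")
        tools = {line.split()[0] for line in text.splitlines() if line.strip()}
    else:
        findings.append(f"missing tool catalogue: {TOOL_CATALOGUE}")
    for name in sorted(members):
        for ext, tool in EXTRACTOR_FOR.items():
            # A nested archive is only usable if its extractor is catalogued.
            if name.lower().endswith(ext) and tool not in tools:
                findings.append(f"{name} needs '{tool}', which is not catalogued")
    return findings


def make_sample(files: dict[str, bytes]) -> bytes:
    """Build a constructed sample deposit (gzip-compressed tar) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one complete deposit, one with three deficiencies.
GOOD = make_sample({"BUILD.md": b"make all\n", "ENVIRONMENT.md": b"gcc 4.8\n",
                    "TOOLS.txt": b"unzip 6.0\n", "src/app.zip": b"PK"})
BAD = make_sample({"BUILD.md": b"", "TOOLS.txt": b"unzip 6.0\n", "vendor/lib.7z": b"7z"})
```

As the text notes, a clean result here is only provisional: it does not show that the deposit compiles or that the resulting executables run.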
In the mid-1980s Data Securities International introduced the concept of a Total Software Value (TSV) that uses the composites of Ownership Value (OV) or the software inventory, Market Value (MV), and Internal Cost Savings (ICS) as values and influencing variables of software as a financial asset. A TSV software inventory valuation (OV) analysis looks at the sum total (or bundle) of the various software components or intellectual assets that make software usable as a product.
In 1992 Data Securities International was asked to become an associate member of the American Bar Association’s Information Security Group (ISC) of the Science and Technology Section, working on digital signatures. The digital signatures document was released in 1996 and DSI became co-chair of the Key Recovery or Key Escrow Working Group of the ISC to develop additional key recovery requirements for the use of asymmetric encryption keys for security and authenticated transactions. DSI was an initial member of the Key Recovery Alliance, a consortium of major corporations working to deliver commercial software products for security of e-commerce using digital signatures on the internet. The Key Recovery Alliance (originally at KRA.org) was an industry organization of 30 international companies that supported key recovery, including the leading firm RSA Security, but it disbanded in 1999 under pressure from civil rights groups. Individual countries such as the US and UK have since moved to try to implement key recovery systems on their own.