Enterprise Resource Metadata Attribution

Modern security needs an integrated architecture to securely manage operations across domains.

Proposed OMG Standard

Enterprise Resource Metadata Attribution (ERMA) is an OMG initiative designed to extend software bill of materials (SBOM) processes to include data-centric security and real-time metadata related to hardware, system, license, standards and network components.

ERMA Overview

ERMA data sets are building blocks for real-time computing and support services. ERMA information sets support the advanced implementation capabilities needed to help resolve issues such as inventory, risk management, connectivity, life cycles, secure sharing, and assurance or attestation.

ERMAs differ from BOMs in scope and intent. Like SBOMs, ERMAs collect the metadata needed for risk management, but ERMAs are intended to improve real-time computing operations. ERMA metadata is used to drive processes for risk management, connectivity, life cycles, inventory (hardware & software), operations, health, and assurance or attestation. Trust is essential to secure computing, so the data for the trust processes used for verification and validation is integrated into the ERMA standard.

The creation of ERMA is motivated by the need for a quality metadata set describing computer operations within an environment, whether that environment is a single system or a network of systems. This approach reduces risk while helping resolve the security, privacy and operational issues associated with access control, networking, sharing, data custody, data transport, and system health.

An ERMA is the standard for capturing real-time metadata about the computing environment. ERMA implementations require one or more methods for metadata collection; real-time collection is one option. Additional processes are needed to make use of ERMAs, including storage, use, and sharing. The ERMA standard is platform and implementation independent. How an ERMA can be used depends on the implementation chosen for storing and accessing the metadata and on how the metadata is analysed and used.

Network ERMA (nERMA)

A computer is a complex environment, made more complex when it is networked to other computers. Computers are a commodity supported by a complex hardware and software supply chain, and little continuity exists between the supply chain, the build process and the end computer environment.

SBOMs are a static representation of parts of a computing environment with only a limited connection to the build.

ERMAs are designed to use data contained within the computing environment to define operational capacity, tie together the build processes and maintain a stable operational environment.

ERMAs of different types fit several roles, such as operations, support, and process support. As seen in the diagram below, a linkage exists between the roles, data collection and usage; the diagram also provides a sampling of the data elements and attributes collected.

ERMA Types and Roles

Three operational ERMAs include: 

Additional ERMAs - System (sysERMA), Action (aERMA), License (licERMA), Standards (stdERMA), 

ERMAs Define Computing Environments and Relationships 

In the following ERMA flowchart image, ERMAs help you track the relationships between hardware, software and standards through the network (nERMA). Data Centric Security (DCS) defines data access and distribution.

ERMAs include the metadata required for defining inventory, relationships, quality of service and operational integrity. The method and architecture required to optimize the process is a separate discussion.

Real Operations in Real Time (as seen in the image above)

The nERMAs illustrate the real-time power of ERMAs. Two interfaces are shown, an I2C interface and a USB interface. Metadata related to each interface is captured in detail, including hardware, software and network information (jitter, latency, etc.).

In this example, we refer to Zephyr. Zephyr supports virtualization as part of a safe and secure solution. Connectivity to the container can be tracked independently, as it is a physical connection. Digital twinning is illustrated using QEMU emulation.
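The paragraphs above describe per-interface metadata (hardware, software, latency, jitter) that feeds trust and attestation processes. The following is an added illustration of that idea, not code from the ERMA initiative and not the ERMA schema: the record layout, field names (`interface`, `bus`, `software`, `network`, `digest`) and the constructed latency samples are assumptions. It derives jitter from a series of latency measurements, assembles an nERMA-style record for one interface, and seals it with a SHA-256 digest over canonical JSON so that a later consumer can detect tampering with the stored metadata.

```python
"""Hypothetical nERMA-style interface record with latency/jitter metrics and an
integrity digest. Added illustration; the field names are assumptions, not the
OMG ERMA schema."""
import hashlib
import json
import statistics
from dataclasses import dataclass, field


@dataclass
class InterfaceSample:
    """Raw facts collected about one physical interface (constructed sample data)."""
    name: str                      # interface identifier, e.g. "i2c0" or "usb0" (assumed)
    bus: str                       # bus type, e.g. "I2C" or "USB"
    driver: str                    # driver name as reported by the system
    driver_version: str            # driver version as reported by the system
    latency_samples_us: list = field(default_factory=list)   # round-trip latencies in microseconds


def network_metrics(samples_us):
    """Mean latency and jitter, where jitter is the mean absolute difference
    between consecutive latency samples (the packet-delay-variation idea)."""
    if len(samples_us) < 2:
        raise ValueError("need at least two latency samples to compute jitter")
    mean_latency = statistics.fmean(samples_us)
    jitter = statistics.fmean(abs(b - a) for a, b in zip(samples_us, samples_us[1:]))
    return {"latency_mean_us": round(mean_latency, 2), "jitter_us": round(jitter, 2)}


def _canonical_digest(body):
    """SHA-256 over canonical JSON (sorted keys, no whitespace) so the digest is
    independent of field order and formatting."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_record(sample):
    """Assemble one interface record: hardware/software identity plus network
    metrics, sealed with a digest that a verifier can recompute."""
    body = {
        "interface": sample.name,
        "bus": sample.bus,
        "software": {"driver": sample.driver, "version": sample.driver_version},
        "network": network_metrics(sample.latency_samples_us),
    }
    return {**body, "digest": _canonical_digest(body)}


def verify_record(record):
    """Recompute the digest over everything except the digest itself; any edit
    to the stored metadata (e.g. a changed driver version) makes this False."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return _canonical_digest(body) == record.get("digest")


# Constructed sample: five round-trip latency measurements on a USB interface.
USB_SAMPLE = InterfaceSample("usb0", "USB", "cdc_acm", "1.0",
                             [100.0, 110.0, 105.0, 120.0, 115.0])

if __name__ == "__main__":
    rec = build_record(USB_SAMPLE)
    print(json.dumps(rec, indent=2))
    print("verified:", verify_record(rec))
```

The digest only proves that a record has not changed since it was sealed; binding it to a particular device or signer (for example with a hardware-rooted key) is a separate step that this illustration does not cover.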
