Entitlement management: Access control on steroids

Entitlement management tools bring fine-grained access control to another level

"Policies can be hard-coded into an application and we'd have to go in there, find where the policy is stored, find the entitlement mechanism, alter it and redeploy the application to make the policy change to implement our rules," says Moore, who is now general manager of technology services at Diligent Enterprises. "It would take forever and it would cause a lot of frustration to the business."

Using Securent, Moore says, allowed him to abstract the entitlement outside of the application and apply policies across multiple applications. Securent technology included features that Moore used to enable business managers to assign roles as well.

"We didn't have the ability to delegate and carve out policies in the past," Moore says. "The software is very focused on the business perspective and provides those administrative services that let IT delegate policy administration in business terms to others in the business domain. It cuts down on a lot of administrative headaches."

Don Scott, CEO of enterprise security, risk and compliance management consultancy Adverant in Las Vegas, says he uses Imperva application data security software in concert with entitlement management technologies to enforce fine-grained security policies.

"Imperva offers a lot of capabilities around securing applications and prevents malicious activities on the application side," Scott explains. He says Imperva provides visibility into the application and helps IT managers move up to automating processes, after which they can start thinking about entitlement management. "A significant part of managing risk is getting control of entitlements and coupling that information with systems that manage building access rights. Customers must slowly develop a model around such security best practices."

And if best practices aren't followed, entitlement management technology provides a comprehensive audit trail of who has accessed what and when, which can help companies during regulatory audits but also serve a role in investigating security breaches. And in some cases, IT security managers who stay on top of entitlement management can stop breaches before they happen.

"There are a lot of reports out there that say more threats come from inside the company than outside," Gartner's Perkins says. If IT security executives have their policies and processes in place, then "entitlement management [technology] can help make an organization more secure and help them do it in a more uniform fashion, more efficiently and faster."

Entitlement work to be done

While entitlement technologies provide centralized management of entitlements across multiple applications and systems, help secure data and cut down on administrative headaches, industry watchers and customers alike say there is still a lot of work to be done.

To start, software vendors such as SAP, which has been doing entitlement management in a proprietary sense for years, need to open up their code to entitlement management systems. For instance, each application deals with entitlements differently, whether they are legacy, homegrown or packaged applications. Until all applications expose their entitlements in a standard method, true enterprise-scale entitlement management is not going to happen.

"The biggest barrier to entitlement management right now is internalized entitlements. Software vendors need to expose the entitlements to external systems to provide enterprise-scale entitlement management and enable true separation of duties," Forrester's Cser says.

Another hurdle to successful entitlement management is more of a cultural one. Not all companies should adopt the same entitlement management model; that may seem obvious to some, but industry watchers warn that assuming one model fits all is a common misstep.

For instance, separation of duties may not be a big issue at one organization, so that company could lock down all entitlement data in a human resources system. But others, who must prove they meet this regulatory requirement, would have to expose entitlement data to other systems. And for those protecting data from internal threats, a centralized model might work better than a distributed model for such authorization frameworks.
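The mechanics the article describes, policies kept outside the applications and applied across several of them, role assignment delegated to business managers, separation of duties enforced centrally, and an audit trail of who accessed what and when, fit in a small policy decision point. The following is an added example written for this page; it is not code from the article or from Securent, Imperva or any other vendor named here, and every application, role, user and resource name in it is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    """One externalized rule: members of `role` may perform `action` on resources
    under `resource_prefix` in application `app` ("*" means every application)."""
    app: str
    role: str
    action: str
    resource_prefix: str


@dataclass
class EntitlementService:
    """Minimal policy decision point shared by several applications (hypothetical design)."""
    policies: list = field(default_factory=list)
    role_members: dict = field(default_factory=dict)  # role -> set of users
    delegates: dict = field(default_factory=dict)     # admin -> roles that admin may assign
    sod_conflicts: set = field(default_factory=set)   # frozenset({role_a, role_b}) pairs
    audit: list = field(default_factory=list)         # every decision and admin change

    def _log(self, event, **details):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event}
        entry.update(details)
        self.audit.append(entry)

    def roles_of(self, user):
        return {r for r, members in self.role_members.items() if user in members}

    def delegate(self, admin, roles):
        """IT carves out a slice of policy administration to a business owner."""
        self.delegates.setdefault(admin, set()).update(roles)
        self._log("delegate", admin=admin, roles=sorted(roles))

    def assign_role(self, admin, user, role):
        """Delegated administration: the admin may only hand out roles delegated
        to them, and the assignment is refused if it would breach an SoD constraint."""
        if role not in self.delegates.get(admin, set()):
            self._log("assign_denied", admin=admin, user=user, role=role, reason="not delegated")
            return False
        for held in self.roles_of(user):
            if frozenset({held, role}) in self.sod_conflicts:
                self._log("assign_denied", admin=admin, user=user, role=role,
                          reason=f"sod conflict with {held}")
                return False
        self.role_members.setdefault(role, set()).add(user)
        self._log("assign", admin=admin, user=user, role=role)
        return True

    def is_permitted(self, app, user, action, resource):
        """Decision an application asks for instead of hard-coding the rule itself."""
        roles = self.roles_of(user)
        allowed = any(
            p.role in roles and p.app in (app, "*") and p.action == action
            and resource.startswith(p.resource_prefix)
            for p in self.policies
        )
        self._log("decision", app=app, user=user, action=action, resource=resource, allowed=allowed)
        return allowed

    def access_history(self, resource):
        """The investigator's question: who touched this resource, and when?"""
        return [(e["ts"], e["user"], e["action"], e["allowed"]) for e in self.audit
                if e["event"] == "decision" and e["resource"] == resource]


def demo():
    svc = EntitlementService()
    # Constructed policies for two hypothetical applications plus one cross-application rule.
    svc.policies += [
        Policy("payments", "payment-requester", "create", "invoice/"),
        Policy("payments", "payment-approver", "approve", "invoice/"),
        Policy("*", "auditor", "read", ""),
    ]
    svc.sod_conflicts.add(frozenset({"payment-requester", "payment-approver"}))
    svc.delegate("finance-mgr", {"payment-requester", "payment-approver"})
    svc.delegate("audit-lead", {"auditor"})
    results = {
        "alice_requester": svc.assign_role("finance-mgr", "alice", "payment-requester"),
        "alice_approver_sod": svc.assign_role("finance-mgr", "alice", "payment-approver"),
        "bob_approver": svc.assign_role("finance-mgr", "bob", "payment-approver"),
        "mgr_assigns_auditor": svc.assign_role("finance-mgr", "carol", "auditor"),
        "carol_auditor": svc.assign_role("audit-lead", "carol", "auditor"),
    }
    results["alice_create"] = svc.is_permitted("payments", "alice", "create", "invoice/42")
    results["alice_approve"] = svc.is_permitted("payments", "alice", "approve", "invoice/42")
    results["bob_approve"] = svc.is_permitted("payments", "bob", "approve", "invoice/42")
    results["carol_read_hr"] = svc.is_permitted("hr", "carol", "read", "employee/7")
    results["history_len"] = len(svc.access_history("invoice/42"))
    return svc, results


if __name__ == "__main__":
    service, outcome = demo()
    for name, value in outcome.items():
        print(f"{name}: {value}")
    for entry in service.audit:
        print(entry)
```

Two design points match the article's argument. The SoD check lives in `assign_role`, not in the payments application, which is why a vendor whose application keeps its entitlements internal (Cser's "internalized entitlements") cannot be covered by a service like this until it exposes them. And `access_history` answers the audit question from the same log that records the denied assignments, so a regulator's request and a breach investigation read the same record.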
