Entitlement management: Access control on steroids

Entitlement management tools bring fine-grained access control to another level

"You have to be really careful when looking at fine-grained authorization. One size doesn't fit all and in some cases centralized models work best and in others decentralized. If you deploy a framework that is not suited to your environment, you can actually make things run less efficiently and be less secure," Gartner's Perkins says. "It's an evolving market and customers need to talk to their existing vendors about what they offer."

Lastly, the technology available today is still young. Securent customer Moore says he'd like to see his vendor and others broaden the capabilities of the technology to include better tooling, standards compliance and legacy application support.

"It has to get easier for IT staff to integrate these solutions into third-party applications and systems. If vendors keep up with standards, that integration will get easier for us. Entitlement management for me was about driving operational efficiencies so vendors need to do this work upfront, otherwise it may not be worth the investment," Moore says.

How to develop an entitlement management strategy

Entitlement management technologies can protect networks from internal threats, automate the process of keeping roles and access rights up to date, and reduce headaches related to regulatory compliance. It all depends on an organization's needs.

IT managers facing compliance deadlines might appreciate the separation of duties features and audit trail data provided with entitlement management products from Jericho Systems, Oracle and Securent.

Security managers might embrace the fine-grained authorization policies that companies such as Aveksa automate for customers.

And companies looking to better protect intellectual property and customer privacy might decide to put entitlement management in place to lock down systems from widespread or unauthorized access.

Here are a few steps IT and security managers should take when determining how to fit entitlement management technologies into their organizations.

1. Create and define roles

Entitlement management technologies work with established roles to start, but can be used to analyze whether defined roles are appropriate or need to be redefined. While the software products will initially tap into existing identity management systems and access rights repositories, entitlement management tools can help update existing privileges to better suit the environment and changing business demands.

"There is a realization that the current approach to access governance isn't working, because it is too manual and fragmented," says Deepak Taneja, CEO of Aveksa. "Entitlement management allows for the review of access policies to determine if established roles need to be updated and if the privileges are appropriate given the current state of the environment."

2. Establish team of business and security managers

Craig Shumard, CISO at healthcare provider Cigna, advises those considering an entitlement management project to dedicate a team consisting of IT and business managers. He says the collaboration will help ensure the roles are defined with the business in mind.

"You have no idea how many rocks you are going to have to look under when you start defining roles and sub-roles. Involvement from the business is critical in creating roles," Shumard says.

Mark Diodati, an analyst at Burton Group, told attendees at the research firm's Catalyst conference that working with the business is critical to establishing "complex policies created from a business objects perspective." Oracle acquired Bridgestream, a maker of enterprise role management software, which Oracle says will be added to its Identity and Access Management Suite.

"Entitlement management is about 80% internal review on the part of the customer and just 20% technology," says Earl Perkins, a research vice president at Gartner. "IT managers should talk to their existing vendors to see what the next logical step would be for them. It should be a natural progression from identity and access management to entitlement management."
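The review described in step 1 (comparing the access people actually hold against what their roles justify, checking separation of duties, and spotting roles that no longer fit) can be run as a simple batch job once the data is pulled from the identity repository and target systems. The Python below is an added example, not code from the article or from any vendor named here; the role definitions, user-to-role assignments, system snapshot and toxic-combination rules are all constructed sample data, and the entitlement names are hypothetical.

```python
"""Entitlement review: flag excess access, separation-of-duties conflicts,
and roles whose members routinely hold access the role does not define."""
from collections import Counter

# Constructed sample data (hypothetical; not taken from any real system).
ROLES = {
    "ap_clerk":   {"erp.invoice.create", "erp.invoice.read"},
    "ap_manager": {"erp.invoice.read", "erp.invoice.approve", "erp.report.run"},
    "auditor":    {"erp.invoice.read", "erp.report.run", "erp.audit.read"},
}

USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk"},
    "carol": {"ap_manager"},
    "dave":  {"auditor"},
    "erin":  {"ap_clerk"},
}

# Snapshot of entitlements actually present in the target systems (constructed).
ACTUAL = {
    "alice": {"erp.invoice.create", "erp.invoice.read", "erp.invoice.approve"},
    "bob":   {"erp.invoice.create", "erp.invoice.read", "erp.vendor.edit"},
    "carol": {"erp.invoice.read", "erp.invoice.approve", "erp.report.run"},
    "dave":  {"erp.invoice.read", "erp.report.run", "erp.audit.read", "erp.vendor.edit"},
    "erin":  {"erp.invoice.create", "erp.invoice.read", "erp.vendor.edit"},
}

# Separation-of-duties rules: no single person may hold both entitlements.
SOD_RULES = [
    ("erp.invoice.create", "erp.invoice.approve"),
    ("erp.vendor.edit", "erp.invoice.approve"),
]


def entitled_by_role(user):
    """Union of the entitlements granted by every role assigned to the user."""
    granted = set()
    for role in USER_ROLES.get(user, ()):
        granted |= ROLES[role]
    return granted


def excess_entitlements():
    """Per user, entitlements found in the systems that no assigned role justifies.
    These are the direct grants an access review should either revoke or fold
    into a role."""
    result = {}
    for user, held in ACTUAL.items():
        extra = held - entitled_by_role(user)
        if extra:
            result[user] = extra
    return result


def sod_violations(assignments=None):
    """Toxic combinations held by one person. Defaults to the system snapshot
    (what people can actually do); pass role-derived sets to audit role design."""
    assignments = ACTUAL if assignments is None else assignments
    violations = []
    for user, held in assignments.items():
        for a, b in SOD_RULES:
            if a in held and b in held:
                violations.append((user, a, b))
    return violations


def role_design_sod():
    """SoD conflicts created purely by role definitions and role combinations,
    independent of any direct grants."""
    derived = {user: entitled_by_role(user) for user in USER_ROLES}
    return sod_violations(derived)


def role_update_candidates(threshold=0.6, min_members=2):
    """Entitlements held outside a role's definition by at least `threshold`
    of its members. Such a role is a candidate for redefinition (or the shared
    excess is a pattern of out-of-band grants to revoke). Roles with fewer than
    `min_members` members are skipped so one person cannot redefine a role."""
    suggestions = {}
    for role, defined in ROLES.items():
        members = [u for u, roles in USER_ROLES.items() if role in roles]
        if len(members) < min_members:
            continue
        counts = Counter()
        for user in members:
            counts.update(ACTUAL.get(user, set()) - defined)
        common = {e for e, n in counts.items() if n / len(members) >= threshold}
        if common:
            suggestions[role] = common
    return suggestions


if __name__ == "__main__":
    print("excess:", excess_entitlements())
    print("sod (actual):", sod_violations())
    print("sod (role design):", role_design_sod())
    print("role updates:", role_update_candidates())
```

Running the review over the constructed snapshot flags alice's direct approve grant as both excess and a create/approve conflict, shows that the role definitions themselves are clean, and reports that two of the three clerks hold `erp.vendor.edit` outside their role, which is the signal for the business and security team in step 2 to decide whether the clerk role should change or the grants should go.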
