Entitlement management: Access control on steroids

Faced with looming regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, Craig Shumard, chief information security officer for healthcare provider Cigna, knew he needed better tools for role-based access control.

"In the past many employees would just dole out access rights based on a peer's profile, but it is not efficient nor is it prudent from a security and regulations standpoint to give employees more access than they need to applications and data," Shumard says. "We only want to dole out the minimum access employees need to do their job effectively and only for as long as they need to do that job."

When his search began more than five years ago, nobody was offering what he needed. The limitation of his prior role-based access control tool was that it was "only as good as the day you do it because people are constantly moving, companies are realigning and functions are changing," he explains. Role-based access control was fundamental to his company's business processes, but the system he had "was a massive process with a lot of moving pieces that became a struggle to maintain."

Today, Shumard uses software from Aveksa to automate fine-grained authorization that involves 1,800 multi-layered roles and 2,400 sub-roles. The tool makes it possible for staff to stay on top of doling out, updating and pulling back roles and access rights to employees, he says.

"Fine-grained authorization and entitlement management allows you to externalize security from the applications and helps drive out complexity and improve policy-based management. It is not a trivial thing," Shumard says.

For example, when a new employee comes on board, Aveksa integrates with Cigna's human resources database to automatically provision pre-defined roles, but also to de-provision those same users if their jobs change or they leave the company. The Aveksa workflow tool is used by the security team to pull together role owners, application stewards and managers to keep roles up to date and systems secure from unauthorized access, he says.

The software runs on a Linux operating system and Oracle database, and is also available as an appliance. Pricing for Aveksa 3 Enterprise Access Governance Suite starts around US$140,000 for 1,000 users and 25 applications. But Aveksa features a Web-based interface that not only IT security staff can use, but which business managers can also tap into to create and review roles. "What a customer service representative does today can change by tomorrow so we had to expand how we defined roles and automate the process of keeping them up to date," Shumard says.

Taking on entitlements

Aveksa is one of a number of vendors in a new product category known as entitlement management. The benefits of entitlement management include improving security, particularly when it comes to protecting data from internal misuse, reducing risk and achieving compliance.

"I consider entitlement management the passing of the torch as the next great task for identity and access management technologies," says Earl Perkins, a research vice president at Gartner. "A critical mass has been reached in which IT managers have installed identity and access management and can now deliver authorization management in their application platform environment."

For instance, an employee with access to accounts payable data can be denied access to accounts receivable applications. An employee with access to sales account data at 3 p.m. may be restricted to the same data at 3 a.m. And an employee allowed to get into a database could be cut short if he tried to download amounts of data that exceeded pre-set thresholds.

Vendors such as BEA, Securent, Jericho Systems and Oracle (with its BridgeStream acquisition) say they can provide the technology to simplify what most describe as a necessary yet complicated and time-consuming task. Others such as SailPoint, Vaau, BHOLD and Eurekify also work to simplify enterprise role management.

"It's a young area and there is not a lot of agreement over which vendors or products belong in which market segment," says Mike Neuenschwander, vice president and research director of Burton Group. "There is a bit of frenzy around entitlement management because it can help with security and compliance audits, but mostly it is a great opportunity to centralize application access management and put more controls in place to reduce enterprise risk, while still making necessary resources available."

Page Break

"Entitlement management technology can implement policies that say who can have access to what and at what time and in what context. The level of controls can be very deep and broad. Identity management systems don't cover the granularity requirements of entitlement management," adds Andras Cser, a senior analyst with Forrester Research.

How entitlement works

Typically entitlement management products pull identity management data from LDAP, Active Directory or human resource directories and integrate with identity and access management tools from CA, IBM, Oracle and others to help customers build entitlement policies. Some vendors such as Securent provide a drag-and-drop interface for building such policies.

Once built, the technologies monitor access across a company to determine if actions taken are in line with pre-set policies. In Securent's case, one part of its three-part Entitlement Management Solution sits, say, on the same server as Microsoft's SharePoint Server and monitors any interactions going into the server and determining based on pre-set policies deciding if the access should be allowed.

For instance, if a financial services firm had a policy that restricted brokers from contacting analysts directly, a company would have to write code in each application in which the two groups might interact to prevent such occurrences. The policies would restrict the contact between the people, Securent executives say. "Based on who you are, you only see a subset of certain resources. It becomes not even an option to access certain systems," says Rajiv Gupta, Securent founder and CEO.

Entitlement management tools can then track and report access to applications and systems - or even be tied to physical security systems - to provide data for audit purposes. Essentially, entitlement management products automate processes that were impossible to maintain in the past, industry watchers say.

"Entitlement management is the real-time enforcement of access control policies. The technology is able to look at what everyone has access to, review the access criteria, and certify and attest that management has granted the access," says Roberta Witty, a research vice president at Gartner. "These are actions that you always wished you could get to, but have always been difficult to do because there haven't been automated tools, IT managers can't keep up with the changes, and historically entitlements have been written for just a small subset of applications."

While many entitlement management products can work independently of existing identity and access management suites, industry watchers say IT managers should not expect the technology to exist as a stand-alone option.

"Long term, I see convergence of identity and access management technologies from Novell, CA or Tivoli with entitlement management features. No one is going to want multiple repositories and roles so entitlement management will be consolidated into larger identity life-cycle management products," Cser says. "Customers don't want point products for entitlement."

For instance, Aveksa has built connectors into identity management platforms such as Sun Identity Manager, CA Identity Manager, Windows File Shares and IBM Tivoli Identity Manager.

Putting it in place

While security seems to be a main driver for deploying entitlement management, IT managers say reducing administrative and operational headaches is another top reason to implement the technology.

Timothy Moore chose Securent to automate several time-consuming tasks around application entitlements at insurance provider First American. Moore, who previously served as senior architect in the enterprise technology group at First American and deployed Securent technology about 18 months ago for the insurance company, says he was addressing the company's fine-grained authorization problem - which was mostly administrative.

Page Break

"Policies can be hard-coded into an application and we'd have to go in there, find where the policy is stored, find the entitlement mechanism, alter it and redeploy the application to make the policy change to implement our rules," says Moore, who is now general manager of technology services at Diligent Enterprises. "It would take forever and it would cause a lot of frustration to the business."

Using Securent, Moore says, allowed him to abstract the entitlement outside of the application and apply policies across multiple applications. Securent technology included features that Moore used to enable business managers to assign roles as well.

"We didn't have the ability to delegate and carve out policies in the past," Moore says. "The software is very focused on the business perspective and provides those administrative services that let IT delegate policy administration in business terms to others in the business domain. It cuts down on a lot of administrative headaches."

Don Scott, CEO of enterprise security, risk and compliance management consultancy Adverant in Las Vegas, says he uses Imperva application data security software in concert with entitlement management technologies to enforce fine-grained security policies.

"Imperva offers a lot of capabilities around securing applications and prevents malicious activities on the application side," Scott explains. He says Imperva provides visibility into the application and helps IT managers move up to automating processes and then they can start thinking about entitlement management. "A significant part of managing risk is getting control of entitlements and coupling that information with systems that manage building access rights. Customers must slowly develop a model around such security best practices."

And if best practices aren't followed, entitlement management technology provides a comprehensive audit trail of who has accessed what and when, which could help companies during regulatory audits but also serve a role in investigating security breaches. And in some cases, IT security managers on top of entitlement management can stop breaches before they happen.

"There are a lot of reports out there that say more threats come from inside the company than outside," Gartner's Perkins says. If IT security executives have their policies and processes in place, then "entitlement management [technology] can help make an organization more secure and help them do it in a more uniform fashion, more efficiently and faster."

Entitlement work to be done

While entitlement technologies provide centralized management of entitlements across multiple applications and systems, help secure data and cut down on administrative headaches, industry watchers and customers alike say there is still a lot of work to be done.

To start, software vendors such as SAP, which has been doing entitlement management in a proprietary sense for years, need to open up their code to entitlement management systems. For instance, each application deals with entitlements differently, whether they are legacy, homegrown or packaged applications. Until all applications expose their entitlements in a standard method, true enterprise-scale entitlement management is not going to happen.

"The biggest barrier to entitlement management right now is internalized entitlements. Software vendors need to expose the entitlements to external systems to provide enterprise-scale entitlement management and enable true separation of duties," Forrester's Cser says.

Another hurdle to successful entitlement management is more of a cultural one. Not all companies should adopt the same entitlement management model, which may seem obvious to some, but industry watchers warn is a common misstep.

For instance, separation of duties may not be a big issue at one organization so that a company could lock down all entitlement data in a human resources system. But others who must prove they meet this regulatory detail, would have to expose entitlement data to other systems. And for those protecting data from internal threats, a centralized model might work better than a distributed model for such authorization frameworks.

Page Break

"You have to be really careful when looking at fine-grained authorization. One size doesn't fit all and in some cases centralized models work best and in others decentralized. If you deploy a framework that is not suited to your environment, you can actually make things run less efficiently and be less secure," Gartner's Perkins says. "It's an evolving market and customers need to talk to their existing vendors about what they offer."

Lastly, the technology available today is still young. Securent customer Moore says he'd like to see his vendor and others broaden the capabilities of the technology to include better tooling, standards compliance and legacy application support.

"It has to get easier for IT staff to integrate these solutions into third-party applications and systems. If vendors keep up with standards, that integration will get easier for us. Entitlement management for me was about driving operational efficiencies so vendors need to do this work upfront, otherwise it may not be worth the investment," Moore says.

How to develop an entitlement management strategy

Entitlement management technologies can protect networks from internal threats, automate the process of keeping roles and access rights up to date, and reduce headaches related to regulatory compliance. It all depends on an organization's needs.

IT managers facing compliance deadlines might appreciate the separation of duties features and audit trail data provided with entitlement management products from Jericho Systems, Oracle and Securent.

Security managers might embrace the fine-grained authorization policies that companies such as Aveksa automate for customers.

And companies looking to better protect intellectual property and customer privacy might decide to put entitlement management in place to lock down systems from widespread or unauthorized access.

Here are a few steps IT and security managers should take when determining how to fit entitlement management technologies into their organizations.

1. Create and define roles

Entitlement management technologies work with established roles to start, but can be used to analyze whether defined roles are appropriate or need to be redefined. While the software products will initially tap into existing identity management systems and access rights repositories, entitlement management tools can help update existing privileges to better suit the environment and changing business demands.

"There is a realization that the current approach to access governance isn't working, because it is too manual and fragmented," says Deepak Taneja, CEO of Aveksa. "Entitlement management allows for the review of access policies to determine if established roles need to be updated and if the privileges are appropriate given the current state of the environment."

2. Establish team of business and security managers

Craig Shumard, CISO at healthcare provider Cigna, advises those considering an entitlement management project to dedicate a team consisting of IT and business managers. He says the collaboration will help ensure the roles are defined with the business in mind.

"You have no idea how many rocks you are going to have to look under when you start defining roles and sub-roles. Involvement from the business is critical in creating roles," Shumard says.

Mark Diodati, an analyst at Burton Group, told attendees at the research firm's Catalyst conference that working with the business to establish entitlement management is critical to establish "complex policies created from a business objects perspective." Oracle acquired Bridgestream, a maker of enterprise role management software, that Oracle says would be added to its Identity and Access Management Suite.

"Entitlement management is about 80% internal review on the part of the customer and just 20% technology," says Earl Perkins, a research vice president at Gartner. "IT managers should talk to their existing vendors to see what the next logical step would be for them. It should be a natural progression from identity and access management to entitlement management."