There’s a new way of looking at security for your enterprise applications. It’s called entitlement management. Burton Group analyst Gerry Gebel calls it an important new development in the security arena – one that you’ll want to bring into your organization soon.
Entitlement management goes a step beyond authentication and the coarse-grained authorization that usually accompanies it. Gebel calls it “finer grained access control.” Authentication establishes who a user is, and the access checks most organizations have today decide only whether that user may enter a network or application at all. With entitlement management, the question shifts to what the user is allowed to do once inside: which operations, on which resources, under which conditions.
Here’s a simple analogy. The lock on the front door decides who may enter your house; once inside, a visitor can go anywhere and touch anything. Entitlement management would scrutinize each visitor to decide which rooms that person may enter, and what he or she may do in each room once there.
Traditionally, entitlements have been built into each application your enterprise has, in application-specific code and application-specific tables. The new strategy is to pull access management out of the applications and run it as a shared service that sits in front of them and answers their authorization questions. Entitlement management can be used to strengthen the security of Web services, Web applications, legacy applications, documents and files, and physical security systems.
This approach has several benefits. First and foremost, it lets you define a single access policy, managed in one place, and apply it consistently across all applications. That matters more every year in the face of regulatory pressures from Sarbanes-Oxley, HIPAA, PCI and the like: when every access decision is made and logged by one service, the evidence auditors ask for comes from one source instead of from every application, which simplifies the audit and compliance burden.
In addition, the approach gives you finer-grained control, expressed in terms of your own users, roles and resources rather than whatever each application happened to support. With centralized access policies, the moment a policy is entered or updated, every application that consults the service receives the new or updated rule (provided the enforcement points ask the service at request time rather than caching old decisions). Your applications also become less complex and easier to maintain once the entitlement layer is removed from them. When you want to change policy, you don’t modify application code; you configure the new policy at the external service.
There are several vendors with products on the market today. Many have chosen a three-module architecture, using terminology shared with the OASIS XACML standard: the Policy Administration Point (PAP), where policies are authored, stored and administered centrally; the Policy Decision Point (PDP), which evaluates a request (who wants to do what to which resource) against the applicable policies and returns permit or deny; and the Policy Enforcement Point (PEP), which sits in the request path in front of each application, asks the PDP, and enforces the answer.
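The three-module split described above, as an added example written for this page (it is not Securent’s product or any vendor’s code): a toy entitlement service in Python with a PAP holding attribute-based rules, a PDP that evaluates requests with deny-overrides and default-deny combining, and a PEP that guards an application function, asks the PDP, and records every decision for audit. It also demonstrates the earlier point that a policy change (here, a separation-of-duties rule against self-approval) is made once at the PAP and takes effect without touching application code. All attribute names, rule names, users and invoices are constructed for illustration.

```python
"""Toy entitlement service split into PAP, PDP and PEP (illustrative only).

Attribute names (dept, role, clearance, amount, owner), rule names and the
combining logic are assumptions made for this example, not a vendor's API.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
Condition = Callable[[Attrs, str, Attrs], bool]  # (subject, action, resource)


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "Permit" or "Deny"
    condition: Condition


@dataclass(frozen=True)
class Decision:
    effect: str
    reason: str


class PAP:
    """Policy Administration Point: the single place where rules are managed."""

    def __init__(self) -> None:
        self._rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self._rules.append(rule)

    def rules(self) -> List[Rule]:
        return list(self._rules)


class PDP:
    """Policy Decision Point: deny-overrides combining, default deny.

    A rule whose condition cannot be evaluated (e.g. a missing attribute)
    yields Deny, so the service fails closed rather than open.
    """

    def __init__(self, pap: PAP) -> None:
        self._pap = pap

    def decide(self, subject: Attrs, action: str, resource: Attrs) -> Decision:
        permits: List[str] = []
        for rule in self._pap.rules():  # read live, so PAP updates apply at once
            try:
                applies = rule.condition(subject, action, resource)
            except (KeyError, TypeError) as exc:
                return Decision("Deny", f"indeterminate in {rule.name}: {exc!r}")
            if applies and rule.effect == "Deny":
                return Decision("Deny", rule.name)
            if applies:
                permits.append(rule.name)
        return Decision("Permit", permits[0]) if permits else Decision("Deny", "no applicable rule")


class NotAuthorized(PermissionError):
    pass


class PEP:
    """Policy Enforcement Point: guards the application and logs every decision."""

    def __init__(self, pdp: PDP) -> None:
        self._pdp = pdp
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def enforce(self, subject: Attrs, action: str, resource: Attrs) -> None:
        d = self._pdp.decide(subject, action, resource)
        self.audit_log.append((str(subject["id"]), action, str(resource["id"]), d.effect))
        if d.effect != "Permit":
            raise NotAuthorized(f"{subject['id']} may not {action} {resource['id']}: {d.reason}")


def approve_invoice(pep: PEP, user: Attrs, invoice: Attrs) -> str:
    """Application code: no entitlement logic of its own, just one PEP call."""
    pep.enforce(user, "approve", invoice)
    return f"{invoice['id']} approved by {user['id']}"


def build_policy() -> PAP:
    pap = PAP()
    pap.add_rule(Rule("read-own-dept", "Permit",
                      lambda s, a, r: a == "read" and s["dept"] == r["dept"]))
    pap.add_rule(Rule("manager-approves-within-limit", "Permit",
                      lambda s, a, r: a == "approve" and s["role"] == "manager"
                      and r["amount"] <= s["approval_limit"]))
    pap.add_rule(Rule("restricted-needs-clearance", "Deny",
                      lambda s, a, r: r.get("classification") == "restricted"
                      and s.get("clearance") != "restricted"))
    return pap


# Constructed sample subjects and resources for the walkthrough (not real data).
ALICE = {"id": "alice", "dept": "finance", "role": "manager", "approval_limit": 10_000, "clearance": "restricted"}
BOB = {"id": "bob", "dept": "finance", "role": "analyst", "approval_limit": 0}
GUEST = {"id": "guest", "dept": "finance"}  # no "role" attribute: exercises the fail-closed path
INV_SMALL = {"id": "inv-1", "dept": "finance", "amount": 2_500, "owner": "bob"}
INV_LARGE = {"id": "inv-2", "dept": "finance", "amount": 50_000, "owner": "bob"}
INV_SELF = {"id": "inv-3", "dept": "finance", "amount": 800, "owner": "alice"}
REPORT = {"id": "rep-1", "dept": "finance", "classification": "restricted"}


def run_scenario() -> Dict[str, str]:
    """Returns {case: effect}; a new Deny rule is added at the PAP mid-way."""
    pap = build_policy()
    pdp, pep, out = PDP(pap), PEP(PDP(pap)), {}
    out["bob reads report"] = pdp.decide(BOB, "read", REPORT).effect
    out["alice reads report"] = pdp.decide(ALICE, "read", REPORT).effect
    out["alice approves small"] = pdp.decide(ALICE, "approve", INV_SMALL).effect
    out["alice approves large"] = pdp.decide(ALICE, "approve", INV_LARGE).effect
    out["bob approves small"] = pdp.decide(BOB, "approve", INV_SMALL).effect
    out["guest approves small"] = pdp.decide(GUEST, "approve", INV_SMALL).effect
    out["alice approves own (before)"] = pdp.decide(ALICE, "approve", INV_SELF).effect
    out["pep approval"] = approve_invoice(pep, ALICE, INV_SMALL)
    # Policy change made once, centrally; approve_invoice is not modified.
    pap.add_rule(Rule("no-self-approval", "Deny",
                      lambda s, a, r: a == "approve" and r["owner"] == s["id"]))
    out["alice approves own (after)"] = pdp.decide(ALICE, "approve", INV_SELF).effect
    try:
        approve_invoice(pep, ALICE, INV_SELF)
        out["pep blocked self-approval"] = "no"
    except NotAuthorized:
        out["pep blocked self-approval"] = "yes"
    out["audit entries"] = str(len(pep.audit_log))
    return out


if __name__ == "__main__":
    for case, effect in run_scenario().items():
        print(f"{case:30} {effect}")
```

Two design choices are worth noting. The PDP re-reads the PAP on every request, which is what makes the "update once, every application benefits" property hold; a PEP that caches decisions would keep honouring a rule after it was withdrawn. And an unevaluable rule produces Deny rather than being skipped, so a request from a subject with incomplete attributes is refused instead of slipping past the rule that was meant to catch it.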
Rajiv Gupta, founder and CEO of Securent, says that entitlement management is a strategic layer in the enterprise, and that it will take years for most companies to deploy one across their entire company. Many have deployed it across key applications and lines of business in only a few months’ time, though. He doesn’t expect that many organizations are willing to rewrite custom applications to remove the entitlement layer today. However, as more companies adopt the notion of a service-oriented architecture (SOA), entitlement management will certainly be a critical service to centralize.
Securent’s offering in this market is called Entitlement Management Solution (EMS). Securent has been working with a number of Fortune 500 companies to provide granular access control for applications and other resources. EMS has been deployed at a major financial management company, where it secures 100,000 entitlements for tens of thousands of users.
Read my colleague Ellen Messmer’s discussion about Securent in this article from November 2006.
Other companies with entitlement management solutions include:
This is an up-and-coming market and it will grow increasingly important in the years ahead. You might as well start your research now.