Network World
Entitlement management, the next security wave

An important new development in the security arena
IT Best Practices Alert by Linda Musthaler, Network World, 03/12/2007

There’s a new way of looking at security for your enterprise applications. It’s called entitlement management. Burton Group analyst Gerry Gebel calls it an important new development in the security arena – one that you’ll want to bring into your organization soon.

Entitlement management goes a step beyond authentication. Gebel calls it “finer grained access control.” With authentication, you are generally concerned with who is allowed into a network or application. With entitlement management, the interest shifts to who is allowed to do what once they are in the network or application.

Here’s a simple analogy. Authentication determines who can gain access to your house. Once they are in, they have access to everything within the home. Entitlement management would scrutinize each visitor to determine which rooms each one can enter, and what each person can do in those rooms once in them.

Traditionally, entitlements have been built into each application your enterprise has. The new strategy is to remove access management from the applications and run it as a shared service in front of the applications. Entitlement management can be used to strengthen the security of Web services, Web applications, legacy applications, documents and files, and physical security systems.

This approach has several benefits. First and foremost, it gives you the ability to implement a data-driven policy that is consistent across all applications. This is becoming more important in the face of regulatory pressures from Sarbanes-Oxley, HIPAA, PCI and the like. With an entitlement management service, you can simplify your audit and compliance burden.

In addition, the approach gives you tighter, more granular security that is more specific to your set of users. With centralized access policies, the moment a policy is entered or updated, all applications automatically receive the benefit of the new/updated rule. And, your applications can become less complex and easier to maintain if you remove the entitlement layer from within them. When you want to implement policy changes, you don’t need to modify your application code; rather, you configure the new policy at the external service level.

There are several vendors with products on the market today. Many have chosen a three-module architecture consisting of the Policy Administration Point (PAP), which provides centralized policy administration; the Policy Decision Point (PDP), which evaluates resource-specific authorization policies; and the Policy Enforcement Point (PEP), which enforces the entitlement policies.
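The PAP/PDP/PEP split described above, as an added example that is not from the article or any vendor's product: the PAP is the single place policy is entered, the PDP evaluates each request with a default of deny, and a PEP decorator sits in front of an application function so that a later rule change needs no change to the application code. Resource names, subject attributes and rules are constructed for illustration.

```python
# Added example (not from the article or any vendor product): the PAP/PDP/PEP split.
# PolicyAdministrationPoint stores rules, PolicyDecisionPoint evaluates them
# (default deny), and enforce() is the PEP placed in front of application code.
# All users, attributes and resources below are constructed for illustration.
from collections import namedtuple

# One entitlement: subjects whose attributes all match `require` may do `actions` on `resource`.
Rule = namedtuple("Rule", "resource actions require")

class PolicyAdministrationPoint:
    """PAP: the single place where policy is entered or updated."""
    def __init__(self):
        self.rules = []

    def add_rule(self, resource, actions, **require):
        self.rules.append(Rule(resource, frozenset(actions), dict(require)))

class PolicyDecisionPoint:
    """PDP: may this subject perform this action on this resource? No matching rule means deny."""
    def __init__(self, pap):
        self.pap = pap

    def decide(self, subject, action, resource):
        return any(
            rule.resource == resource and action in rule.actions
            and all(subject.get(k) == v for k, v in rule.require.items())
            for rule in self.pap.rules)

def enforce(pdp, action, resource):
    """PEP decorator: the wrapped application function holds no entitlement logic."""
    def wrap(fn):
        def guarded(subject, *args, **kwargs):
            if not pdp.decide(subject, action, resource):
                raise PermissionError(f"{subject.get('user')} may not {action} {resource}")
            return fn(subject, *args, **kwargs)
        return guarded
    return wrap

# Policy is configured at the shared service, not coded into the application.
pap = PolicyAdministrationPoint()
pap.add_rule("payroll-report", ["read"], dept="finance")
pap.add_rule("payroll-report", ["read", "approve"], dept="finance", role="manager")
pdp = PolicyDecisionPoint(pap)

@enforce(pdp, "approve", "payroll-report")
def approve_payroll(subject, period):
    return f"{period} payroll approved by {subject['user']}"
```

Adding a rule through `pap.add_rule` after deployment changes the PDP's answers immediately; `approve_payroll` itself is never edited.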

Linda Musthaler is a principal analyst with Essential Solutions Corporation.

Comments (7)

Entitlement management, the next security wave
By Anonymous on March 12, 2007, 10:50 am
I must be missing something, I thought the data was what needed protecting not the actual access to the applications. Re: Entitlement management, the next security...

How does policy enforcement actually work with these systems?
By Mike Hale on March 26, 2007, 11:41 am
I have read some of the vendors' literature, and it all seems to be glossed over. Must the application be rewritten to always go through policy enforcement point...

Re: Entitlement management, the next security wave.
By Rajiv Gupta on March 27, 2007, 1:48 am
Good question. Data often is one of the resources access to which needs to be protected and audited. But that is rarely sufficient. Consider the following examples: a)...

Re: How does policy enforcement actually work with these systems
By Rajiv Gupta on March 27, 2007, 2:12 am
Hello Mike, In general the answer is no, applications do not have to be rewritten. The general case is where the policy enforcement point sits in the infrastructure...

Answers, straight from the expert
By Linda Musthaler on March 28, 2007, 9:04 am
Readers, for those of you who have asked questions and had them answered by Rajiv Gupta, you are getting them straight from the expert. Rajiv is the founder and...

Model driven security: Authorization man. needs to be manageable!
By objectsecurity on April 20, 2008, 9:53 am
This article outlines well why externalized authorization policies are the way forward. What it does not really clarify is that authorization management does not...
