Entitlement management: Access control on steroids
Entitlement management tools bring fine-grained access control to another level
By Denise Dubie, Network World, 12/03/2007
Faced with looming regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act,
Craig Shumard, chief information security officer for healthcare provider Cigna, knew he needed better tools for role-based access control.
"In the past many employees would just dole out access rights based on a peer's profile, but it is not efficient nor is it
prudent from a security and regulations standpoint to give employees more access than they need to applications and data," Shumard says. "We only want to dole out the minimum access employees need to do their job effectively and only
for as long as they need to do that job."
When his search began more than five years ago, nobody was offering what he needed. The limitation of his prior role-based
access control tool was that it was "only as good as the day you do it because people are constantly moving, companies are
realigning and functions are changing," he explains. Role-based access control was fundamental to his company's business processes,
but the system he had "was a massive process with a lot of moving pieces that became a struggle to maintain."
Today, Shumard uses software from Aveksa to automate fine-grained authorization that involves 1,800 multi-layered roles and 2,400 sub-roles. The tool makes it possible
for staff to stay on top of doling out, updating and pulling back roles and access rights to employees, he says.
"Fine-grained authorization and entitlement management allows you to externalize security from the applications and helps
drive out complexity and improve policy-based management. It is not a trivial thing," Shumard says.
For example, when a new employee comes on board, Aveksa integrates with Cigna's human resources database to automatically
provision pre-defined roles, but also to de-provision those same users if their jobs change or they leave the company. The
Aveksa workflow tool is used by the security team to pull together role owners, application stewards and managers to keep
roles up to date and systems secure from unauthorized access, he says.
The software runs on a Linux operating system and Oracle database, and is also available as an appliance. Pricing for Aveksa
3 Enterprise Access Governance Suite starts around $140,000 for 1,000 users and 25 applications. Aveksa also features a Web-based
interface that business managers, as well as IT security staff, can use to create and review roles.
"What a customer service representative does today can change by tomorrow so we had to expand how we defined roles and automate
the process of keeping them up to date," Shumard says.
Taking on entitlements
Aveksa is one of a number of vendors in a new product category known as entitlement management. The benefits of entitlement
management include improving security, particularly when it comes to protecting data from internal misuse, reducing risk and
achieving compliance.