Going Beyond Authentication with Entitlement Management

Compliance requirements are slowly pushing forward the market for entitlement management products.

Slowly but surely, a new segment of the identity management market is gaining steam. Generally referred to as entitlement management, its percolating popularity is being driven primarily by the need to meet regulatory compliance mandates, analysts said.

"Theres been a lot of focus around identity management and provisioning and role management because of regulatory compliance," said Roberta Witty, an analyst with Gartner. "Its the regulations that have really brought this to a head in the last couple of years because when the auditor says, Show me everyone who can access this application and show me what they can do, thats a pretty tall order in most companies. In order to answer the question ... you have to get down to the business functions within an application. Thats where the complexity really comes in."

And that is where automated entitlement management tools by a handful of companies-such as CA, BEA Systems and Securent-come into to play. Though Witty could not quantify the size of the market in dollars, she said it remains tiny but growing. Securent CEO Rajiv Gupta sees a market on the cusp of a boom.

"Security is no longer about protecting the perimeter," Gupta said. "This has been made amply clear by many independent studies reports that point to more than 70 percent of security exposures and attacks originating from inside the enterprise. Moreover, enterprise boundaries are becoming even more fuzzy as we open our applications, data, and internal systems to channel partners, outsourced partners, remote employees, contractors, call center operators, [and so on]. And finally, with strict compliance, audit and governance mandates, enterprises are required to control and enforce different levels of access to employees based on their need."

Securent, of Mountain View, Calif., in May released version 3.0 of its Entitlement Management Solution, which allows organizations to manage, enforce and audit access control policies for numerous third-party applications and databases from a central console.

Securing applications and data means two things, Gupta said. First, it means figuring out who is attempting the access; second, it means figuring out through policy if a particular access attempt should be allowed or denied based on the context of the access, he said.

"Over the last 10 years, the industry has done a good job of the first part," Gupta said. "We provide the second part."

Still, this doesnt mean there should be less emphasis on protecting actual data, he said. Its just that protecting the data is about more than simply controlling who can access a database, he said.

"Protecting the data is about figuring out who is trying to access the data, and then about controlling through policy if this particular access should be allowed," Gupta said. "And in many cases, it is about returning only the appropriate subset of the data based on the context of the request, and on security and compliance policies. So for example, many people should have access to customer data or to sales data. But every customer service rep should not have access to all the data or all the customers."


Click here to read more about whats new in authentication technologies for online transactions.

Scott Crawford, an analyst with Enterprise Management Associates, said risk controls will be increasingly integrated directly into the application fabric as application architectures continue to mature. Entitlement management is part of this trend as well and should accelerate along with it, he said.

However, customers and vendors alike may have a long way to go. Herb Melhorn, director of product management at Islandia, N.Y.-based CA, said showing how entitlement management fits into a companys security and compliance strategy is key to winning them over.

"Aspects of entitlement management touch identity management, compliance management and access management," he said. "We hope to speed customer adoption by demonstrating the relevance of entitlement management to a customers overall security and compliance needs and then delivering solutions that integrate entitlement management capabilities into our mainstream IAM [identity and access management] offerings."

Entitlement management providers will also need to convince customers they can streamline identity management by starting with authorization, Witty said.

"The way most authorization is done today is that its built into the application, into the operating system, so its very, very siloed," she said. "Its usually very manual from an administration perspective and rather complex because youve got different operating systems and databases. Were going from a very, very fragmented, very siloed world of management authorization to one where you can aggregate for reporting purposes what everyone has access to," Witty said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.