
Centralized Entitlement Management: Emerging Trends in Access Management

These past few years have seen a sharp rise in the number of applications made available to employees, business partners, suppliers, and customers. Of particular interest to information technology managers is that despite all of the new Web-based applications and architectures, the legacy distributed and mainframe applications haven't gone away.

This creates significant challenges when it comes to managing identities. Ask how identity information is exchanged among the various applications within your organization. Chances are that application managers and developers spend an inordinate amount of their time developing and maintaining identity "connections" that enable these applications to accept authentication and authorization information. This is not only inefficient and costly; it is also ineffective, because each connection encodes its own notion of who may do what.

The typical enterprise has dozens, if not hundreds, of applications to which it needs to manage access. It must rewrite connections every time an application changes and develop new connections for every new application. These never-ending manual processes make it difficult, if not impossible, to implement a sustainable identity management program. They also fail when it comes to substantiating one of the key aspects of regulatory compliance: who has access to what applications and data.

Additionally, for many years one of the biggest hurdles to a full-fledged IAM deployment, one that encompasses the bulk of an organization's applications, was the technical difficulty of connecting all applications, whether built in-house or bought, to any IAM solution. To help in these efforts, many vendors created application programming interfaces (APIs) to simplify access. These APIs, while making access to specific applications easier, ultimately failed to solve the problem of having to write specific code for each individual application. There was also no consistent entitlement management across all of these applications.

There's no doubt that traditional access management, provisioning, and Web-based identity management solutions have helped to bring a sense of manageability to the situation. For instance, Web-based single sign-on makes it easier for users to access multiple applications, and federated identity management does the same across network and organizational domains. But these efforts do little for the bulk of in-house developed applications, off-the-shelf software, and legacy mainframe applications.

Considering that today's enterprises have to deal with more stringent government and industry regulations, an increase in the number of criminally-inclined hackers, and the rising insider threat -- the current condition of identity and entitlement management just is not good enough.

The need to abstract entitlement management from the application layer

Companies not only need to have greater control over who has access to what resources; they also need to be able to prove who has access to what specific resources, who granted access, and why that access is necessary. We’re not just talking about access to applications, but also access to specific fields within applications and databases.

Essentially, we are discussing entitlement management: specifically, who has access to what. It's common for a large enterprise to have millions of entitlements it must create, audit, manage, and eventually terminate, and each of those entitlements depends on proper identity management. Without good entitlement management practices in place, organizations expose themselves to unnecessary risk every day. Consider a situation in which an employee in the finance department who is authorized to make employee payments moves to the HR department, yet is still able to access the employee payment system. That's not only an audit failure; it's a disaster waiting to happen.

This lack of visibility into user entitlements is also a major source of inefficiency. One security research firm found that line-of-business managers may spend 60 hours a year performing entitlement reviews, just to be able to sign off on the compliance documents required by auditors.

What’s needed is a standard way to create entitlement-related authentication, authorization, attributes, controls, and auditing information across all applications and identity resources. Just as virtualization abstracts the operating system from the underlying hardware, this identity interface would abstract identity information from the application layer. It would manage identity entitlements in a way that easily can be leveraged by applications and communication protocols.

Through server plugins, Web service interfaces, and APIs, this layer would give both administrators and developers a way to express entitlement policies to a common authorization service, providing visibility into entitlements across the enterprise. Support for industry standards such as XACML (eXtensible Access Control Markup Language) would also make it possible to exchange authorization requests and decisions in a standard form without hard-coding entitlement information into each application. Each application still needs a thin enforcement point that asks the authorization service for a decision, but that is one integration per application rather than one per policy.

Focusing on business needs, not access management

This would mean that application managers and developers just need to master the identity abstraction layer to build entitlements; they don’t need to learn identity nuances for each application within their environment. Also, once a change is made to the abstraction layer, it then would be applied automatically to all of the applications that policy affects.  This also could be done down to the individual fields in an application or database.

Perhaps most important to the business is that abstracting identity from each of the underlying applications will enable business managers to focus on running the business and be less concerned with the drudgery of compliance reviews. Analysts have estimated that business managers are likely to spend 60 hours a year merely performing entitlement reviews so they can confidently sign off on the compliance documents required by auditors. That's not per company. That's per manager. Even a mid-sized enterprise could have dozens of such managers overseeing credit card payments, company financials, and regulated data such as health care records, so the number of annual worker hours can easily reach into the thousands.

That wasted time would be slashed if entitlement data and privileges could be tracked and reported upon, in real time, across the enterprise. If asked, at any moment, managers could view across the enterprise to see who has access privileges to what resources. This high level of entitlement management also would enable audit information to be provided to various business managers, geared specifically to their job function.

For instance, while a console designed for business managers can be very task oriented, the internal compliance managers' reports would look much different. The idea is to present each business constituent the precise view needed. For example, a security officer won't care so much about managing the actual entitlements; he or she will be more interested in viewing entitlement associations to make certain that the separation of duties called for in corporate policies is being properly enforced. A simple example would be making certain that the managers running the financial applications cannot also cut checks to employees and contractors.
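The two failure modes the article raises, the finance employee who keeps payment access after moving to HR and the financial-application manager who can also cut checks, are both questions a central entitlement store can answer mechanically. The following is an added example, not code from the article or from any vendor's product; the users, entitlements, ownership table and separation-of-duties rules are all constructed for illustration.

```python
"""Entitlement review over a central entitlement store (added example).

Shows three reports an auditor or security officer would want:
  1. who has access to what (the basic compliance question),
  2. separation-of-duties (SoD) conflicts, e.g. create-vendor + approve-payment,
  3. entitlements left behind after a department move (the finance -> HR mover).
All data below is constructed; the names are not from any real system.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed store: user -> (current department, entitlements held).
# An entitlement is written "application:privilege".
USERS: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("finance", {"ap:approve-payment", "ap:create-vendor", "gl:view-ledger"}),
    "bob":   ("hr",      {"payroll:run-payments", "hris:edit-employee"}),
    "carol": ("hr",      {"ap:approve-payment", "hris:view-employee"}),  # moved from finance
    "dave":  ("finance", {"gl:view-ledger"}),
}

# Constructed SoD rules: privilege pairs no single person should hold together.
SOD_RULES: List[Tuple[str, str]] = [
    ("ap:create-vendor", "ap:approve-payment"),        # create a payee and pay it
    ("payroll:run-payments", "hris:edit-employee"),    # edit bank details and pay
]

# Constructed ownership: the department each entitlement belongs to.
ENTITLEMENT_OWNER: Dict[str, str] = {
    "ap:approve-payment": "finance", "ap:create-vendor": "finance", "gl:view-ledger": "finance",
    "payroll:run-payments": "hr", "hris:edit-employee": "hr", "hris:view-employee": "hr",
}


def access_report(users: Dict[str, Tuple[str, Set[str]]]) -> Dict[str, List[str]]:
    """Entitlement -> sorted list of users holding it ("who has access to what")."""
    holders = defaultdict(list)
    for user, (_, ents) in users.items():
        for ent in ents:
            holders[ent].append(user)
    return {ent: sorted(names) for ent, names in sorted(holders.items())}


def sod_violations(users: Dict[str, Tuple[str, Set[str]]],
                   rules: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Users holding both halves of any conflicting privilege pair."""
    found = []
    for user, (_, ents) in users.items():
        for first, second in rules:
            if first in ents and second in ents:
                found.append((user, first, second))
    return sorted(found)


def stale_entitlements(users: Dict[str, Tuple[str, Set[str]]],
                       owner: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entitlements whose owning department differs from the holder's current one.

    This is a deliberately simple mover check; a real program would compare
    against the role model for the user's new position rather than a single
    owning department.
    """
    found = []
    for user, (dept, ents) in users.items():
        for ent in sorted(ents):
            if owner.get(ent) != dept:
                found.append((user, ent))
    return sorted(found)


if __name__ == "__main__":
    for ent, names in access_report(USERS).items():
        print(f"{ent:24s} {', '.join(names)}")
    print("SoD violations:", sod_violations(USERS, SOD_RULES))
    print("Stale after move:", stale_entitlements(USERS, ENTITLEMENT_OWNER))
```

Run as a script it lists every entitlement with its holders, flags alice (vendor creation plus payment approval) and bob (payroll plus employee-record edits) as SoD conflicts, and reports carol's leftover finance entitlement as stale. The point is that all three reports come from one store; nothing here has to be re-derived by reading each application's own access tables.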

When identity is abstracted in this way, away from the individual applications, it becomes possible to manage entitlements with granular precision. This not only ensures more cost-efficient identity management; as systems grow more richly connected, it can also reduce security risk by enforcing best practices consistently. It should smooth regulatory audits through rapid and accurate testing. And it could even provide a more nimble infrastructure, as new suppliers, business partners, and customers could be swiftly on-boarded to the applications they need for new services.

Despite Many IAM Solutions, Gaps Remain

There's no doubt: identity management is complex, and there seems to be a different tool for each task. There are directories used to store credentials. There are provisioning tools used to manage the creation of new user IDs. And then there are Web access managers that let users log on once to access multiple sites. That's not to mention all of the self-service password reset tools, virtual directories, and federated identity management tools that pass credentials from one domain to another.

Despite the number and maturity of these identity and access management solutions, there are still challenges to solve. For instance, identity and access management tools are very user centric: they grant access based on attribute, group, or role information. They do not take into account more specific application entitlements, such as checking whether the user has the right level of security clearance to read the requested document, or to access the specific database fields that contain the requested information.

The second area where many access management tools currently fall short is that they handle authorization requests in a binary fashion: users either have access to the application or they do not. With today's complex set of regulatory and internal policy requirements, enterprises need more finely grained control. For instance, a Web portal can have very different entitlement policies for tabs, pages, buttons, and functions.
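What a common authorization service looks like in code, as described in the section on abstracting entitlement management (the XACML-style request, decision and combining model) and in the two gaps above (clearance checks on a document field, and non-binary decisions for portal tabs and buttons). This is an added example, not code from the article or any vendor product; the policy names, attributes and sample requests are constructed. It mirrors XACML's structure (subject/resource/action attributes in, Permit/Deny/NotApplicable out, deny-overrides combining) in plain Python rather than parsing XACML XML.

```python
"""Minimal central policy decision point (PDP) in the XACML style (added example).

The application keeps only a thin policy enforcement point (PEP) that asks the
PDP; the entitlement rules live centrally. Everything below is constructed.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Constructed clearance ordering used by the field-level rule.
CLEARANCE = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Request:
    """XACML-style request: attributes of the subject, the resource and the action."""
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    effect: str                                   # PERMIT or DENY
    target: Callable[[Request], bool]             # does the rule apply to this request?
    condition: Callable[[Request], bool] = lambda r: True


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins, else any Permit, else NotApplicable."""
    if DENY in decisions:
        return DENY
    if PERMIT in decisions:
        return PERMIT
    return NOT_APPLICABLE


class PDP:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, req: Request) -> str:
        decisions = []
        for rule in self.rules:
            if not rule.target(req):
                continue
            # As in XACML, a matching target with a false condition is NotApplicable.
            if rule.condition(req):
                decisions.append(rule.effect)
        return deny_overrides(decisions)


class PEP:
    """Enforcement point inside the application. Fails closed: only Permit is access."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def is_allowed(self, req: Request) -> bool:
        return self.pdp.decide(req) == PERMIT


def _is(req: Request, rtype: str, rid: str, action: str) -> bool:
    return (req.resource.get("type") == rtype and req.resource.get("id") == rid
            and req.action == action)


# Constructed policy: entitlements on a portal tab, a button and a single field.
POLICY = [
    Rule("payroll-tab-for-hr", PERMIT,
         target=lambda r: _is(r, "tab", "payroll", "view"),
         condition=lambda r: "hr" in r.subject.get("roles", [])),
    Rule("approve-payment-within-limit", PERMIT,
         target=lambda r: _is(r, "button", "approve-payment", "invoke"),
         condition=lambda r: "finance-approver" in r.subject.get("roles", [])
         and r.resource.get("amount", 0) <= r.subject.get("approval_limit", 0)),
    Rule("ssn-field-needs-clearance", PERMIT,
         target=lambda r: _is(r, "field", "employee.ssn", "read"),
         condition=lambda r: CLEARANCE.get(r.subject.get("clearance", "public"), 0)
         >= CLEARANCE["confidential"]),
    Rule("no-self-approval", DENY,                # explicit Deny beats any Permit
         target=lambda r: _is(r, "button", "approve-payment", "invoke"),
         condition=lambda r: r.resource.get("payee") == r.subject.get("id")),
]


def demo() -> Dict[str, str]:
    """Evaluate constructed requests; returns decision name per scenario."""
    pdp = PDP(POLICY)
    hr = {"id": "alice", "roles": ["hr"], "clearance": "internal"}
    approver = {"id": "bob", "roles": ["finance-approver"], "approval_limit": 10000}
    auditor = {"id": "dana", "roles": ["audit"], "clearance": "confidential"}
    button = {"type": "button", "id": "approve-payment"}
    return {
        "hr-views-payroll-tab": pdp.decide(Request(hr, {"type": "tab", "id": "payroll"}, "view")),
        "hr-reads-ssn-field": pdp.decide(Request(hr, {"type": "field", "id": "employee.ssn"}, "read")),
        "approver-pays-vendor": pdp.decide(Request(approver, {**button, "amount": 5000, "payee": "carol"}, "invoke")),
        "approver-pays-self": pdp.decide(Request(approver, {**button, "amount": 5000, "payee": "bob"}, "invoke")),
        "approver-over-limit": pdp.decide(Request(approver, {**button, "amount": 50000, "payee": "carol"}, "invoke")),
        "auditor-reads-ssn-field": pdp.decide(Request(auditor, {"type": "field", "id": "employee.ssn"}, "read")),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:26s} {decision}")
```

Two details matter in practice. First, the enforcement point treats anything other than Permit as no access, so a request no rule covers (the HR user reading the SSN field, or an approver over limit) fails closed rather than falling through to whatever the application did before. Second, the self-approval rule shows why the combining algorithm is part of the policy: the Permit for an in-limit payment and the Deny for paying yourself both match, and deny-overrides decides which wins, centrally, without any application knowing either rule exists.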

The best way to fill these gaps is for the industry to provide a way to abstract entitlement management from each specific application so fine-tuned access privileges can be managed centrally.

Jim Ebzery is senior vice president, Identity and Security Management for Novell.
