
Risk

2/1/2007
01:05 AM
ID Management: A Matter of Entitlement

The need for compliance is driving authorization, integration, and automation in identity management

In the past, identity management mostly has been about who you are. But it's increasingly becoming more about what you can do as well as when and where you can do it. It's something some security analysts and vendors call "entitlement."

Entitlement, and other emerging components of identity management, are on many vendors' minds as they prepare for the annual RSA conference in San Francisco next week. Identity management will be a key theme at the show, both in sessions and on the show floor.

Regulatory pressures (think Sarbanes-Oxley and PCI) are forcing the issue of entitlement, which is basically an evolved authorization model, vendors say. "We're seeing a lot more interest in authorization," says Ellen Libenson, vice president of product management for Symark Software. "It's really about what happens once [users] have access... [Knowing] what they are doing, and to restrict things they can do."

Trouble is, most of these user-defined policies are custom-coded individually into each application, along with each user's authentication credentials for the apps. Each application stores its own user credentials and in some cases privileges: "And each application has a custom way of storing it. There's no consistency," says Rajiv Gupta, CEO and founder of Securent, which sells entitlement management software.

Compliance audits are making this model of authentication and authorization both costly and unwieldy. "If you have to make a change [to meet compliance], remediation is required, you have to take the application down and get the developers involved again," Gupta says.

Entitlement management is about adding a single policy layer across different systems, including instant messaging, VOIP, and email as well as data applications. If a brokerage's policy prohibits an analyst and broker from communicating with one another, today that policy typically must be applied and enforced individually for IM, VOIP, and email, Gupta notes. "I have to go into each channel and re-specify policy, which leads to mistakes and problems with visibility and compliance," he says. "This is becoming an issue with customers."

Vendors are moving on the identity management issue, even before the RSA show begins. Symantec yesterday showed off its upcoming Norton Identity Client, which provides online credentials for consumers akin to a passport or driver's license for doing business on the Internet.

Some of the most established identity management vendors are CA, IBM, Novell, Oracle, Microsoft, and BMC, according to a recent Burton study. Burton expects identity management technology to be integrated into server platforms and applications as the market shifts from products and suites to more of a service-oriented identity services model. In addition to Securent, other players in the identity management entitlement space include Bayshore Networks, BEA, and Jericho Systems, notes Gerry Gebel, service director for identity and privacy strategies at the Burton Group.

Securent's Gupta says estimates for the identity entitlement management market are somewhere around $2 billion for this year. One of its customers, a large financial services firm that requested anonymity, is running Securent's Entitlement Management software in a services-oriented architecture for its applications and various lines of business.

A couple of years ago, the firm realized the missing link was "fine-grained entitlements and authorization," says the IT executive there who heads up the identity management project. "Our developers did their own thing... Each had built their own solution" for authorization, he says, which became challenging during audits.

But the biggest hurdle has been getting the firm's developer teams to shake their "roll your own" mentality for shared services, he says. So far, the firm has deployed Entitlement Management on two of its largest public Web applications, and hopes to roll it out for its own users as well.

The bottom line with identity management is that it must be continuous and dynamic, not just a snapshot of user credentials, notes Deb Pappas, vice president of market strategy for Courion, which sells an automated user access and authorization solution. "It's no longer enough just to have that access control," she says. "You need to proactively flag inconsistencies and move to preventative control [of user privileges]... This is tying the 'what is' to the 'what should be,'" she says.

Identity management must be automated in how it grants users access, and it should take into account moves, adds, and changes along the user's "lifecycle," Pappas says. Some users receive entitlements they shouldn't have, so there's a gap in security and compliance, she says. "It isn't enough to grant and assign privileges," she explains. "What's increasingly critical today is comparing what should be -- how you define what they should have -- with what they are actually doing... Companies are finding a disconnect there."
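The two ideas above, a shared policy decision point that every channel consults instead of hard-coding the rule per application (Gupta's brokerage example) and a reconciliation of held entitlements against what each role should have (Pappas's "what is" versus "what should be"), as an added illustration that is not Securent's or Courion's code. The users, roles, channels and entitlement names are constructed for the example.

```python
"""Externalized entitlement layer: one policy decision point plus a
reconciliation step. Constructed example, not any vendor's product code."""
from dataclasses import dataclass, field

# Constructed sample directory: user -> role. Names are hypothetical.
ROLES = {"alice": "analyst", "bob": "broker", "carol": "broker", "dave": "compliance"}

# Role -> entitlements a user in that role SHOULD hold (the "what should be").
EXPECTED = {
    "analyst": {"research.read", "research.write"},
    "broker": {"orders.place", "research.read"},
    "compliance": {"audit.read", "orders.read"},
}

# Every channel asks the same decision point, so the rule is specified once.
CHANNELS = {"im", "voip", "email"}


@dataclass
class Policy:
    """One communication policy applied uniformly across all channels."""
    # Pairs of roles that may not communicate, in either direction.
    blocked_pairs: set[frozenset[str]] = field(default_factory=set)


def decide(policy: Policy, sender: str, recipient: str, channel: str) -> bool:
    """Policy decision point: True if the message is permitted.

    Unknown channels and unknown users are denied (fail closed)."""
    if channel not in CHANNELS:
        return False
    s_role, r_role = ROLES.get(sender), ROLES.get(recipient)
    if s_role is None or r_role is None:
        return False
    # frozenset makes the pair order-independent: analyst<->broker both ways.
    return frozenset((s_role, r_role)) not in policy.blocked_pairs


def reconcile(actual: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Compare entitlements actually held ("what is") with the role model.

    Returns, per user with a discrepancy, the 'excess' entitlements (held
    but not expected) and the 'missing' ones (expected but not held)."""
    report = {}
    for user, role in ROLES.items():
        held = actual.get(user, set())
        should = EXPECTED[role]
        excess, missing = held - should, should - held
        if excess or missing:
            report[user] = {"excess": excess, "missing": missing}
    return report
```

A real deployment would feed `actual` from each application's provisioning data and route the `excess` findings to the de-provisioning workflow rather than just reporting them.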

Symark's Libenson says the key is to stop reacting with point solutions and provide a more holistic approach.

But it won't be easy. Building an identity management architecture is no plug-and-play project. "It's a big endeavor to roll out an identity management system -- it touches so many departments and people. It's like an ERP application rollout," Symark's Libenson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Securent
  • Courion Corp.
  • Symark Software
  • Burton Group

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
