ID Management: A Matter of Entitlement

The need for compliance is driving authorization, integration, and automation in identity management

In the past, identity management mostly has been about who you are. But it's increasingly becoming more about what you can do as well as when and where you can do it. It's something some security analysts and vendors call "entitlement."

Entitlement, and other emerging components of identity management, are on many vendors' minds as they prepare for the annual RSA conference in San Francisco next week. Identity management will be a key theme at the show, both in sessions and on the show floor.

Regulatory pressures (think Sarbanes-Oxley and PCI) are forcing the issue of entitlement, which is basically an evolved authorization model, vendors say. "We're seeing a lot more interest in authorization," says Ellen Libenson, vice president of product management for Symark Software. "It's really about what happens once [users] have access... [Knowing] what they are doing, and to restrict things they can do."

Trouble is, most of these user-defined policies are custom-coded individually into each application, along with each user's authentication credentials for the apps. Each application stores its own user credentials and in some cases privileges: "And each application has a custom way of storing it. There's no consistency," says Rajiv Gupta, CEO and founder of Securent, which sells entitlement management software.

Compliance audits are making this model of authentication and authorization both costly and unwieldy. "If you have to make a change [to meet compliance], remediation is required, you have to take the application down and get the developers involved again," Gupta says.

It's all about adding a policy layer across different systems, including instant messaging, VOIP, and email as well as data applications. If a brokerage's policy prohibits an analyst and broker from communicating with one another, today that policy typically must be applied and enforced individually for IM, VOIP, and email, Gupta notes. "I have to go into each channel and re-specify policy, which leads to mistakes and problems with visibility and compliance," he says. "This is becoming an issue with customers."
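The "specify once, enforce everywhere" idea from the brokerage example, as an added illustration (this is not Securent's product or policy language; the roles, channels and the analyst/broker rule are constructed): a single policy decision point that every channel's enforcement point calls, with one central decision log for visibility.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    role: str  # constructed roles: "analyst", "broker", "compliance"

# The policy lives here once instead of being re-coded per channel.
# A rule returns True when it denies the communication.
def analyst_broker_wall(sender, recipient, channel):
    return {sender.role, recipient.role} == {"analyst", "broker"}

DENY_RULES = {"analyst-broker-wall": analyst_broker_wall}

# One decision log across channels gives compliance a single place to look.
DECISION_LOG = []

def decide(sender, recipient, channel):
    """Policy decision point: every channel asks here. Returns (allowed, reason)."""
    for name, denies in DENY_RULES.items():
        if denies(sender, recipient, channel):
            DECISION_LOG.append((channel, sender.name, recipient.name, "deny", name))
            return False, name
    DECISION_LOG.append((channel, sender.name, recipient.name, "permit", ""))
    return True, "permit"

# Policy enforcement points: thin per-channel wrappers that delegate the decision
# rather than re-specifying the rule for IM, VOIP and email separately.
def send_im(sender, recipient, text):
    return decide(sender, recipient, "im")[0]

def place_call(sender, recipient):
    return decide(sender, recipient, "voip")[0]

def send_email(sender, recipient, subject):
    return decide(sender, recipient, "email")[0]

if __name__ == "__main__":
    ann, bob, cara = Subject("ann", "analyst"), Subject("bob", "broker"), Subject("cara", "compliance")
    print(send_im(ann, bob, "hi"))           # blocked by the wall
    print(place_call(bob, ann))              # blocked on VOIP too, same rule
    print(send_email(cara, bob, "review"))   # compliance may contact the broker
    for entry in DECISION_LOG:
        print(entry)
```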

Vendors are moving on the identity management issue, even before the RSA show begins. Symantec yesterday showed off its upcoming Norton Identity Client, a set of online credentials for consumers akin to a passport or driver's license for doing business on the Internet.

Some of the most established identity management vendors are CA, IBM, Novell, Oracle, Microsoft, and BMC, according to a recent Burton study. Burton expects identity management technology to be integrated into server platforms and applications as the market shifts from products and suites to more of a service-oriented identity services model. In addition to Securent, other players in the identity management entitlement space include Bayshore Networks, BEA, and Jericho Systems, notes Gerry Gebel, service director for identity and privacy strategies at the Burton Group.

Securent's Gupta says estimates for the identity entitlement management market are somewhere around $2 billion for this year. One of its customers, a large financial services firm that requested anonymity, is running Securent's Entitlement Management software in a services-oriented architecture for its applications and various lines of business.

A couple of years ago, the firm realized the missing link was "fine-grained entitlements and authorization," says the IT executive there who heads up the identity management project. "Our developers did their own thing... Each had built their own solution" for authorization, he says, which became challenging during audits.

But the biggest hurdle has been getting the firm's developer teams to shake their "roll your own" mentality for shared services, he says. So far, the firm has deployed Entitlement Management on two of its largest public Web applications, and hopes to roll it out for its own users as well.

The bottom line with identity management is that it must be continuous and dynamic, not just a snapshot of user credentials, notes Deb Pappas, vice president of market strategy for Courion, which sells an automated user access and authorization solution. "It's no longer enough just to have that access control," she says. "You need to proactively flag inconsistencies and move to preventative control [of user privileges]... This is tying the 'what is' to the 'what should be,' " she says.

Identity management must be automated in how it grants users access, and it should take into account moves, adds, and changes along the user's "lifecycle," Pappas says. Some users receive entitlements they shouldn't have, so there's a gap in security and compliance, she says. "It isn't enough to grant and assign privileges," she explains. "What's increasingly critical today is comparing what should be -- how you define what they should have -- with what they are actually doing... Companies are finding a disconnect there."
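Tying "what should be" to "what is" in the way Pappas describes, as an added example (not Courion's code; the roles, users and application entitlements are constructed sample data): a reconciliation pass that flags excess and missing entitlements, treats terminated users as entitled to nothing, and surfaces orphan accounts that exist in applications but not in the identity source.

```python
# "What should be": entitlements each role ought to carry (constructed sample data).
ROLE_ENTITLEMENTS = {
    "trader":  {"trading-app:execute", "market-data:read"},
    "analyst": {"market-data:read", "research-db:write"},
    "hr":      {"hris:read", "hris:write"},
}

# Authoritative identity source: role and lifecycle status per user (constructed).
USERS = {
    "alice": {"role": "trader",  "status": "active"},
    "bob":   {"role": "analyst", "status": "active"},
    "carol": {"role": "hr",      "status": "active"},
    "dave":  {"role": "trader",  "status": "terminated"},
}

# "What is": entitlements actually found in the applications (constructed).
ACTUAL_ENTITLEMENTS = {
    "alice":      {"trading-app:execute", "market-data:read", "hris:read"},
    "bob":        {"market-data:read"},
    "carol":      {"hris:read", "hris:write"},
    "dave":       {"trading-app:execute"},
    "svc_legacy": {"trading-app:execute"},
}

def reconcile(users, role_entitlements, actual):
    """Compare expected against actual; return (user, finding, entitlement) tuples."""
    findings = []
    for user, info in sorted(users.items()):
        # A terminated user should hold nothing, whatever their former role.
        if info["status"] == "active":
            expected = role_entitlements.get(info["role"], set())
        else:
            expected = set()
        have = actual.get(user, set())
        findings += [(user, "excess", e) for e in sorted(have - expected)]
        findings += [(user, "missing", e) for e in sorted(expected - have)]
    # Accounts present in applications but unknown to the identity source are orphans.
    for user in sorted(set(actual) - set(users)):
        findings += [(user, "orphan", e) for e in sorted(actual[user])]
    return findings

if __name__ == "__main__":
    for finding in reconcile(USERS, ROLE_ENTITLEMENTS, ACTUAL_ENTITLEMENTS):
        print(*finding)
```

Run on a schedule against exports from each application, the findings list is the "proactive flag" Pappas refers to; an empty list means the two views agree.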

Symark's Libenson says the key is to stop reacting with point solutions and provide a more holistic approach.

But it won't be easy. Building an identity management architecture is no plug-and-play project. "It's a big endeavor to roll out an identity management system -- it touches so many departments and people. It's like an ERP application rollout," Symark's Libenson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Securent
  • Courion Corp.
  • Symark Software
  • Burton Group
