ID Management: A Matter of Entitlement

The need for compliance is driving authorization, integration, and automation in identity management

In the past, identity management has mostly been about who you are. But it is increasingly becoming about what you can do, as well as when and where you can do it. It's something some security analysts and vendors call "entitlement."

Entitlement, and other emerging components of identity management, are on many vendors' minds as they prepare for the annual RSA conference in San Francisco next week. Identity management will be a key theme at the show, both in sessions and on the show floor.

Regulatory pressures (think Sarbanes-Oxley and PCI) are forcing the issue of entitlement, which is basically an evolved authorization model, vendors say. "We're seeing a lot more interest in authorization," says Ellen Libenson, vice president of product management for Symark Software. "It's really about what happens once [users] have access... [Knowing] what they are doing, and to restrict things they can do."

Trouble is, most of these user-defined policies are custom-coded individually into each application, along with each user's authentication credentials for the apps. Each application stores its own user credentials and in some cases privileges: "And each application has a custom way of storing it. There's no consistency," says Rajiv Gupta, CEO and founder of Securent, which sells entitlement management software.

Compliance audits are making this model of authentication and authorization both costly and unwieldy. "If you have to make a change [to meet compliance], remediation is required, you have to take the application down and get the developers involved again," Gupta says.

It's all about adding a policy layer across different systems, including instant messaging, VOIP, and email as well as data applications. If a brokerage's policy prohibits an analyst and broker from communicating with one another, today that policy typically must be applied and enforced individually for IM, VOIP, and email, Gupta notes. "I have to go into each channel and re-specify policy, which leads to mistakes and problems with visibility and compliance," he says. "This is becoming an issue with customers."

Vendors are moving on the identity management issue, even before the RSA show begins. Symantec yesterday showed off its upcoming Norton Identity Client, which provides online credentials for consumers, akin to a passport or driver's license for doing business on the Internet.

Some of the most established identity management vendors are CA, IBM, Novell, Oracle, Microsoft, and BMC, according to a recent Burton study. Burton expects identity management technology to be integrated into server platforms and applications as the market shifts from products and suites to more of a service-oriented identity services model. In addition to Securent, other players in the identity management entitlement space include Bayshore Networks, BEA, and Jericho Systems, notes Gerry Gebel, service director for identity and privacy strategies at the Burton Group.

Securent's Gupta says estimates for the identity entitlement management market are somewhere around $2 billion for this year. One of its customers, a large financial services firm that requested anonymity, is running Securent's Entitlement Management software in a services-oriented architecture for its applications and various lines of business.

A couple of years ago, the firm realized the missing link was "fine-grained entitlements and authorization," says the IT executive there who heads up the identity management project. "Our developers did their own thing... Each had built their own solution" for authorization, he says, which became challenging during audits.

But the biggest hurdle has been getting the firm's developer teams to shake their "roll your own" mentality for shared services, he says. So far, the firm has deployed Entitlement Management on two of its largest public Web applications, and hopes to roll it out for its own users as well.

The bottom line with identity management is that it must be continuous and dynamic, not just a snapshot of user credentials, notes Deb Pappas, vice president of market strategy for Courion, which sells an automated user access and authorization solution. "It's no longer enough just to have that access control," she says. "You need to proactively flag inconsistencies and move to preventative control [of user privileges]... This is tying the 'what is' to the 'what should be,'" she says.

Identity management must be automated in how it grants users access, and it should take into account moves, adds, and changes along the user's "lifecycle," Pappas says. Some users receive entitlements they shouldn't have, so there's a gap in security and compliance, she says. "It isn't enough to grant and assign privileges," she explains. "What's increasingly critical today is comparing what should be -- how you define what they should have -- with what they are actually doing... Companies are finding a disconnect there."
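The two ideas above, a single policy layer that enforces one rule across IM, VOIP and email rather than re-specifying it per channel, and a reconciliation pass that compares the entitlements users actually hold with what policy says they should have, can be sketched in a few dozen lines. This is an added illustration, not code from Securent, Courion or any product named in the article; the roles, users and entitlement names are constructed for the example.

```python
"""Added example: one policy decision point serving every channel, plus an
entitlement reconciliation pass ("what is" versus "what should be").
All roles, users and entitlements here are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Channels the article says are typically policed one by one.
CHANNELS = ("im", "voip", "email")


@dataclass
class Policy:
    # Role pairs that may not communicate in any channel (the brokerage example).
    barriers: set[frozenset[str]] = field(default_factory=set)
    # Entitlements each role is supposed to hold: the "what should be".
    role_entitlements: dict[str, set[str]] = field(default_factory=dict)

    def may_communicate(self, sender_role: str, receiver_role: str, channel: str) -> bool:
        """Single decision used by every channel; the rule lives in one place."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        return frozenset((sender_role, receiver_role)) not in self.barriers

    def reconcile(self, user_roles: dict[str, set[str]],
                  actual: dict[str, set[str]]) -> dict[str, set[str]]:
        """Return {user: extra entitlements} for anyone holding more than policy grants."""
        gaps: dict[str, set[str]] = {}
        for user, roles in user_roles.items():
            expected = set().union(*(self.role_entitlements.get(r, set()) for r in roles))
            extra = actual.get(user, set()) - expected
            if extra:
                gaps[user] = extra
        return gaps


def channel_decisions(policy: Policy, sender_role: str, receiver_role: str) -> dict[str, bool]:
    """Evaluate the same barrier rule once per channel instead of hand-coding it three times."""
    return {ch: policy.may_communicate(sender_role, receiver_role, ch) for ch in CHANNELS}


# Constructed sample policy and access data (hypothetical firm).
POLICY = Policy(
    barriers={frozenset({"analyst", "broker"})},
    role_entitlements={"analyst": {"research.read", "research.publish"},
                       "broker": {"orders.place", "research.read"}},
)
USER_ROLES = {"alice": {"analyst"}, "bob": {"broker"}, "carol": {"broker"}}
ACTUAL = {"alice": {"research.read", "research.publish"},
          "bob": {"orders.place", "research.read", "research.publish"},  # bob drifted
          "carol": {"orders.place", "research.read"}}
```

Running `POLICY.reconcile(USER_ROLES, ACTUAL)` flags only bob, whose extra `research.publish` entitlement is the kind of inconsistency Pappas describes; the same audit can be re-run on every move, add or change in the user lifecycle.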

Symark's Libenson says the key is to stop reacting with point solutions and provide a more holistic approach.

But it won't be easy. Building an identity management architecture is no plug-and-play project. "It's a big endeavor to roll out an identity management system -- it touches so many departments and people. It's like an ERP application rollout," Symark's Libenson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Securent
  • Courion Corp.
  • Symark Software
  • Burton Group
