
Enterprise Entitlements Management: Moving beyond authentication

While authentication is focused on who is allowed to have access to an application, or the network, for example, entitlements management is finer-grained access control and intended to move beyond authentication.
Written by Gery Menegaz, Contributor

The separation of environments and the management of identities (i.e., service accounts, user accounts, administrative, etc.) are being taken up under the auspices of entitlements management in more and more technology shops.

Authentication, authorization and auditing are crucial components of any security scheme, with each serving a separate and distinct purpose. Entitlement management adds to these to provide a more granular approach to security.

Authentication is the process of verifying the identity of a particular user. Authorization refers to the granting or denying of access to specific resources based on the user’s identity and, typically, relies on access lists to provide the user with specific rights. Auditing is the result of authentication and authorization, recording the results in an audit log.

While authentication and authorization are proactive measures, auditing is purely a reactive measure. In addition to the audit logs, auditing also relies on an organization’s Change and Incident Management systems for the communication, tracking, and management of planned and unplanned outages.

While authentication is focused on who is allowed to have access to an application, or the network, for example, entitlements management is for finer-grained access control and intended to move beyond authentication. Entitlements management is concerned with who is allowed to do what once they are in the network, host, or application.

Entitlements management was implemented at one of my client sites recently, through the use of applications and tools within the UNIX infrastructure, in an effort to provide a logical separation of production and non-production assets. The idea was to remove access management from an application so that entitlements may be run as a shared service in front of their assets through policy management, thus achieving finer-grained data access control.

This approach benefited the firm across several areas. First, it allowed the firm to comply with the auditability requirements within a relatively short window.

Second, the firm found that the approach served to strengthen their existing security paradigm through the implementation of data-driven policies across applications and systems.

Third, and lastly, this approach provided a more consistent and more granular security approach across users and groups.

There are several vendors, including IBM (Tivoli Security Policy Manager), Oracle, Computer Associates, Sun, Microsoft, Novell and RSA among others, who offer an ‘out of the box’ alternative to the bottom-up approach that Morgan Stanley is employing today.

Most of the entitlements management products take a three-module approach to the entitlements management challenge. The architecture consists of a Policy Administration Point (PAP) module for centralized management, a Policy Decision Point (PDP) module to evaluate the resource-specific authorization policies, and a Policy Enforcement Point (PEP) module as a mechanism for the enforcement of policies.
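To make the three-module split concrete, here is a small added example (not taken from any vendor product or from the client implementation described above) in which the PAP holds policies as data, the PDP evaluates them with deny-overrides and deny-by-default semantics, and the PEP sits in front of the asset and writes the audit record. The rule set, identity types and resource names are constructed for illustration; they mirror the production/non-production separation discussed earlier.

```python
from dataclasses import dataclass
# --- Policy Administration Point (PAP): policies are centrally managed data rather
# than logic buried in each application. "*" in a field matches any value.
# (Constructed sample model; vendor products use their own policy languages.)
@dataclass(frozen=True)
class Rule:
    environment: str     # "production" or "non-production"
    identity_type: str   # "user", "service" or "administrative"
    action: str          # "read", "write", "deploy", ...
    resource_class: str  # "app-data", "host-config", ...
    effect: str          # "permit" or "deny"
    def matches(self, environment, identity_type, action, resource_class):
        wanted = (self.environment, self.identity_type, self.action, self.resource_class)
        actual = (environment, identity_type, action, resource_class)
        return all(w in ("*", a) for w, a in zip(wanted, actual))
class PolicyAdministrationPoint:
    def __init__(self, rules=()):
        self.rules = list(rules)
# --- Policy Decision Point (PDP): evaluates a request against the policy set.
# Deny overrides permit; a request matching no rule is denied by default.
class PolicyDecisionPoint:
    def __init__(self, pap):
        self.pap = pap
    def decide(self, environment, identity_type, action, resource_class):
        hits = [r for r in self.pap.rules
                if r.matches(environment, identity_type, action, resource_class)]
        if any(r.effect == "deny" for r in hits):
            return "deny"
        return "permit" if any(r.effect == "permit" for r in hits) else "deny"
# --- Policy Enforcement Point (PEP): the shared service in front of the asset.
# The caller is already authenticated; the PEP asks only "may this identity do
# this action, in this environment?" and records the outcome for auditing.
class PolicyEnforcementPoint:
    def __init__(self, pdp):
        self.pdp, self.audit_log = pdp, []
    def enforce(self, principal, identity_type, action, resource):
        decision = self.pdp.decide(resource["environment"], identity_type,
                                   action, resource["class"])
        self.audit_log.append(f"{principal}({identity_type}) {action} {resource['name']} -> {decision}")
        return decision == "permit"

def build_pep():  # constructed policy set separating production from non-production
    pap = PolicyAdministrationPoint([
        Rule("non-production", "user", "*", "app-data", "permit"),
        Rule("production", "user", "read", "app-data", "permit"),
        Rule("production", "service", "*", "app-data", "permit"),
        Rule("production", "administrative", "deploy", "host-config", "permit"),
        Rule("*", "service", "*", "host-config", "deny"),
    ])
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap))
```

Because the application only ever calls the PEP, the same policy set governs every asset it fronts, and the audit log is produced in one place rather than per application.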

In addition to the core modules, many of the products available today provide a facility for translating business requirements to policies via a modeling or design tool (see illustration above).

Many also leverage Microsoft’s Active Directory to consolidate entitlements management across mixed platforms (i.e., UNIX, Linux, Wintel); additionally, they leverage a graphical user interface to simplify management and for compliance reporting.

Some vendor tools have the added advantage of leveraging management information from other products in the environment to provide runtime and environment data. This will assist in getting buy-in as asset owners will be saved from having to manually populate the tools.
