When it comes to restricting access to applications and services on the network, financial organizations are learning that black-and-white authorization is not sufficient. Companies typically lock down applications using simple yes-or-no access rights: a user or group is either granted or denied access to the resource. That may work for those who are denied access and have no business using the resource at all, but what about those who are granted access? Not everyone who is granted access should have the same level of access once inside.
Entitlement management delivers the ability to decide who gets access to a given application, what functions they can access within the application, and what they can do with the application once they are inside.
One custom application at a time
Managing entitlement is not new. Organizations have had entitlement functionality within certain applications for quite some time. The problem is that entitlement management has been available only in custom applications developed in-house, or by writing custom code to bolt entitlement management onto off-the-shelf products. Either way, entitlement management has been costly, tedious and time consuming.
In addition, this approach makes consistency virtually impossible. It is difficult to ensure that every application has entitlement management functionality to begin with, and equally difficult to configure that functionality consistently from one application to the next in those that do have it. Features and functions that exist in one application may not exist in another, creating gaps in the organization's ability to manage entitlement effectively.
EMS to the rescue
The ability to manage entitlement consistently throughout the environment is a goal of many companies. Within the financial sector, industry and regulatory mandates such as the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the PCI Data Security Standard (PCI DSS) make it almost imperative. Financial companies need to enforce entitlement policies across all applications, but custom applications and custom code for commercial applications don't provide an efficient method for managing, verifying or auditing entitlement for the environment as a whole.
That is where EMS comes to the rescue. I'm not talking about the Emergency Medical Services ambulance type of EMS. For our purposes, EMS stands for entitlement management system, a new breed of appliances and tools designed to help organizations solve their entitlement management problems.
An EMS takes the configuration, maintenance and enforcement of entitlement out of the individual application and moves it into a shared service on the network. An EMS typically consists of three major components, named along the lines of the XACML policy architecture, that provide a layered approach to entitlement management:
- The policy administration point (PAP) provides centralized management of entitlement policies; it is the one place policies are written and changed.
- The policy decision point (PDP) evaluates each resource request (who is asking, for which application, which function, and what action) against the policies and returns a permit or deny decision.
- The policy enforcement point (PEP) sits in front of the application or function, asks the PDP for a decision, enforces it, and records the outcome for audit.
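To make the three layers concrete, here is a toy entitlement management system in Python. It is an added illustration written for this article, not code from the article's author or from any of the vendors named here. The application name ("trading"), the functions, the subject attributes (roles, trade limits) and the policies are all constructed for the example; a real EMS would load policies from the PAP's store and the PEP would be an agent or proxy in front of the application. The design points it demonstrates are the ones the article asks for: policies live only in the PAP, the PDP is the only component that reasons about them (deny-overrides, default deny), and the PEP is a thin wrapper that fails closed and audits every decision.

```python
"""Toy EMS: policy administration point (PAP), policy decision point (PDP)
and policy enforcement point (PEP) as three separable components.
Example code only; application, policies and subjects are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Subject = Dict[str, object]  # e.g. {"user": "alice", "roles": {"trader"}, "trade_limit": 500_000}
Context = Dict[str, object]  # request attributes, e.g. {"amount": 250_000}


@dataclass(frozen=True)
class Policy:
    app: str        # which application
    function: str   # which function inside it ("*" = any)
    action: str     # what the user may do with it ("*" = any)
    effect: str     # "permit" or "deny"
    condition: Callable[[Subject, Context], bool] = lambda s, c: True
    description: str = ""


class PolicyAdministrationPoint:
    """Central policy store: the only place policies are written or changed."""
    def __init__(self) -> None:
        self._policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        assert policy.effect in ("permit", "deny")
        self._policies.append(policy)

    def applicable(self, app: str, function: str, action: str) -> List[Policy]:
        return [p for p in self._policies if p.app == app
                and p.function in ("*", function) and p.action in ("*", action)]


class PolicyDecisionPoint:
    """Evaluates a request: deny-overrides combining, default deny."""
    def __init__(self, pap: PolicyAdministrationPoint) -> None:
        self.pap = pap

    def decide(self, subject: Subject, app: str, function: str, action: str,
               context: Optional[Context] = None) -> str:
        context = context or {}
        permitted = False
        for p in self.pap.applicable(app, function, action):
            if p.condition(subject, context):
                if p.effect == "deny":
                    return "deny"  # any matching deny wins
                permitted = True
        return "permit" if permitted else "deny"  # nothing matched: default deny


@dataclass
class PolicyEnforcementPoint:
    """Wraps an application function: asks the PDP, enforces, keeps an audit log."""
    pdp: PolicyDecisionPoint
    app: str
    audit: List[str] = field(default_factory=list)

    def guard(self, function: str, action: str):
        def wrap(fn):
            def guarded(subject: Subject, context: Optional[Context] = None):
                try:
                    decision = self.pdp.decide(subject, self.app, function, action, context)
                except Exception:
                    decision = "deny"  # fail closed if the PDP or a policy condition errors
                self.audit.append(f"{subject.get('user')} {self.app}/{function}:{action} -> {decision}")
                if decision != "permit":
                    raise PermissionError(f"{subject.get('user')} denied {self.app}/{function}:{action}")
                return fn(subject, context or {})
            return guarded
        return wrap


def build_demo():
    """Constructed policies for a hypothetical 'trading' application."""
    pap = PolicyAdministrationPoint()
    pap.add(Policy("trading", "*", "view", "permit",
                   lambda s, c: bool({"trader", "risk"} & s["roles"]),
                   "traders and risk staff may view any trading screen"))
    pap.add(Policy("trading", "submit_order", "execute", "permit",
                   lambda s, c: "trader" in s["roles"] and c["amount"] <= s["trade_limit"],
                   "traders may execute orders up to their personal limit"))
    pap.add(Policy("trading", "approve_order", "execute", "permit",
                   lambda s, c: "supervisor" in s["roles"], "supervisors approve orders"))
    pap.add(Policy("trading", "approve_order", "execute", "deny",
                   lambda s, c: c.get("submitted_by") == s["user"],
                   "separation of duties: nobody approves their own order"))
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(pap), "trading")

    @pep.guard("submit_order", "execute")
    def submit_order(subject, context):  # the application code knows nothing about policy
        return f"order for {context['amount']} submitted by {subject['user']}"

    @pep.guard("approve_order", "execute")
    def approve_order(subject, context):
        return f"order from {context['submitted_by']} approved by {subject['user']}"

    return pep, submit_order, approve_order


ALICE = {"user": "alice", "roles": {"trader"}, "trade_limit": 500_000}      # constructed
BOB = {"user": "bob", "roles": {"trader", "supervisor"}, "trade_limit": 2_000_000}
CAROL = {"user": "carol", "roles": {"hr"}, "trade_limit": 0}


def run_demo():
    """Exercise the PEP with constructed requests; returns (results, audit log)."""
    pep, submit_order, approve_order = build_demo()
    results = {}

    def attempt(name, fn, subject, context):
        try:
            results[name] = fn(subject, context)
        except PermissionError:
            results[name] = "DENIED"

    attempt("alice_small", submit_order, ALICE, {"amount": 100_000})       # within limit
    attempt("alice_big", submit_order, ALICE, {"amount": 900_000})         # over limit
    attempt("carol", submit_order, CAROL, {"amount": 10})                  # wrong role
    attempt("alice_no_amount", submit_order, ALICE, {})                    # malformed: fails closed
    attempt("bob_approves_alice", approve_order, BOB, {"submitted_by": "alice"})
    attempt("bob_approves_self", approve_order, BOB, {"submitted_by": "bob"})  # SoD deny wins
    return results, pep.audit


if __name__ == "__main__":
    res, log = run_demo()
    for line in log:
        print(line)
```

Two things worth noting about the design. Adding the separation-of-duties rule in `build_demo` changes Bob's result without touching `approve_order` itself, which is the "change the policy once in the EMS and it applies everywhere" property the article describes. And the PEP treats any error from the PDP or from a policy condition (the `alice_no_amount` request, where the condition hits a missing attribute) as a deny; an enforcement point that fails open when the decision service is unreachable or a policy is malformed turns the EMS into a bypass rather than a control.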
By implementing an EMS, financial organizations can remove the cost and complexity of building custom entitlement solutions into each application, and achieve more granular and consistent control of entitlement throughout the environment. Management is more efficient because a policy changed or added once in the EMS is applied wherever an enforcement point is deployed, without touching application code. Compliance goals are easier to meet because entitlement policies are enforced consistently across all applications, and the centralized decision log gives auditors one place to verify who was allowed to do what.
The concept of entitlement management systems is relatively new, but there is an increasing number of options available for organizations that want to implement one. Cisco Systems Inc. (which purchased Securent Inc., the pioneer of EMS), Jericho Systems Corp. and CA Inc. are among the growing field of vendors offering EMS products. For financial organizations, an EMS may be a prudent investment to provide consistent control over which applications users can access, and what they can do within those applications once they have access.
It is not as simple as cutting a check to an EMS vendor and deploying an appliance on the network. Depending on the size of the organization, the number of applications in use, and the number of applications that already have their own entitlement functions built in (which must be migrated to, or reconciled with, the central policies rather than left to enforce a second, conflicting set of rules), properly configuring the EMS can be tedious. Time will have to be invested to develop pervasive entitlement policies and to fine-tune the EMS so that it manages and enforces them correctly.
About the author:
Tony Bradley is a CISSP, and a Microsoft MVP. He is a Director with Evangelyze, a Microsoft Gold Certified and Voice Premier Partner focused on unified communications technologies. Tony is also a respected expert and author in the field of information security whose work is translated and read around the world. He contributes regularly to a variety of Web and print publications, and has written or co-written eight books. In addition, Tony is the face of the About.com site for Internet/Network Security, where he writes articles and tips on information security and has almost 40,000 subscribers to his weekly newsletter. Mr. Bradley has consulted with Fortune 500 companies regarding information security architecture, policies and procedures, and his knowledge and skills have helped organizations protect their information and their communications.