February 19, 2008

Over desktop computing's lifetime, data center and network security actually have been relatively simplistic: At the perimeter, toggle switches allow friendlies in and keep foes out. But the advent of true business collaboration tools also is bringing an IT security paradigm shift. The friend-or-foe approach is giving way to multivariant analyses that occur within the data center to regulate collaborators' access privileges after they pass through the castle gates.

Let's suppose your firm adopts a collaboration platform, such as Microsoft SharePoint or Cisco's WebEx Connect, which allows employees to establish their own mini-Web sites inside your network perimeter. One of your research analysts creates such a site to share various reports, drafts and other content with enterprise colleagues, to whom he grants site access. Your identity management (IdM) system, however, considers every employee with the correct password a "friendly" and grants everyone the same access rights to all the content on the analyst's site. Eventually, a report draft gets into the hands of a trader, and what started as an efficiency tool now has enabled an insider-trading scandal.

Fortunately, a new subcategory of IdM, called entitlement management (EM), is coming to the rescue. Essentially, EM solutions centralize access management and stand in front of applications, replacing the time-honored IT tradition of custom-coding entitlements into the applications themselves. By decoupling entitlements from applications, EM provides flexibility and "fine-grained access control" across systems to prevent inappropriate activities, says Gerry Gebel, VP and services director for the Burton Group.

"It's unusual for a policy, such as a separation-of-duty rule, to apply to a single application or platform," notes Gebel. "With EM, you establish a rule in one place and it's enforced everywhere, regardless of the platform, system, database or application."
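As an added illustration of the decoupling Gebel describes (example code, not from the article, Securent or Wachovia), the following toy policy decision point holds the rules once, including the research-to-trading barrier from the SharePoint scenario above and a separation-of-duty rule, while two unrelated applications only ask it for a decision; the attribute names, departments and combining behaviour are assumptions modelled loosely on XACML.

```python
# Added example (not from the article, Securent or Wachovia): a toy XACML-style
# policy decision point; the departments and attributes are constructed.
from dataclasses import dataclass
from typing import Callable

@dataclass
class Request:
    subject: dict   # caller attributes, e.g. {"id": "ann", "dept": "research"}
    action: str     # "read" or "approve"
    resource: dict  # target attributes: dept, status, author, shared_with

@dataclass
class Rule:
    name: str
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[Request], bool]

# One central policy, written once and enforced by every application.
POLICY = [
    # Information barrier: research drafts never reach the trading desk.
    Rule("research-draft-barrier", "Deny", lambda r:
         r.resource["dept"] == "research" and r.resource["status"] == "draft"
         and r.subject["dept"] == "trading"),
    # Separation of duty: nobody approves their own document.
    Rule("no-self-approval", "Deny", lambda r:
         r.action == "approve" and r.subject["id"] == r.resource["author"]),
    # The owner's explicit share list grants read access.
    Rule("shared-read", "Permit", lambda r:
         r.action == "read" and r.subject["id"] in r.resource["shared_with"]),
    # Approvers in the document's own department may approve it.
    Rule("dept-approve", "Permit", lambda r:
         r.action == "approve" and r.subject.get("role") == "approver"
         and r.subject["dept"] == r.resource["dept"]),
]

def decide(req: Request, policy=POLICY) -> str:
    """Deny-overrides combining: any applicable Deny wins, then any Permit;
    NotApplicable means no rule matched, which an enforcement point treats as deny."""
    effects = {rule.effect for rule in policy if rule.applies(req)}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

# Two unrelated applications act only as policy enforcement points (PEPs):
# neither carries any entitlement logic of its own.
def site_can_read(user: dict, doc: dict) -> bool:
    return decide(Request(user, "read", doc)) == "Permit"

def workflow_can_approve(user: dict, doc: dict) -> bool:
    return decide(Request(user, "approve", doc)) == "Permit"
```

Changing the barrier rule in `POLICY` changes the behaviour of both enforcement points at once, which is the point of moving entitlements out of the applications.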

Developing Secure Products, Fast

When Wachovia set out on its five-year service-oriented architecture (SOA) overhaul in 2005, a key goal was harnessing EM, according to Ryan Bagnulo, the bank's VP and head of architecture innovation for corporate investment banking technology. "We wanted to enable the swift development of secure products," he explains. "Our traders develop innovative products all of the time. But new products need new security policies before anyone can trade them. Historically, this meant writing code, testing it, debugging it and promoting it into production. From a labor perspective, this was expensive. And from a time-to-market perspective, it was risky."

Early in 2006 Bagnulo began looking for an SOA-compatible entitlements solution. As a former ethical hacker at IBM, Bagnulo says he was intimately acquainted with the inherent integration and interoperability dilemmas. In addition, his aversion to vendor lock-in was strong. "I wanted open standards so other technologies could easily plug into the entitlement management solution," Bagnulo stresses. "Plus, I wanted a hedge against an EM vendor going out of business or having its solution disappear into a merger abyss, both of which are all too common in emerging technology markets."

Ultimately, a new open standard, eXtensible Access Control Markup Language (XACML), provided Bagnulo with his EM answer. "With XACML, infrastructure components speak the same language irrespective of vendor," he says. "This streamlines integration chores, and there's no vendor lock-in because I can always rip out components and replace them."

According to Bagnulo, IBM was working on an XACML-based EM project called Sparkle. "Not only wasn't it ready, but IBM was only coding it to the AS/400 [mainframe]," he relates. "Another vendor, BEA, had a promising product, the AquaLogic Enterprise Security suite, which worked great with WebLogic. But it didn't support SharePoint, JBoss, WebSphere, DB2, Oracle, Sybase and SQL, which we also needed."

Then Bagnulo found the Entitlement Management Solution from Securent, which now is a Cisco company. "Securent was very attractive due to its scalable architecture and delegated XACML administration tool," he says. "Not only did Securent eliminate custom coding, but its Web-based administration console put programming completely in the background. By exposing the admin console to business users, we could empower them to create enforceable security policies literally via drag and drop." Wachovia inked a deal with Securent in mid-2007.

Although Wachovia's EM rollout is just months old, it's already providing a return on the bank's investment. "I'm launching a new product in April that took us only three months to build," Bagnulo says. "Previously, the project would have carried a 12- to 18-month timeline. Securent not only paid for itself during its very first project, in terms of the ROI, but the resulting product is built better than was possible using the custom-coding processes of the past."