RealTime IT News

Rajiv Gupta, CEO, Securent Corp.

There's no denying it: buying security is in vogue.

In a year of constant headlines about data breaches, the loss of laptops and identity theft risks -- coupled with stricter compliance regulations -- vendors are noodling new and improved ways to help customers protect their networks.

Single sign-on, authentication, authorization: they're all significant pieces of the multi-billion-dollar identity management puzzle.

But how will the market evolve?

Some experts think entitlement management software is the next step. As the name suggests, entitlement prescribes policies for access to machines, applications and other resources on a network. In short, it determines who has access to what and for how long.

Securent Corp., co-founded by CEO Rajiv Gupta, is one of the first startups to address this market segment with its Entitlement Management Solution (EMS).

Gupta, the former CEO of Confluent Software and creator of HP's E-Speak Web services initiative, says his company is well positioned to take a leadership position in this market, which includes offerings from BEA Systems and CA. He recently sat down with internetnews.com to explain why.

Q: What does Securent do?

If you're trying to protect something of value, whether it's a sensitive application or confidential data on a network, you have to figure out who's making the access -- that's all about identity management, single sign-on, authentication. You need to figure out if this particular access, for this person, in this context, trying to perform this action, with this message at this time of day, is allowed or not. The administration of these policies, the enforcement of these policies, the audit and review of these policies -- this is entitlement management.

We cover the second half of identity management to address the needs of security. Just knowing who you are is not sufficient; it's what you can do.

Security, compliance and governance are the key drivers, but if you look at it from the business perspective, it's the notion of the extended enterprise. I'm trying to connect with my partners, or I have an outsourcing outfit in India or China or wherever it is. So, all of these are requiring me to take my core assets and make them available to a broader audience. Many more people with different levels of access. I need to control that and audit that.

Q: What are the market drivers for entitlement management software?

Besides compliance, these companies would write custom code for each application and piece of infrastructure. Any company that has customer data or employee data or any form of financial data has to protect it. And the way they protected it earlier was with custom code. And that has issues, like brittleness and high expenses to maintain. Plus, you don't have any consistency in policies and you don't have a way to demonstrate that you are meeting compliance.

Q: What's so hot or different about your Entitlement Management Solution software?

The most important thing is to externalize the entitlements from the application. It has to be outside the development scope of the application, otherwise you're back to the same old problem of extending your development cycle, of having all the brittleness. The other thing is that the policy is defined right and uses not only identity information, but resource-specific information. As an example, you may be the vice president in the enterprise, but for one application you're the administrator, while for another application, you are the guest.

The third one is that policies need to be enforced, but they need to be managed centrally. I need to have one consistent place where I can administrate my policies and review the policies across my applications. The fourth one is an issue of how long people are willing to wait to deploy this. It has to be very simple and easy to integrate with existing identity access management and heterogeneous environments. The last one is they need to be standards-based and be deployed as a SOA-compliant service.

Q: How does this separation of the security logic from the application logic help in a service-oriented architecture (SOA)?

In SOA, I've broken out my application into component services, loose coupling everything. But if I tight-couple security back into component services, I've lost a lot of the SOA benefits I was hoping to achieve, so for any effective SOA you need to have entitlements as a separate infrastructure service, which is SOA-enabling. So we're finding a lot of traction from customers who are in the process of deploying SOA. Most of these clients say this type of security is a fundamental requirement before a company starts to exploit SOA in an effective manner.

Q: What are some of the scenarios where a customer decided they needed Securent's entitlement management?

We closed a contract with one of our financial service customers in less than three months because they were feeling competitive pressure from another financial services company who could integrate their partners and provide better self-service to their customers faster than our client could. It is not simply a cost reduction issue. It's not just a compliance and governance issue. It's actually a competitive issue for them, which carries a lot of weight.

In another example, another financial services company had done an analysis of the business justification for rolling out enterprise instant messaging. Just before they were going to go live, their compliance team asked them how they were going to prevent an analyst from talking to a broker [and giving away trade secrets]. If you can't do that, you can't roll it out. That, again, became a very short sales cycle for us because they had done all the business case analysis but they couldn't go live because they couldn't meet their compliance requirement.

Q: How big do you expect this entitlement management approach to become?

Entitlement is the next big wave of enterprise security. By most measures, it is expected to be larger than the market of traditional identity management that came before us. The reason is very simple. Who you are is who you are in the enterprise. But what you can do is a function of what you're trying to access. So whereas with [CA's] Netegrity [ID management software] I might try to sell you one SiteMinder license for the enterprise. With EMS, there are components I can sell you for each of the applications. Just as a bottoms-up number, each department of each Fortune 5000 company is about a $200,000, $250,000 or $300,000 sale for us. So that's a $2.5 billion market, just in a very simple aggregate. This market is huge. We are driving the market.