RealTime IT News

CA: Role-Playing Needs Security Test

The biggest cause of security breaches in enterprises is unauthorized access by staff to applications and IT systems.

Controlling that access has generally been a mishmash of policy-driven controls leveraging Microsoft Active Directory or a back-end database and ad hoc granting of rights by IT or systems administrators as needed.

That has led to the rise of role-driven access rights, where users are accorded access privileges according to the roles they play in the enterprise. For example, HR staff may have limited access to the accounting system's database and more complete access to the HR database, while other users may not be given any access rights at all to either the HR or accounting databases because their roles don't call for these.

CA (NASDAQ:CA) has become the latest enterprise software vendor to add role management as an answer to that trend, with a deal to resell Eurekify's Enterprise Role Manager.

"The role is basically the DNA of the organization," Azi Cohen, CEO of Eurekify, told InternetNews.com. "But enterprises have no lexicon or directory for assigning titles and roles."

Eurekify's product is designed to let enterprises automate the process of allocating roles. The company said its patented algorithms mine data from existing access rights, reflect them to the organization, notify the HR department, and create a hierarchy of roles based on definitions.

After the role hierarchy is set up, enterprises can conduct if-then analyses to specify just what access rights are allocated to whom. This is designed to resolve issues that arise when several people bear the same title, such as department manager, for example.

The idea is to simplify users' access to resources. After all, an organization with 20,000 staff might have "100,000 different IT resources and the links between access rights and resources would number one to two million" because of cross-linkages and multiple roles played by staff, Cohen said.

Establishing a logical role hierarchy would slash the number of links "to 1,000 business roles and the entire system would be clear and transparent," Cohen added.

The issues around role management can add up. In a typical large enterprise, with tens of thousands of users and thousands of applications ranging from back-end databases and ERP systems, compliance-related tasks such as identity audits and certifying users' access to data become Sisyphean undertakings.

CA argues that a centralized identity management system also makes compliance easier by automating identity management processes to create repeatable and auditable processes.

Role management has become critical in dealing with governance, risk management and compliance requirements because it ties users' access privileges to their job functions within the organization.

"You do need a good management solution to maintain not only who does what, but to provide a management interface that lets managers attest that a relationship's appropriate and to make sure the relationships are done in accordance with company policy," Kevin Kampman, senior analyst at The Burton Group, told InternetNews.com.

That helps with compliance, which "really demonstrates that you've complied with policy" because, if a policy has been established around a role, the enterprise can demonstrate that the policy has been effected, Kampman added.

Over time, every identity management system will need to incorporate role management, Kampman said.

That can add up for vendors sniffing out opportunities in role management software. Last year, Oracle (NASDAQ:ORCL) acquired Bridgestream, an enterprise role management software vendor; and Sun (NASDAQ:JAVA) acquired VAAU, a role management and identity audit vendor. As far back as In 2004, HP (NASDAQ:HPQ) acquired TruLogica. Now, CA has tied in with Eurekify.

It had to: CA had an ongoing relationship with VAAU when Sun purchased the latter, so it needed to find a new partner, Kampman added.

CA is complementing its Identity Manager product with Eurekify.

"We're including this as part of a larger solution," Bilhar Mann, CA's senior vice president of security management, told InternetNews.com. Roles from Eurekify will be imported into CA's Identity Manager product, and can be used to create access systems.

That's at the back end; at the front end, enterprises can use OpenID, Windows CardSpace, pretty much anything, Mann said.