There’s no denying it: buying security is in vogue.
In a year of constant headlines about data breaches, lost laptops and identity theft risks, coupled with stricter compliance regulations, vendors are noodling on new and improved ways to help customers protect their networks.
Single sign-on, authentication, authorization: they’re all significant
pieces of the multi-billion-dollar identity management puzzle.
But how will the market evolve?
Some experts think entitlement management software is the next step. As the name suggests, entitlement prescribes policies for access to machines, applications and other resources on a network. In short, it determines who has access to what and for how long.
Securent Corp., co-founded by CEO Rajiv Gupta, is one of the first startups
to address this market segment with its Entitlement
Management Solution (EMS).
Gupta, the former CEO of Confluent Software and creator of HP’s E-Speak Web
services initiative, says his company is well
positioned to take a leadership position in this market, which includes
offerings from BEA Systems and CA. He recently sat down with internetnews.com to explain why.
Q: What does Securent do?
If you’re trying to protect something of value, whether it’s a sensitive
application or confidential data on a network, you have to figure out who’s
making the access — that’s all about identity management, single sign-on,
authentication. You need to figure out if this particular access, for this
person, in this context, trying to perform this action, with this message at
this time of day, is allowed or not. The administration of these policies,
the enforcement of these policies, the audit and review of these policies — this is entitlement management.
We cover the second half of identity management to address the needs of
security. Just knowing who you are is not sufficient; it’s what you can do.
Security, compliance and governance are the key drivers, but if you look at
it from the business perspective, it’s the notion of the extended
enterprise. I’m trying to connect with my partners, or I have an outsourcing
outfit in India or China or wherever it is. So, all of these are requiring
me to take my core assets and make them available to a broader audience.
Many more people with different levels of access. I need to control that and
audit that.
Q: What are the market drivers for entitlement management software?
Besides compliance, these companies would write custom code for each
application and piece of infrastructure. Any company that has customer data
or employee data or any form of financial data has to protect it. And the
way they protected it earlier was with custom code. And that has issues, like
brittleness and high expenses to maintain. Plus, you don’t have any
consistency in policies and you don’t have a way to demonstrate that you are
meeting compliance.
Q: What’s so hot or different about your Entitlement Management Solution software?
The most important thing is to externalize the entitlements from the
application. It has to be outside the development scope of the application,
otherwise you’re back to the same old problem of extending your development
cycle, of having all the brittleness. The other thing is that the policy is
defined right and uses not only identity information, but resource-specific
information. As an example, you may be the vice president in the enterprise,
but for one application you’re the administrator, while for another
application, you are the guest.
The third one is that policies need to be enforced, but they need to be
managed centrally. I need to have one consistent place where I can
administrate my policies and review the policies across my applications. The
fourth one is an issue of how long people are willing to wait to deploy
this. It has to be very simple and easy to integrate with existing identity
access management and heterogeneous environments. The last one is they need
to be standards-based and be deployed as a SOA-compliant service.
Q: How does this separation of the security logic from the application logic
help in a service-oriented architecture (SOA)?
In SOA, I’ve broken out my application into component services, loose
coupling everything. But if I tight-couple security back into component
services, I’ve lost a lot of the SOA benefits I was hoping to achieve, so
for any effective SOA you need to have entitlements as a separate infrastructure
service, which is SOA-enabling. So we’re finding a lot of traction from
customers who are in the process of deploying SOA. Most of these clients say
this type of security is a fundamental requirement before a company starts
to exploit SOA in an effective manner.
Q: What are some of the scenarios where a customer decided they needed
Securent’s entitlement management?
We closed a contract with one of our financial service customers in less
than three months because they were feeling competitive pressure from
another financial services company who could integrate their partners and
provide better self-service to their customers faster than our client could.
It is not simply a cost reduction issue. It’s not just a compliance and
governance issue. It’s actually a competitive issue for them, which carries
a lot of weight.
In another example, another financial services company had done an analysis
of the business justification for rolling out enterprise instant messaging.
Just before they were going to go live, their compliance team asked them how
they were going to prevent an analyst from talking to a broker [and giving
away trade secrets]. If you can’t do that, you can’t roll it out. That,
again, became a very short sales cycle for us because they had done all the
business case analysis but they couldn’t go live because they couldn’t meet
their compliance requirement.
Q: How big do you expect this entitlement management approach to become?
Entitlement is the next big wave of enterprise security. By most measures,
it is expected to be larger than the market of traditional identity
management that came before us. The reason is very simple. Who you are is
who you are in the enterprise. But what you can do is a function of what
you’re trying to access. So whereas with [CA’s] Netegrity [ID management
software] I might try to sell you one SiteMinder license for the
enterprise, with EMS, there are components I can sell you for each of the
applications. Just as a bottoms-up number, each department of each Fortune
5000 company is about a $200,000, $250,000 or $300,000 sale for us. So that’s
a $2.5 billion market, just in a very simple aggregate. This market is huge.
We are driving the market.