July 23, 2007
While I was looking through current offerings in Entitlement Management (EM), I was struck with the questions that will likely be the next logical thoughts in the CIO’s mind after they are sold on the obvious ROI of an EM solution.
Which organization should own the centralized Entitlement Management in the company? The first ideas will revolve around either Security Administration or Application Development. For a company, which has already implemented enterprise or Web single sign on (SSO), Security Administration would be the logical place to own Entitlement Management. For companies without an existing SSO system, the logical area could be Application Owners. Or would it? Entitlement management (EM) can and will be deployed in a standalone environment for only centralizing the entitlement management of a portal. But the greatest benefit of EM will be reaped where it integrates tightly with provisioning, job roles, access management, and SSO. Role-based entitlement management combines the benefits of provisioning with centralized EM. This thought process circles back again to Security Administration taking the lead in ownership of the EM solution. Obviously, even more than traditional Access and Identity Management, EM will require deep coordination between Security Administration and various business units and a well defined process for managing identities.
How will I integrate the EM framework with a global corporate GRC engine. As with any policy decision points (SSO, EM, provisioning), policies should not only be transparent and easily manageable, but they need to tie into and be cohesive with the company’s global governance, risk, and compliance (GRC) framework. Web services for checking back to the corporate GRC repository is a great start here, but a “policy feeder” would be ideal — this could automate integration with higher level GRC policies. ERP system segregation of duty policies also need to be enforced in a centralized EM system which controls other, non-ERP applications.
How will I make peace with warring factions of my security organization and application development organization? Authorization features of the application need to be moved into a centralized entitlement management system.The above is not an easy process though. Overcoming application owners’ resistance against moving authentication decisions to a centralized access control product policy is something that all CISOs are keenly aware of during implementation of even a simple Web SSO project. But this is still a small task when you compare it with moving entitlement management out of applications. Why? Two reasons: legacy code and siloed ownership of applications. Applications tend to mix business logic, security, and presentation. Externalized application authorization requires a rigorous application code review and untangling of legacy spaghetti code responsible for in-house application authorization decisions. Needless to say that owners of old, legacy, applications may not even have the understanding of source code level understanding required to undertake such a review process. Siloed LOB application ownership needs to maintain an ongoing relationship with the organization that owns the Entitlement Management product and nurture not only SSO, but EM integration points.
How will I integrate my access request helpdesk system with EM? For business users, the most visible element of the EM system will be creating and approving application entitlement request tickets. Thus entitlement management processes need to be integrated into the bigger framework and workflow of managing identities.
As with any other project with a sizeable cross-cut through organizational politics, in order to answer the above challenges, the identity management steering committee will have to put EM regularly on their agenda.