As with so many security chores, access management just keeps getting more complicated.
Access management means setting and enforcing the rules for who has access to what information and which applications. It was complicated enough when you only had to manage multiple types of users, such as executives, managers and data entry workers, accessing multiple applications within your own organization. Today, you might find yourself managing many more users (such as vendors, customers, distributors or other business partners) using many different applications, accessing your systems over not only your internal network, but also over intranets, extranets or the Web.
Many of these applications have their own access management capabilities, and many of your business partners (or newly acquired or merged business units) have built their own management systems based on different directories or files (such as Excel spreadsheets) listing users and their access rights. To manage all this without busting your support staff budget, you ideally would have a single automated tool that could track, change and monitor access rights across multiple applications, directories and "legacy" access management systems -- and do it all based on pre-set policies or job descriptions of individual employees.
Eventually, you may find all this in a single product. But for now, you have to look at two types of software. The first is "provisioning" or "enterprise user administration/provisioning" tools. These automate, or at least provide an automated workflow for, the "creation, modification or disabling of (user) accounts and associated access rights," says Giga Information Group Analyst Jonathan Penn, and usually work across multiple applications, directories or access management systems within the enterprise. The second type of tool, called "extranet access management" or "Web access management," enforces the authorization rights granted by the provisioning systems across extranet, intranet or other Web-enabled environments, says Penn.
The leaders in Web (or extranet) access management, according to Penn, are Netegrity's SiteMinder, RSA Security Inc.'s ClearTrust, Oblix's NetPoint and Tivoli Systems Inc.'s Policy Director. SiteMinder "was first to market, has a rich set of features and application support, and a highly scalable architecture," says Penn. ClearTrust boasts "very strong" scalability and application integration, he says, while NetPoint "delivers the richest set of delegated administration, self-service and workflow capabilities." Policy Director's proxy-based architecture, he says, means security managers don't have to deploy software agents at every server or resource they need to protect.
In the provisioning category, Penn gives top marks to BMC Software Inc.'s Incontrol for Security Management, Access 360's enRole and Business Layers eProvision Day One. Incontrol for Security Management, which supports more than 25 platforms and applications including mainframes, Unix and Windows servers, as well as databases and ERP systems, boasts the longest track record and the record for "the most deployments and the largest deployments," says Penn. Access 360 offers its provisioning tools in the form of its enRole software, or as a hosted service in partnership with VeriSign and has developed software agents to manage more than 70 operating systems, databases, applications, e-mail and directory services. Business Layers' eProvision Day One "has strong workflow capabilities," says Penn.
In evaluating either type of tool, Penn recommends looking for how easy it is to link the tool to existing applications, either through pre-built connectors or building custom links yourself. Customers should evaluate how easy it is to create and manage access policies based on employees' roles and to audit existing systems to determine what types of access users already have. Some provisioning vendors are looking to integrate business rules into their tools, says Gartner Inc. Analyst Roberta Witty. One example would be preventing a single employee from having authorization to both purchase goods and approve payment for them, a dual authority that could open the door to theft. Many customers are also demanding access management tools that allow users to learn or change their passwords without a call to the help desk, says Witty.
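As an added illustration (not code from the article or from any vendor it names), the following Python sketch of a provisioning engine applies a role-based policy with the purchase-versus-approve-payment separation-of-duty rule Witty describes, logs every accepted change, and audits an existing system's access list against the policy. The role names and the findings format are assumptions.

```python
from dataclasses import dataclass, field

# The article's example of a business rule: one person must not both purchase
# goods and approve payment for them. Role names are constructed for illustration.
SOD_CONFLICTS = [({"buyer", "ap_clerk"}, "purchase goods and approve payment for them")]


def sod_violations(roles):
    """Return the SoD rules a role set violates (an empty list means compliant)."""
    return [reason for conflict, reason in SOD_CONFLICTS if conflict <= set(roles)]


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    enabled: bool = True


class Provisioner:
    def __init__(self):
        self.accounts, self.audit_log = {}, []

    def _apply(self, action, user, roles):
        # The check runs on the resulting role set, so a later 'modify' cannot sneak
        # in the second half of a conflicting pair. Every accepted change is logged.
        if v := sod_violations(roles):
            raise ValueError(f"refused {action} for {user}: {v[0]}")
        acct = self.accounts.setdefault(user, Account(user))
        acct.roles = set(roles)
        self.audit_log.append((action, user, sorted(roles)))
        return acct

    def create(self, user, roles):
        return self._apply("create", user, roles)

    def modify(self, user, add=(), remove=()):
        return self._apply("modify", user, (self.accounts[user].roles | set(add)) - set(remove))

    def disable(self, user):
        self.accounts[user].enabled = False
        self.audit_log.append(("disable", user, None))

    def audit(self, observed):
        """Reconcile roles seen on a target system (e.g. a spreadsheet export) with policy."""
        findings = []
        for user, roles in observed.items():
            acct = self.accounts.get(user)
            if acct is None or not acct.enabled:
                findings.append((user, "orphan: not active in the provisioning system"))
            findings += [(user, f"SoD violation: {r}") for r in sod_violations(roles)]
        return findings
```

The audit step is what the article calls auditing existing systems to learn what access users already have: accounts the provisioning system never issued, or has disabled, surface as orphans alongside any policy conflicts.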
Mike Hager, vice president of network security and disaster recovery at Oppenheimer Funds in Englewood, Colorado, is using the workflow capabilities of Access 360's enRole to manage not only access to systems, but to alert other departments such as telecom about the services new employees need to be productive as soon as they begin work. The workflow features, and the fact enRole allows users to recover or change lost passwords themselves, have already trimmed the firm's provisioning and help desk requirements, he says.
As in many implementations, the access management and provisioning tools set out the rules for who gets access to what, but a separate authentication system determines if a user is who he claims to be. Oppenheimer, for example, is evaluating Smartpath, a behavior-based authentication tool from Authentor Systems Inc., for use with Access 360.
Security managers also should remember that automating what had been an ad-hoc, often unstructured and manual process means "you're clearly removing people" from their previous roles of granting and withholding access to systems. Witty recommends explaining how and why the access control process is changing and making sure all the affected managers support the change before implementing any tools.
Over time, the distinctions will blur between the two types of software, several analysts predicted. Netegrity, for example, has recently unveiled its SRM (Secure Relationship Management) platform that combines multiple Netegrity tools to provide identity management, single sign-on to multiple systems, as well as access control, provisioning, personalization and application integration services. Until then, know what you're buying -- and why -- in a provisioning or a Web access management tool.

About the author
Robert L. Scheier writes frequently about security from Boylston, Mass. He can be reached at firstname.lastname@example.org.