ERM is based partly on the principle of role-based access control (RBAC), in which permissions are attached to roles and a user receives them by being assigned to a role, rather than only through rights granted to that user individually. This sounds a lot like ordinary access control, even at the operating system level -- Active Directory and LDAP directories also aggregate users into groups -- but unlike those, ERM isn't tied to a single platform, and it operates at a higher level than any single system.
ERM goes beyond RBAC on any one system to encompass the entire enterprise, spanning multiple business units, functional areas and geographies within a single company. It can reshape roles and groups as the user population changes, whether the company grows internally or through acquisition.
Compliance has driven interest in ERM. It's seen as a better way to track and document users and access throughout the enterprise -- required by such regulations as SOX, HIPAA and PCI DSS -- than traditional access management systems linked to specific platforms and systems.
ERM is a specialized component of identity and access management (IAM) suites and is quickly becoming one of their standard features, but a number of standalone ERM vendors remain, which can make the vendor landscape difficult to navigate. Two strong ERM vendors, Bridgestream and Vaau, were purchased in 2007. Oracle Corp. bought Bridgestream to beef up its growing IAM suite, and Sun Microsystems Inc. snapped up Vaau, partly to outflank Oracle's move and partly to strengthen its own IAM suite.
Among the remaining standalone players are Eurekify Ltd., SailPoint Technologies Inc., Omada Solutions Inc., Bhold Company and Voelcker Informatik AG. Eurekify Sage ERM automates the assignment of enterprise roles by regularly querying identity stores, looking for patterns of usage along business lines and then tuning the alignment of roles to business processes and systems. Its other features include checking for unusual usage patterns so that stale access can be cleaned up, flagging escalated privileges, and verifying appropriate segregation of duties among users. Eurekify bills itself as a compliance tool as well, since it can be used to check and certify users' privilege levels.
Both Bhold and Voelcker Informatik, based in Europe, draw heavily on RBAC to model user groups. Voelcker Informatik's ActiveEntry also integrates with SAP's HR system as an add-on module, linking users directly to the roles recorded for them in HR.
ERM deployment best practices
Here are a few guidelines concerning the current ERM market and some best practices for deploying ERM. But first, it's important to understand the concepts of roles and groups.
Consider a company's accounting department, where every employee has a unique user ID and password and some access rights granted individually. Everyone in the department is also a member of an accounting group whose members share access to the files and documents related to their work, and some belong to narrower groups still; for example, only members of the payroll group can reach the more restricted payroll information.
ERM adds flexibility by mapping users to roles more precisely, to meet the access management needs of companies with far-flung business units and departments, and by adding users to roles and removing them as they change jobs and functions.
In terms of best practices, it's good to start with an IAM suite that already has ERM as part of the package. This enables direct integration with the existing directory services through the IAM suite. Going with a standalone ERM vendor without a centralized identity warehouse in place might make an independent ERM product difficult to implement. An identity warehouse -- a consolidated repository of the accounts and entitlements pulled from every connected system -- is what makes the role mining required for ERM feasible, but many companies have a hodgepodge of directory services, which makes building one a tall order.
Once the ERM system is up and running and monitoring users and their roles, it'll still need to be tuned. That requires continuous monitoring; roles will need to be reviewed regularly to make sure they're in sync with business processes and reassigned as needed. Without this continuous tuning, ERM is just a fancy way to generate user access reports.
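As an added example that is not part of the original article and is not any vendor's code, the following Python script runs the workflow sketched above over a constructed identity snapshot: it mines candidate roles from users who hold identical entitlement sets (the accounting and payroll groups of the earlier example, discovered rather than declared), flags any entitlements that fall outside a user's best-fitting role for the recertification review that ongoing tuning requires, and checks a segregation-of-duties rule both per user and against the mined role definitions themselves. Every user, group and entitlement name is an assumption made up for the example, and the exact-match grouping is a deliberate simplification of what commercial role-mining engines do.

```python
"""Toy enterprise role management (ERM) workflow: role mining, segregation-of-duties
(SoD) checks and out-of-role drift detection over a constructed identity snapshot.

Added example, not code from the article or from any vendor's product. Every user,
group and entitlement name below is constructed for illustration.
"""
from collections import defaultdict

# Constructed snapshot of what an identity warehouse would hold after querying
# several identity stores: user -> set of entitlements, written "system:privilege"
# (directory groups from "ad", ERP privileges from "erp", HR privileges from "hr").
ENTITLEMENTS = {
    "alice": {"ad:Accounting", "erp:GL_Read", "erp:GL_Post"},
    "bob":   {"ad:Accounting", "erp:GL_Read", "erp:GL_Post"},
    "carol": {"ad:Accounting", "erp:GL_Read", "erp:GL_Post",
              "ad:Payroll", "hr:Payroll_Read", "hr:Payroll_Approve"},
    "dave":  {"ad:Accounting", "ad:Payroll", "hr:Payroll_Read", "hr:Payroll_Submit"},
    "erin":  {"ad:Accounting", "ad:Payroll", "hr:Payroll_Read", "hr:Payroll_Submit"},
    "frank": {"ad:Accounting", "ad:Payroll", "hr:Payroll_Read", "hr:Payroll_Submit",
              "hr:Payroll_Approve"},
    "grace": {"ad:Accounting", "erp:GL_Read", "erp:GL_Post", "ad:DomainAdmins"},
}

# Toxic combinations: privileges that must never be held by one person.
SOD_RULES = [("hr:Payroll_Submit", "hr:Payroll_Approve")]


def mine_roles(entitlements, min_users=2):
    """Bottom-up role mining: an entitlement set held identically by at least
    min_users people becomes a candidate role. Real products use richer clustering;
    exact-match grouping is enough to show the idea. Returns {name: frozenset}."""
    holders = defaultdict(list)
    for user, ents in entitlements.items():
        holders[frozenset(ents)].append(user)
    candidates = sorted(
        (ents for ents, users in holders.items() if len(users) >= min_users),
        key=lambda s: (-len(holders[s]), sorted(s)),  # most members first, then name
    )
    return {f"candidate_role_{i}": ents for i, ents in enumerate(candidates, 1)}


def fit_users_to_roles(entitlements, roles):
    """Map each user to the largest mined role wholly contained in their entitlements
    and return {user: (role_name_or_None, frozenset_of_out_of_role_entitlements)}.
    The out-of-role grants are the candidates for a recertification review."""
    report = {}
    for user, ents in entitlements.items():
        fitting = [(len(r), name) for name, r in roles.items() if r <= ents]
        if fitting:
            _, best = max(fitting)
            extras = ents - roles[best]
        else:
            best, extras = None, set(ents)
        report[user] = (best, frozenset(extras))
    return report


def sod_violations(entitlements, rules):
    """Return {user: [(priv_a, priv_b), ...]} for users holding a conflicting pair."""
    out = {}
    for user, ents in entitlements.items():
        hits = [(a, b) for a, b in rules if a in ents and b in ents]
        if hits:
            out[user] = hits
    return out


def roles_with_sod_conflicts(roles, rules):
    """Roles whose own definition embeds a toxic combination. Catching this when the
    role is defined stops every future member from inheriting the conflict."""
    return sorted(name for name, ents in roles.items()
                  if any(a in ents and b in ents for a, b in rules))


if __name__ == "__main__":
    roles = mine_roles(ENTITLEMENTS)
    for name, ents in roles.items():
        print(f"{name}: {sorted(ents)}")
    print("\nOut-of-role entitlements (review these):")
    for user, (role, extras) in fit_users_to_roles(ENTITLEMENTS, roles).items():
        if extras:
            print(f"  {user:6} fits {role}; extras: {sorted(extras)}")
    print("\nSoD violations:", sod_violations(ENTITLEMENTS, SOD_RULES))
    print("Roles that embed an SoD conflict:",
          roles_with_sod_conflicts(roles, SOD_RULES))
```

Run against the constructed snapshot, the script mines two candidate roles (a general accounting role and a payroll-submitter role), reports carol, frank and grace as carrying grants outside their best-fitting role, and flags frank for holding both the submit and approve privileges. Rerunning the same checks against each fresh snapshot is the continuous tuning the text calls for; the interesting output is the change in the out-of-role list between runs, not the list itself.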
About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in web and application security, and the author of The Little Black Book of Computer Security, available from Amazon. He hosts a regular radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.