In the first incarnation of access management solutions, we put up walls around the perimeter and gave users a single sign-on experience for the applications behind the wall, provided they presented the appropriate credentials. At the time, this centralized control allowed us to provide better security, a better IT service level and a much improved end-user experience.
Unfortunately, the centralized control these earlier-generation systems provided was coarse-grained: the decision to grant access to an application was a simple yes or no. Once a user had been granted access to an application, it was up to the application itself to police what that user could do inside it.
Not too long ago, we met with a customer in the financial services industry who explained that they had continued to provide loans to Enron during the collapse of the energy company, because their risk management applications were out of sync with the policies set in their lending applications. Had a centralized, fine-grained entitlements solution been in place at the time, the lending applications would have been governed by the same risk policy and would not have approved the loans to the failing Enron.
Recent shifts in application development practices (such as SOA, re-usable and loosely coupled services, etc.), as well as stricter governance policies, have created the need for a new generation of access management technologies. This new generation of fine-grained authorization solutions can allow or deny very specific actions within an application based on policies and other contextual information. These new access management systems allow authorization policies based on entitlements and roles to be created and managed outside of the applications themselves. Using these systems, organizations have a holistic view of authorization and access policies across all applications. A change in business policy is addressed in the authorization solution as a change to a rule or an entitlement, eliminating the need to re-code the policy change in every connected application. Further, should it even be the IT team's responsibility to code and re-code policy logic into the business applications, or isn't the organization better served by having these people focus on the business logic itself?
The need for centralized, fine-grained entitlements solutions is not limited to the financial world. For example, healthcare institutions can create and administer policies that allow physicians to view patient information only for patients directly under their care, and only while they are on duty, and this set of policies can be enforced at all relevant applications.
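To make the physician example concrete, here is a small externalized authorization model in Python. It is an added example, not code from the original article or from any product: the application holds only a policy enforcement point that asks "may this user do this action on this resource, given this context?", while the rules themselves (a physician may view a patient record only if the patient is on their care list and the request falls inside the shift window, and no one may bulk-export records) live in a separate policy set. The rule names, roles, shift hours, patient identifiers and records are all assumptions chosen for illustration. Note how the rules are data: extending the shift window, or adding a deny rule, changes the policy set and not the application function.

```python
"""Externalized, fine-grained authorization for the physician/patient scenario.

Added example (not from the original article). Rule names, roles, shift hours,
patient identifiers and records are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Callable, Tuple


@dataclass(frozen=True)
class Request:
    """What the application (policy enforcement point) asks the PDP about."""
    subject: str
    action: str
    resource: str
    context: dict = field(default_factory=dict)   # roles, care list, timestamp, ...


# Reusable condition predicates the rules are assembled from.
def has_role(role: str) -> Callable[[Request], bool]:
    return lambda req: role in req.context.get("roles", ())


def in_care_list(req: Request) -> bool:
    return req.resource in req.context.get("care_list", ())


def on_duty(start: time, end: time) -> Callable[[Request], bool]:
    """True only when the request carries a timestamp inside the shift window.
    A missing or malformed timestamp fails the condition (deny by default)."""
    def check(req: Request) -> bool:
        now = req.context.get("now")
        return isinstance(now, datetime) and start <= now.time() < end
    return check


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                                       # "permit" or "deny"
    actions: frozenset
    conditions: Tuple[Callable[[Request], bool], ...]  # all must hold


# The policy set lives here, outside the business application. Changing the
# shift window or adding a deny rule edits this data, not the application code.
POLICY_SET = (
    Rule("physician-views-own-patients", "permit", frozenset({"view"}),
         (has_role("physician"), in_care_list, on_duty(time(7, 0), time(19, 0)))),
    Rule("no-bulk-export", "deny", frozenset({"export"}), ()),
)


def decide(req: Request, rules=POLICY_SET) -> str:
    """Policy decision point. Deny-overrides combining: a matching deny wins,
    otherwise permit if any permit rule matches, otherwise deny by default."""
    permitted = False
    for rule in rules:
        if req.action in rule.actions and all(c(req) for c in rule.conditions):
            if rule.effect == "deny":
                return "deny"
            permitted = True
    return "permit" if permitted else "deny"


# Constructed sample data standing in for the clinical application's records.
RECORDS = {"patient:1001": {"name": "A. Example", "dx": "routine follow-up"},
           "patient:2002": {"name": "B. Example", "dx": "post-op check"}}


def get_patient_record(user: str, patient: str, ctx: dict, rules=POLICY_SET) -> dict:
    """Policy enforcement point inside the application: it only asks the PDP.
    The decision logic and the rules are owned by the authorization service."""
    if decide(Request(user, "view", patient, ctx), rules) != "permit":
        raise PermissionError(f"{user} may not view {patient}")
    return RECORDS[patient]


def example_context(hour: int, roles=("physician",), care_list=("patient:1001",)) -> dict:
    """Build the contextual attributes an identity or scheduling service would supply
    (constructed values; the date is arbitrary)."""
    return {"roles": tuple(roles), "care_list": tuple(care_list),
            "now": datetime(2024, 3, 4, hour, 0)}


if __name__ == "__main__":
    print(get_patient_record("dr.lee", "patient:1001", example_context(10)))
    try:
        get_patient_record("dr.lee", "patient:1001", example_context(22))
    except PermissionError as exc:
        print("denied:", exc)
```

Two design choices matter here: the combining algorithm is deny-overrides with deny as the default, so an attribute the context service fails to supply (the timestamp, the care list) results in a denial rather than a permit; and the application passes the rule set in rather than hard-coding it, which is what lets the policy change described above happen without re-coding the application.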
While a centralized, coarse-grained access control system was a tremendous improvement over the siloed security approach that preceded it, the same centralized approach was needed for managing fine-grained entitlements and authorizations. This next generation of access management solutions addresses that requirement, allowing an organization to standardize access and authorization controls across all systems. A fine-grained entitlements solution aligns naturally with the service-oriented development methodologies that are the new norm. As more organizations move to a service-oriented security model, business applications will be able to come online more quickly and securely than ever before.