29.04.2008 by Martin Kuppinger
One of the newer topics in Identity Management is Enterprise Entitlement Management. The term describes approaches for managing the low-level entitlements that live on the individual systems (access control lists and the like) from a central point.
That seems to be pretty complex. How would you ever manage file server ACLs efficiently from a central tool - or the ACLs of other systems? It isn't easy to solve. But bring in services and you're much closer to a solution - and not only for entitlement management, by the way.
Think about abstracting file server resources as services (which, by the way, is not that different from shares in the Windows world). Users understand services: a service provides the ability to store and retrieve their contracts, their personal files, their blueprints, their drafts of new marketing materials, and so on. A service is also simple to manage from a security standpoint, because the relevant rights shrink to a handful of levels: no access, read, write, full control - or something along those lines.
Services are easy to handle in accounting, too. There might be restrictions like quotas applied on the service level. And managing entitlements on that level is not that complex - it maps pretty easily to the concepts of Enterprise Authorization Management.
You might argue that the file system still has to be locked down. No problem - as long as it can be accessed only through services. There might be different, overlapping services for the same resources; administrative shares in Windows are one example. If that isn't sufficient, you can still use ACLs - and the services might either act as specific operating-system services which bypass that security level, or (as Windows does today with share and NTFS permissions) combine their own security settings with the operating-system settings. The latter is pretty complicated and somewhat overengineered. Note what the bypass variant implies: a service that runs with privileges the ACLs no longer constrain becomes the only enforcement point, so every access decision, and every check of the path a user asks for, has to happen inside the service. From my perspective, a consistent service approach might be sufficient.
Adding web services for file system access might be helpful - but it isn't mandatory. A service is not necessarily a web service. In fact, everything you need for such an approach is available today; some things might be improved. But with a service focus for file server services, security is easier to manage and to audit.
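To make the service idea concrete, here is an added example (my illustration, not code from the original post or from any product): a small Python "file service" that mediates all access to one directory tree. The service name, the users, the entitlement table and the four-level rights model are constructed for the example; the service is assumed to run with privileges that bypass the file system ACLs, which is exactly why it checks both the entitlement and the requested path itself.

```python
"""Added example (not from the original post): a file server exposed as a
service that is the single enforcement point for coarse entitlements."""
from __future__ import annotations

import tempfile
from enum import IntEnum
from pathlib import Path


class Right(IntEnum):
    """The handful of rights the service level needs; ordered so that
    a higher right implies the lower ones."""
    NONE = 0
    READ = 1
    WRITE = 2
    FULL = 3


class AccessDenied(PermissionError):
    pass


# Constructed central entitlement table: (user, service name) -> Right.
# In a real deployment this comes from the entitlement management system.
ENTITLEMENTS = {
    ("alice", "contracts"): Right.WRITE,
    ("bob", "contracts"): Right.READ,
    ("carol", "marketing-drafts"): Right.FULL,
}


class FileService:
    """Mediates every access to one directory tree on behalf of users.

    The process is assumed to run with privileges that bypass the file
    system ACLs, so nothing below this class checks anything: the
    entitlement check and the path confinement here are all there is.
    """

    def __init__(self, name: str, root: str, entitlements: dict) -> None:
        self.name = name
        self.root = Path(root).resolve()
        self.entitlements = entitlements

    def right_for(self, user: str) -> Right:
        return self.entitlements.get((user, self.name), Right.NONE)

    def _require(self, user: str, needed: Right) -> None:
        have = self.right_for(user)
        if have < needed:
            raise AccessDenied(f"{user}: has {have.name}, needs {needed.name} on {self.name}")

    def _resolve(self, relative: str) -> Path:
        # Confine the request to the service root. Because the ACLs are
        # bypassed, a traversal like ../../etc/passwd (or an absolute
        # path) would otherwise expose the whole file system.
        target = (self.root / relative).resolve()
        if target != self.root and self.root not in target.parents:
            raise AccessDenied(f"{relative!r} escapes service {self.name}")
        return target

    def read(self, user: str, relative: str) -> bytes:
        self._require(user, Right.READ)
        return self._resolve(relative).read_bytes()

    def write(self, user: str, relative: str, data: bytes) -> int:
        self._require(user, Right.WRITE)
        target = self._resolve(relative)
        target.parent.mkdir(parents=True, exist_ok=True)
        return target.write_bytes(data)

    def delete(self, user: str, relative: str) -> None:
        self._require(user, Right.FULL)
        self._resolve(relative).unlink()


def demo() -> dict:
    """Exercise the constructed 'contracts' service and report each outcome."""
    svc = FileService("contracts", tempfile.mkdtemp(), ENTITLEMENTS)
    results = {}
    results["alice_write"] = svc.write("alice", "2008/acme.txt", b"draft")
    results["bob_read"] = svc.read("bob", "2008/acme.txt")
    attempts = {
        "bob_write": lambda: svc.write("bob", "2008/acme.txt", b"x"),
        "alice_delete": lambda: svc.delete("alice", "2008/acme.txt"),
        "carol_read": lambda: svc.read("carol", "2008/acme.txt"),
        "alice_traversal": lambda: svc.read("alice", "../../../etc/passwd"),
        "alice_absolute": lambda: svc.read("alice", "/etc/passwd"),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            results[label] = "allowed"
        except AccessDenied:
            results[label] = "denied"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:16} {outcome!r}")
```

The point to take from it: the entitlement record is one tuple per user and service, not one ACE per file, and auditing means reading that table. The price is that the service's path check is now security critical; that is the "lock down the file system" question from above, answered inside the service.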
22.10.2007 by Martin Kuppinger
In some of my last entries in this blog (here and here) I’ve mentioned the concept of Enterprise Information Management, something I will cover in depth in a report within the next few weeks. Enterprise Information Management will be sort of the long-term evolution of today’s Identity Management and some of the tightly related topics, as well as the integration of IAM with some other technologies. I started thinking about this concept when I developed a simple chart which describes the future of IAM.
It starts with today’s IAM, which is sort of “Identity Management for Administrators”, i.e. solving mainly technical issues such as synchronizing information, with support for single sign-on or provisioning. I’ve titled the next level “Identity Management for Applications”, describing the service orientation and the integration into applications. It includes aspects like Application Security Infrastructures. Many vendors are working on a service layer or on the integration of business applications with their IAM products.
20.10.2007 by Martin Kuppinger
Dave Kearns, who will contribute as a track moderator and speaker to our European Identity Conference 2008, has introduced the term context-based authorization (and influenced my thoughts on this topic - thanks, Dave) as an approach for basing authorization on the context in which a user acts. It goes beyond risk-based authorization in two ways: it’s not binary, i.e. not just either in or out, and it potentially draws on more information about the context. I’d like to add some thoughts from my side and explain the difference between today’s risk-based authorization and tomorrow’s context-based authorization.
Risk-based authorization is an approach which has developed mainly in the financial industry. The idea is to observe and analyze user interactions to detect potential attacks and other dangerous situations. If a risk is detected, authorization to access a specific system, or specific data within a system, is denied. There are several vendors in this space, including Oracle with their Bharosa acquisition and Arcot Systems.
The idea of context-based authorization goes well beyond this, even though there is no hard borderline between the vendors of risk-based authorization and the context-based authorization idea. It’s more of an evolutionary process. I personally expect that today’s vendors in the risk-based authorization space (which sometimes have some ability for context-based authorization as well) will expand their products towards context-based authorization. I assume that we will see some new specialists in the space of context-based authorization as well. And for sure the key players in the IAM space will enter the market for context-based authorization either with the make or the buy approach, i.e. building it themselves or acquiring someone.
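To show the "not binary, and based on more context" difference in code, here is an added example (my illustration, not the original post's and not any vendor's product): the same request evaluated once by a binary risk-based check and once by a graded context-based policy. The context attributes, the roles, the score weights, the thresholds and the scenarios are all constructed for the example.

```python
"""Added example (not from the original post): a binary risk-based check
beside a graded context-based decision for the same request."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class Context:
    """Signals about the situation a request is made in. This attribute
    set is an assumption for the example; real products use many more."""
    user: str
    role: str
    device_managed: bool     # enrolled, patched corporate device?
    network: str             # "corporate", "vpn" or "public"
    travel_kmh: float        # distance/time since the previous login
    mfa_done: bool           # strong authentication already completed?
    working_hours: bool


class Decision(Enum):
    DENY = "deny"
    STEP_UP = "step_up"      # ask for strong authentication, then retry
    READ_ONLY = "read_only"  # allow, but downgrade the session to read
    ALLOW = "allow"


# Constructed static entitlements: what a role may do at all.
ROLE_ACTIONS = {"trader": {"view", "transfer"}, "auditor": {"view"}}
WRITE_ACTIONS = {"transfer"}
IMPOSSIBLE_TRAVEL_KMH = 900.0


def risk_score(ctx: Context) -> int:
    """Additive score from the signals; the weights are illustrative."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if ctx.network == "public":
        score += 25
    elif ctx.network == "vpn":
        score += 5
    if ctx.travel_kmh > IMPOSSIBLE_TRAVEL_KMH:
        score += 40
    if not ctx.working_hours:
        score += 10
    return score


def risk_based(ctx: Context, action: str, threshold: int = 50) -> bool:
    """Risk-based authorization as described above: the outcome is
    binary, either in or out."""
    if action not in ROLE_ACTIONS.get(ctx.role, set()):
        return False
    return risk_score(ctx) < threshold


def context_based(ctx: Context, action: str) -> Decision:
    """Context-based authorization: the same signals, but the answer is
    graded and depends on what is being asked for."""
    if action not in ROLE_ACTIONS.get(ctx.role, set()):
        return Decision.DENY            # no entitlement; context cannot help
    if ctx.travel_kmh > IMPOSSIBLE_TRAVEL_KMH:
        return Decision.DENY            # a hard stop regardless of the rest
    score = risk_score(ctx)
    if score >= 50:
        # Risky session: ask for stronger proof first; once that is there,
        # still keep the session to read access.
        return Decision.STEP_UP if not ctx.mfa_done else Decision.READ_ONLY
    if action in WRITE_ACTIONS and not ctx.device_managed:
        return Decision.READ_ONLY       # writes only from managed devices
    return Decision.ALLOW


def compare(ctx: Context, action: str) -> tuple[bool, Decision]:
    return risk_based(ctx, action), context_based(ctx, action)


# Constructed scenarios: the same trader asking to make a transfer.
SCENARIOS = {
    "desk": Context("alice", "trader", True, "corporate", 0.0, False, True),
    "cafe": Context("alice", "trader", False, "public", 0.0, False, True),
    "cafe_mfa": Context("alice", "trader", False, "public", 0.0, True, True),
    "home_pc": Context("alice", "trader", False, "corporate", 0.0, False, True),
    "teleport": Context("alice", "trader", True, "corporate", 1500.0, True, True),
    "auditor": Context("bob", "auditor", True, "corporate", 0.0, True, True),
}

if __name__ == "__main__":
    for name, ctx in SCENARIOS.items():
        allowed, decision = compare(ctx, "transfer")
        print(f"{name:10} risk-based={allowed!s:5} context-based={decision.value}")
```

Two scenarios carry the argument: "home_pc" passes the binary check (score 30, under the threshold) but the context-based policy still downgrades a transfer from an unmanaged device to read-only, and "teleport" shows a single strong signal producing a hard deny even though the additive score alone would have let it through. The graded outcomes are what a binary risk engine cannot express.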