Faced with looming regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, Craig Shumard, chief information security officer for healthcare provider Cigna, knew he needed better tools for role-based access control.
"In the past many employees would just dole out access rights based on a peer's profile, but it is not efficient nor is it prudent from a security and regulations standpoint to give employees more access than they need to applications and data," Shumard says. "We only want to dole out the minimum access employees need to do their job effectively and only for as long as they need to do that job."
When his search began more than five years ago, nobody was offering what he needed. The limitation of his prior role-based access control tool was that it was "only as good as the day you do it because people are constantly moving, companies are realigning and functions are changing," he explains. Role-based access control was fundamental to his company's business processes, but the system he had "was a massive process with a lot of moving pieces that became a struggle to maintain."
Today, Shumard uses software from Aveksa to automate fine-grained authorization that involves 1,800 multi-layered roles and 2,400 sub-roles. The tool makes it possible for staff to stay on top of doling out, updating and pulling back roles and access rights to employees, he says.
"Fine-grained authorization and entitlement management allows you to externalize security from the applications and helps drive out complexity and improve policy-based management. It is not a trivial thing," Shumard says.
For example, Aveksa integrates with Cigna's human resources database to automatically provision pre-defined roles when a new employee comes on board, and to de-provision those same users if their jobs change or they leave the company. The Aveksa workflow tool is used by the security team to pull together role owners, application stewards and managers to keep roles up to date and systems secure from unauthorized access, he says.
The software runs on a Linux operating system and Oracle database, and is also available as an appliance. Pricing for Aveksa 3 Enterprise Access Governance Suite starts around US$140,000 for 1,000 users and 25 applications. Aveksa features a Web-based interface that is open not only to IT security staff; business managers can also tap into it to create and review roles. "What a customer service representative does today can change by tomorrow so we had to expand how we defined roles and automate the process of keeping them up to date," Shumard says.
Taking on entitlements
Aveksa is one of a number of vendors in a new product category known as entitlement management. The benefits of entitlement management include improving security, particularly when it comes to protecting data from internal misuse, reducing risk and achieving compliance.
"I consider entitlement management the passing of the torch as the next great task for identity and access management technologies," says Earl Perkins, a research vice president at Gartner. "A critical mass has been reached in which IT managers have installed identity and access management and can now deliver authorization management in their application platform environment."
For instance, an employee with access to accounts payable data can be denied access to accounts receivable applications. An employee with access to sales account data at 3 p.m. may be denied access to the same data at 3 a.m. And an employee allowed into a database could be cut off if he tried to download amounts of data that exceeded pre-set thresholds.
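The three cases above, sketched as a default-deny policy check. This is an added example, not code from the article or from any vendor's product; the role names, resources, time window and row limit are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    resource: str                   # application or data set the role may reach
    start: time = time(0, 0)        # access window start (inclusive)
    end: time = time(23, 59, 59)    # access window end (inclusive)
    max_rows: Optional[int] = None  # per-request download ceiling; None = no cap


# Constructed policy: every name and limit here is illustrative only.
POLICY = {
    "ap_clerk": [Entitlement("accounts_payable")],
    "sales_rep": [Entitlement("sales_accounts", time(8, 0), time(18, 0))],
    "analyst": [Entitlement("claims_db", max_rows=5000)],
}


def decide(roles, resource, at, rows=0):
    """Return (allowed, reason); deny unless some role explicitly grants."""
    denials = []
    for role in roles:
        for ent in POLICY.get(role, []):
            if ent.resource != resource:
                continue  # entitlement is for a different application
            if not (ent.start <= at <= ent.end):
                denials.append(
                    f"{role}: outside {ent.start:%H:%M}-{ent.end:%H:%M}")
                continue
            if ent.max_rows is not None and rows > ent.max_rows:
                denials.append(f"{role}: {rows} rows exceeds {ent.max_rows}")
                continue
            return True, f"granted by {role}"
    # The reason string is what an audit log or access review would record.
    return False, "; ".join(denials) or "no entitlement for resource"


if __name__ == "__main__":
    print(decide(["ap_clerk"], "accounts_receivable", time(10, 0)))
    print(decide(["sales_rep"], "sales_accounts", time(15, 0)))
    print(decide(["sales_rep"], "sales_accounts", time(3, 0)))
    print(decide(["analyst"], "claims_db", time(12, 0), rows=50000))
```

Keeping the decision outside the applications, with a reason attached to every denial, is what lets role owners review and adjust entitlements without touching application code.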
Vendors such as BEA, Securent, Jericho Systems and Oracle (with its BridgeStream acquisition) say they can provide the technology to simplify what most describe as a necessary yet complicated and time-consuming task. Others such as SailPoint, Vaau, BHOLD and Eurekify also work to simplify enterprise role management.
"It's a young area and there is not a lot of agreement over which vendors or products belong in which market segment," says Mike Neuenschwander, vice president and research director of Burton Group. "There is a bit of frenzy around entitlement management because it can help with security and compliance audits, but mostly it is a great opportunity to centralize application access management and put more controls in place to reduce enterprise risk, while still making necessary resources available."