ARN
Entitlement management: Access control on steroids
Entitlement management tools bring fine-grained access control to another level
Denise Dubie (Network World) 04 December, 2007 10:47:33

"Entitlement management technology can implement policies that say who can have access to what and at what time and in what context. The level of controls can be very deep and broad. Identity management systems don't cover the granularity requirements of entitlement management," adds Andras Cser, a senior analyst with Forrester Research.

How entitlement works

Typically entitlement management products pull identity management data from LDAP, Active Directory or human resource directories and integrate with identity and access management tools from CA, IBM, Oracle and others to help customers build entitlement policies. Some vendors such as Securent provide a drag-and-drop interface for building such policies.

Once built, the technologies monitor access across a company to determine if actions taken are in line with pre-set policies. In Securent's case, one part of its three-part Entitlement Management Solution sits, say, on the same server as Microsoft's SharePoint Server, monitors any interactions going into the server and decides, based on pre-set policies, whether the access should be allowed.

For instance, if a financial services firm had a policy that restricted brokers from contacting analysts directly, the company would otherwise have to write code in each application in which the two groups might interact to prevent such occurrences. With entitlement management, the policies themselves would restrict the contact between the people, Securent executives say. "Based on who you are, you only see a subset of certain resources. It becomes not even an option to access certain systems," says Rajiv Gupta, Securent founder and CEO.

Entitlement management tools can then track and report access to applications and systems - or even be tied to physical security systems - to provide data for audit purposes. Essentially, entitlement management products automate processes that were impossible to maintain in the past, industry watchers say.
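The broker/analyst rule above, written once as central policy rather than in each application, with every decision recorded for audit. This is an added sketch, not Securent's product or API; the user names, roles, business hours and the `decide` function are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed identity data, standing in for attributes pulled from LDAP/AD/HR.
DIRECTORY = {"alice": "broker", "bob": "analyst", "carol": "compliance"}

@dataclass(frozen=True)
class Rule:
    effect: str                    # "permit" or "deny"
    subject_role: str              # who is asking
    action: str
    target_role: str               # role of the person contacted; "*" = any
    start: time = time(0, 0)       # context: time window in which the rule applies
    end: time = time(23, 59, 59)

# Hypothetical central policy; applications hold no broker/analyst logic.
POLICY = [
    Rule("deny", "broker", "contact", "analyst"),
    Rule("permit", "broker", "contact", "*", time(8, 0), time(18, 0)),
    Rule("permit", "compliance", "contact", "*"),
]

AUDIT_LOG = []  # every decision is recorded for later review

def decide(user, action, target, at):
    """Return True only if a permit rule matches and no deny rule does."""
    subj, tgt = DIRECTORY.get(user), DIRECTORY.get(target)
    decision, reason = "deny", "no matching rule"   # default deny
    if subj is None or tgt is None:
        reason = "unknown identity"
    else:
        for rule in POLICY:
            if (rule.subject_role, rule.action) != (subj, action):
                continue
            if rule.target_role not in ("*", tgt) or not rule.start <= at <= rule.end:
                continue
            decision, reason = rule.effect, f"{rule.effect}: {subj} -> {rule.target_role}"
            if rule.effect == "deny":
                break                               # deny overrides any permit
    AUDIT_LOG.append((at.isoformat(), user, action, target, decision, reason))
    return decision == "permit"

if __name__ == "__main__":
    for who, whom, when in [("alice", "bob", time(10, 0)), ("alice", "carol", time(10, 0)),
                            ("alice", "carol", time(22, 0)), ("carol", "bob", time(22, 0))]:
        decide(who, "contact", whom, when)
    for entry in AUDIT_LOG:
        print(entry)
```

Each application calls `decide` at its enforcement point, so changing the rule means editing `POLICY` once, and `AUDIT_LOG` holds the who, what, when and why of each decision.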

"Entitlement management is the real-time enforcement of access control policies. The technology is able to look at what everyone has access to, review the access criteria, and certify and attest that management has granted the access," says Roberta Witty, a research vice president at Gartner. "These are actions that you always wished you could get to, but have always been difficult to do because there haven't been automated tools, IT managers can't keep up with the changes, and historically entitlements have been written for just a small subset of applications."

While many entitlement management products can work independently of existing identity and access management suites, industry watchers say IT managers should not expect the technology to exist as a stand-alone option.

"Long term, I see convergence of identity and access management technologies from Novell, CA or Tivoli with entitlement management features. No one is going to want multiple repositories and roles so entitlement management will be consolidated into larger identity life-cycle management products," Cser says. "Customers don't want point products for entitlement."

For instance, Aveksa has built connectors into identity management platforms such as Sun Identity Manager, CA Identity Manager, Windows File Shares and IBM Tivoli Identity Manager.

Putting it in place

While security seems to be a main driver for deploying entitlement management, IT managers say reducing administrative and operational headaches is another top reason to implement the technology.

Timothy Moore chose Securent to automate several time-consuming tasks around application entitlements at insurance provider First American. Moore, who previously served as senior architect in the enterprise technology group at First American and deployed Securent technology about 18 months ago for the insurance company, says he was addressing the company's fine-grained authorization problem - which was mostly administrative.
