In-Depth

Securent Middleware Moves Authorization Out of Individual Apps

Network access control—or entitlement control, as Securent calls it—is all about authentication, access, and authorization.

• By Chris DeVoney
• 04/24/2007

The frequency of media accounts reporting improper access of computer data, including consumer, customer, patient, enterprise, employee, student, alumnus, or even average citizens, has increased from a news item every couple of months to reports on network news programs almost every other week. The recent revelation from TMX Corporation that 45.7 million accounts may have been compromised from its infrastructure, is just one example.

We don’t know the full story of the incident yet, but it reinforces the need to keep a handle on access to sensitive data. The reminder comes as many IT shops tackle more Web portals, collaborative projects, and SOA initiatives that increase the availability of data and complexity of managing access from inside or outside the house, whether by authorized user, trusted partner, or cyberfelon.

One player in the evolving access-control security field is Securent, Inc. which offers a middleware platform for IT assets. The company is headed by founders Rajiv Gupta and Dr. Sekhar Sarukkai, both cofounders of Web services management company Confluent Software (which was swallowed by Oblix, then Oracle) and established considerable chops at HP.

The product focuses on what Securent calls “entitlement control,” a term almost synonymous with network access control (NAC). Consider IT security’s Triple-A: authentication, access, and authorization. After establishing and verifying identity (authentication), access to IT assets is either permitted or denied; assets range from networks and applications to databases, Web sites, and portals.

Once access is granted to the IT asset, authorization determines the resources and actions the user is allowed. As the complexity of the asset (such as an application) increases, the granularity of authorization grows from very course (allow or deny all) to fine-grained (allowable actions vary by specific data or data sets).

Usually, the burden of providing the increased granularity is on the application (and its development/implementation team) and the burden for establishing, maintaining, and auditing the granularity is on the operations teams. Replicate that effort across the enterprises’ myriad applications and you have data fiefdoms with duplicated efforts, disjointed access security, and increasing response times.

That’s the major burden that Securent’s Entitlement System shoulders. The software consolidates by moving the authorization decisions out of individual applications and into an external system with central management and distributed enforcement.

A drag-and-drop administrative console is used to define dynamic roles and rule-based policies per application. Roles can be based on specific identities or attributes stored in repositories such as Active Directory or LDAP. Policies and subpolicies can enforce access based on a rich range of criteria such as roles, individual data element, data value (such as dollar amounts), device type or location, or time of day.

Depending on transactions levels and network geography, the roles and rules are pushed to policy decision points (PDPs) that evaluate access requests coming from the applications devices (including the application, Web, or database serves involved). Software on the devices performs the function of Policy Enforcement Point (PEP) which allows/denies access.

Securent cites a few examples of the granularity, such as:

• enforcing the Chinese Wall and stopping any instant messages between stock brokers and analysts
• allowing refund transactions only during business hours
• granting access to any patient medical record to emergency room personnel but restricting nursing personnel to accessing information only for the patients on the unit’s floor

Operationally, the centralized control and distributed execution permits pushing out an audit exception remediation or performing ad-hoc audits within seconds. Securent claims up to a 30 percent decrease in project time and costs by moving access control out of the application and into the manager.

Wanting to work with most applications, databases, and platforms, Securent supports J2EE, Spring-ACEGI, SOAP, .Net, C#, C++, VB and COM, integration with commonly deployed commercial applications including Microsoft SharePoint, BEA WebLogic Portal, IBM WebSphere Portal, JBoss Portal, and Documentum. Support for XACML 2.0 (the OASIS standard that describes the language that defines access control policies and communicates access-control decisions) allows faster implementations with an increasing number of applications.

Securent isn’t the only player in the access control market, but is one of the first to push support of XACML. The standard has heavyweight industry backing, but depends on the kindness of implementers to be interoperable. Even with a mature standard such as the health-care industry’s HL7, interfaces between major systems can takes days to months to design, implement, and test.

Securent says it has customers that have gone from zero to full function in under three months, and several have shaved months off of development and weeks off of auditing. The obvious sweet spots for the product are companies with heavy compliance needs such as financial (banks, brokerage, insurance) or health-care/pharma industries, telecommunications (with its extensive CSR use), and government.

Access control isn’t the next great computing frontier, but the headlines are pushing the need into the forefront of security concerns. It may be time to calculating the cost of maintaining access control, including audits, in the individual applications rather than a middleware solution. If those costs head into six digits, it’s probably time to investigate a product such as Securent’s.