Saturday, February 04, 2012

F*** it, I'm lighting 100 candles - Entitlement Management 2012

Photo credit: Alessandro Silipo
One of the most widely read series of posts on my blog relate to entitlement management (part 1, part 2). In fact, do a search on Google for "entitlement management" and part 1 appears on the first page of search results (albeit below the fold). Don't read them yet. You'll get tired and won't come back to continue reading this :-)

I wrote those posts over 2 years ago to stir the pot. They served their purpose and garnered some great discussion with a few luminaries in this space (including esteemed analysts from Gartner and Forrester).

At the time, I argued that the term "entitlement management" was typically used to refer to fine-grained access management or real-time, attribute-based, authorisation enforcement (e.g. as per the products offered by IBM, Oracle, Axiomatics and BiTKOO (now part of Quest Software)). But on the flip side, I did acknowledge (in part 2) that there were other ways to define it:
  1. The processes and solutions around gathering, interpreting, and cleansing entitlements.
  2. User-managed (or user-centric) entitlement management.
Point number 2 is a topic best left for another day, especially as it involves discussions around online services (see UMA for more info).

The first point however, is what we now commonly refer to as access governance (e.g. SailPoint, Aveksa). Some use "identity intelligence" (thanks to the analysts), but in my opinion, identity intelligence is a broader term that also includes data analytics and Security Information and Event Management (SIEM). However, "manage user entitlements" is another commonly used term in access governance discussions. In fact, it is used so often that I'm starting to find when anyone talks about entitlement management, more often than not, they mean managing user entitlements for access governance purposes.

Back in 2009 (when I wrote the posts referenced above), I was convinced that real-time, attribute-based, fine-grained authorisation enforcement would take off. IBM and Oracle certainly thought so too. I have yet to come across a security architect who doesn't think it's a good idea. I still think it's a great idea. But in the world of Information Security, just because something is a good idea does not make it compelling. Compelling; aye, there's the rub. If I had to distil security spending decisions down to one word, it would be: "compelling". In a recent presentation I gave, I said:
"Sexy technology doesn't sell security. Interesting technology doesn't sell security. But give someone a compelling reason, and they'll buy a security solution."
That statement sums up why entitlement management has evolved to be more about access governance than fine-grained access management.

Trying to sell someone on the fine-grained access management story is an almost impossible, thankless task. If any of you have ever had to sell a provisioning solution without out-of-the-box adapters (or agents, or drivers, depending on which vendor's solution you are familiar with), multiply that pain by a factor of 100 and you might start to get close to the challenges faced with selling a fine-grained access management solution. It's like saying: "please buy our power station, but you have to figure out how to build the light bulbs yourself after ripping out the ceiling to install wires and by the way, there are 1000 ways you can build light bulbs using 1000 different sockets into the wiring with each bulb running at a different wattage".

Access governance initiatives on the other hand, are almost always driven by regulatory compliance requirements. This makes access governance initiatives compelling. It is also why SailPoint and Aveksa are doing so well.

To be successful at selling fine-grained access management solutions, you have to go to customers with a pre-built set of light bulbs and only focus on the ones with wiring compatible with your set of light bulbs. It's why BiTKOO does well in Microsoft SharePoint environments.

Essentially, access governance solutions are much less intrusive, much easier to integrate and are supported by compelling reasons to buy.

As reliant as we are on electricity nowadays, if we were told we had to rip our ceiling out, install wiring ourselves and build our own light bulbs, most of us would say:
"F@#$ it, I'm lighting 100 candles."

No comments: