<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-36930068.post5952846974566386190..comments</id><updated>2009-06-09T14:40:37.790+10:00</updated><title type='text'>Comments on Ian Yip's Security and Identity Thought Stream: The entitlement and access management equation</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://blog.ianyip.com/feeds/5952846974566386190/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html'/><author><name>Ian Yip</name><uri>http://www.blogger.com/profile/07620054411151781462</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>8</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-36930068.post-6728071099265212161</id><published>2009-06-09T14:40:37.790+10:00</published><updated>2009-06-09T14:40:37.790+10:00</updated><title type='text'>Interesting hypothesis...

I disagree with the fir...</title><content type='html'>Interesting hypothesis...&lt;br /&gt;&lt;br /&gt;I disagree with the first point and somewhat agree with the second point (although the XACML comment is highly debatable).&lt;br /&gt;&lt;br /&gt;A WAM policy protecting an application entry point can be fine-grained or coarse-grained, depending on how much information needs to be evaluated...this could include form post data, query string data, session context data, authentication strength data, IP location data, etc.&lt;br /&gt;&lt;br /&gt;If we assume for a second that entitlement management = authorization (not a done deal yet btw), then authorization is about fine-grained access management.&lt;br /&gt;&lt;br /&gt;All authorization policies should be fine-grained in nature...it&amp;#39;s just a matter of how stringent security requirements are and how sophisticated one&amp;#39;s policy engine is to meet those requirements.&lt;br /&gt;&lt;br /&gt;To summarize, I see the fine-grained vs coarse-grained discussion being about defining a security policy that meets the business need - it doesn&amp;#39;t define the market.&lt;br /&gt;&lt;br /&gt;And XACML is just one of many ways to implement authorization policies.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/6728071099265212161'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/6728071099265212161'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1244522437790#c6728071099265212161' title=''/><author><name>Vadim L</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190'
source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-2798286046421922824</id><published>2009-05-15T04:21:00.000+10:00</published><updated>2009-05-15T04:21:00.000+10:00</updated><title type='text'>Well said Steve. I think IBM missed the mark with ...</title><content type='html'>Well said Steve. I think IBM missed the mark with TSPM.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/2798286046421922824'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/2798286046421922824'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242325260000#c2798286046421922824' title=''/><author><name>Ian Yip</name><uri>http://www.blogger.com/profile/07620054411151781462</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10232190331291713199'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-3239506673981875735</id><published>2009-05-14T01:57:00.000+10:00</published><updated>2009-05-14T01:57:00.000+10:00</updated><title type='text'>To Paul's point that the scope of policy-driven ac...</title><content type='html'>To Paul's point that the scope of policy-driven access control is not limited to Web access layer, I think one aspect of the issue with IBM TSPM is that SOA-governance requirements were on the lengthy wish list involved in TSPM's 
product definition. The need to globally manage and reconcile local enforcement rules, and to integrate services registry information into policy definitions are DataPower product management concerns. On the other hand, the ability to apply attribute-based controls on application objects and containers is more of a Web access management policy requirement. There needs to be a shared abstraction layer that both (WAM, SOA/WS) feed off - that TSPM doesn't quite seem to satisfy.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/3239506673981875735'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/3239506673981875735'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242230220000#c3239506673981875735' title=''/><author><name>Steve</name><uri>http://www.blogger.com/profile/18314282546530456146</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-7273049623282331224</id><published>2009-05-13T23:55:00.000+10:00</published><updated>2009-05-13T23:55:00.000+10:00</updated><title type='text'>Paul,

I'm not making an assumption at all. I'm in...</title><content type='html'>Paul,&lt;br /&gt;&lt;br /&gt;I'm not making an assumption at all. I'm including ALL sorts of applications and systems. I didn't point this out (although I might soon) but I don't agree with the term "web access management" at all because it focuses too much on the reverse proxy component. In truth, many web access management products can do a lot more and that's my point. The word "web" in "web access management" is a red herring the industry's chosen to throw in.&lt;br /&gt;&lt;br /&gt;Matt,&lt;br /&gt;&lt;br /&gt;I like the way you're looking at this. After all, that's what I'm trying to say. It's all simply access management. There is no need to try to fool everyone into thinking entitlement management is a new concept that needs a new product. The reason I've thrown XACML into the mix is because in today's environments, there needs to be a standard and apparently some sort of web service capability. I agree that without XACML it would still be entitlement management, but by many definitions I would have been pulled aside for ignoring that part of so-called "entitlement management".&lt;br /&gt;&lt;br /&gt;Swannie,&lt;br /&gt;&lt;br /&gt;Your TAM example is one of the things I'm referring to where IBM could have just tightened up the TAM product to bring it up to speed with what's required today. And yes, I don't particularly like trying to explain the difference between access and entitlement management to customers either.&lt;br /&gt;&lt;br /&gt;Neil,&lt;br /&gt;&lt;br /&gt;That's a pretty good way to look at it. Thanks for the clarification on the TAM and XACML thing. Will update the post. Minor point too mate. Why are you spelling like an American?
:-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/7273049623282331224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/7273049623282331224'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242222900000#c7273049623282331224' title=''/><author><name>Ian Yip</name><uri>http://www.blogger.com/profile/07620054411151781462</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10232190331291713199'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-5113404010594327429</id><published>2009-05-13T22:54:00.000+10:00</published><updated>2009-05-13T22:54:00.000+10:00</updated><title type='text'>One other way I have seen authorization vs entitle...</title><content type='html'>One other way I have seen authorization vs entitlements characterized is by the perspective from which the access control data is viewed.  I try to talk about authorization when taking a resource centric view (e.g. who can do something), and entitlements for a user centric view (e.g. what can this user do).  
In the end, it may be the same data making both of those determinations.&lt;br /&gt;&lt;br /&gt;Also, to correct a minor point, there was never an XACML offering for TAMeb.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/5113404010594327429'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/5113404010594327429'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242219240000#c5113404010594327429' title=''/><author><name>Neil Readshaw</name><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-4369630312549201874</id><published>2009-05-13T02:38:00.000+10:00</published><updated>2009-05-13T02:38:00.000+10:00</updated><title type='text'>I agree with Matt with everyone :-)

TAMeb, for ex...</title><content type='html'>I agree with Matt with everyone :-)&lt;br /&gt;&lt;br /&gt;TAMeb, for example, is usually used to provide coarse-grained access control at the URL level, but the Authorisation Server component provides fine-grained access control right down to the EJB layer, and the API allows for any application to perform authorisation requests. (In a past life, I've knocked up a dodgy desktop VB application and had it talking to a TAMeb Authorisation Server for authorisation requests.)&lt;br /&gt;&lt;br /&gt;BTW. Consider the terms: Entitlement Management, Identity Management, Access Management, Privacy Management, Security Management. To those who don't understand what each actually means, it could seem that these are basically variations on the same theme.&lt;br /&gt;&lt;br /&gt;It can be frustrating telling someone why Identity Management is not the same as Access Management (believe me, I've had too many of those conversations). Trying to fit Entitlement Management into the conversation is not something I want to do :-)</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/4369630312549201874'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/4369630312549201874'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242146280000#c4369630312549201874' title=''/><author><name>Stephen Swann</name><uri>http://www.blogger.com/profile/02171157277282964684</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190'
type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-5223355700235119436</id><published>2009-05-13T01:01:00.000+10:00</published><updated>2009-05-13T01:01:00.000+10:00</updated><title type='text'>Ian, in addition to what Paul wrote, I would also ...</title><content type='html'>Ian, in addition to what Paul wrote, I would also be careful not to define a solution's business value by the technology used to implement it. &lt;br /&gt;&lt;br /&gt;For example, some Web-SSO solutions have the ability to provide fine-grained access control through the use of API calls from the web app. In that scenario, it's entitlement management (because you use the Web-SSO solution to manage fine-grained entitlements) but not XACML.&lt;br /&gt;&lt;br /&gt;So, IMHO, we use the term 'Access Management' broadly as a category and 'Entitlement Mgt' is one capability within that category. And XACML is one way to implement Entitlement Mgt.&lt;br /&gt;&lt;br /&gt;'Enterprise Entitlement Management' is about finding a solution to manage access permissions across a broad range of solutions.
And the solutions that most people refer to as 'web access management' are just one of the systems that an enterprise entitlement management solution would help manage.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/5223355700235119436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/5223355700235119436'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242140460000#c5223355700235119436' title=''/><author><name>Matt Flynn</name><uri>http://www.blogger.com/profile/09902381553517250020</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry><entry><id>tag:blogger.com,1999:blog-36930068.post-8002693842950093902</id><published>2009-05-13T00:07:00.000+10:00</published><updated>2009-05-13T00:07:00.000+10:00</updated><title type='text'>I think you are making a huge assumption that enti...</title><content type='html'>I think you are making a huge assumption that entitlements management is only related to the web access layer. You seem to be purely discussing the concept of entitlement management as the next level from coarse-grained entitlements within a web application.&lt;br /&gt;&lt;br /&gt;Whilst that is one of the applications of entitlements management, you seem to miss the point that a proper entitlements management solution can work at any tier and with any application.&lt;br /&gt;&lt;br /&gt;For example, Oracle Entitlements Server can indeed integrate at the web application layer.
However, it also has integration at the application tier, the integration tier and even the data tier. This allows you to enforce a standard policy for a particular application or set of data across all tiers and channels of access consistently.&lt;br /&gt;&lt;br /&gt;As soon as you understand this concept, then you appreciate why these are two separate products since they can address different requirements. I agree that they have complementary capabilities but it isn't right to assume that all authorisation can or should be done within the web access management product.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/8002693842950093902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/36930068/5952846974566386190/comments/default/8002693842950093902'/><link rel='alternate' type='text/html' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html?showComment=1242137220000#c8002693842950093902' title=''/><author><name>Paul</name><uri>http://blog.pdtoal.com</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://blog.ianyip.com/2009/05/entitlement-and-access-management.html' ref='tag:blogger.com,1999:blog-36930068.post-5952846974566386190' source='http://www.blogger.com/feeds/36930068/posts/default/5952846974566386190' type='text/html'/></entry></feed>