Wednesday, May 13, 2009


"Entitled" to an opinion?

My good friend Ian Glazer, over at the Burton Group, had an interesting post today called Nailing Down the Definition of "Entitlement Management". Unfortunately, he missed.

Ian started out pointing to Ian Yip’s definition ("Entitlement management is simply fine-grained authorisation + XACML") and showing why it's wrong. And I do completely agree with Glazer on that.

But he goes on to say that the enterprises that Burton is talking to use the term differently. He says:

"The enterprises that we talked to use 'entitlement management' to mean:
· The gathering of entitlements from target systems (for example, collecting all the AD groups or TopSecret resource codes)
· Reviewing these entitlements to see if they are still valid
· Reviewing the assignment of these entitlements to individuals to see if the assignments are appropriate
· Removing and cleaning up excessive or outdated entitlements"

My first question to Ian, then, is this: if your clients (as many have in the past) referred to the enforcement of access controls/policies as "authorization" would you assume that definition for further discussion or try to get people to use the term properly?

"AD groups" are not, by any stretch of the definition, an entitlement. Nor should an "entitlement" be assigned to "an individual". Let's use entitlement at least in an analogous way to the real world - no one is "entitled" to something based on their name. All entitlement comes from their group or role. The same should be said of digital entitlements. So gather users' access rights, please. But then group those rights into an entitlement and grant them to a role and/or group.

Differentiate entitlement management from access management, too (otherwise, why use both terms?). Individuals get access; roles/groups get entitlements. Access is granted to resources (hardware, applications, services, etc.), while entitlements specify what a particular role/group can do with or within that resource.
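The model argued for above (raw rights harvested from target systems, bundled into named entitlements, granted only to roles, with individuals holding roles) can be made concrete in a few lines. The following is an added illustration written for this page, not code from Burton Group, Securent or any product; the system names, group names, resource codes, users and roles are constructed sample data. It also carries out the review step from the quoted definition: comparing what a user actually holds in the target systems against what their roles entitle them to, so excessive (unjustified) and missing rights fall out of the comparison.

```python
"""Role-based entitlement model and rights review (illustrative, constructed data)."""
from typing import Dict, Set, Tuple

# A "right" is an atomic grant as it appears in a target system:
# (system, identifier), e.g. an AD group or a TopSecret resource code.
Right = Tuple[str, str]

# Step 1: rights gathered from target systems, keyed by individual.
# Constructed sample: Bob holds a domain-admin group no role justifies.
RAW_RIGHTS: Dict[str, Set[Right]] = {
    "alice": {("AD", "GRP-PAYROLL-RW"), ("TopSecret", "PAYDB.UPDATE")},
    "bob": {("AD", "GRP-PAYROLL-RO"), ("AD", "GRP-DOMAIN-ADMINS")},
}

# Step 2: rights grouped into named entitlements (what can be done within a resource).
ENTITLEMENTS: Dict[str, Set[Right]] = {
    "payroll-edit": {("AD", "GRP-PAYROLL-RW"), ("TopSecret", "PAYDB.UPDATE")},
    "payroll-view": {("AD", "GRP-PAYROLL-RO")},
}

# Step 3: entitlements are granted to roles, never to individuals.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payroll-clerk": {"payroll-edit", "payroll-view"},
    "auditor": {"payroll-view"},
}

# Individuals hold roles; that is the only way they come to be "entitled".
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"payroll-clerk"},
    "bob": {"auditor"},
}


def grant_entitlement(role: str, entitlement: str) -> None:
    """Bind an entitlement to a role. Refuses subjects that are users, not roles."""
    if role in USER_ROLES:
        raise ValueError(f"{role!r} is an individual; grant a role instead")
    if entitlement not in ENTITLEMENTS:
        raise KeyError(f"unknown entitlement {entitlement!r}")
    ROLE_ENTITLEMENTS.setdefault(role, set()).add(entitlement)


def expected_rights(user: str) -> Set[Right]:
    """Resolve user -> roles -> entitlements -> rights the user should hold."""
    rights: Set[Right] = set()
    for role in USER_ROLES.get(user, set()):
        for ent in ROLE_ENTITLEMENTS.get(role, set()):
            rights |= ENTITLEMENTS[ent]
    return rights


def has_access(user: str, system: str, identifier: str) -> bool:
    """Access decision derived from roles, not from whatever the target system holds."""
    return (system, identifier) in expected_rights(user)


def review(user: str) -> Tuple[Set[Right], Set[Right]]:
    """Compare harvested rights against role-derived rights.

    Returns (excessive, missing): rights held with no justifying role, and
    rights a role entitles the user to that the target systems do not show.
    """
    actual = RAW_RIGHTS.get(user, set())
    expected = expected_rights(user)
    return actual - expected, expected - actual


if __name__ == "__main__":
    for who in RAW_RIGHTS:
        excessive, missing = review(who)
        print(f"{who}: excessive={sorted(excessive)} missing={sorted(missing)}")
```

Running the module prints Bob's unjustified domain-admin group as excessive and Alice's absent read-only group as missing; an attempt such as `grant_entitlement("bob", "payroll-edit")` is rejected because the subject is an individual rather than a role.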

If we all try really hard, maybe we can all speak the same language! That said, we should always be aware of what Richard Feynman said: "You can know the name of a bird in all the languages of the world, but when you're finished, you'll know absolutely nothing whatever about the bird... So let's look at the bird and see what it's doing -- that's what counts. I learned very early the difference between knowing the name of something and knowing something."


Thursday, November 01, 2007


Cisco gets entitled - updated

Cisco Systems announced this morning a definitive agreement to acquire entitlement management leader Securent, Inc.

I've disagreed with Securent CEO Rajiv Gupta on some issues, notably the use of role management in identity and entitlement systems, but I can't disagree about this move - it makes a good deal of sense from Securent's perspective.

Entitlements, usually linked to applications and the rights and privileges users have within those applications (as opposed to standard operating system rights to access the application), should also be linked to the field of Network Access Control - NAC (which Cisco calls Network Admission Control). From that point of view it's also a good move on Cisco's part.

Whether or not it advances Identity Management at all, though, is open to question. Cisco, certainly, has a view of identity that's very much at odds with other major technology vendors. As a hardware company, it tends to focus on the platform, not the user. It's important to remember that all those "things" in the network have identity, but not at the expense of the people using those things. By the same token, Securent might be thought of as focusing too narrowly on the rules and not seeing the users whom the rules are built to support.

I don't think this signals a round of acquisition activity for entitlement management companies, but only time will tell about that. In the meantime, keep working on your Role Management rollout.

UPDATE: As someone pointed out to me, Securent will join Cisco's "Collaboration Software Group" which, as far as I can tell, is the group responsible for WebEx and not much else. The group is headed by Don Proctor, formerly Senior Vice President of the Voice Technology Group, a remarkably unsuccessful branch of the networking powerhouse. In looking around the Cisco web site, in fact, they seem more of a candidate to become a Securent client rather than an acquirer - unless John Thompson Chambers (thanks, Ian!) wants to keep the technology all to himself!


© 2003-2006 The Virtual Quill, All Rights Reserved
