A More Effective Approach to Securing Sensitive Enterprise Data

Date: 2007-11-19

Legions of hackers, identity thieves, saboteurs, phishers and scammers are assailing business integrity from the outside. Their attacks cost billions of dollars in annual damage (last year’s data losses for U.S. companies amounted to an estimated $50 billion), and force even greater incremental expenses in IT infrastructure and personnel to fend off further assaults. Even more numerous, though, are the rogue administrators, leakers, hapless computer “misplacers” and data compromisers on the inside. Several recent research reports indicate that insiders now account for as much as 85 percent of threats to data security. Many of these internal problems stem from inadvertent mistakes, not malicious intent, but even so, the harm is done.
 
Both internal and external incidents swell the drumbeat of lurid publicity. Frequent stories about missing laptops crammed with sensitive information, data theft, lost credit card files, employee and customer records, pension and Social Security data, critical business intelligence - a steady flow of security disasters unsettles the entire business environment and diminishes public confidence in many aspects of modern business practice.

Regulatory and industry compliance requirements, Sarbanes-Oxley and PCI, for example, are also driving the hunger for effective access management and auditing solutions.

Managing Access: A Big Ticket Item
The overhead associated with the task of managing appropriate resource access is staggering. Echelon One, a security research firm, has found that within the 700-member information security team at a major U.S. bank, fully 500 people were assigned to work on managing user access rights, also known as entitlements, for employee applications. Many of them spend their time hard coding authorization policies for employees to access specific functions and data within each application.

“As soon as the changes are made, many entitlements are already outdated, meaning the valuable assets fueling the bank’s business are dangerously exposed. Despite the best of intentions, they are no closer to the adherence of financial and compliance controls. Their risk level has not decreased,” according to Echelon One.

In fact, businesses everywhere are struggling with the challenge of how to provide access to key information without risking its misuse. Specifically, they are seeking to supply a growing and increasingly diverse user population, which includes employees, contractors, customers, vendors and partners, with the information necessary to fulfill their roles - but not with more than they actually need. Granting broad access to sensitive enterprise data to people who have no need for it creates huge risks.
IT departments are now expending vast resources on internal security in this game of security catch-up. According to Echelon One’s estimates:

  • 30 percent of new application budgets are allocated to authorization functions.
  • Line-of-business (LoB) managers spend up to 100 hours per year doing manual authorization policy reviews.
  • 100-500 hours are typically spent hard coding access policies for each application.
  • 40-60 percent of information security budgets are now dedicated to access and identity management.

Clearly, the huge expense of these tasks implies the potential for a high order of savings, productivity gains and security improvements, provided that organizations can escape the need to endlessly repeat the same access management chores.

Databases, Security and Sisyphus
In the famous Greek myth, the gods condemned Sisyphus to perpetually roll a heavy boulder up a steep mountainside, only to have the rock roll back down to the bottom each time he reached the summit. An eternity spent in this exhausting and futile labor was a terrible punishment indeed. The burden of Sisyphus probably strikes a familiar chord for IT shops that must create, enforce, update and audit separate sets of access controls for each application and data store. That’s the way many companies still do it, however, and therein lies an opportunity for them to effect large improvements in productivity and security while shedding costs.

Enterprises that collect and store sensitive information such as customer identity, credit card numbers, patient records, intellectual property, classified documents or other confidential information often struggle to secure the database effectively against both external and internal attacks. A common approach to protecting the information in corporate databases is to code or configure security policies into each individual application that connects to the database. This approach is complex and costly to maintain because any change in the security policy governing the data must be applied to each individual application. Furthermore, meeting compliance requirements is difficult, if not impossible, with this piecemeal approach because there is no centralized visibility over security policies and access activity.

Existing security tools do not address the fundamental need to protect the data itself based on the context of the access. Either they provide excessively coarse-grained control over the data source (an all-or-nothing proposition that does not work in most cases) or they require changes in all the applications that can access the data. Every application touching the data source requires developers to write custom code to filter database tables and present only the subset of the data that is appropriate to the context of the application, process and user making the request. The disadvantages of this approach include:

  • Costly redundant coding that is also difficult to maintain and update;
  • Lack of visibility into security policies and difficulty auditing the actual application user accessing the data;
  • Increased data leakage risk due to extraneous database columns, rows or fields sent to the application;
  • Updating data access policies requires a change in all the applications connecting to the database; and
  • A drag on the overall agility of the organization to quickly implement new applications and services or change policies.

Data-level authorization largely remains captive in individual applications, each with its own unique and disconnected access control policies. This creates inflexibility, inconsistent policy enforcement and redundant manual administration.

Entitlement management, the newest and most comprehensive approach to the problem, grants access to specific application and data resources only to those who are entitled to it. What’s more, security can be managed centrally, across all applications and data stores, regardless of platform or location. New applications emerging for the organization’s lines of business do not require custom code, because they can leverage the policies that have already been established for other applications.
Enterprises that need to control access to data based on a number of attributes – user profile, context of the request, time of day, etc. – have historically been forced to custom-code security policy into every individual application that connects to the database. This redundant coding is costly, difficult to maintain and presents auditing challenges. Moreover, each application often stores this information in its own unique fashion. There’s no consistency and much wasted effort - that heavy old boulder just keeps rolling back down the hill.
As unproductive as this model is in general, the growing need for compliance audits is making it more and more difficult to sustain. If you have to make a change to meet compliance requirements, you have to take the application down, review the hard-coded policies that filter the database tables, and get the developers involved once again to remediate any compliance violations.
Figure 1

Building Productivity by Escaping the Silos
By abstracting fine-grained data authorization policy from core application logic and delivering it as an eXtensible Access Control Markup Language (XACML) standards-based service, entitlement management can be deployed quickly and effectively on both a per-application and an enterprise-wide basis. This approach lets development teams implement fine-grained data security at a fraction of the time and cost of custom development. At the enterprise level, security teams can administer consistent policy, while risk and audit teams can review and change policy to meet compliance requirements. The considerable benefits of this design include the ability to make updates easily, to ensure consistent application of security policies and to audit for compliance.
Because an application or resource in an enterprise may have multiple owners, or at least multiple independent entities that need a say in its access rules (for example the application team, the compliance team and the information security team), the system must also accommodate multiple policy authors, whether central or distributed. Each must be able to define attribute-based access rules for a given database table autonomously, and the inevitable conflicts between their rule decisions (in many cases these conflicts are desirable, since they are a form of oversight) must be resolved configurably and deterministically, and audited.
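The multi-owner, attribute-based model described above, together with the centrally delivered and auditable policy service of the previous paragraph, as an added Python example; this is not code from the original article or from Securent's product. It mimics XACML's Permit/Deny rule effects and its deny-overrides and permit-overrides combining algorithms in plain Python; the owner names, the `patient_records` table and the request attributes are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

@dataclass
class Rule:
    owner: str                         # entity that authored the rule (hypothetical names)
    table: str                         # database table the rule governs
    effect: str                        # "Permit" or "Deny", as in XACML rule effects
    condition: Callable[[dict], bool]  # attribute predicate over the request

def evaluate(rules, request, combining="deny-overrides"):
    """Evaluate every rule for request['table']; return (decision, audit trail)."""
    audit, effects = [], []
    for rule in rules:
        if rule.table != request["table"]:
            continue
        if rule.condition(request):
            effects.append(rule.effect)
            audit.append((rule.owner, rule.effect))
        else:
            audit.append((rule.owner, "NotApplicable"))
    if not effects:
        return "NotApplicable", audit          # no owner's rule matched the request
    if combining == "deny-overrides":          # any Deny wins (the safer default)
        decision = "Deny" if "Deny" in effects else "Permit"
    elif combining == "permit-overrides":      # any Permit wins
        decision = "Permit" if "Permit" in effects else "Deny"
    else:
        raise ValueError(f"unknown combining algorithm: {combining}")
    return decision, audit

# Constructed policy set: three independent owners, one hypothetical table.
POLICIES = [
    Rule("application-team", "patient_records", "Permit",
         lambda r: r["role"] in ("clinician", "billing")),
    Rule("compliance-team", "patient_records", "Deny",
         lambda r: r["channel"] == "partner-portal" and r["role"] != "clinician"),
    Rule("infosec-team", "patient_records", "Deny",
         lambda r: not time(7, 0) <= r["time"] <= time(19, 0)),  # outside 07:00-19:00
]

def decide(role, channel, hour, minute=0, combining="deny-overrides"):
    """Build a request from user profile, channel and time of day, then evaluate it."""
    request = {"table": "patient_records", "role": role,
               "channel": channel, "time": time(hour, minute)}
    return evaluate(POLICIES, request, combining)
```

The audit trail returned with every decision records which owner's rule fired, so a conflict such as the application team permitting and the compliance team denying the same request is both resolved by the configured algorithm and visible to auditors.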

Benefits and Caveats

Entitlement management for databases can yield great benefits, including consistent compliance, enhanced visibility and security, large productivity increases and accelerated product development times. Collectively, these benefits can offset changeover costs very quickly (in our experience, sometimes in a matter of months).
By deploying entitlement management delivered as a standards-based service, organizations can untangle data authorization controls from applications, so they can be managed centrally, across application and data silos, regardless of platform. Consistent, fine-grained authorization policy across the enterprise eliminates the need for time-consuming and expensive hard coding of policies for each new application. In a large organization, where new users and applications are added constantly, this typically adds up to millions of dollars in savings.

Data entitlement management also supports consistent compliance by creating centralized and automated audit reviews across applications and issuing real-time reports and alerts delineating who can access and who has accessed what data, and who has made specific administrative changes.
But perhaps most importantly, effective entitlement management gives businesses the assurance that their valuable information is protected: centralized, consistent authorization policies mean access is always limited to just those people who should have it. So organizations can open their doors with confidence to employees, partners or consultants who need specific information in order to collaborate and advance business and strategic objectives. This kind of agility is critical in business environments that are constantly racing toward hyper-competitiveness.
Transition to any new metasystem inevitably demands diligence and time. In this instance, however, the investment is amply repaid in productivity and personal relief: that heavy old boulder will be gone for good.

Rajiv Gupta founded Securent, Inc., and leads the company as CEO, directing Securent’s overall strategy and direction in the application entitlement management market. He has more than 17 years of successful enterprise software and security experience, and is widely recognized as a pioneer of Web Services. He can be reached at rgupta@securent.com.