Information Security Research Library

How do CIOs make sure that credentialed users can access the IT resources they need while hackers and criminals are locked out? Unfortunately, the answer to this question is far from straightforward. In most companies, access controls are made up of a complex error-prone patchwork of network, system, and application security gates like firewalls, Access Controls (ACLs), network directories, and application-specific custom coding. Aside from being an ugly disconnected mess, do these controls really serve the business and security needs of large organizations? This white paper concludes:

• Business demands will obsolete today's access control tapestry. New Internet-facing Web 2.0 and SOA applications servicing a growing population of non-employees, mobile workers, and Internet devices are already breaking existing access control models compromising security and holding back business initiatives. Changes are needed -- quickly.
• Large organizations must embrace entitlement management. To meet business needs, enterprises need a new discipline called entitlement management, which provides authentication and authorization as a centralized service. Entitlement management promises granular access control across multiple applications while bolstering security and easing IT operations simultaneously.
• Entitlement management will move to the network. ESG believes that entitlement management will ultimately become a set of services called Network-based entitlement control (NBEC). In reality, this trend is already underway emulating a server-to-network migration similar to application acceleration functions like SSL acceleration, proxy/cache, and network traffic compression.