To Wachovia's Ryan Bagnulo, business rules are application security policies, and in the big picture he sees, security lies at the heart of governance for both applications and IT systems.
Bagnulo, who is head of architecture and innovation for Wachovia Corp.'s Corporate Investment Bank Technology (CIBT) area in the CTO Group, has taken some first steps toward that vision with the deployment of an Entitlement Management Solution (EMS) from Securent Inc. for enforcing fine-grained application security.
"Authentication, who you are, is coarse-grained -- what role or group are you, or what application are you allowed to use. The tricky part is fine-grained -- when you're in the application, what are you allowed to do?" explained Bagnulo.
For example, he said, in a trading application, there may be certain traders who are authorized to execute particular types of trades, say oil and gas, but no others. "If he tries another type of trade, it should be denied. That's what I mean when I say fine-grained authorization for the execution of transactions."
To get that kind of fine-grained security, developers have been developing and deploying custom code for individual applications, and as a result, access policies have been managed in silos.
"The problem with that model is it's very costly, and it leads to inconsistency in the application of security policy," said Howard Ting, senior director of product management and marketing at Securent in Mountain View, Calif. "And when you need to change a policy, you have to change it across all resources."
Ting added, "It's also time consuming. The way most applications have access control policy enforced today is to write it into the code, so developers are writing thousands of lines of code. That leads to a lot of potential problems. By externalizing the security policies from the application and managing them centrally, ROI becomes a strong message."
"The issue isn't that we haven't done this in the past," Bagnulo said. "Every application has a fine-grained authorization system in it, but it's custom coded. That's why Securent is attractive. We looked at BEA [AquaLogic Enterprise Security, a fine-grained entitlements solution] and it works great for WebLogic, but we've also got JBoss and a lot of SharePoint servers, WebSphere, Documentum, Oracle database. Securent has plug-ins for all those application environments."
The ability to write a single security policy that goes across heterogeneous platforms saves time and complexity, Bagnulo said.
Ting said that while the function of entitlement management, or access entitlement, is not new, the term itself is. Entitlement management is one of several new categories, including identity audit and regulatory compliance tools, user-centric identity applications, consumer authentication products, role discovery tools, enterprise application controls management, and identity-aware appliances, that have emerged under the identity management umbrella over the past few years, according to the Burton Group report, The Identity Management Market 2007: An Expanding Universe.
Open standards important
Securent's EMS is based on the eXtensible Access Control Markup Language (XACML). According to the Burton report, support for Version 2.0 of XACML is growing, "riding the wave of interest in entitlement management solutions that rely on the XACML authorization standard."
"I've been following XACML for a while, which is what drew me to Securent," Bagnulo said. "I want open standards so other technologies can plug in. For example, I use DataPower [the XML appliance] from IBM because it natively speaks XACML. I didn't have to do custom development to get my security infrastructure powered by Securent to integrate. And if Securent goes out of business, I can find a replacement that speaks XACML; it's a way of hedging. The point is you have to think about the long term and not lock in."
Bagnulo said his group is just getting started with Securent for its business applications. "If we're building a new application, the application team shouldn't take on the work to build in entitlement management, they'll plug into Securent," he said. An example of a new rich Internet application that Bagnulo's group is building with Adobe Flex and that will utilize the EMS is an external letter of credit for clients to use.
"As legacy applications change, we'll refresh the security infrastructure," Bagnulo added. "Say with WebLogic, as we upgrade from 8.1 to 9.2, that's where we're inserting Securent. We don't do broad rip and replace."
Using an entitlement management solution takes a lot of work off the plates of application developers, Bagnulo said, and we "have less risk that someone did something that was not a best practice."
Entitlement management throughout the enterprise
Bagnulo's broader vision for entitlement management is that it's just as applicable for technology systems as it is for business systems. For example, he said, an entitlement policy could be that an IT administrator is not allowed to execute a change to a mission-critical system during working hours.
While an organization may have a policy in place, "in data centers today it's mostly an honor system," he said. "The only way to enforce policy is with security; you need something in the middle governing what the user is trying to do. Unapproved changes happen, in reality, because something like this isn't in place."
"Long term, customers want to use [EMS] through the enterprise," Ting said. Although custom applications and portals are Securent's core business, "We've spent a lot of time building agents, like for SharePoint and databases. This is Ryan's vision, to use this across the infrastructure. The need for policy-based management is relevant across every resource."
For now, though, Wachovia's CIBT group is in the process of testing applications utilizing Securent that run on SharePoint and JBoss.
But Bagnulo is excited about the possibilities. "In conversations I've had with Securent, I tell them they're missing an opportunity. I tell them to market that the business rule is security policy. I think you will see a sea change -- that XACML will emerge as an alternative to ILOG and Drools [business rules management systems]." For example, he said, a business rule says a trader can execute only so many transactions per day above a certain value.
"The only way to enforce that is through security policy," he said. "Otherwise it's wishful thinking, and good luck."
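As an added example (not Securent's product code or Wachovia's own policies), here is the kind of externalized, XACML-style decision point the article describes, with the three entitlements Bagnulo uses as illustrations: the oil-and-gas trader who may execute no other trade type, the per-day cap on large transactions, and the working-hours change freeze on mission-critical systems. Role names, attribute names, the notional threshold and the daily limit are assumptions made for the example.

```python
# Added example: a minimal XACML-style policy decision point (PDP). Policy lives here,
# outside the application; the application (the enforcement point) sends subject,
# resource, action and environment attributes and acts on the decision it gets back.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

LARGE_TRADE_NOTIONAL = 10_000_000   # constructed threshold for a "large" trade
DAILY_LARGE_TRADE_LIMIT = 5         # constructed per-day cap on large trades

@dataclass
class Request:
    subject: Dict[str, Any]
    resource: Dict[str, Any]
    action: str
    environment: Dict[str, Any] = field(default_factory=dict)

@dataclass
class Rule:
    rule_id: str
    effect: str                                # "Permit" or "Deny", as in XACML
    target: Callable[[Request], bool]          # does this rule apply to the request?
    condition: Callable[[Request], bool] = lambda r: True  # extra check once it applies

# Constructed policy set covering the three entitlements described in the article.
RULES: List[Rule] = [
    Rule("trader-may-trade", "Permit",
         lambda r: r.action == "execute-trade" and "trader" in r.subject.get("roles", ())),
    Rule("trade-type-outside-desk", "Deny",
         lambda r: r.action == "execute-trade",
         lambda r: r.resource["trade_type"] not in r.subject.get("trade_types", ())),
    Rule("daily-large-trade-cap", "Deny",
         lambda r: r.action == "execute-trade" and r.resource["notional"] > LARGE_TRADE_NOTIONAL,
         lambda r: r.environment.get("large_trades_today", 0) >= DAILY_LARGE_TRADE_LIMIT),
    Rule("admin-may-change", "Permit",
         lambda r: r.action == "change" and "it-admin" in r.subject.get("roles", ())),
    Rule("no-critical-change-in-hours", "Deny",
         lambda r: r.action == "change" and r.resource.get("criticality") == "mission-critical",
         lambda r: 9 <= r.environment.get("hour", 0) < 17),
]

def evaluate(req: Request, rules: List[Rule] = RULES) -> str:
    """Deny-overrides combining: any applicable Deny wins, then Permit, else NotApplicable.
    The enforcement point should treat anything other than an explicit Permit as a denial."""
    effects = {rule.effect for rule in rules if rule.target(req) and rule.condition(req)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"
```

Changing a business limit then means editing one rule in this list rather than hunting through every application that enforces it.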