
November 20th, 2006

Does authorization equal entitlements?

Posted by Eric Norlin @ 11:49 am

Categories: General

Back in the early mists of identity time, "identity management" was referred to as "AAA" (triple A) — authentication, access control and authorization. Over time, AAA evolved to mean authentication, authorization and accountability. Those were seen as the three large functional categories within what came to be called identity management. Eventually, as technology and understanding evolved, categories such as provisioning, federation, web access control, E-SSO, etc. were added. The big three categories remained, but we came to call the whole group of functions "identity management."

Recently, a startup named Securent brought me back to thinking about "authorization." Securent has released some products to deal with what they're calling "entitlement management" at the application layer. The naming convention is interesting, and useful.

As the enterprise has come to deal with the networking of everything, the topic of "authorization" has risen to the top. Controlling "access" to the enterprise was always a nice first step, but it doesn't solve the problems of compliance in today's regulatory environment. Access control was the application layer's version of the network firewall: it created an "inside" and an "outside" and controlled who could get inside. This concept works well as far as it goes, but, as has been found with firewalls at the network layer, it doesn't scale well and it tends to fight the type of mobility networking seeks to deliver.

Authorization — dealing with who has the right to do what with what, where, and when — gets to the heart of the problem: what are people *entitled* to do? It jumps over proxy concepts like location, devices, etc. and goes right to the problem at hand. Thus, "entitlement management" as a category makes some sense. Is that just semantic trickery on the part of Securent in this case? Maybe, maybe not (I haven't seen the products). But it could be a useful semantic step in facilitating the conceptual shift from "barrier security" paradigms to the truly identity-based paradigms networked computing requires.
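The contrast between a barrier check and an entitlement check can be shown in a few lines. This is an added example, not code from the original post or from any Securent product; the users, the resource name and the time windows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class Entitlement:
    subject: str   # who
    action: str    # may do what
    resource: str  # with what
    start: time    # when: window start (inclusive)
    end: time      # when: window end (exclusive)

# Constructed sample data (hypothetical users and resource).
INSIDE = {"alice", "bob"}  # everyone the barrier lets "inside"
LEDGER = "ledger/2006-Q4"
ENTITLEMENTS = [
    Entitlement("alice", "read", LEDGER, time.min, time.max),
    Entitlement("alice", "approve", LEDGER, time(9), time(17)),
    Entitlement("bob", "read", LEDGER, time(9), time(17)),
]

def perimeter_allows(subject, action, resource, at):
    """Barrier model: the only question asked is whether the subject is inside."""
    return subject in INSIDE

def entitlement_allows(subject, action, resource, at):
    """Default deny: permit only if one entitlement matches who, what, resource and when."""
    return any(
        e.subject == subject and e.action == action
        and e.resource == resource and e.start <= at < e.end
        for e in ENTITLEMENTS
    )

def over_permitted(requests):
    """Requests the barrier admits although no entitlement covers them."""
    return [r for r in requests
            if perimeter_allows(*r) and not entitlement_allows(*r)]

# Constructed requests: (who, action, resource, time of day).
REQUESTS = [
    ("alice", "approve", LEDGER, time(10)),   # entitled
    ("bob", "approve", LEDGER, time(10)),     # inside, but never entitled to approve
    ("alice", "approve", LEDGER, time(20)),   # entitled, but outside the time window
    ("mallory", "read", LEDGER, time(10)),    # not inside at all
]

if __name__ == "__main__":
    for req in over_permitted(REQUESTS):
        print("barrier admits, entitlement denies:", req)
```

The two requests returned by `over_permitted` are the gap a compliance review cares about: both come from legitimate insiders, so a barrier check cannot distinguish them from the permitted request.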

Beyond authorization and entitlement, the breaking wave in identity is visibility. You can provision, federate, authorize, entitle, and audit - but what you're ultimately trying to provide is real-time visibility into a network. Seeing what's going on gives you the ability to enforce policy, but seeing across the entire networked environment of the enterprise is not an easy process.

And the authorization of entitlements is the next step in that process.

Talkback

Entitlement Management Case Studies
For additional Entitlement Management case studies, you can visit Xceedium's website to find additional resources for planning a successful Entitlement Management strategy.

...
Posted by: brianpasch Posted on: 01/28/09