The Business Case For Entitlements Server
By Naresh Persaud on Jul 24, 2011
Much of our content today discusses how to apply an entitlements server to provide external authorization, but less time has been spent on the business case for fine-grained entitlements. As we wrap up a week of sales training, I want to summarize some of the data points on how organizations justify the benefits of entitlements servers. Role-based access control has a rich academic history and draws on a diverse range of disciplines, but the business case rests on more practical observations.
The demand for entitlements servers has increased drastically in the past few years as application and data security moved into the foreground. Despite the large number of “off the shelf” solutions used in IT, the majority of mission-critical “line of business” applications are home-grown. Financial services companies are perhaps the most mature users of fine-grained authorization because of the regulatory pressure and the intrinsic monetary value of the data. In the past few years, demand has picked up in many verticals, from healthcare to manufacturing. Where business processes are being outsourced, policy-based control over data and transactions is essential.
A few years ago, the banking world was rocked by the scandal of a rogue trader who used his knowledge of gaps in control procedures to create a $7.1B loss for a major bank. While this case is certainly sensational, this type of insider fraud happens more often than we think. Some sources suggest more than 46% of fraud is caused by insiders. Setting aside the economic ROI of deploying an entitlements server, the most compelling reason is the security of the business itself. When a “line of business” application like a trading system or a clinical trials application is compromised, the financial impact is severe.
Today most of the organizations deploying an entitlements server have well-defined requirements to segregate access, driven by internal policy or external regulation. The regulatory pressure alone provides the business case. In most cases, the customer's existing home-grown approach became too difficult to maintain and scale as security requirements changed. Looking across deployments, two economic value propositions appear in every case:
- Time to value: Re-tooling applications to address security changes can take many months. Many organizations that deployed an entitlements server have reduced this to weeks. That is a significant gain when the organization is trying to address an audit finding or close a security gap.
- Reduced development cost: Most organizations save tens of thousands of dollars per application after deploying an entitlements server, because so much development time was previously spent hard-coding authorization logic into each application. In one anecdotal case a company saved over $265K annually across seven applications by externalizing security. Thanks to Andy Vallila for sharing this particular example.
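To make the two value propositions above concrete, here is an added example (not code from this post, from Oracle, or from any entitlements product) contrasting a hard-coded authorization check with the same check delegated to a policy decision point. The trading application, its roles, desks, limits and the rule format are all constructed for illustration. The point it shows is the one the list makes: with policy held as data, an audit-driven control change is a new rule pushed to the decision point, whereas the hard-coded version needs a code change, a test cycle and a release.

```python
from dataclasses import dataclass
from typing import Any, Callable

# Added example, not code from the original post or from any entitlements
# product. The trading application, its roles, desks, limits and the
# policy format below are all constructed for illustration.


@dataclass(frozen=True)
class Trade:
    desk: str
    notional: float


# --- Before: authorization rules live inside the application ----------
DESK_LIMITS = {"rates": 5_000_000, "equities": 2_000_000}


def can_book_hardcoded(role: str, desk: str, trade: Trade) -> bool:
    """Any new role, desk or limit means editing, re-testing and redeploying."""
    if role == "desk_head":
        return True
    if role == "trader" and desk == trade.desk:
        return trade.notional <= DESK_LIMITS.get(trade.desk, 0)
    return False


# --- After: the application asks a policy decision point (PDP) --------
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "le": lambda a, b: a <= b,
    "gt": lambda a, b: a > b,
}

# Policies are data. Each rule has an effect and a list of conditions over
# subject/action/resource attributes; "ref" compares against another
# attribute instead of a literal value.
POLICY: list[dict[str, Any]] = [
    {"id": "desk-head-any", "effect": "permit",
     "when": [{"attr": "subject.role", "op": "eq", "value": "desk_head"}]},
    {"id": "trader-rates", "effect": "permit",
     "when": [{"attr": "subject.role", "op": "eq", "value": "trader"},
              {"attr": "subject.desk", "op": "eq", "ref": "resource.desk"},
              {"attr": "resource.desk", "op": "eq", "value": "rates"},
              {"attr": "resource.notional", "op": "le", "value": 5_000_000}]},
    {"id": "trader-equities", "effect": "permit",
     "when": [{"attr": "subject.role", "op": "eq", "value": "trader"},
              {"attr": "subject.desk", "op": "eq", "ref": "resource.desk"},
              {"attr": "resource.desk", "op": "eq", "value": "equities"},
              {"attr": "resource.notional", "op": "le", "value": 2_000_000}]},
]


def _holds(cond: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """A condition over a missing attribute never holds (fail closed)."""
    actual = ctx.get(cond["attr"])
    expected = ctx.get(cond["ref"]) if "ref" in cond else cond["value"]
    if actual is None or expected is None:
        return False
    return OPERATORS[cond["op"]](actual, expected)


def decide(policy: list[dict[str, Any]], ctx: dict[str, Any]) -> tuple[str, list[str]]:
    """Deny-overrides combining with default deny.

    Returns the decision and the ids of the rules that matched, which is
    what an auditor asks for when a decision is questioned.
    """
    matched = [r for r in policy if all(_holds(c, ctx) for c in r["when"])]
    ids = [r["id"] for r in matched]
    if any(r["effect"] == "deny" for r in matched):
        return "deny", ids
    if any(r["effect"] == "permit" for r in matched):
        return "permit", ids
    return "deny", ids


def can_book_externalized(role: str, desk: str, trade: Trade,
                          policy: list[dict[str, Any]] = POLICY) -> bool:
    """The policy enforcement point: build the request, ask the PDP, enforce."""
    ctx = {"subject.role": role, "subject.desk": desk, "action": "book",
           "resource.desk": trade.desk, "resource.notional": trade.notional}
    decision, _ = decide(policy, ctx)
    return decision == "permit"


# An audit finding asks that equities trades above 500k be blocked until a
# control is fixed. With externalized policy this is one new rule pushed to
# the PDP; the hard-coded application would need a new release.
FREEZE_EQUITIES = {"id": "freeze-equities", "effect": "deny",
                   "when": [{"attr": "resource.desk", "op": "eq", "value": "equities"},
                            {"attr": "resource.notional", "op": "gt", "value": 500_000}]}
TIGHTENED_POLICY = POLICY + [FREEZE_EQUITIES]


if __name__ == "__main__":
    trade = Trade("equities", 1_000_000)
    print("hard-coded:", can_book_hardcoded("trader", "equities", trade))          # True
    print("externalized, original policy:",
          can_book_externalized("trader", "equities", trade))                      # True
    print("externalized, after freeze rule:",
          can_book_externalized("trader", "equities", trade, TIGHTENED_POLICY))    # False
```

Two design choices matter here for a practitioner. Deny-overrides with a default of deny means a newly pushed restriction wins even over a broad permit such as the desk-head rule, and a request missing an attribute is refused rather than accidentally matched. Returning the matched rule ids alongside the decision is what turns the decision point into an audit record: the question "why was this trade allowed" has an answer that does not require reading application code.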
Entitlements servers are still in the early-adoption phase, and the customers adopting them are those with the most urgent security needs. As we survey and summarize the results from early adopters, we will gain better ROI data. For more background on entitlements servers and how to apply them, the following resources may be helpful: